Who: 43 Year Old Family Owned Midwest Manufacturing Business with 140 Total Employees
What Happened: Foreign State sponsored Cyber Attack, Initial Ransom Request = $750,000
The Results: Ransom negotiated and paid by Cyber Liability Insurance provider after being hard down for a week. Took over 6 months to fully recover.
Like many small businesses, this company thought of itself as a “non-target”: too small to be important and not on any cyber criminal’s radar. And like many small businesses, it was wrong. The attackers got into the network in January 2020 through a spear-phishing email sent to the office manager.
The office manager clicked the link, the malicious code it delivered was downloaded, and it began monitoring the machine and phoning home. The attackers used that foothold to install key-logging software on the PC. The code sat undetected, checking in regularly, until July 3rd, 2020, the Friday afternoon on which the company upgraded its ERP system.
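Months of regular check-ins like the ones described above are exactly the pattern that periodic-beacon analysis of proxy or firewall logs is meant to surface. The Python script below is an added example, not code from the original post or from The Purple Guys: it groups outbound connections by (source host, destination), measures how regular the gaps between them are, and flags pairs whose interval barely varies. The log lines, hostnames and addresses are constructed for the example (TEST-NET ranges), and the `min_connections` and `max_cv` thresholds are assumed starting points, not tuned values.

```python
"""Periodic-beacon detection over proxy/firewall log lines (added example).

Malware that "phones home" on a timer produces outbound connections whose
inter-arrival gaps are nearly constant; normal browsing does not. This script
groups connections by (source host, destination), computes the mean gap and
its coefficient of variation (stdev / mean), and flags low-variation pairs.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <source host> <destination ip:port>".
# Hosts and addresses are made up (TEST-NET ranges), not data from the incident.
SAMPLE_LOG = """\
2020-03-02T08:00:02 ws-office-mgr 203.0.113.45:443
2020-03-02T08:01:17 ws-office-mgr 198.51.100.20:443
2020-03-02T08:05:01 ws-office-mgr 203.0.113.45:443
2020-03-02T08:09:44 ws-office-mgr 198.51.100.20:443
2020-03-02T08:10:03 ws-office-mgr 203.0.113.45:443
2020-03-02T08:15:00 ws-office-mgr 203.0.113.45:443
2020-03-02T08:20:02 ws-office-mgr 203.0.113.45:443
2020-03-02T08:25:01 ws-office-mgr 203.0.113.45:443
2020-03-02T08:31:05 ws-office-mgr 198.51.100.20:443
2020-03-02T09:12:56 ws-eng-01 198.51.100.20:443
2020-03-02T09:13:10 ws-eng-01 198.51.100.20:443
2020-03-02T09:47:02 ws-eng-01 198.51.100.20:443
2020-03-02T10:03:12 ws-eng-01 198.51.100.20:443
2020-03-02T11:30:45 ws-eng-01 198.51.100.20:443
"""


def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst = line.split()
        events[(host, dst)].append(datetime.fromisoformat(ts))
    return events


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation) for the
    timestamps, or None if there are fewer than two gaps to compare."""
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    if len(gaps) < 2:
        return None
    mu = mean(gaps)
    if mu <= 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Flag (host, destination) pairs with at least `min_connections`
    connections whose gap variation is at or below `max_cv`.

    Both thresholds are assumptions for this example; tune them against a
    baseline of known-good traffic before relying on them."""
    hits = []
    for (host, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        stats = interval_stats(stamps)
        if stats is None:
            continue
        mu, cv = stats
        if cv <= max_cv:
            hits.append({
                "host": host,
                "dst": dst,
                "connections": len(stamps),
                "interval_s": round(mu),
                "cv": round(cv, 3),
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['host']} -> {hit['dst']}: {hit['connections']} connections "
              f"every ~{hit['interval_s']}s (cv={hit['cv']})")
```

On the sample data only the office manager's workstation talking to 203.0.113.45 every five minutes is flagged; the engineering workstation hits the same CDN-style address five times but at irregular gaps, so it is not. Real implants usually add jitter to the sleep interval and may beacon only every few hours, so in practice `max_cv` is raised, the observation window is lengthened to days, and a flagged pair is treated as a lead to investigate (what process opened the connection, what the destination is) rather than as proof of compromise.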
The IT staff used the network administrator credentials to log in to each PC, including the office manager’s, and perform the upgrade. The keylogger captured those credentials. The PC phoned home to the cyber criminals just as it had been doing for months; this time it had something to say. Typing privileged credentials on an end-user workstation exposes them to whatever is running on that machine, which is precisely the exposure that separate administrative accounts and unique per-machine local admin passwords are meant to limit.
On July 5th, now armed with the administrative credentials, the cyber criminals logged into the network and began copying data and preparing to encrypt the files, including the backups, which existed only on-site. They worked on the network for 29 straight hours, undetected. On July 8, 2020, every employee arriving at work got the same message when they attempted to log in: “You’ve been hacked”.
They were 100% encrypted: every individual machine with a different encryption key, including the servers and the backups. The company called the cyber liability insurance help line and got things started. The insurance company brought in a professional ransomware negotiator, cyber forensics experts and a legal team. The original ransom was $750,000.
Negotiations went back and forth for 3 days and resulted in a reduced ransom of $475,000, which was paid in Bitcoin. The negotiator and forensics experts confirmed the identity of the attackers as the Maze group, which they assessed to be Chinese state sponsored. The company also reported the attack to the FBI, which concurred with that assessment.
On July 13th, they received the decryption keys from the cyber criminals. They spent the next 3 days decrypting and coordinating with vendors (specifically their accounting system vendor). A few of the decryption keys did not work, so they called the cyber criminals’ help desk (yes, they have a help desk), which promptly responded with updated keys that did.
The business was hard down, without system access, for almost a week. Within a day of receiving the keys they were able to limp along on the decrypted systems, with many lingering issues, and were fully functional approximately 3 weeks after the attack. The executive team remained tied up with the forensic investigation and insurance meetings through the end of November. The net hard cost of the incident, including what the cyber liability insurance paid, was over $850,000.
If you are a small to medium-sized business and still convinced your organization isn’t a target, consider this: according to the Verizon 2021 Data Breach Investigations Report, 56% of cybersecurity incidents occurred in small businesses. Small businesses are also slower to detect incidents: fewer than half of SMBs (47%) report being able to detect one in less than a day, meaning the attackers have days, or in many cases weeks, to roam inside the network undetected. These statistics reveal the grim cybersecurity situation for most small to mid-size businesses today.
The Purple Guys are here to help, offering 24×7 monitoring and maintenance of your network.
If you are ready to learn more about The Purple Guys security services, let’s chat!