Ransomware makes headlines, but what’s it like in the office of a small business when it happens? One man tells his story.
“You feel invaded and vulnerable. This was his business, his baby, and it could all be over because some hackers were after a bit of cash.”
Names like Bad Rabbit, WannaCry and CryptoWall make the news due to the massive impact ransomware attacks have. Hackers cost individuals and businesses $5bn in 2017, and that figure is predicted to rise in 2018 to an astonishing $11.5bn. Avast alone blocked 132,000,000 ransomware attacks in 2017.
Most people understand how ransomware works – it’s in the name – but what’s it like when it happens to you and your business? What’s it like when the boss announces: ‘We’re being attacked’?
We spoke to Chris* who offers us an example of what happens when ransomware hits your business. This is his story - a detailed account of four days he will never forget.
“It didn’t just happen… it unfolded,” he says.
*Chris’s name has been changed and some of the details have been omitted or altered to protect the identity of those involved.
“We were a start-up [based in Europe], selling high-end products online to customers around the world.
“I was Head of Marketing at the time. While I’d worked in digital media for a long time, my technical knowledge wasn’t deep, but we were handling sensitive data so I knew that we should have protection. We didn’t hold card details, but we had names, email addresses and postal addresses.
“You’re only as strong as your weakest link”
“I felt we owed it to our customers to look after their data – keep it private. Also, you can get data-loss insurance but coverage depends on your level of protection.
“The CEO saw himself as a bit of an IT whiz and was very cagey about what security we had in place. I think what we had was very basic, and it wasn’t company-wide, just the out-of-the-box services that come with computers when you buy them. But that was it…”
Day Zero: The Day Before
“It started on a normal day. In the afternoon, towards the end of the working day, a few people found that they couldn’t open certain documents. I wasn’t having any issues because, working in marketing, I was using mainly cloud-based services and social media. It was mainly the accounts people and those dealing with customer queries. People just assumed that it was a glitch, that they would just turn their computers on the following day and it would be sorted. So, no one really made a big deal about it.
Day 1: The Attack
“The next morning, everyone came in as usual and booted up their computers. This time no one could open any documents. When you clicked on a file, a strange text document opened with lots of code in it – just nonsense. We could see that the files weren’t the file types they had been, but rather image files made to look like the original files.
“Our CEO came in as everyone was saying, ‘Hey, is anyone else having problems opening documents off the server?’. People were saying ‘Yes’, ‘Yeah, I am’, ‘Me too’.
“He sat at his desk in our open-plan office and started his computer. A few minutes later, he swore and punched the desk, then he stood up and put his hand over his mouth. He just stood there for 10 or 15 seconds. Then he shouted to everyone: ‘Right, everyone unplug your machines, network cables, everything. Do it now!’
“He was quite an imposing man, so when he said do something, you did it. We could all hear the emotion and panic in his voice. Also, it wasn’t normal for him to behave like this, so we knew immediately that something was very wrong. Everyone started getting under their desks to unplug everything.
“Once we’d done that, he gathered us round in the meeting room. He told us that he had received an email from hackers that said: ‘We’ve taken over your server and locked your documents. Pay us €15,000 in cryptocurrency to get them back. As a gesture of goodwill and to prove we can give you the documents back, we will release two documents of your choice.’ Our company had three days to decide.
“He asked us: ‘Has anyone had any issues with suspicious emails or websites?’ Our Head of Operations said she had received an invoice as a PDF, but when she opened it, it was for a different company. She had responded to the sender to explain this and heard nothing more. Our CEO said, ‘Why did no one tell me?!’, but no one had thought anything of it at the time. She gets dozens of emails from customers – unknown email addresses all the time – so it wasn’t that odd.
“We wondered if part of the problem was that she had not turned her computer off after this, giving hackers 12 hours before she came back in to work to break through our rudimentary antivirus and get into the server. Most of us had some sort of free antivirus on our machines, but not everyone, and when you’re all linked to a network, you’re only as strong your weakest link.
“We immediately downloaded free anti-malware and free antivirus software, while we searched for a more permanent solution.
“Our boss replied to the hackers requesting one document be released and that's when we started getting more and more emails from the hackers - threatening emails.
“It seemed as though the attacks were automated and they would have hundreds – maybe thousands of viruses – working away at servers and networks. Then, when the CEO responded to the email requesting that documents be released, the hackers knew they had got ‘a live one on the hook’.
“English clearly wasn’t their first language. All the words were there but the grammar wasn’t correct. We noticed colloquialism and slang in the translation and just had the feeling that the hackers were reasonably young – late 20s.
Day 2: The Damage
“We were a start-up so €15,000 was a lot of money. The heads got together to assess how much the data was worth: the data, the time to collate the data, customer details, previous sales records, assets – video, product photography. We also thought: ‘If we pay them, will they think we’re a soft touch and do it again?’ So there was also the cost of getting rid of whatever this was and getting what we needed to protect ourselves in the future.
“While we were deciding what to do, some people had gone out to buy new computers so we could keep running the business. We were still able to take orders but had to resort to pen and paper to record transactions.
“People in the office were actually really, really worried because they weren’t just concerned for the business, but for their personal data. Many people had their own laptops and mobiles on the network; would this give hackers access to our personal data? Wedding photos we might not have backed up? Internet banking details, social media information? Would we infect our families and friends through our personal emails? Myself and others called friends and family and said ‘Don’t open any emails from me in the past few days.’
“We also knew we had to contain this. Our CEO said we couldn’t tell anyone. At the time we were looking for outside investment and we knew this would damage our chances of getting it. We thought: ‘Who would invest in an insecure company that spent €15,000 to pay a ransom?’ Especially if they thought it might happen again. But what about our customers? Should we tell them? It was their data… emails, addresses and so on.
“We found that our email system was not infected and that we could source much of the lost data from emails. We also had the two documents the hacker released.
“Our CEO managed to negotiate with the hackers. He’d said that we were a small start-up and didn’t have €15,000, so they said we could have a discount to €10,000. A discount! We figured that they were just after a quick dirty buck, so they might as well accept anything – it was free money to them.
Day 3: The Decision, The Plan
“After a long, hard deliberation, we made a decision: we weren’t going to pay the hackers, but we were exposed. We needed to get clean and protected before the deadline - before they realised we weren’t going to pay them anything - so they couldn’t do any more damage. We thought that the information they had, while important to us, was of no value to anyone else; the hackers wouldn’t gain anything from publishing it. It would damage us, but their aim was money, not flogging some random company.
“24 hours was all we had until the deadline – and we needed to be ready.
“We could see all of the encrypted files on the server, so we knew what documents we had to rebuild.
“It was essential that we had security up and running, so we immediately upgraded the antivirus software to the premium, paid versions.
“We called an IT specialist who came in that day to look at the server. He disconnected everything, cleaned it out and made sure that the new software was a strong enough barrier to make sure we could fend off future attacks.
“We didn’t have to replace the server but we did have to buy a second, backup server. This server would back-up from the main server at the end of every day and then disconnect so it was protected.
“I didn't speak to the specialist myself but apparently he knew all about this kind of threat. He told the boss: ‘I'm increasingly getting called out for these things.’ He said that, ultimately, it's a really complicated attack that’s easy to defend against if you pay for proper antivirus, because then you have a company working to make sure you’re secure. Antivirus protection isn’t tangible or visible so it feels distant from you and because you’re disconnected from it, a lot of people ignore it - like we did.”
Day 4: Aftermath – Counting The Cost
It’s hard to work out exactly how much money we lost. It cost €4,000 for the IT guy; it cost about the same for the new server. No one in the office could work for three or four days as we were all rebuilding all the old documents. While we were still able to take orders on the site, we couldn’t process them so there were delivery delays to customers. That’s 12 people’s wages while we weren’t able to generate any income. It might not sound like a lot to a bigger business, but it was a lot of money to us because we were a start-up.
The human cost
“Our CEO said, ‘I feel sick, everything is tainted’. He’d been burgled once when he was in his house and he said this was the same: someone he didn't want to get in has got in, and is taking his stuff and threatening him. Emotionally, it’s the same – you feel invaded and vulnerable. This was his business, his baby, and it could all be over because some hackers were after a bit of cash.
“There was also a huge impact on the team. Everyone definitely felt that creepy nervousness about the whole thing. We were all very wary about opening emails and aware of turning our computers off at the end of the day. It took a long time before people started logging personal devices in to the work Wi-Fi again.
“We put a protocol in place in case anyone felt there was something odd going on with the computers.
“Even though it might have been the Head of Operations who ‘let it in’, there was no finger pointing. We all knew that it could have been any one of us.
“It’s funny: people hate those little antivirus update pop-ups on their screen, but for us, it made us feel safer. We felt like we weren’t on our own. We also felt like we weren’t personally responsible for our cybersecurity, or at least not alone.
“I was with the company for several months afterwards and there were no more attacks.
Epilogue: Advice to Small Businesses and Start-ups
“I’d say two things:
What’s it worth?
“You need to understand what your most valuable assets are. For some businesses it’s stock or relationships, but for many it’s data. If it is, you need to make sure you protect your data. This means that your laptops and tablets are very important, because they are the gateway to your data.
Small businesses ARE at risk
“Too many small businesses think, ‘I’m only small, they won’t bother with me’, but hackers aren’t that tactical – viruses can attack everyone because the technology means they can.
“A €15,000 ransomware attack could sink a small business – it nearly sank us. A bigger business is more able to absorb that cost or fight the attack. Hackers know that those who own their own businesses will do anything to protect it. They also know they’re more vulnerable because cybersecurity isn’t front of mind – it can also feel expensive to an SMB [small-medium-sized business]. That’s why hackers target small businesses – it’s easy money.”