From 2021 to 2022, ransomware attacks by hackers increased 13 percent, according to the Verizon Data Breach Investigations Report (DBIR), an increase larger than the previous five years combined. In 2014, Google researchers reported that “21 of the top-25 news organizations in the world have been targeted by hackers” (largely by state actors), a number that has almost certainly increased in the past eight years.
While large corporate and government hacks tend to generate the most attention, smaller organizations are at risk as well. In June 2022, a local, independently owned publisher (who requested to remain anonymous) found that its servers had been hacked and held for ransom.
The publisher learned at 3:00 am local time that a hacker had broken into one of their systems, looked at what files were accessible, and then locked the system, leaving a ransom note. The publisher found the ransom note when they accessed the system while attempting to solve an unrelated print production issue. By 4:00 am local time, the publisher had notified their insurance provider, retained a lawyer and contacted the FBI.
With their legal and insurance team in place, the publisher began its response on two tracks. The first step was to contact the hacker directly. Since paying ransoms is technically illegal, their insurer had to get approval for any payments, and they were advised to set a ceiling for what they would pay and to not respond to the hacker right away, so that they might extend the timeline. On a parallel track, their internal teams were working to rebuild systems and find backups, to determine whether they would need the ransomed information at all.
Over approximately two weeks, the publisher estimated the value of what was lost and made the hacker a counter-offer at an insurer-approved amount. When it was rejected, the publisher chose to walk away from what was lost, confident they had made the best decision without paying the original ransom amount. This was reinforced as the publisher learned that decryption keys, the information that hackers typically offer in return for payment, don’t always work, so there is a risk of data loss even for those who pay off the hackers.
Overall, the publisher sees this as a success for three reasons:
1.) They had a plan: They had previously discussed this topic with another publisher in their region, which led them to set up a process to follow in the event of a hack.
2.) As part of that plan, they had cyber insurance that specifically covered ransomware attacks and a provider that could advise them on what to do, which included installing monitoring software on the organization’s computers and making changes to information security, such as requiring more complicated passwords.
3.) Because they had a plan, they were able to take a step back and proceed “like it was 1975,” as the publisher said, until all their systems were back up and running safely. Any work that could be done offline was done offline.
The publisher also learned that some of their internal processes, while not to blame for the attack, affected how they were able to respond to it. For instance, the publisher stored some archives on physical servers that were then locked by the hacker, rather than using cloud storage, which is controlled by a third party that can provide the necessary access. In addition, the publisher’s regular data backup schedule meant that the hacker’s malware reached their internal servers more quickly than it might have otherwise. The publisher is now reconsidering how frequently to back up their data.
The publisher said that hacks of this nature are “a criminal enterprise that works because it’s done in silence.” They believe in talking candidly about what they learned and how other organizations can prepare in advance for the possibility of a ransomware attack.
The publisher offered three pieces of advice for companies thinking about their risk:
1.) Do not assume your company is too small for hackers to pay attention to.
2.) Make a plan – Know how to contact your lawyer, insurance provider, and law enforcement, so you can determine what to do at each stage of the process.
3.) Consider whether your IT policies increase your vulnerability to being hacked, and work to resolve those weaknesses in advance.
No company is immune to the threat of ransomware attacks, but as this experience shows, forward-thinking organizations can take smart steps to mitigate their effects and continue operating with minimal interruption.