300 Employees Lost Jobs Following a Botched Ransomware Recovery Process
More than 300 employees of The Heritage Company, an Arkansas-based telemarketing company, lost their jobs following a botched ransomware data recovery process.
Just a few days before Christmas, Sandra Franecke, Owner and CEO of The Heritage Company, informed the more than 300 employees of the company that in October last year, the company’s servers were “attacked by malicious software that basically ‘held us hostage for ransom’ and we were forced to pay the crooks to get the ‘key’ just to get our systems back up and running”. While not naming the attack as ransomware attack, the attack described by the owner and CEO of The Heritage Company is typical of a ransomware attack – a type of cyber-attack that uses a malicious software (malware) that stops users from accessing their computers or accessing their data via encryption.
In encryption, plaintext is converted into random and meaningless text and key, also known as decryption key, is needed to convert it back to plaintext. In exchange for this decryption key, ransomware attackers coerce victims to pay ransom.
Just before Christmas, nearly 2 months after paying the ransom, the owner and CEO of The Heritage Company said that the company wasn’t able to bring all their systems back up and added that the company is temporarily ceasing its operations. The employees were told to call a hotline to check the status of the company’s operations after the New Year.
“Though we have made progress, there is still much work to be done,” a director of the company said in a pre-recorded message to the employees. “With that in mind, we do not prevent you from searching for other employment. Please take care of yourselves, your loved ones, and have a happy New Year”.
The closure announcement of The Heritage Company came as a surprise to its employees as the company just recently gave 7 cruise giveaways to its employees. The cruise giveaways, the owner and CEO of The Heritage Company said, was made in November last year “when again I was being told the systems would be fixed that week.”
This isn’t the first time that a small business folded up after a ransomware attack. Wood Ranch Medical, a clinic in California, in September last year announced that a month earlier, it fell victim to a ransomware attack. Wood Ranch Medical said that the cyber-attack affected the company’s servers, including its backup systems, which contained patients’ personal healthcare information.
“Unfortunately, the damage to our computer system was such that we are unable to recover the data stored there and, with our backup system encrypted as well, we cannot rebuild our medical records,” Wood Ranch Medical said. “We will be closing our practice and ceasing operations on December 17, 2019.”
Backups, Data Recovery Process and Data Theft
As shown in the case of Wood Ranch Medical, ransomware attackers are going after backup systems as well, making this attack much more devastating for the victims.
In mid-2019, vendors of data backups warned customers that ransomware attackers are targeting backup systems, specifically NAS which stands for network attached storage. NAS is a type of backup system that stores data and can be connected to office or home or network or the internet.
In a security advisory to its customers, QNAP Systems, the vendor of QNAP NAS devices, warned its customers that the ransomware called “eCh0raix” specifically targets QNAP NAS devices. Synology, another NAS vendor, warned its customers that ransomware attackers are targeting Synology NAS devices.
Many ransomware victims assume that they can access back their computers or their encrypted data by paying the ransom. There have been many documented cases that this isn’t the case.
Despite paying ransom, many ransomware victims can’t access their encrypted data as some ransomware are simply designed to be a wiper – a malware that’s meant to permanently destroy files. An example of a wiper that masquerades as a ransomware is the malware called “NotPetya”.
NotPetya is a malware that infected 12,500 Windows computers in 64 countries in just a span of 24 hours on June 27, 2017. This malware was initially labelled as ransomware as it exhibited typical behaviours of a ransomware such as encrypting the hard drive of the compromised computer and demanding a ransom from victims to regain access to the computer. This malware, however, is incapable of decrypting files even though the victims paid ransom.
Other ransomware victims can’t access portion of the encrypted data despite paying ransom as some ransomware contain bugs which render them incapable of totally decrypting files. The ransomware called “Ryuk” is an example of a ransomware that can’t totally decrypt encrypted files.
Emsisoft reported that it found a bug in the application that Ryuk ransomware attackers gave to their victims after paying a ransom. According to Emsisoft, the bug causes an incomplete recovery of some types of data, leading to data loss.
Another concerning issue that ransomware victims encounter is the fact that some ransomware don’t merely encrypt data, but they also steal data prior to encryption. The ransomware called “Maze” is one example of a ransomware that steals data prior to encrypting victims’ files. The group behind this ransomware demands from its victims to pay ransom after encrypting the files. If a victim refuses to pay the ransom, portion of the stolen files is leaked online and the group then threatens to release the rest of the stolen data.
You don’t have to be the victim. Our experts can evaluate your current state and recommend a mitigating strategy to help you prevent a disaster. Call us today at (416) 920-3000 or email firstname.lastname@example.org