A (Fictional) Integrator’s Terrible, Horrible, No Good, Very Bad Day


Unless you’ve been shortlisted for a Nobel prize or you’re waiting on the birth of a baby, early morning phone calls are never a good thing. When Joe (the owner of the company that I just made up in my head) got a call from Kate (his equally made-up service manager) at 6:30 a.m., he knew it couldn’t be good. Kate was in the office early to get a jump-start on a busy day, but something was wrong.

She couldn’t get into any of her files.

She’d logged into her computer just fine, but the icons that normally littered her desktop looked funny today. Everything, from DSP files to PDFs, had a generic icon, and every file name had a random string of characters appended to the end. Kate stared at her desktop in confusion, until she noticed that just one file looked different. It was a text document, labeled “RECOVER-[RANDOM STRING]-FILES.” She double-clicked on it and immediately called Joe.

Their company had just been hit by a cyberattack.
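The symptoms Kate saw on her desktop (every document renamed with the same appended random suffix, plus a single RECOVER-…-FILES note) are exactly the kind of indicators a small script can watch for before anyone has to read a ransom demand. The example below is added here and is not from the article: it checks a directory listing for a mass-rename pattern and a ransom-note filename. The listing, the set of “known” extensions and the note-name pattern are constructed to match the story, not taken from any real ransomware family.

```python
import re
from collections import Counter

# Constructed sample listing (not from the article): the state Kate describes,
# every document carrying the same appended suffix and one ransom note among them.
SAMPLE_LISTING = [
    "Q3_budget.xlsx.k3j9z1",
    "room_204_shop_drawing.dwg.k3j9z1",
    "lobby_dsp_config.dsp.k3j9z1",
    "vendor_price_list.pdf.k3j9z1",
    "RECOVER-k3j9z1-FILES.txt",
    "desktop.ini",
]

# Extensions an integrator's workstation is expected to hold (assumption).
KNOWN_EXTENSIONS = {"xlsx", "dwg", "dsp", "pdf", "docx", "txt", "ini"}

# "document.ext.SUFFIX": a real extension followed by an appended random string.
APPENDED_SUFFIX = re.compile(
    r"^(?P<stem>.+)\.(?P<ext>[A-Za-z0-9]{2,5})\.(?P<suffix>[A-Za-z0-9]{5,12})$"
)
# Note-name pattern modelled on the article's "RECOVER-[RANDOM STRING]-FILES".
RANSOM_NOTE = re.compile(r"^RECOVER-[A-Za-z0-9]+-FILES(\.(txt|html|hta))?$", re.IGNORECASE)


def split_appended_suffix(name):
    """Return (original_ext, suffix) if name looks like doc.ext.SUFFIX, else None."""
    m = APPENDED_SUFFIX.match(name)
    if not m or m.group("ext").lower() not in KNOWN_EXTENSIONS:
        return None
    return m.group("ext").lower(), m.group("suffix")


def assess_listing(names, min_ratio=0.5):
    """Score a listing: share of files with an appended suffix, the most common
    suffix, any ransom-note files, and an overall suspicious flag."""
    suffixes = Counter()
    renamed = 0
    notes = []
    for name in names:
        if RANSOM_NOTE.match(name):
            notes.append(name)
            continue
        hit = split_appended_suffix(name)
        if hit:
            renamed += 1
            suffixes[hit[1]] += 1
    total = len(names) - len(notes)
    ratio = renamed / total if total else 0.0
    common = suffixes.most_common(1)[0][0] if suffixes else None
    return {
        "renamed": renamed,
        "total": total,
        "ratio": ratio,
        "common_suffix": common,
        "ransom_notes": notes,
        # A note file alone is decisive; otherwise require a large share of renames.
        "suspicious": bool(notes) or ratio >= min_ratio,
    }


if __name__ == "__main__":
    print(assess_listing(SAMPLE_LISTING))
```

The rename ratio matters more than any single filename: one odd file is a user saving something strangely, while half a share renamed with the same suffix within minutes is worth paging someone about. In practice you would feed this from a file-change feed on the file server rather than from a static listing.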

Globally, ransomware attacks are on a meteoric rise. Big name hacking collectives go after large paydays, but even smaller companies are at risk. You’ve heard of AV-as-a-Service (AVaaS), but have you heard of Ransomware as a Service (RaaS)? Malware creators are now leasing their software products to smaller organizations, launching a small army of new attackers. And let us not forget that the current state of the Russian economy incentivizes Russian hackers.

Ransomware attacks have been materially affecting our lives for quite some time now. If you had trouble finding cream cheese for your Christmas baking, you can thank the hackers who went after Schreiber Foods. If you’re curious about gas shortages last May, please see Paul Konikowski’s fantastic series about the Colonial Pipeline attack.

As Kate read the ransom demand out loud to Joe, their faces fell. On every company computer, every file was now inaccessible, rendered useless by the hackers’ malicious use of encryption. Without a key to decrypt them, none of their documents would open. Even worse, the hackers had downloaded copies of their most sensitive data — company financials, shop drawings, bank accounts and SSNs for their employees … the hackers had it all. It quickly dawned on them that the attackers had been silently poking around their network and files for weeks. The hackers had read their company’s financial documents in depth, enough to know just how painful a ransom to extort.

Joe and Kate were faced with a terrible choice. They could pay the ransom, a large sum of money that would cripple their company’s finances. Or, they could refuse to pay, lose all of their data, and face having their sensitive documents put on the internet for anyone to see. The ransom note itself was long and confusing, with references to something called “Tor” and payment in Bitcoin.

It was time to call in a professional.

______

Every company should fear a ransomware attack, but AV companies are in a uniquely precarious position. Our systems are closely integrated into our clients’ infrastructure and we are often privy to sensitive information. This one-two punch of trust and vulnerability makes for a tempting target. Add in many firms’ lackadaisical approach when it comes to basic cybersecurity precautions and it’s a small wonder that we don’t hear more horror stories.

“But it’s just some DSP files and control code,” you might be saying, “who cares about my documents?” This outdated way of thinking fails to recognize that even basic shop drawings contain sensitive information.

Don’t believe me? What’s something that everyone studying for their CTS needs to know how to read? A reflected ceiling plan (RCP).

Think long and hard about the companies that you do business with. Surely, there is at least one that would be … less than pleased to discover that their floor plans are now on the internet. I’ve worked jobs where it was specified that all construction drawings must be stored in a locked box at the end of each day. Companies that tightly control information about their infrastructure will have lawyers on speed dial, ready to activate them.

Along with floor plans and other schematics, most AV companies have access to a wide range of other proprietary information. Bid documents and price lists made public could sow chaos. I’ve been part of sensitive jobs where we weren’t even allowed to say that we worked on them. Even something as simple as getting the control protocols for a piece of hardware sometimes involves signing an NDA.

The biggest security liability comes into play if you’ve been lax about data security. Most people are terrible about securing sensitive information. We email passwords and share sensitive documents in plain text. We leave files containing personally identifying information (PII) on laptops and servers. There are laws and regulations around the handling of PII, but many companies either aren’t bound by them, or have lax compliance.

If your firm has been breached, the hackers can weaponize you to go after the companies that you do business with. Cached passwords or VPN information saved in plain text are all it takes for hackers to initiate a secondary attack. Let us not forget that one of the first big name data breaches, the attack that stole millions of credit card numbers from Target, started with an HVAC vendor. Personally, I try to live my life in such a way that I never have to tell a sensitive client that my login to their system has been compromised.
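The two paragraphs above describe the raw material of a secondary attack: passwords, VPN details and PII sitting in plain text in shared folders and mailboxes. The example below is added here and is not from the article. It scans text for those three categories and produces a redacted report, so a shop can find what it has left lying around before someone else does. The sample text, the category patterns and the field names are constructed for illustration.

```python
import re

# Constructed sample (not from the article): lines of the kind that end up in a
# shared folder or an e-mail export at a careless shop. The host is a reserved
# .invalid name, and the SSN is a made-up value.
SAMPLE_TEXT = """\
Subject: site access for the Tuesday commissioning visit
VPN host: vpn.example-client.invalid
username: av_contractor
password: Summer2021!
Payroll note: J. Smith SSN 123-45-6789 added to the benefits sheet
Reminder: lobby DSP firmware is due for an update
"""

# Each pattern captures the sensitive span in its last group (or the whole match).
PATTERNS = {
    "password": re.compile(r"\b(password|passwd|pwd)\s*[:=]\s*(\S+)", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "vpn_endpoint": re.compile(r"\bvpn\b.*?[:=]\s*(\S+)", re.IGNORECASE),
}


def scan_for_secrets(text):
    """Return a list of findings, one per matching line and category, with the
    sensitive span replaced by [REDACTED] so the report itself is safe to share."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            start, end = m.span(m.lastindex) if m.lastindex else m.span()
            redacted = line[:start] + "[REDACTED]" + line[end:]
            findings.append({"line": lineno, "category": category, "redacted": redacted})
    return findings


def summarize(findings):
    """Count findings per category, for a one-line status report."""
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_for_secrets(SAMPLE_TEXT)
    for f in results:
        print(f"line {f['line']:>3}  {f['category']:<13} {f['redacted']}")
    print(summarize(results))
```

Run it over exported mail, shared drives and the documents folder of every laptop that leaves the office; every hit is a credential or a record to move into a password manager or an access-controlled store. The report never contains the secret, so it can be handed to whoever owns the cleanup.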

What do you think our fictional integrator should do? Do they muster up the ransom money to save their data? Or do they stand on principle and refuse to pay up? Let us know in the comments or via social media. Stay tuned for part two of our series!