One of the ways we help business owners wake up to the current realities of cybercrime is by sharing real-life stories. We recently had the chance to sit down with GroupSense CEO & Co-Founder Kurtis Minder to hear some of those stories. Kurtis and his team have hundreds of cases they’ve dealt with, many with Kurtis leading the negotiating team.
You Can’t Always Google Everything
One story Kurtis shared was about a small Midwestern architectural firm that got hit over a holiday period. Their data was encrypted and the backups destroyed.
An architectural firm’s IP is crucial. Think of all the drawings and blueprints, not just for current projects but for those going back decades. These documents are referenced for years and relate to vital infrastructure such as roads, bridges and buildings, not things you want to lose the plans to.
If that wasn’t bad enough, all the machines were encrypted, so they couldn’t use any of their software to do the current work. Everything was at a standstill.
Kurtis noted that he and his team did not actually get the first call. The firm googled the name of the ransomware variant, along with, “How to destroy X.” But just as legitimate businesses pay for Google Ads to get listed at the top of a search, so too do illegitimate companies. They count on a portion of business owners looking for an online DIY fix to their ransomware attack.
Unfortunately, the architectural firm was just headed for the second round. The criminals behind the Google ad promised to “decrypt” the ransomware, but they were middlemen. Using the ransom note, which the architectural firm happily handed over without considering why that note would be necessary for decryption, these criminals then went onto the dark web. There, they found the original perpetrators and put themselves forward as the victims looking for the decryption key.
A standard operating procedure for ransomware attacks is that the threat actor then decrypts a small amount of the data to show the victim that they are capable of reversing the damage of the original attack. This can move the victim to pay the ransom. In this case, the ‘Google criminal,’ acting as the real victim, paid for this “mini decrypt” to give the architectural firm some hope. They then acted as a middleman, marking up their cost by 80%. They billed the architectural firm and received payment. These new criminals then disappeared. That’s when Kurtis and his team got the call.
Having been burned twice, and with a price for the ransomware decrypt already set by the middlemen criminals, the architectural firm chose an alternate route. They went to their email inboxes and found as many files as possible, then emailed them to each other to rebuild their database, which they restored almost in full.
What Businesses Should Do
Kurtis concedes that most 30-person small businesses are unlikely to have a cyber expert on staff and even if they wanted to have one, there wouldn’t be a supply for such a demand.
However, when Kurtis speaks to business owners around the country, the response he often gets is, “Wow, that’s scary, but that’s not going to happen to me.” Wrong. More than 80% of ransomware attacks happen to small businesses and those are just the ones that get the headlines. Many attacks happen around us that never make the news.
Make a Plan
When they do get convinced, however, some of these businesses tend to go overboard, wanting to create a cyber risk assessment that covers every possible contingency. “Don’t let perfect be the enemy of good,” Kurtis warns. Put something basic in place, and of course, when you have it, print it out so it can’t get encrypted and become useless in the case of an attack.
Sweat the Small Stuff
One of the reasons business owners procrastinate over protective measures for their businesses is the thought that it will take time and money to implement them. But this is a misperception.
Kurtis encourages business owners to look at the example of the criminal using Google Ads to ensnare victims. Those criminals are using tried-and-tested practices of advertising to small businesses.
Many of these threat actors are small shops with limited teams and infrastructure. Only a few of them are part of the giant syndicates that make the news. Hence, they go for low-hanging fruit, which in this case consists of companies that don’t follow basic best practices in cybersecurity. This includes:
Basic password policies: not permitting “password1234” and other lazy choices, and insisting on forced changes more than once a year.
Software patches: ensuring that all devices accessing company information and resources are updated to the latest software.
MFA: ensuring that users are forced (whether they like it or not) to use multi-factor authentication to ensure the identity of those accessing company resources such as email accounts and databases.
Offsite storage: ensuring backups exist that are disconnected from your regular resources, so if those regular resources go down, you can still access the backups.
Believe it or not, most of these small businesses get attacked through one of these avenues, leaving them with the “If only I had done X” feeling.
If companies can’t have a cyber expert on staff, the least they can do is take the basic steps that any cyber expert would if they were on staff: fix passwords, patch software and implement MFA.
Kurtis does lots of public speaking so if you know anyone who could benefit from hearing this information, you can book him here.
If the worst happens, you’re going to want the best financial, legal, and technical support to get you back up and running again. With cyber insurance from DataStream, we find the most comprehensive insurance coverage on the market alongside critical post-incident customer support.
Click here to learn more about how we can help secure your business data!