There are few things in the cyber security world that capture public attention quite like a ransomware attack. Whether it’s Maersk in 2017, Travelex in 2019, Colonial Pipeline in 2020, or Royal Mail in 2023, a big brand being undone by sub-par security and massive ransomware demands makes for a compelling story. The stated costs for all of these is in the millions of dollars.
This leads people to think that only the biggest organizations with multi-million dollar annual revenues are targets for ransomware attacks. The reality, however, is that any business of any size can be a victim and for those smaller victims that don’t make the news, the effects can be far more devastating.
This is a tale of two ransomware attacks, one that cost the victim $72.6 million and one that cost the victim everything.
Attempted extortion in Oslo
At 4.00am on 19 March 2019, Torstein Gimnes Are received the call that all information security professionals fear.
“I received a call from one of my colleagues in aluminium metal telling me that they observed strange behavior in the IT systems in the plant,” the Norsk Hydro CISO explains in the second episode of Sophos’ three-part video series Think you know ransomware?, Hunters and Hunted.
This was the beginning of a ransomware attack on one of the world’s biggest aluminum and renewable energy companies.
“The whole plant was attacked at the same time, both the steering panels [for the machinery]... went black, so you had nothing to turn the production after,” explains Olav Schulstad, production manager for Norsk Hydro.
In total around 25,000 PCs and 4,000 servers were infected by the ransomware. A note from the attackers read “Greetings! There was a significant flaw in the security system of your company.” Tauntingly, the attackers continued: “You should be thankful that the flaw was exploited by serious people and not some rookies who would have damaged all your data by mistake or for fun.”
A ransom was demanded in Bitcoin with a warning that the longer the company took to pay up, the more expensive it would become.
According to BBC reporter Joe Tidy, the ransom was the equivalent of about $200,000 and could probably have been negotiated down. Norsk Hydro, however, made a more principled decision and didn’t engage with the attackers at all.
“It took all together about six to eight months before we were back into a fully normal situation,” says Halvor Molland, senior VP of group communication at Norsk Hydro.
“If you look at the total cost summarized after the 2019 attack, it amounted to 800 million Norwegian kroner ($72.6 million),” says Are. “We also had cyber insurance which covered €75 million ($80 million).”
An existential crisis in California
The impact of the Norsk Hydro attack shouldn’t be minimized, but the company was so big, and so well insured, it was able to resist the cyber criminals and return to operations without paying.
The same can’t be said for Shayla Kasel.
Kasel graduated in medicine from the University of California in the 1990s and decided to go into family medicine. “It definitely gives you a perspective into how wonderful people are,” she says. Eventually she set up her own practice in Simi Valley, California.
One morning, however, all that changed.
“The ransomware attack encrypted 20 years of patient medical records, my scheduling system, so I truly had no idea who was going to be coming into the office. I was floored,” Kasel says.
As with many smaller businesses, prior to the attack on her practice she thought that ransomware gangs only targeted large entities like cities or big hospitals.
“Nope, they go after everybody,” she says.
As Jonathan Storfer, director of commercial sales at Redwood Software explains, businesses struck by an attack have a choice to make: Can they afford not to pay the ransom?
“‘If we lose all of our data right now, how much does that cost us and is that more or less money than what we would have to pay?’ And that’s just a simple math game, that’s the Excel spreadsheet,” he says. There’s another group, however, for which this math doesn’t add up.
“A lot of the people who can't afford great cyber security are small independent businesses that an impact like that would cripple their business.”
This was the situation Kasel found herself in.
“I thought I had done everything right to protect myself, but all it takes is one employee having an email that’s infected infecting your system,” she adds. “You just don’t realize that it can happen to you.”
Unable to pay the ransom or take the financial hit of restoring from backups, she was forced to close her surgery.
“I’m not that old and I’m not at retirement age yet and I wasn’t ready to retire,” says Kasel. “After the initial shock of having to go through this, it was quite an ordeal, and part of the reason that I’m sharing my story is that I think it’s really important for other physicians to know this is a possibility – this can happen – and [to] protect themselves against the bad actors that are out there.”
The ransomware lifestyle
For the bad actors, it doesn’t really matter who they harm. Their objective is to extort as much money as they can from as many people and organizations as is possible – big or small – in order to fund their increasingly lavish lifestyles.
“I made, like, $200,000 in one day,” says Peter Levashov, a former spam and botnet master turned author. Considered one of the world’s most prolific spammers, according to Radio Free Europe, he was extradited from Spain to the USA in 2017 and ultimately convicted of four counts of computer-related criminal activities.
Levashov notes that, while in Russia, he operated openly and claims not to have realized his behavior was criminal. Some other members of ransomware gangs are even more brazen. “There are videos of [cyber criminals] driving supercars, with their pet tigers. Their number plates even translate to ‘thief’,” says Peter MacKenzie, director of incident response at Sophos.
“They’re not going to give up the lifestyle that they’ve grown accustomed to,” adds Tom Kellerman, head of cyber security strategy at VMware. “They’ll go down burning before they give it up.”
This is the second in a series of three articles based on the Think you know ransomware? documentary series by Sophos. To watch the whole episode Hunters and Hunted and learn more about how businesses can protect themselves from ransomware, click here.
