See It In The Eyes – Ransomware Attack Case Study

Table of Contents

For anyone who thinks that cyber protection is being overblown by security firms who have a vested interest in offering their services and products, it might be instructive to take a close look at what happened in the recent ‘See it in the Eyes’ Ransomware attack. When the attack occurred, it took approximately 16 hours to detect it, and it involved the Phobos Ransomware, aka Eight Virus. The victim, a jewelry company was unable to open their business the next day following the attack. All servers with files, emails, and databases were encrypted.

By the time a resolution had been reached, 71 days passed, and it cost the owners $25,000 to rebuild the entire digital presence, the virtual servers, and the applications that used to process in-store and e-commerce orders. An estimate of $275,000 was paid out as soft costs, and $25,000 was paid directly to the attackers. Making matters worse, the backups for the applications and data were also encrypted because they were not stored offsite for safety, but on the same system as the business-critical files.

Many people also have come to believe that Cyberattackers primarily target big corporations, because of the potential for big money being paid out. This example should totally refute that kind of thinking, because the targeted company was a small jewelry store in Georgia, with only Thirty employees. The company was targeted because its cybersecurity measures were inadequate, as can be seen by the fact that backups were located on-site and on the same network as the primary data and networking misconfiguration.

Cybercriminals take great delight in attacking small businesses, simply because there are so many of them, and because so many of them take Cybersecurity too lightly, by saying What are the chances we will suffer such an attack – we are too small, who cares about our data? The truth is, no one is immune from Cyberattacks, and every company that has any assets at all is subject to attack. In the case of the Georgia jewelry store, the one thing they did right was to purchase cybersecurity insurance, which meant that the insurance company ended up bearing the brunt of the financial cost.

About The Ransomware

The Phobos Ransomware is not new, and it appends segments onto your file names making them totally unrecognizable to any operating system. The appended segments include the file’s original name, your company ID (so they know who they attacked), an email address you can use to contact them, and the word ‘EIGHT’ (hence the virus name). Even if you could rename the file to make it recognizable, you wouldn’t be able to read the data, because it has been encrypted and made unreadable. At the present time, there are no effective decryption tools available that could help with data recovery, and for this reason, you are literally at the mercy of the Cybercriminal.

This Ransomware was totally effective in disrupting the business, and besides the money paid directly to the attackers, and the cost to rebuild the entire infrastructure, there was an additional ‘soft cost’ of $275,000. This was the amount of money that had to be paid to employees during the 71 days the business was down, and unable to bring in any earnings. Of course, the company was obliged to shut down during that entire period, because it had no inventory data to draw on, and no way to record sales.

Timeline Of The Attack

The attack occurred on a Sunday at 6:45 on the evening of April 10, 2022, when the store was closed. The servers were completely unprotected and vulnerable to attack. The encryption was carried out overnight, and by Monday morning, the IT manager called in to report a blue screen on the VM host, which led her to think there was a problem with the operating system. They contacted 2Secure Corp, which had previously helped them migrate their email system to a current system, and described the issue.

All workstations were affected, as well as the virtual host server and the Network-Attached Server (NAS). Action taken by 2Secure Corp was to reinstall Windows in the hope of recovering access to the servers. By Monday afternoon, it was apparent that the client should contact their insurance company, as well as the FBI to begin an investigation into what was happening. On Tuesday, recovery was started by the Forensic company by shipping drives and software utility to image the servers and start analyzing the cause of the breach.

All servers were imaged and the images were shipped back to the forensic company headquarters for further analysis. On Wednesday, a temporary email Microsoft Exchange was set, up so the victimized company could have some communication with clients and business associates. It took until June 23rd before the company had recovered to the point where they once again had a fully functioning system and could carry on business as usual.

However, even then all was not normal, because, during the 71-day period of recovery, the company\’s website suffered an attack and was significantly defaced. Clearly, the website also lacked adequate protection from Cyberattacks and was just as vulnerable as the host network for the business. When files were recovered, it was also found that many emails had been corrupted and had Malware included in them which could be capable of launching a secondary attack. All these were successfully removed, and any further disaster was thus thwarted.

So how did the Phobos Ransomware enter the victim’s system? Eventually, it was discovered that an improperly configured firewall left a port open to attack, and this provided the entry point for the Ransomware to penetrate the system. The firewall had actually been configured with security in mind, and some of the ports were changed so as to thwart a Cyberattack. But Cybercriminals are much more persistent than to skip over a firewall which has unconventional port assignments.

They will go through the entire port range until they find something that appears vulnerable, and that is exactly what happened in the case of the firewall for the jewelry store. This should point up the fact that nothing and no one is immune from attack, because any really committed Cybercriminal will keep working until they find a way to breach your system. The fact that saves most companies is that cybercriminals just haven’t heard about you yet, and haven’t focused on carrying out any attack on your system.

The Lingering Damage

Any business large or small, which is forced to shut down for over two months will suffer serious financial loss. In addition, any breach like this quickly becomes public knowledge and results in a loss of confidence in the company that was attacked. Casual observers feel that the company lacks adequate security measures, and are hesitant to do business with them. That loss of confidence translates to ongoing loss of business for a company because customers prefer to patronize more secure companies.

No one wants to have their personal data exposed to Cybercriminals because they fear that they could become the next victims. Suppliers and vendors are also hesitant to resume business relationships, knowing that you have just suffered a major security breach and that they could be indirectly affected somehow. Most companies that are victims of attack take quite a while before they fully recover, and regain the confidence of clients, vendors, and other business associates. The cost of suffering a Ransomware attack actually goes far beyond the monetary amount the company is obliged to pay out but can continue on into the future like a ripple effect.

Backups, Backups, Backups

The Georgia jewelry store attacked by the Phobos Ransomware could have avoided all this heartache and financial damage by simply having adequate backups prepared of their data and virtual servers. It doesn’t matter whether you have backups stored offsite or on the cloud, it’s just absolutely essential to have backups you can resort to if someone should hijack your business-critical data and hold it for ransom. If you are still using tape backups, keep in mind that damage can occur to the magnetic component of tapes over time, so they will need to be replaced at least annually. In addition, it will take a longer time to restore the data of the tapes as well as the backup procedure. If your backups are on the cloud, you don’t have to worry about that, but then you must worry about …

And if you don’t think the cloud is a safe place for backups, yes, the cloud is not safe as well because the vendor you are using is also can be breached and we have plenty of stories to prove that. It’s good to remember that there is no security protection system that can give you complete protection against Cyberattacks. And if you don’t even have modern, updated security in place, you’re just asking for an attack.

Another good step to take to protect your small business is to acquire insurance against attack. In the event you are attacked, you\’ll definitely have to pay a higher premium afterward, because you demonstrated that your security could be breached. However, the increased cost of premiums is well worth it, so you don’t end up bearing the entire financial cost of damages yourself.

The Georgia jewelry store could have faced financial ruin if they hadn’t taken the step of purchasing cybersecurity insurance beforehand. They managed to avert total disaster because they didn’t have to pay all those costs mentioned above on their own. Whatever the cost of insurance, backups, and security measures, it will always be far less than what it would cost if your company is obliged to close its doors forever.

Share this article with a friend

Create an account to access this functionality.
Discover the advantages