
Top 10 Things I Learned When My Home Office Got Hit with Ransomware

Posted on 09/24/2021 12:00 am / September 2021

I never thought that my little company, EEO Consulting, would have anything in common with Colonial Pipeline, but we both were hit with ransomware in 2021. My home office, with three computers, two remote employees and one server, got hit. So, if we got hit, really anyone can get hit. On that note I want to share what I learned in hopes of saving even one person from my nightmare, although I’ll be the first to admit there were several silver linings.

  1. Encryption: I learned that just because we could not access our files, it did not automatically mean the kidnappers accessed our files. I have taken to calling the unknown criminals who accessed my system “kidnappers”; after all, they left a ransom note. But the reality is the specific tools they used were only intended to lock my system. I have learned that some encryption malware, such as the 2016 Tarocrypt malware they used, does not have “exfiltration” capabilities. Even though I could not access my data once my server was encrypted, neither could my kidnappers. The key takeaway here is: call your IT folks first! A prompt response puts the kidnappers at a disadvantage. That includes advice like “unplug everything right now!”.
      
  2. Ransom Notes: I learned there are two types of ransom notes: notes that include your data, and notes that don’t. The electronic ransom note said they would “put my data on the dark web” if we did not pay up. It said to send them three files so that they could prove they had the decryption code. Now, hold that thought. If they kidnapped my baby, why did they need me to send them a picture of her – right? That’s not the way kidnapping works! The types of ransomware that steal your data typically come with a note that proves they have your data and states, “we have these files – would you like the rest of your files?” Eventually the kidnappers would ask for 0.3 bitcoins, which was over $11,000. We did not pay it. They also asked me not to be mad at them, that they were just doing their job! We are still mad, really mad. Apparently, there are rooms full of these folks trying to hack into home computers. And, according to recent statistics, they are getting into one network about every 11 seconds. Key takeaway: your home office is not too small to get a ransom note.
      
  3. FBI: I learned how to fill out an IC3 form. I tried to call the FBI, but there was no way to get to a person until I completed an Internet Crime report, IC3, online. I was told I would never hear from the FBI, but I sure did. I thought they would take over the negotiations with the kidnappers, but they sure didn’t! Once I sent the agent the ransom note, she said it “was not a credible threat”, and that they would not open a file. They knew it was a bluff when the kidnappers did not attach a file. The FBI’s advice was not to email them, and certainly not to pay the ransom; however, if we got the wallet number or the variant type, we were to let them know. Two days later, we had both. The agent also advised me to search the internet for an IT Forensic Specialist near me, like looking for a Chinese restaurant. Eventually, we were also able to provide the FBI with coding script left behind by the kidnappers. Although it was too late to help us, the FBI said that all of our information “would be used as the baseline for their protocols on this malware for future investigations”. So, that was pretty cool. Plus, I got to say “I’ve got to go, the FBI is on the other line” a couple of times. That was cool too. Key takeaway: If you have to fill out an IC3 and you don’t know the ransom amount yet, just guess. The FBI will not talk to you until they get your IC3 form.
      
  4. Security Incidents vs Data Breach: I learned there’s a big difference; HUGE! Being hit with ransomware is a major event, but it is a security incident until there is evidence of a data breach, which has all sorts of legal implications. I was fortunate to have my network of HR clients who led me to their cyber security and data privacy experts. They explained what I needed to know in terms I could understand. Before you knew it, I could talk to CIOs without getting my IT guy on the line. They explained that what happened in our office was most likely not a data breach; we just had to prove it. Every effort you make to keep a security incident from becoming a data breach is worth its weight in gold. Saving a little money on hardware or software because you don’t think your home office will get hit is not a good business decision, not in today’s environment. Key Takeaway: Listen to your IT folks; buy the good stuff.
      
  5. IT Forensic Companies: I learned that all of my grandchildren should pursue jobs as IT Forensic Private Investigators. Two companies would not come to my home office without a $10,000 retainer, even though they stated it would only take 7-8 hours. I also learned it’s best to get a team: a data privacy attorney and an IT forensic company who can work together to protect your interests. After making more than a few calls, I found both services locally and will highly recommend them should you need their names. The IT Forensic company can tell you important information, which may include how the kidnappers got in, how long they were there, if they used software like Excel or Word, and most importantly – whether or not they “exfiltrated” or “accessed” any data files. Key Takeaway: Make sure your legal counsel and IT forensic company work together.
      
  6. PII: I learned all 50 states plus DC have different regulations on what constitutes Personally Identifiable Information (PII) and required notifications. My worst-case scenario was the mere thought of paying for theft protection for thousands of people even though we don’t maintain social security numbers, home addresses or email addresses. We write affirmative action programs, so the only PII we maintain is birthdates. I was stunned to discover even a disability column with yes/no could be considered health information! I also learned it’s not about where I do business, but where the employees of my clients reside, which we don’t always know since we only track recruiting areas. As you consider your data security, since more of your employees work from home now, it is very likely you could find yourself researching the laws of nearly every state in the country. Fortunately for us, we do not cover international employees. I can’t even imagine going down that road. While we waited for the IT Forensic company to finish the autopsy (and I imagined Abby from NCIS was analyzing my server), my attorney asked me for a list of the states we cover and the number of employees in each state, since each state has different thresholds depending on the PII that was accessed. Fortunately, my attorney had knowledge and experience with security incidents and data breaches. It’s a daunting task, and timing is critical. We were prepared in the event that we needed to notify our clients, their employees, state Attorneys General, or credit reporting companies. I’m grateful that my worst-case scenario was not where we landed, but we were ready.
      
    Two weeks before my incident, I was notified of a ransomware attack at a client through an offer to pay for identity theft protection, since they pay me and have my social security number. I’m guessing you have received one of those over the last few years. Don’t be in a position to have to send those letters. Three Key Takeaways on PII: #1: Don’t get data you don’t need; we need age, not DOB. #2: Archive old data; they can’t get to the data files you don’t keep. #3: Learn the legal obligations of the states where your employees reside before you have a data breach.
      
  7. VPN: I learned all about Virtual Private Networks. If you have a home office and you have anyone, yourself or your employees, using remote access, you need a router with VPN. And that’s not even enough. If you are working remotely and you leave to get your kids from school or run an errand, the hackers can get in. There are rooms full of these criminals just trying to find an open port. You hear a lot about phishing emails, but that’s not the only way they get in. Huge takeaway here: check your router.
      
  8. Multi-factor Authentication (MFA): I learned about a free remote access app for businesses with fewer than 10 users – Duo Mobile. I got so much free advice from my clients, but that was one of the best. I only have two employees! The Duo Mobile app we use now uses QR codes (scantrons). My employees capture it on their phone and get a code to put into their remote access login to gain access to the server. And when they leave, they log out! I’m sure this is standard for larger companies. Now it’s standard for both of my employees in my little home office. Key takeaway: Always use MFA!
      
  9. Insurance Policies: I learned the difference between Errors and Omissions Professional Liability Insurance and Cyber Security Insurance. If you have cyber security insurance, there’s a good chance they will set you up with an attorney and IT forensic company who will swoop in and assess the situation in a few days. So, call them right away. Also, if you have cyber security insurance and you take all of the steps they recommend, there’s a decent chance you won’t have an issue in the first place. Apparently, there are lots of loopholes in those policies. So read your policy carefully to ensure you are not paying a premium for coverage you won’t be able to use because you were not following the policy rules and instructions. It’s really just a matter of time before everyone gets hit. There’s plenty of anti-virus software out there. Not so much anti-ransomware. Key Takeaway: If you don’t have cyber security insurance, get some.
      
  10. Passwords: I learned they are more important than ever. The fact that we encrypt our employee data files with passwords, even short passwords, was a key point in our favor through the process of deciding if notifications were required. More advice included making passwords 12 characters in length, all four types every time. To make them even safer, replace a letter with a character (a = @). Plus, don’t use the company name, and don’t have any files called “password” (it seems obvious, but you know you do it). There are password apps out there if that’s your thing. And you can go old school with alphabetical password books. But the best advice we got was to use password phrases! So, we are rolling out a new protocol to “Make Passwords Great Again” to keep our clients’ data safer than ever. This has allowed us to learn even more about our clients: their favorite animals, pets’ names, company slogans, product names, etc. If we hadn’t started asking our clients about their favorite animals, we would have never known that one of our clients moved from Colorado to Hawaii to train dolphins! And we would have never watched a video on pink fairy armadillos; they are too cute! We’ve gone from boring passwords to ones that make us, and our clients, smile. Key takeaway: Use Password Phrases.
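The password rules from item 10 (at least 12 characters, all four character types, no company name, and the a = @ style substitution), turned into a small checker. This is an added example written for this page, not code from EEO Consulting; the function name, the rule messages and the sample passwords are all assumed.

```python
import re
import string

# Minimum length the article's advisers recommended.
MIN_LENGTH = 12

# The "four types": lowercase, uppercase, digits and symbols.
CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Common letter-for-symbol swaps (the article's "a = @"), undone before the
# company-name check so that "EEO-C0nsult1ng" is still recognised as the name.
_LEET_TO_LETTER = str.maketrans({
    "@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
    "3": "e", "$": "s", "5": "s", "7": "t",
})


def _normalize(text: str) -> str:
    """Lowercase, undo leet substitutions and drop spaces/punctuation."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_LEET_TO_LETTER))


def check_password_policy(candidate: str, company_name: str) -> list:
    """Return the list of rule violations; an empty list means the password passes.

    Rules are the ones stated in the article: 12+ characters, all four
    character classes present, and the company name (even disguised with
    substitutions, spacing or hyphens) must not appear in the password.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = set(candidate)
    for class_name, members in CHARACTER_CLASSES.items():
        if not present & members:
            problems.append(f"missing {class_name} character")
    name = _normalize(company_name)
    if name and name in _normalize(candidate):
        problems.append("contains the company name")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for pw in ("Pink fairy armadillo 2021!", "EEO-C0nsult1ng!", "p@ssword"):
        print(repr(pw), "->", check_password_policy(pw, "EEO Consulting") or "OK")
```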


I mentioned silver linings at the start. Knowing how to protect my business and clients from future security incidents is a huge silver lining. I hope what I have shared helps you in some small way. Above all else, I learned the importance of maintaining good business relationships. After I called my IT guy and the FBI, I called my HR clients. I needed help and they delivered. They surrounded me with their in-house legal and IT experts, who were smart and kind and pointed me in the direction of the local experts I could afford. Because of my HR clients, I was able to sleep at night. So, check your router, use password phrases, get cyber security insurance, and be kind to each other always, but especially in times of crisis.


Judy Julius
EEO Consulting, LLC