The FBI Notifies an AVATAR Client of a Pending Cybersecurity Attack
Have you ever been contacted by the FBI?
The FBI contacted an AVATAR client to let them know that their credentials were for sale on the dark web. AVATAR had recently performed an overall technical assessment for our client, resulting in some recommendations designed to reduce their general cybersecurity risks. However, the company had not experienced a network penetration before (to their knowledge), and as a small business, they felt that the incremental investment was not sufficiently urgent. So, they chose to hold off on making the required changes and using the recommended tools.
Of course, business leaders make reasonable expense trade-offs all the time in light of their past experience. But, with the escalation of hacking attempts, ransomware, and social engineering to penetrate company networks, effective cybersecurity prevention is now highly critical, even for small businesses. In this particular situation, the attack occurred fairly soon after the decision to hold off on the expenditure.
Now, in our experience, getting a notification directly from the FBI is extremely rare. We can’t know how it was that the FBI came across their information and the posting, but it was indeed fortunate that the FBI caught it and reached out and notified our client directly. They were also lucky that they read the FBI email and took it seriously. If you got a message from the FBI via email, would you think it was real? Or, would you believe the email itself was just another phishing attempt?
The problem faced by our client’s management was that even after being notified, they could not be sure whether the credentials had ever been sold and used by other hackers. They could not be immediately sure whether another hacker had gotten in or placed a hidden piece of ransomware on their system. If that happened, ransomware software might eventually shut their business down weeks or months later, encrypt their mission-critical data, and ask for a payment of hundreds of thousands of dollars in bitcoin to unencrypt their critical information.
Although we’ve never heard from the FBI in the past, we regularly run across hesitancy from small business owners to invest in security protections. The situation is a bit like when you purchase a new car and decide whether or not to buy the extended warranty. If you never have a significant repair or defective component, you feel like you never got the value from that extended warranty. But the moment that your transmission or hybrid battery fails, that investment looks to be very small in retrospect.
The facts prove that a ransomware attack is probably going to cost your business far more than you think. The report “The State Of Ransomware 2020” by Sophos outlines that of 5000 IT managers surveyed, 37% suffered a Ransomware attack in the past year, and 54% of those attacks succeeded in encrypting critical information. The average ransom paid by mid-size businesses to unencrypt their information was over $ 174,000. And that cost fails to account for the productivity loss and remediation costs, which can be extremely high. Whether or not the actual ransomware encryption ever occurs, and whether or not you pay, many other internal costs result.
For example, in the case of our client, even though the FBI notified the company of the pending credential sale right away, there were still significant costs involved. When we learned of the attack, we immediately cut off all access to the company network from outside in. We started trying to see who might have had access. But with no timestamps and no username, there was no insight about whose account might have been used to gain the access. We scanned all the servers to ensure there weren’t any remnants of ransomware and then put our security tools onto their IT infrastructure (the ones they had previously opted out of due to cost). New network security systems such as modern VPNs needed to be added. Additional network testing needed to be done. While this was all happening, external communications were limited, employees lacked access to important information, and productivity suffered. And keep in mind – this resulted from what appears to be a failed attack!
Because the tools had not been in place at the attack time, we could not easily trace what occurred. So we manually went through every system. Fortunately, we could find no apparent malware/ransomware software on their servers and computers. Once we knew that, recovery was straightforward. Although we could not verify whether someone had used the purchased credentials, we did not find that anyone had put anything onto their servers. But to be completely transparent, even the best tools, the most detailed analysis, and tracking can sometimes miss sophisticated software programs that lie dormant. Technology providers and service providers are in a constant battle against increasingly sophisticated hackers. So even we can’t be 100% sure that something won’t trigger down the road. For this reason, the need for taking all precautions up-front is genuinely urgent.
In retrospect, it’s essential to understand the relative cost trade-offs. Each company and every situation will be different. However, implementing cybersecurity best practices, 24/7/365 security monitoring, and defensive and offensive security tools such as Security Operation Center (SOC), Multifactor Authentication (MFA), Next-Generation Firewall, and Next-Generation Antivirus, might cost an additional 30% above what the typical IT service provider might otherwise charge per each of your employees. But, each successful attack will create productivity losses, potential ransom payments, and the costs of remediation that are likely to be in the hundreds of thousands of dollars — even for small businesses. In our client’s case, the FBI’s timely intervention seems to have prevented hackers from wreaking further havoc.
Today, our client has now upgraded firewalls, improved email security, and has implemented The AVATAR Advantage Program which includes a pragmatic security tool stack. Everybody is directly connecting remotely into their network via upgraded VPNs with multifactor authentication. We’re now helping them implement best practices across the company for managing credentials and minimizing their security risks. The cyberattack on our client did not happen because they did not budget for the recommended tools. Criminals don’t care – every company is a target. Our client simply made what they believed to be a rational business decision of spending based upon their experience. Unfortunately, the world has changed very quickly in this area, and your experience and history could be leading you to choices that put you and your employees at more risk than what you believe. This isn’t about Avatar trying to sell fancy tech, or increase the cost of doing business. This is a genuine, serious, and ever-increasing risk to all of us that sophisticated criminals are driving. There is no longer a question about whether you will experience some attempt at network penetration or some ransomware attack. It is just a question of when. By being prepared with the proper tools and procedures in place, you will increase the likelihood of getting an immediate notification when it happens. And, even if the penetration attempt has initial success, you will likely be able to immediately and automatically isolate the issue and track it to stop proliferation before it’s too late.