This company was hit with ransomware, but didn't have to pay up. Here's how they did it

Cyber criminals demanded $15 million for a decryption key and sent threatening messages to staff – but this company recovered its network without paying hackers a thing.
Written by Danny Palmer, Senior Writer

There's never a good time for an organisation to fall victim to a ransomware attack, but for Matthew Day, CIO of Langs Building Supplies, a phone call on May 20, 2021 came at perhaps the worst possible time – before dawn, just as he was about to take time off for the first time in a long time.

"I was going on my holidays. But I got a phone call at four o'clock in the morning, saying basically 'I can't log in, what's going on?'" he says.

Day got up and made the 30-minute drive to his office in Brisbane, Australia, where the construction, building supplies and home-building company is based, all the while wondering what the problem could be: perhaps a hardware failure or an unplanned outage?

The answer became obvious when he arrived and tried to bring up the systems – a ransom note appeared and said: "You've been hacked."

Langs had fallen victim to Lorenz ransomware and the cyber criminals who had encrypted multiple servers and thousands of files were demanding a payment of $15 million in Bitcoin in exchange for the decryption key. Like many ransomware attacks, the cyber criminals also said they'd stolen information and threatened to leak it if the ransom wasn't paid.

"The reality is that's a pretty scary proposition – but we were quickly able to isolate the attack and disconnect it from the network," says Day.

He suspects that Langs was specifically targeted by the criminals behind the attack because of the nature of the business. At the time, the Queensland government was operating a response plan to keep the trade and construction industries in business, while much of Australia was still facing lockdown because of COVID-19. And if a building supplier like Langs was unable to do business, that could affect the whole programme for the regional construction industry.

"It's a macro-level event – it's not just limited to Langs because if we can't supply a builder their goods because we're offline, they can't build that house. That just ratchets up more pressure," he says.

Many victims of ransomware opt to pay the ransom, either because they feel they don't have any other choice or they perceive it as the easiest way to restore the network – although, even with the decryption key, it can be a long, drawn-out process.

For Langs and Day, however, paying the ransom was never an option – and they had recovery software that allowed them to analyse which data had been encrypted or modified and to restore the network from backups stored separately from the rest of the network. That restoration took a matter of hours, with minimal disruption to services.

"I was pretty confident about the data side of things – we use Rubrik. We make sure it's got multi-factor authentication (MFA) on it and doesn't have any shared credentials, so it's a walled garden," says Day. "These people immediately want to go after your backups because that ratchets up pressure, so if they can't get to your backups, you're in a good place."

But this didn't stop the cyber criminals from attempting to extort a ransom payment – they emailed all the staff at Langs, claiming they'd stolen data and threatened to sell it on the dark web if a payment wasn't received by a particular date.

While 13 gigabytes of data had left the network, it turned out to be ping traffic, so it was nothing that could pose a security or privacy risk to Langs' customers or employees. Receiving the emails was a shock to staff, but Day was able to explain the situation and reassure people that, even though the cyber criminals had contacted them, there was nothing to worry about.

"You've got to communicate with people, explain it to them. We were able to show the business that they're [the cyber criminals] playing chicken and we're not going to blink first. So we didn't pay the ransom, the day came – and nothing happened," says Day.

The investigation into the incident revealed that hackers initially gained access to the network via a phishing email. But this wasn't a run-of-the-mill basic phishing email; the attackers had done their research and sent it to a Langs employee from the legitimate email account of a real employee at a supplier that they'd already compromised.

Langs had set up allow lists to verify emails coming from known suppliers – and the attackers were able to take advantage of this. After examining the emails sent and received by the compromised account, they tailored their message to match an existing exchange, so the recipient opened it and unintentionally triggered the attack.

"They responded to an order that we had sent them in the exactly correct manner; this was a really smart play for these guys. It came from a verified account, from a person at a time and in a way that was expected by the user, my staff member, with the correct formatting and quoted the correct valid number, so it wasn't a fake account, it wasn't a spoofed account, it was the real deal," explains Day.

The email asked the user to visit a portal that looked exactly like the website of the supplier, except this one asked for a username and password – and because the victim had been duped into thinking they were responding to a message from a legitimate contact, they entered the information, inadvertently providing cyber criminals with login credentials that they exploited for initial access to the network.

But Day doesn't place blame on the user, because the sophisticated and targeted nature of the phishing email means it would be difficult for most people to identify it as a suspicious message.

"We can land planes, 99.9995% of the time, no worries, but it only takes that one decimal place to cause a massive incident, and this is no different – so I can't be too hard on my user for falling for this, because it looked legit," he says.

That initial access with legitimate credentials allowed the attackers to snoop around the network without being noticed, laying down the foundations to encrypt as much as possible before triggering the ransomware attack.

The data recovery and backup software meant that the impact of the ransomware attack was relatively mild, but it could have been much worse – and Day used the incident to examine how cybersecurity at Langs could be improved.

One of those tactics was ensuring that multi-factor authentication (MFA) was applied to a wider range of accounts. Day had previously pushed for it to be applied to users, but it was seen as a barrier to productivity. Looking back, he believes if the company had listened to his advice and applied multi-factor authentication, the attack could have been prevented from happening.

"I should have stuck to my guns more about external access and MFA. Because we've been talking about it for quite a while and I was pushing for it, but the company pushed back because it was seen as an onerous burden on the users; one more thing that they have to learn and deal with," Day says.

"If I'd had MFA, we could have stopped this particular attack in its tracks and I'm happy to say we can now have MFA on those external desktops."

The way in which the attack originated via the compromised email of a supplier has also resulted in Langs taking a more hands-on approach to the security of its supply chain, helping the suppliers and customers it deals with most to make their networks more resilient to cyberattacks.

"We don't exist in our own little bubble, our bubble has to include our customers and suppliers in that supply chain life-cycle and make sure we secure it end to end," Day explains.

Ransomware is one of the most significant cybersecurity threats facing businesses today, but even when organisations successfully fight off a ransomware attack without paying a ransom to cyber criminals, few are willing to talk about what happened. So, why is Day willing to speak about it when so few others are?

"Talking about it is a bit of an 'up yours' thing. I also want to empower other people to speak out about these things. If I speak about it, nothing bad happens – it just encourages other people to do it," he says.

Day hopes speaking about the incident, how it happened and what was learned can help other businesses defend against ransomware, and crucially, help them persuade boardrooms about the importance of taking cybersecurity threats seriously.

"If, by coming forward and talking about these things, I encourage another CIO, IT manager or IT professional to go and have a conversation about how to protect their data, how they handle data governance, or cybersecurity planning and processes, so that they can protect the livelihoods of their employees and their colleagues, it feels better," he says.
