Cyber criminals have demanded nearly $500,000 ransom in bitcoin to undo computer damage they inflicted last week on Greater Morristown nonprofits, according to people close to the investigation.
“Fifteen years of data is gone. It’s like a tornado. Everything’s gone,” Vonda Givens, executive director of The Stickley Museum at Craftsman Farms in Parsippany.
Other nonprofits hit included the Shakespeare Theatre of New Jersey in Madison, where a Dec. 4 preview performance of Charles Dickens’ A Christmas Carol was canceled, and the Museum of Early Trades and Crafts, also in Madison.
These organizations were not targeted individually. The attacker struck the information technology company that provides their networking services, Morristown-based Oxford Network Solutions, and other IT companies, said Deborah Farrar Starker, executive director of the Museum of Early Trades in Crafts.
“No one is safe. These ransomware folks are one step ahead of all the IT people,” Starker said.
Reached on Monday morning, one of Oxford’s owners, Duncan Goodwin, said he was too busy with clients to discuss the matter.
“All of the techs are out on-site helping people get back on their feet,” said Goodwin, whose company website lists offices in Morristown and Richmond, Va.
Ransomware attacks don’t steal information. Rather, they render it inaccessible. By exploiting security vulnerabilities, attackers remotely insert software that encrypts data. Then they demand ransom for the digital key to decrypt the information.
At least 621 U.S. government entities, healthcare service providers and school districts, colleges and universities were affected by ransomware in the first nine months of 2019, according to Emisoft, a New Zealand-based cyber security company.
School openings were delayed in Livingston last Monday after a ransomware attack hit the district’s payroll system. Around the same time, computer systems at Hackensack Meridian Health, the state’s largest healthcare network, were plagued by “externally-driven technical issues.”
Hackensack Meridian has not disclosed if this was a ransomware attack. It’s not clear whether these incidents are connected with the ones in Greater Morristown.
Last month, Dover’s municipal computers were disrupted by ransomware called “Ryuk,” but town officials told The Star-Ledger that their IT company removed the virus without paying ransom. Union County’s employee email system also was hobbled by a cyberattack.
Authorities generally advise against paying ransom. But Newark forked over $30,000 in bitcoin “cryptocurrency” to restore city computer systems in 2017. Mayor Ras Baraka said law enforcement recommended the move to avert lengthy disruptions of government services.
Two Iranian men were indicted earlier this year in that case. They are accused of using ransomware called SamSam in “an extreme form of 21st century digital blackmail,” targeting Newark and municipal-, university- and hospital computer systems across the U.S. and Canada.
Victims paid more than $6 million in ransom, and lost more than $30 million from their inability to access data, according to the indictment. The Iranians remain at large.
NJ OFFICE OF HOMELAND SECURITY: TIPS TO REDUCE RANSOMWARE RISKS
Cracking the encryption of cyber crooks is exceedingly difficult, if not impossible, said Norman Rosenthal of Sterling Rose LLC, a Morris Township IT company helping one of the Greater Morristown nonprofits deal with the crisis.
While declining to discuss specifics of this case, Rosenthal noted that ransomware sometimes exploits programs that IT companies use to remotely access their clients’ systems.
Passwords are not enough. Without additional layers of security, he said, this software can be compromised–giving access to the bad guys.
The only rock-solid safeguard, Rosenthal said, “is making sure you have good backups, and backups for your backups,” on drives and networks not connected to your server.
‘IT HAS BEEN WONDERFUL IN SOME WAYS’
Employees at Craftsman Farms and the Museum of Early Trades and Crafts got a crash course in ransomware when they returned to work last Tuesday, after Monday’s snowstorm.
“When the power came back on and we were trying to get up and running, we just thought it was a WiFi problem,” Givens told MorristownGreen.com.
The attack “devastated our administrative record-keeping,” encrypting office computers, servers and backups, Givens told trustees and patrons in a message.
Administrative records dating to the 1990s “will remain inaccessible and encrypted for the foreseeable future,” she said.
Fortunately, credit card information and other personal identifiers were not stored on the affected systems, or on any data storage device, Givens said. And the Stickley museum shop’s computer and register were not compromised.
She is working with law enforcement and with an IT consultant, who is attempting to rebuild the office system.
Craftsman Farms was the early 20th century estate of the late designer Gustav Stickley. To keep up her spirits through this ordeal, Givens is drawing on the example of Stickley, who “prized honesty and integrity…that extended beyond design and were truly a manner of living.”
Staffers at the Museum of Early Trades and Crafts booted up their office computers last Tuesday to find “all their files were blank and encrypted,” said Deborah Starker, the executive director.
Anything stored on the museum’s network server is gone: Shared files, reports, records, grant applications and records. It will take months to rebuild this information from hard drive backups and paper documents, Starker said.
Yet things could have been worse. Starting about a year ago, the museum began moving sensitive information–its donor database, financial records, museum shop transactions–from its network server to cloud-based services.
“We’re probably in better shape than some organizations that have not backed up more frequently,” Starker said. “It’s really rough.”
Paying ransom is not an option–the demand is equal to Starker’s annual budget. Yet beefing up security also is a tricky balancing act for small nonprofits.
“More secure systems cost a lot more money,” Starker said.
It’s money these places simply don’t have, said Leslie Bensley, executive director of the Morris County Tourism Bureau.
“This is a time for benefactors, patrons, philanthropists, friends, and supporters to dig deep and support these organizations that do so much, relatively speaking, with tight budgets,” Bensley said.
She praised the tenacity of Craftsman Farms and the Museum of Early Crafts and Trades, which both participated in a weekend Holly Walk promotion, and of the Shakespeare Theatre, which pulled off a successful opening night for A Christmas Carol despite an obliterated ticketing system.
It may be another two weeks before the theater can process advance sales and offer online ticketing, said Marketing Director Jessica Damrow Sherman. For now, tickets only can be sold at the box office on the day of a show, payable by cash, check or credit card.
Rebuilding the theater’s database of patrons will take months, Sherman said. The Dickens show runs through Dec. 29, 2019.
At opening night on Saturday, Shakespeare Theatre Artistic Director Bonnie Monte searched for a silver lining to this “really terrible, threatening” ransomware attack.
In some ways, she told the big audience, it actually has been wonderful.
“When we called out to all of you to help us very quickly re-create our database to some extent, so that we could sell the show, we were flooded with an incredible response. And everybody has been incredibly thoughtful and patient and generous and kind,” Monte said.
“It absolutely exemplifies the spirit of Charles Dickens’ A Christmas Carol.”
“These ransomware folks are one step ahead of all the IT people”
This is a ridiculous sentiment. Any reasonably capable “IT people” would have put in place at a minimum a 3-2-1 backup plan. Or if they are really invested in your success and not just looking for extra billable hours they’d tell you to go with any one of the myriad of cloud services that provide backup, sync, access control, etc. for sensitive and critical data. Not to mention nonprofits can get these services at a discount or for free, so there’s really no excuses here. In this day and age, if you fall victim to a ransomware attack that results in permanent data loss because your IT vendor was not equipped to deal with such a commonplace scenario, it’s time to drop that IT vendor. Of course there is the alternative scenario where all of these organizations simply declined backup/disaster recovery services, in which case shame on them, but given the fact that a single IT services company seems to be at the center of all of this it seems unlikely.
Even if none of the data had been lost, this type of occurrence clearly indicates that data storage managed by this IT vendor is not safe. If every single byte was recovered, it’s still possible that all of it has been stolen. Personally identifiable info, payment card info, social security numbers of employees, plaintext password files (assuming worst case) to other systems that store sensitive information: all of this has been exposed to malicious code, and may have been exfiltrated at the same time that the encryption took place. Unless the IT vendor can irrefutably prove that no data exfiltration took place (unlikely), and unless contractual terms dictate otherwise, these nonprofits should be indemnified against any financial loss that has or may result from this exposure. If they aren’t, at an average cost of $150 per record lost, they may want to reassess the importance of budgeting more for IT security.
To those organizations that were affected: time to revisit those contracts and figure out how to ensure your financial security, through legal action or otherwise, to avoid any more serious fallout from this unfortunate occurrence.
“These ransomware folks are one step ahead of all the IT people” <- A talking point, but not the truth
Actually, it's the other way around. Even if you cannot defend against the attack, creating a backup system, even with cheap cloud-based services, is totally within reach of organizations of this size. If i were at these orgs, I'd be looking very carefully at my contract to see just how much I could recover from the IT company that left the door open to this attack.
And while I doubt the Stickley Farms org has a top-heavy compensation structure, there are plenty of non-profits that spend well on executive-level salaries and shortchange the rank-and-file and scoff at any IT expense beyond a few hundred dollars. The attackers know this.
I'm also a bit concerned by the PR spin – I got an email from TSNJ that claimed that because the attackers encrypted my personal information on their servers, it was "safe". Nope. Actually, it's sort of the opposite. If your IT company was compromised, and then your on-site workstations and servers were compromised, that means you were open to other attacks. The fact that the most recent attacker encrypted everything does not erase the actions of whoever may have been there before them, nor that this attacker did not grab all the subscriber and CC data BEFORE turning lose the ransomware.
I also wish the article wasn't so focused on the "impossibility" of defending against this sort of thing. Small non-profits have many affordable options, as do normal small businesses. It's a matter of whether you want to be proactive or not.
Unlike the IT vendors quoted in the article, I'll share some free professional advice from someone working in the field for more than two decades: Backups work. Offsite backups that maintain multiple copies are nearly invulnerable to this exact sort of attack. These are affordable options, and any cleanup you'd pay your IT folks to restore the data and do cleanup will absolutely dwarf a ransom demand. And lastly, don't totally give up hope – past variants of ransomware have been cracked and free data recovery tools have been released by the white hats: https://www.nomoreransom.org/en/index.html
This is an older article on the topic of how to recover from an attack, but it's still relevant and accurate:
https://krebsonsecurity.com/2016/12/before-you-pay-that-ransomware-demand/
I know some folks will blame whatever unlucky employee clicked some attachment they shouldn't have, but it's really on IT to educate users and to make it extremely difficult for people to destroy their own workstations. And in this instance, it sure sounds like poor security practices at the IT vendor are the root cause (again, speak to a lawyer – we're talking gross negligence by your vendor!).