Cyber criminals have demanded nearly $500,000 ransom in bitcoin to undo computer damage they inflicted last week on Greater Morristown nonprofits, according to people close to the investigation.
“Fifteen years of data is gone. It’s like a tornado. Everything’s gone,” said Vonda Givens, executive director of The Stickley Museum at Craftsman Farms in Parsippany.
Other nonprofits hit included the Shakespeare Theatre of New Jersey in Madison, where a Dec. 4 preview performance of Charles Dickens’ A Christmas Carol was canceled, and the Museum of Early Trades and Crafts, also in Madison.
These organizations were not targeted individually. The attacker struck the information technology company that provides their networking services, Morristown-based Oxford Network Solutions, and other IT companies, said Deborah Farrar Starker, executive director of the Museum of Early Trades and Crafts.
“No one is safe. These ransomware folks are one step ahead of all the IT people,” Starker said.
Reached on Monday morning, one of Oxford’s owners, Duncan Goodwin, said he was too busy with clients to discuss the matter.
“All of the techs are out on-site helping people get back on their feet,” said Goodwin, whose company website lists offices in Morristown and Richmond, Va.
Ransomware attacks don’t steal information. Rather, they render it inaccessible. By exploiting security vulnerabilities, attackers remotely insert software that encrypts data. Then they demand ransom for the digital key to decrypt the information.
At least 621 U.S. government entities, healthcare service providers and school districts, colleges and universities were affected by ransomware in the first nine months of 2019, according to Emsisoft, a New Zealand-based cyber security company.
School openings were delayed in Livingston last Monday after a ransomware attack hit the district’s payroll system. Around the same time, computer systems at Hackensack Meridian Health, the state’s largest healthcare network, were plagued by “externally-driven technical issues.”
Hackensack Meridian has not disclosed if this was a ransomware attack. It’s not clear whether these incidents are connected with the ones in Greater Morristown.
Last month, Dover’s municipal computers were disrupted by ransomware called “Ryuk,” but town officials told The Star-Ledger that their IT company removed the virus without paying ransom. Union County’s employee email system also was hobbled by a cyberattack.
Authorities generally advise against paying ransom. But Newark forked over $30,000 in bitcoin “cryptocurrency” to restore city computer systems in 2017. Mayor Ras Baraka said law enforcement recommended the move to avert lengthy disruptions of government services.
Two Iranian men were indicted earlier this year in that case. They are accused of using ransomware called SamSam in “an extreme form of 21st century digital blackmail,” targeting Newark and municipal, university and hospital computer systems across the U.S. and Canada.
Victims paid more than $6 million in ransom, and lost more than $30 million from their inability to access data, according to the indictment. The Iranians remain at large.
Cracking the encryption of cyber crooks is exceedingly difficult, if not impossible, said Norman Rosenthal of Sterling Rose LLC, a Morris Township IT company helping one of the Greater Morristown nonprofits deal with the crisis.
While declining to discuss specifics of this case, Rosenthal noted that ransomware sometimes exploits programs that IT companies use to remotely access their clients’ systems.
Passwords are not enough. Without additional layers of security, he said, this software can be compromised–giving access to the bad guys.
The only rock-solid safeguard, Rosenthal said, “is making sure you have good backups, and backups for your backups,” on drives and networks not connected to your server.
‘IT HAS BEEN WONDERFUL IN SOME WAYS’
Employees at Craftsman Farms and the Museum of Early Trades and Crafts got a crash course in ransomware when they returned to work last Tuesday, after Monday’s snowstorm.
“When the power came back on and we were trying to get up and running, we just thought it was a WiFi problem,” Givens told MorristownGreen.com.
The attack “devastated our administrative record-keeping,” encrypting office computers, servers and backups, Givens told trustees and patrons in a message.
Administrative records dating to the 1990s “will remain inaccessible and encrypted for the foreseeable future,” she said.
Fortunately, credit card information and other personal identifiers were not stored on the affected systems, or on any data storage device, Givens said. And the Stickley museum shop’s computer and register were not compromised.
She is working with law enforcement and with an IT consultant, who is attempting to rebuild the office system.
Craftsman Farms was the early 20th century estate of the late designer Gustav Stickley. To keep up her spirits through this ordeal, Givens is drawing on the example of Stickley, who “prized honesty and integrity…that extended beyond design and were truly a manner of living.”
Staffers at the Museum of Early Trades and Crafts booted up their office computers last Tuesday to find “all their files were blank and encrypted,” said Deborah Starker, the executive director.
Anything stored on the museum’s network server is gone: shared files, reports, records and grant applications. It will take months to rebuild this information from hard drive backups and paper documents, Starker said.
Yet things could have been worse. Starting about a year ago, the museum began moving sensitive information–its donor database, financial records, museum shop transactions–from its network server to cloud-based services.
“We’re probably in better shape than some organizations that have not backed up more frequently,” Starker said. “It’s really rough.”
Paying ransom is not an option–the demand is equal to Starker’s annual budget. Yet beefing up security also is a tricky balancing act for small nonprofits.
“More secure systems cost a lot more money,” Starker said.
It’s money these places simply don’t have, said Leslie Bensley, executive director of the Morris County Tourism Bureau.
“This is a time for benefactors, patrons, philanthropists, friends, and supporters to dig deep and support these organizations that do so much, relatively speaking, with tight budgets,” Bensley said.
She praised the tenacity of Craftsman Farms and the Museum of Early Trades and Crafts, which both participated in a weekend Holly Walk promotion, and of the Shakespeare Theatre, which pulled off a successful opening night for A Christmas Carol despite an obliterated ticketing system.
It may be another two weeks before the theater can process advance sales and offer online ticketing, said Marketing Director Jessica Damrow Sherman. For now, tickets can be sold only at the box office on the day of a show, payable by cash, check or credit card.
Rebuilding the theater’s database of patrons will take months, Sherman said. The Dickens show runs through Dec. 29, 2019.
At opening night on Saturday, Shakespeare Theatre Artistic Director Bonnie Monte searched for a silver lining to this “really terrible, threatening” ransomware attack.
In some ways, she told the big audience, it actually has been wonderful.
“When we called out to all of you to help us very quickly re-create our database to some extent, so that we could sell the show, we were flooded with an incredible response. And everybody has been incredibly thoughtful and patient and generous and kind,” Monte said.
“It absolutely exemplifies the spirit of Charles Dickens’ A Christmas Carol.”