Hackers tried to rob me of $15m. Here’s how I stopped them…

Ransomware is rife. One of the ways to reduce its global proliferation is to openly share stories. It’s not something many companies do. But here – to his credit – is one CIO's tale...


The phone call came at 4am 
My name's Matthew Day. As CIO of Langs Building Supplies in Queensland, Australia, I’d been looking forward to a long holiday after 14 months of Covid-blighted operations.

But then the phone rang. One of my factory supervisors said they couldn’t get into the system: “We’ve been hacked!”

I jumped out of bed and rushed to the office. I saw the boot loader screen message: “We’ve encrypted all your data. Pay up… or we’ll publish it on the dark web.” 

The hairs on my neck stood up
I realised this was no small ransomware attack. They had scoped our business: hunted us, waited for us to be asleep, and took the shot with sniper gun precision. Worst of all, through our Rubrik zero trust security solution, I could see they had secured elevated access rights.

They demanded $15 million 
They wanted an enormous Bitcoin sum but I was also conscious that the attack would wipe out factory manhours – which could work out just as expensive. 

But I don’t negotiate with terrorists. I was never going to have a conversation with these people. 

What’s the worst day I could ever have?
I knew I had to draw on my pre-prepared strategy of ‘what’s the worst day the business could ever have?’ I’d already made sure all our data was backed up and immutable. I also knew we had a solution that could quickly scan the holes in our system and monitor data packets to see what – and where – was being encrypted. This information was invaluable – it saved us. 

It took 24 hours to clean up the mess 
The hackers’ attack vector was a legitimate-looking email that came from a kosher email address in the right format. The one slightly off detail was the link in the email. Two weeks later, the hackers had access to Langs’ systems. Our IT analysts spent two days cleaning up the environment, identifying and plugging holes against two waves. 

Don’t believe the hackers 
By this stage, I knew I could recover the data. I knew we had a good counter punch with the Rubrik solution which had safely protected the data, and was providing attacker visibility. My main concern was ‘is there any exfiltration of the data?’ I could see from our monitoring systems that there wasn’t. I didn’t need to engage with the hackers despite the continuous email threats they were sending.

My staff didn’t sleep for days
When I began the attack response, I enacted processes at the business level. I had to get people out of bed… that’s why it’s so important to have good human capital management. You need people who will hit the trenches with you. Investment in your staff pays off in spades because they do what needs to be done.

Find the right partner
Make sure you have partners who care about you. I always bring it back to the chef Nigella Lawson – you can have great products but the real value is in the mixing of the ingredients. Nigella and I can both make a chocolate cake with the same recipe – but whose cake would you rather eat? You need the right partners with the right skills. And make sure they care about and understand your business.

If I’m honest, we missed patch cycles
IT teams have got so many servers these days that it doesn’t take much to miss a patch. That’s life – people make mistakes. But how do you recover from it? That’s the big point. Recovery is critical.

Education first
We were hacked through social engineering via a trusted supplier. Your employees are your number one protectors. Train your staff to understand that cybersecurity is everybody’s job. In some ways, investing in education is more important than perimeter defenses, like firewalls. 

I don’t live in fear
I have the attitude that it will happen again – that’s the only way you can plan for these things. And it’s not if, it’s when. We made mistakes, learned from them and moved on. I don’t live in fear. We mitigate against threats as best we can, while understanding that they exist. 
