Picture this: It’s 6 a.m. and you’re awoken to several frantic phone calls. Your customers are calling you back-to-back, telling you they can’t access their company websites. As a business owner—especially one that manages the software that is streamlining operations for more than 1,000 flooring businesses of various sizes and roughly 6,000 users—this is one of your worst nightmares, and for QFloors, it was unfortunately a reality.
“I figured out in about 10 minutes that we were having a problem with our system,” said Chad Ogden, president and CEO of the company. “We have 400 floor covering stores on this particular system, and they all went down at one time.”
The reason? Ransomware, malicious software that uses a computer virus to hold data hostage until a ransom is paid. It is generally transmitted by email or web pop-ups, and rebuilding data and hard drives after such an attack can get expensive, especially for companies that have 10 or 20 computers on a system, or in this case, 400.
Ogden and the QFloors team acted quickly, recognizing within about an hour that this had been a ransomware attack. According to data shared by global cybersecurity company BlackFog, a business is attacked by a cybercriminal every 11 seconds, and the software company was just one of them. BlackFog reports that in 2021, damage costs from these attacks are estimated to amount to about $20 billion.
QFloors has enjoyed industry firsts and milestones through the years, one being the celebration of 20 years in business, which it reached in 2019, but this cyberattack will be remembered as one of the company’s darkest moments, Ogden said.
“You can imagine that this was not one of my best days,” he shared. “That was probably one of the worst days of QFloors over the last 20 years or so.”
Attacked by one of the top five ransomware groups in the world—which is a ranking earned by how many companies it has attacked and how much money it has made from those attacks—Ogden explained in detail what he now knows about the cyberattack. Prior to the attack, the anonymous cybercriminal group watched the software company for several weeks, monitoring how QFloors ran its business and the programs its customers were using. From there, the attack was intentionally launched on QFloors’ most critical system.
After encrypting terabits of data (very large amounts), the cybercriminals behind the attack left an electronic ransom note, informing the software company that it had been attacked by ransomware and directing it to a password-protected site on the dark web, where further instructions would be given on how to make a payment in order to reclaim the stolen data.
“These groups are very good at hiding, and the crypto currencies that are out there right now have made it very easy for them to get paid without being tracked,” Ogden explained. “So that’s even made it worse because they are demanding money in that form.”
Since these cybercriminals scope out companies before they attack, Ogden explained that they know about much more than just the computer systems they plan to attack. “That’s the other thing: since they’ve been scoping you out, they know everything about your company. They know who the employees are, they’ve been into your websites. They know how much they think you can pay. So, they can customize the payment.”
QFloors was faced with a difficult decision that had to be made very quickly: log in as directed for next steps and payment, which Ogden believes would have been in the hundreds of thousands of dollars, reach out to the FBI for assistance, or try to combat the group on its own.
Fortunately for QFloors and the hundreds of flooring companies impacted by the attack, what happened next is somewhat of an anomaly when it comes to cases of ransomware. The software company immediately got to work, doing its own research over a couple of days, to determine how the cybercriminals were able to gain access to its system, so that they could then remove that portion of the system, thus blocking the cyber group’s entry and access point. The QFloors team was successful in doing that.
“We knew fairly quickly that we were going to be able to bring everything back up,” Ogden said. “We have millions of sales orders out there, and during this time, we only lost two, and that was because someone put two orders in at midnight, after we’d done the backup. So essentially, we lost no data and we had everybody back up and running within four days.”
Once the system was back up and running, and things felt safe, QFloors did report the incident to the FBI. “If you get the FBI and the government involved, they come in and take control over what’s going to happen. We didn’t want that. We wanted to be able to control the situation.”
If this attack had happened to the company a few years ago, it wouldn’t have survived it, Ogden says. Thanks to some recent changes the company made in how it backs up its data, QFloors is able to walk away from this attack a little shaken but unscathed.
Ogden hopes others will learn from this. “The bad guys are getting better and we have to counteract that,” he warns. “You have to be doing what’s called disconnected backups, which means once you back stuff up, you have to actually disconnect it from wherever you backed it up from, so that people can’t see those backups.”
Ransomware Dos and Don’ts
Security software company Norton offers the following advice for dealing with ransomware attacks.
- Do not pay the ransom. It only encourages and funds these attackers. Even if the ransom is paid, there is no guarantee that you will be able to regain access to your files.
- Restore any impacted files from a known good backup. Restoration of your files from a backup is the fastest way to regain access to your data.
- Do not provide personal information when answering an email, unsolicited phone call, text message or instant message. Phishers will try to trick employees into installing malware, or gain intelligence for attacks by claiming to be from IT. Be sure to contact your IT department if you or your coworkers receive suspicious calls.
- Use reputable antivirus software and a firewall. Maintaining a strong firewall and keeping your security software up to date are critical. It’s important to use antivirus software from a reputable company because of all the fake software out there.
- Employ content scanning and filtering on your mail servers. Inbound e-mails should be scanned for known threats, and any attachment types that could pose a threat should be blocked.
- Make sure that all systems and software are up-to-date with relevant patches. Exploit kits hosted on compromised websites are commonly used to spread malware. Regular patching of vulnerable software is necessary to help prevent infection.
- If traveling, alert your IT department beforehand, especially if you’re going to be using public wireless Internet. Make sure you use a trustworthy Virtual Private Network (VPN) when accessing public Wi-Fi.