In this situation, you may have to negotiate with the extortionists – “Worst possible scenario”

A data security expert explains what consequences being targeted by hackers' extortion malware can have for a company in the worst case.

The Finnish company KWH Freeze has been targeted by a ransomware attack. The hackers threaten to publish the information they captured from the company on November 27 if their ransom demand is not met.

KWH Freeze is Finland’s largest player in frozen food storage.

The company’s CEO Peter Lång confirmed the attack, but did not want to comment on, for example, the hackers’ ransom demand.

– Our operations are stable, he stated to Iltalehti on Thursday.

Data Protection Commissioner Anu Talus tells Iltalehti that the case has also come to the attention of the Ministry of Justice.

– We have indeed been notified of this, the data protection commissioner confirms.

“Grande disasters happen less often”

In its weekly review, the Cyber Security Center of the Finnish Transport and Communications Agency Traficom addressed ransomware attacks carried out with extortion malware.

According to the Cyber Security Center, an average of about 40 blackmail cases per year were reported in Finland in 2020–2022. The figure includes both large multinational companies and private individuals.

– The beginning of 2023 showed a similar trend, but a moderate increase in the number of notifications has been observed during November, the weekly review says.

Cyber Security Center information security expert Matias Mesiä tells Iltalehti that there has been a small increase specifically in the most serious cases.

– Such grande disasters, which end up in large swathes, however, occur less often, says Mesiä.

– Finnish organizations mostly do a really good job of protecting themselves from them, but they do happen here too. According to our statistics, however, relatively little compared to the rest of the world, Mesiä says and knocks on wood.

You may have to negotiate with extortionists

Ransomware attacks are typically discovered on a company’s computer or server. By that point, the malware may have been lying dormant in the organization’s systems for months, waiting for the right moment to activate.

– First we are surprised when the systems suddenly don’t work at all and then we notice that there is such a message here. It can be, for example, a file or a notification that appears directly on the screen, telling you that the data is now encrypted and that bitcoins are required, Mesiä describes.

As a general rule, you should not agree to the ransom demands of hackers who have hijacked or hidden company information.

– Yes, the general instruction for these is always not to pay. It’s quite clear. By paying, you support crime, says Mesiä.

However, Mesiä recognizes situations where the matter is not necessarily so clear-cut. This can be the case, for example, if the company is poorly prepared for such attacks.

– In some cases, which fortunately are rarer, the situation can be so bad that absolutely all of the organization’s data is encrypted, Mesiä says.

Even in such a situation, it is possible to restore the data from the backup.

– But if even those backups are encrypted or do not exist, then the organization may have to think about a possible negotiation or even payment, says Mesiä.

“Worst possible scenario”

According to Mesiä, a ransomware attack can in the worst case completely paralyze the operations of even a large company.

– For example, in industry, if the factory’s production systems are encrypted, then the employees there may not be able to do anything, and production is completely at a standstill.

According to Mesiä, this is a very possible situation if the malware can spread effectively within the company. In such a situation, backups play an extremely important role.

– For example, factories do not necessarily always have the latest equipment or systems. For example, slightly older Windows and other things may be used there, and setting up such environments again is not that simple.

– It’s a tough place when you come to work and notice that there are blackmail messages on the screens, the equipment doesn’t work, the factory doesn’t run, the salespeople can’t sell and you can’t access the orders. That’s pretty much the core of ransomware.

According to Mesiä, in such a situation the whole company is very quickly thrown into confusion.

– The management is waving its hands in the direction of the IT department and the communication department should communicate. You should also be able to tell the customers, but the email server is also encrypted. This is the worst possible scenario, Mesiä states.

– You can directly calculate it in money, how much it cost to be the target of such an attack, he continues.

Communication is key

In Mesiä’s opinion, it is of the utmost importance that organizations know what kind of data or which systems are vital for their operations.

– Whether it’s a production system or important data or whatever, it must be identified and protected very well.

In addition, Mesiä urges companies to prepare in advance for crisis situations related to information security and even to practice operating in the middle of an attack. Sometimes companies make the situation needlessly harder to cope with through poor or non-existent communication.

– Companies communicate in these situations in very different ways. It is really important to think about how to do it in a crisis situation. However, there is no one correct solution.

According to Mesiä, some of the companies may hold a full training session for, for example, the authorities who have learned about the incident and are trying to offer their help to resolve the situation.

– It’s a really difficult situation if we, as an authority, try to help and ask for additional information from our international contacts, and we don’t get any information from within the organization. We can’t really do anything then.

– The communication side is a really big part of the situation when “cyber” hits the fan, Mesiä shares.

How often are ransoms paid?

Every year, the Cyber Security Center receives only isolated notifications of cases where ransoms have been paid.

– Some of these will certainly never even come to our attention, says Mesiä.

Even if the ransom demand has already been agreed to, Mesiä urges companies to report the case to the Data Protection Commissioner.

– It should always be done if there is even the slightest doubt that personal data may have been leaked.

Don’t trust a criminal

However, paying the ransom does not automatically guarantee that the data will be released and the threat will be over.

– It’s never 100% certain when you cooperate with criminals, says Mesiä.

For example, the attackers may try to extort more money from a company that agrees to their demands.

– Or you can fall into the clutches of ransomware again, he warns.
