The St. Louis Public Library system was hit with a ransomware attack last week. All 17 branches; around 700 systems.
The attackers asked for $35,000 to decrypt the 700 computers that were infected – translating to around $50 a computer.
However, the library told them to pound sand – or something like that, possibly something we couldn’t print in a family-oriented blog.
The good news is that, apparently, the library had good backups.
Right after the attack, patrons could not check out books and staff email was down.
Within two days the circulation system was back up and patrons could check out books again.
At least there was some good news. Patron information was not stored on the infected systems, so it was not compromised (that was a good design decision).
The reserve system was down for a few more days, but it appears that everything is now back up.
While it likely cost the library some overtime – maybe – whatever the cost was, it was less than $35,000.
The message here is that IF you have good backups (which are OFFLINE, so the ransomware cannot reach and encrypt them too) and you have the support of your customers, they will tolerate some downtime to avoid paying criminals.
The amount of downtime that an organization suffers is affected by several things.
First, how, exactly, did the ransomware infect 700 computers? Something went horribly wrong. I am sure that they will do an investigation – they did call in the FBI, and the FBI is providing assistance in figuring out what happened.
If you can reduce the number of computers that get infected, you can reduce the time to recovery.
Things like user training, phishing exercises, policies, procedures and incident response training all work to reduce the impact of cyber events.
A few months before the Sony attack, the Sands Casino chain was under attack in a very similar way. The Sands, however, unlike Sony, had a very effective operational plan. They immediately pulled the plug on their Internet connection. Do you even know where the Internet “plug” is in your company? Doing that stopped the infected machines from “phoning home” – instantly. They also had I.T. techs running through the casino’s floors UNPLUGGING computers from the local network so they didn’t get infected (don’t ask why they didn’t just pull the power cords from the network switches – either they didn’t think of that (lessons learned) or there was some other reason that wasn’t publicized). In any case, the impact to the Sands was negligible while the impact to Sony was immense.
The I.T. crew did not have to convene a meeting to get approval to disconnect from the Internet – they already had that authority, so they could do that in minutes.
So in this case, the St. Louis Public Library came out as the good guys. Yes, they were attacked, but they did not pay the terrorists, and they got their systems back online in just a few days.
Could your company do that as gracefully as they did? Good question!