When online clothing retailer FatFace was hacked in January 2021, it disobeyed one of the golden rules of managing a cybersecurity crisis; it kept quiet about it for two months before downplaying the threat, saying only that “some employment related information' had been accessed by third parties.”
We now know that was only the tip of the iceberg. In fact, sophisticated hackers known as the Conti gang had accessed the system when an employee clicked on a fraudulent email link and installed ransomware software. A week later, they launched a full-scale ransomware attack where they locked all employees out of their online systems until they were paid the equivalent of $7 million in crypto.
“The attackers triggered their crypto-locking malware one week after gaining access to Fat Face's systems, evading its security defenses, identifying its “Veeam backup servers and Nimble storage,” and exfiltrating 200GB of data, according to Computer Weekly.
Here’s how the Fatface backend first heard about it:
The ransom note, pictured above, triggered a back and forth negotiation. The company made use of a professional negotiator who assessed the size and nature of the threat, and spoke on behalf of the organisation.
FatFace argued they could not afford it, blaming the pandemic.
“The price was talked down after the 200-store chain argued its sales had slumped by as much as 75 per cent due to the coronavirus pandemic shutting its shops.” according to ThisIsMoney.
The gang argued that they knew the online retailer had ransomware insurance which would pay out, and eventually they settled on a number.
One of the most fascinating aspects of this ransomware attack was the window into the negotiations between the two parties that it provided. There were long back and forth discussions, offers and counter-offers in the process.
The Superfast blog did a deep dive into the attack, noting that “Historically, negotiations would take place via email, but today, hackers use ‘customer service instant chat' functionality instead – as you would expect from a corporate support desk.”
Looking at the hackers statements, there is a sense that this is not just one person sitting alone in a dark room. Quite the opposite, in fact. This was a professional operation with layers of command to consult and systems in place, including call centers and How-To guides on making payments.
Ultimately the price was negotiated down from $7 million to $2 million, paid in the cryptocurrency Monero and the relevant files were decrypted and returned.
One of the strangest twists came right at the end of the negotiations when the hackers posted a set of suggestions to the company on how to improve their security. It almost seems like they perceive themselves as providing a consulting service on all the ways that a company’s security is vulnerable…then they prove it by doing the attack, getting the ransom and delivering their report at the end of the day.
What did the hackers advise? Here’s a list of suggestions they offered FatFace:
- Implement email filtering
- Conduct employee phishing tests
- Review their Active Directory password policy
- Invest in better endpoint detection and response (EDR) technology – use a product that protects the internal network and isolate critical systems
- Implement offline storage and tape-based backup.
Ultimately, the damage to FatFace might be more reputational than financial. By negotiating the price down by five million dollars, the company was able to absorb the cost. But the fact that they withheld the news for so long and then only told half truths to their investors left a bad taste in the mouth.
The lesson from the whole affair, (apart from the great technical advise listed above) is that transparency after a cyberattack is vital.
It took far too long for the company to inform affected customers that attackers had accessed their name, address and email address, as well as the last four digits of their payment card and its expiration date. That information is vital so a customer can be aware of how they behave online when requests come in.
Your customers know that breaches happen, but do they know they can trust you to be honest with them?