Hiltzik: The real number of ransomware

When ransomware crooks attacked her business last June, encrypting all her data and operating software and sending her a picture of a skull and an email address to find out the price she would have to pay to restore everything, Fran Finnegan thought it would be necessary. weeks to restore everything to its pre-hack condition.

It took him over a year.

Finnegan’s service, SEC Info, went back online on July 18. The intervening year was one of brutal 12-hour days, seven days a week, and spending tens of thousands of dollars (and the loss of much more in subscriber payments while the site was down).

The amount of detail I had to deal with was unbearable… Because I lost everything.

— Fran Finnegan, SEC Information

He had to buy two new computers or high-capacity servers and wait for his vendor, Dell, to overcome the post-pandemic shortage of computer chips.

Meanwhile, subscribers, who had been paying up to $180 a year for their service, were falling away.

Finnegan estimates that as many as half of his subscribers may have canceled their accounts, leaving him with a six-figure loss of revenue for the year.

He expects most will return once they find SEC Info is up and running, but the hackers destroyed his customer database, including email contacts and billing information, so he has to wait for them to restore the your accounts proactively.

Retrieving the SEC information online required Finnegan to painstakingly rebuild the software he had written over the past 25 years and reinstall a database of some 15.4 million SEC corporate documents dating back to 1993.

It was a truly heroic effort, and it was all in his hands. Finnegan worked under intense, self-imposed pressure to get his service up and running as it was before the attack.

“The amount of detail I had to deal with was overwhelming and very frustrating: I thought, ‘I’ve done all this once before, and now I have to do it all over again.’ Because I’ve lost everything.”

At about the midpoint, a few days before Christmas, he suffered a mild stroke that manifested itself in a series of falls, but no cognitive difficulties, which he attributes to the stress he was under.

As I reported last year at the start of Finnegan’s ordeal, SEC Info offers subscribers access to all financial disclosure documents filed with the Securities and Exchange Commission: annual and quarterly reports, proxy statements, major shareholder information and more. a large warehouse. of publicly available financial information, presented in a searchable format and uniquely well organized.

The website looks like the product of a team of data analytics experts, but it’s a one-man shop. “This is mine,” Finnegan, 71, told me. “I’m the only guy. Nothing happens unless I do it.”

With a degree in computer science and an MBA from the University of Chicago, plus a dozen years of Wall Street experience as an investment banker and a few years as a freelance software designer for large corporations, Finnegan launched SEC Info in 1997.

A page on the SEC's information site.

Back in business: After a year, SECInfo.com is back online and has recovered from a 2021 ransomware attack.

(SECInfo.com)

The SEC put its EDGAR database online for free after recognizing that doing so would allow employers to offer a number of innovative formats and related data services.

Finnegan was one of the pioneers in the field, eventually becoming one of the SEC’s largest providers of filings.

Finnegan’s experience opens a window into the underreported consequences of ransomware: the impact on small businesses like his that don’t have teams of data professionals to mobilize in response or a footprint big enough to get government help federal or federal. international law enforcement agencies.

Ransomware attacks, in which perpetrators steal or encrypt victims’ online access or data and demand payment to regain access, have proliferated in recent years for a number of reasons.

One is the explosive growth of opportunity: more systems and devices are linked to cyberspace than ever before, and a relatively small percentage are protected by effective cybersecurity precautions.

Data hijackers can deploy an ever-expanding arsenal of available tools that “make launching ransomware attacks almost as easy as using an online auction site,” according to Palo Alto Networks, which markets cybersecurity systems. Some ransomware entrepreneurs “offer ‘starter kits’ and ‘support services’ to would-be cybercriminals, … accelerating the speed at which attacks can be introduced and spread,” reports Palo Alto.

The advent of cryptocurrencies may have also facilitated these attacks; the perpetrators often demand payment in bitcoins or other virtual currencies, evidently on the assumption that the authorities are more difficult to trace such transactions than those using dollars. (That may be a false assumption, as it turns out.)

It’s hard to put a finger on the scale of the ransomware threat, in part because most estimates come from private security firms, which may have incentives to maximize the problem and, if anything, offer mixed numbers.

What does seem clear is that the problem is growing, enough to have caught the attention of the White House and international agencies.

Attacks on large companies attract the most attention. In 2021, according to a list of 87 attacks compiled by Heimdal Security, victims included business consultancy Accenture, audio company Bose, Brazil’s National Treasury, Cox Media, Howard University, Kia Motors, the National Rifle Assn. and the University of Miami.

Healthcare institutions have long been prime targets. Last year, Scripps Health, the nonprofit operator of five hospitals and 19 outpatient clinics in California, had to move stroke and heart attack patients from four hospitals and close trauma treatment centers at two.

Staff have been locked out of some data systems. The attack cost Scripps at least $113 million, according to a preliminary estimate.

Finnegan’s offense was too small to appear on these lists. But for him it was a life-changing event.

The disaster began with a massive data breach at Yahoo that occurred in 2013 but was not disclosed by Yahoo until 2016. Hackers stole the email passwords, phone numbers, birth dates and security questions and answers of 3 billion of Yahoo users, including Finnegan.

Finnegan followed Yahoo’s advice to change his Yahoo account passwords but forgot that he had used the same password to access his administrative privileges at SEC Info.

It might not have been a problem, except that before he left for a week’s vacation last summer, he activated a digital access port so he could monitor his system from afar.

His old password was a ticking time bomb in the hands of anyone with access to Yahoo’s stolen data. As of June 26, hackers pinged their system 2.5 million times with passwords stolen from Yahoo, and finally hit the right one.

“They were lucky,” he told me. “If they had tried a week before or a week after, they wouldn’t have been able to get in.”

Finnegan didn’t know his system had been hacked until a subscriber asked him via text message why his website was down. When he accessed it remotely, he could only watch as the attackers encrypted all his files without being able to do anything.

Finnegan thought he had adequate backup, as his data was stored on two servers, high-capacity computers housed in a data center in San Francisco. That was a safeguard against either server being melted down, but not against a hacker using his password.

He briefly considered responding to the hackers, but a quick online search turned up reports of other victims who reported paying the ransom without receiving a decryption code.

Even if the hackers cracked Finnegan’s data — the more than 15 million SEC filings — they had trashed his operating software, and that couldn’t be recovered through decryption.

So Finnegan set about rebuilding his system. Fortunately, about 90% of the files were stored on external drives at his home in the Bay Area, disconnected from the Internet and thus beyond the reach of hackers.

But they were older files from before 2020, the latest data on the stored disks. The remaining 10% had been destroyed: more than 1.5 million documents.

Downloading the most recent SEC filings took two months because the agency limits the download rate of its database so that access cannot be monopolized by big users.

The most difficult task was rebuilding all the programs Finnegan had written over the years to analyze SEC data and make it usable for his subscribers in a myriad of ways.

“Some of this goes back 25 years, and you forget things,” he told me.

At first, he says, “I thought I’d just get the data, run it through the analytics engine again and reconfigure everything and be good to go.” He encountered a phenomenon memorably identified by former IBM software executive Fred Brooks in his classic book, “The Mythical Man-Month”: Software projects always take longer than anyone predicts, and always miss your deadlines.

So the weeks stretched into months. Finnegan would post a recovery date online and pass. “It got to the point where I stopped making predictions, because when it didn’t happen I felt like an idiot.”

By June, though, “I could see the end of the tunnel,” he says, and projected a return for his July 1 birthday. He still wasn’t ready, so he posted a restore date of July 15th online, and it finally went back up on July 18th.

This time, Finnegan sealed the security holes that allowed his attackers to screw up his business. Get data backups in near real time and keep them offline and disconnected from the internet and made the process of accessing your system remotely much more complex.

Finnegan still has some tasks to complete to make SEC Info work exactly as it once did, but these involve features that only a small minority of subscribers ever use. Trust that you will not have to face this tribulation again.

“I’m pretty sure I won’t hit myself again,” he told me. I heard a moment of doubt in his voice, but then his confidence returned. “No, no one’s going back in,” he said.

Leave a Reply

Your email address will not be published. Required fields are marked *