Cyberattacks: business leaders who fell victim describe the nightmare
This SME boss would never have imagined paying a ransom in bitcoins to masked criminals behind a computer screen. A few hours after noticing the total paralysis of a small subsidiary of his logistics company due to a cyberattack, he nevertheless created an account on a dark web website.
His usual search engine queries couldn't have gotten him there. But he followed the instructions of a criminal group calling itself Sodinokibi. After a few exchanges of messages - "like on WhatsApp" - the hackers ask him for 300,000 dollars in cryptocurrency to unblock his subsidiary. A sum equivalent to one third of the target's annual turnover.
The boss has his back to the wall. Since early that morning of January 27, 2020, all files stored on the entity's network have been unreadable. A virus, in this case ransomware, has renamed and locked them. Employees cannot get at their e-mails, their contact books or their accounting tables. Unless the company gives in to blackmail. “The other option would have been to reconstruct a year's worth of data, but it's a titanic job.”
As in a "customer service"
This professional based in the South-East of France wishes to remain anonymous, but remembers precisely the hours that followed. “The attackers answered us very politely, in English which did not appear to be their mother tongue. Between each message, twenty minutes could pass, sometimes several hours, as if our interlocutors worked in a customer service which had a job,” he explains.
The discussions, carried out with the help of cyber risk specialists mandated by his insurer, which was contacted urgently, lasted more than a week. The criminals end up lowering the ransom amount. “At one point the insurance said: okay, we pay.”
Dilemma
It is then a matter of obtaining bitcoins and following the criminals' instructions to pay. The money goes, without the company knowing where. The company then receives a piece of software, which it runs. "In a few minutes, we find our files in good shape and everything else disappears," recalls the boss.
Despite its happy ending, the cyberattack left the leader bitter. “The insurance premiums that I honored for years saved the company,” he says. However, the idea "that we are satisfied with pooling funds to pay criminals makes me sick", confesses the entrepreneur.
He is far from alone in facing this dilemma. Year after year, organized criminal gangs calling themselves DarkSide, REvil (alias Sodinokibi), Clop or Conti prey on organizations of every kind and size: large groups and SMEs, ministries and town halls, medical practices and even hospitals in the midst of a health crisis are not immune to their large-scale extortion campaigns.
Explosion in attacks
Between 2019 and 2020, the National Information Systems Security Agency (Anssi) noted a fourfold increase, to 192, in the number of ransomware attacks against the major administrations and CAC 40 companies that it protects.
And observers are sure that - under the radar - thousands of smaller companies fall victim every year. In the absence of direct help from Anssi, they can rely on technology professionals such as Orange Cyberdefense, Atos or Wavestone or on experts working for insurers such as Stelliant.
The extent of the cyber threat for mid-sized companies (ETIs) and SMEs remains all the more difficult to quantify as victims do not systematically file complaints and testimonies are rare.
Olivier Piquet, the managing director of the fine French lingerie group Lise Charmel, is one of those who have decided to break the silence. "It's better to talk about cyberattacks, it's the only thing that fucks you up in 24 hours," he says.
The boss knows what he is talking about. Almost two years after being the target of hackers, his company has still not returned to the level of activity of 2018, a year that was marked by the "yellow vests" movement.
“Much harder than the Covid”
The Covid crisis and the lockdowns of 2020 and 2021 have played their part, of course. But “the cyberattack was something much harder for us than Covid,” insists Olivier Piquet. “In the morning you get up and your company is dead.”
For Lise Charmel, that morning was November 8, 2019. Olivier Piquet receives a call from his IT manager, herself alerted by an employee who has found himself unable to work. At that time, "you just know that you have 1,000 people at a standstill," he recalls. The servers of the Lyon company are disconnected, but "in three hours during the night, 98% of our machines had been encrypted".
The entrepreneur decides not to pay the requested ransom. The experts consulted explain to him that paying the sum requested will not necessarily solve his problem. “Nothing tells you that there isn't a second bomb in your networks for two weeks from now”, sums up Olivier Piquet. The company, accompanied by Orange Cyberdefense, decided to reset its entire computer system and restart the business using the data saved, including on analog tape.
Receivership
Simple to summarize, the operation is actually a headache. “Not counting the service providers, ten people worked night and day and weekends included for 1 month”, assures Olivier Piquet. Computer equipment has to be brought back from employees abroad, physical inventories redone, and so on. During this time, it was impossible to collect payment from customers as usual, to deliver to them, or to order raw materials to properly prepare for the next season...
The business restarts only slowly. As a result, the end-of-year celebrations and Valentine's Day are "failed" even though these are key events for the manufacturer, which had generated a turnover of 60 million euros in 2018. The group regains all its operational resources in September 2020, i.e. ten months after the shock.
In the meantime, the company has opted for receivership, four months after the attack. A way to give itself some breathing room, especially vis-à-vis the banks. Even if this measure of legal protection, associated with a company's collapse, adds "another layer of opprobrium", Olivier Piquet is pleased to have had recourse to it.
Ransom payments called into question
It enabled the company to restructure its debt and review its organization. But also to score points in the battle between him and his insurer on compensation for the damage suffered. The conflict is not resolved. And Lise Charmel can at least take advantage of “cyber” insurance.
Only 8% of ETIs could say the same in 2020, according to a survey published this year by the French association of corporate “risk managers”, Amrae. SMEs could be even less equipped while 87% of large companies have this type of coverage.
However, insurance can cushion the shock of cyberattacks by covering the operating losses generated. Bercy has promised an action plan on the subject by the beginning of 2022. Because faced with the soaring cost of attacks, insurers tend to increase their prices and become more cautious. They also warn against "systemic" attacks, which are impossible to cover because they are far too destructive.
False good idea
However, the authorities' position on the issue of ransoms is being closely watched. According to the consulting firm Wavestone, 20% of large groups attacked end up paying, including sums of up to millions of euros. Insurers may offer to cover this payment. But this practice is criticized, in particular by Anssi, which considers that it sustains cybercrime.
Cybercriminals "are now targeting the files of insurers in order to then attack their customers and thus have increased guarantees of payment", writes Guillaume Poupard, the head of the agency, in a report by the LREM deputy Valéria Faure-Muntian. She does not hesitate to stir things up by recommending a ban on the payment of ransoms by companies and on their coverage by insurers.
A false good idea, however, argue insurers and brokers. What is at stake, they argue, is often the survival of a company and the fate of many employees. For them, a ban adopted at the scale of a single country would be useless against cybercriminals operating across borders.
On the other hand, the experts are unanimous on the fact that the level of security of French companies must be raised. By focusing heavily on prevention. Because very often, attacks thrive on common and basic mistakes that could be avoided. At Lise Charmel, for example, hackers managed to get their foot in the door when an employee consulted his personal e-mail box and opened a spoofed e-mail.
“No system is inviolable”
At Pullin too, the attack stemmed from a blunder. This SME in the South West, which sells men's clothing, was the victim of a cyberattack this summer which paralyzed its headquarters for a few days. “My old IT manager had not replaced some passwords. To access the server, the password was Admin,” recalls its boss Emmanuel Lohéac.
Luckily for the company, the stores were able to keep running. The company decided not to pay the ransom demanded and was able to count on backups to move forward. However, "no system is inviolable", considers the leader.
This feeling is shared. At XXII, a start-up specializing in video surveillance and artificial intelligence, the virus, encountered this summer, was quickly neutralized. But the feeling of insecurity remained. “When I see that the big players in cybersecurity have not been able to help us, I tell myself that it is impossible to be up to date,” laments its boss William Eldin.
More lucrative than drug trafficking
The apparent impunity of criminals also raises questions. The entrepreneurs we interviewed do not expect law enforcement to arrest criminals who have attacked their business.
In fact, cybercriminals most often operate outside of French territory and international cooperation works poorly. When a network is dismantled by international police, others take its place. Globally, cybercrime earns more than drug trafficking, experts point out.
Alerted by the rise of this threat, the State has promised a one billion euro plan by 2025 to strengthen corporate security and train cyber defense experts. The National Gendarmerie has this year set up a "cyberspace command" bringing together 7,000 cyber-investigators, with the aim of increasing to 10,000 next year, its commander Marc Boget recently declared.
“Very enlightening” gendarmes
Enough, perhaps, to offer some comfort to Olivier Piquet, for whom the gendarmes "were very enlightening on what happened", but did not have enough means to help him when the cyberattack occurred.
"I filed a complaint but in the end, we paid a criminal to stop bothering us," said the leader from southeastern France, who paid a ransom. He laments: “I didn't really feel any struggle.”