AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

The Effect of Ransomware After The Investigation

Ransomware. It’s a word that has become interwoven into the fabric of global corporate, business and legal vernacular. The threat is briefed to executive leadership teams during security update calls and to boards of directors during quarterly earnings calls. Its risks are part of mergers and acquisitions (M&A) strategy planning and are specifically identified in cyber insurance coverage policies with exclusions and sub-limits. And an entire industry exists around threat intelligence, in which the proverbial “cat and mouse” game is played between organized crime groups looking to profit and the incident responders looking to defend and counter their attacks. However, the side of ransomware that many do not focus on is the human element.

The Changing Landscape

Ransomware warfare has been taking place for more than three decades. Its modern forms, which emerged in the mid-2000s, have been thoroughly and well documented. My focus with this article is not to spend more time on self-sensationalizing threat actor groups or their newest threats and trends, or their latest malware, but rather to look at the victim side and the real-world impact of criminal activity against businesses and educational institutions.

Recently Lincoln College announced it was closing due to the lingering after-effects of a ransomware event that compounded Covid-related enrollment and resource challenges. The college was founded in 1865, and it shared the same early years from which American history captures stories such as Butch Cassidy and the Sundance Kid, who robbed trains and banks — in many ways, a 19th century precursor to the ransomware “robber” stories of the modern 21st century. Lincoln College noted that it had survived the “economic crisis of 1887, a major campus fire in 1912, the Spanish Flu of 1918, the Great Depression, World War II, the 2008 global financial crisis, and more”, across 157 years, to be finally undone by one modern ransomware event.

This is the other side of modern ransomware stories. The human, emotional, and economic impact. The town where Lincoln College is centered boasts a population of around 13,300 in the last census, but the college had record enrollments of approximately 1,000 students as recently as 2019, most from the Chicago and St. Louis areas, and also attracted overseas transfer students. However, when the college was hit by a network intrusion and ransomware event in December 2021, it was already facing significant disruptions to campus life due to Covid. The ransomware attack further restricted its ability to access institutional data, raise money, recruit new students, and process admissions in time.

It was only after the Lincoln College team ultimately regained access to their systems, several months after the attack, that they were able to realize the full damage they had sustained. Fall enrollments had declined from the prior year. Critical dates to recruit and sign up students had been missed. All of this combined with a COVID-19 era, which had already forced the school to lay out cash for “technology and safety measures”, to trigger a final, negative domino effect. The college that had employed and instructed thousands over the years was forced to conclude that it would not be able to continue to pay its bills. As Lincoln College’s president, David Gerlach, said in the announcement, “The loss of history, careers, and a community of students and alumni is immense.”

Ransomware’s Human Toll

In my six years so far at Kroll, I’ve been working investigations alongside businesses and victims of cyberattacks. Before Kroll, I spent almost a decade conducting investigations on both the national security and criminal sides of federal law enforcement as a Special Agent for the FBI. Prior to that, I owned and operated a technology company that mainly helped everyday people troubleshoot technology problems and issues.

There is a psychological toll that results from high-stress situations, especially when life, limb and family are at risk. During my years as a Special Agent, I encountered situations where families’ lives were changed in a moment and their capacity to realize what was happening around them or to them was frozen, as if someone had stepped out of the shadows and punched them without warning. It was a shock to their core, to their mental state and view on reality around them. I’ve seen the same happen with ransomware attacks, where business executives showed up at work expecting a normal 9 to 5 workday and their career trajectory was forever altered into a different course that they had not woken up to that morning or planned.

At Kroll, I regularly speak with and counsel team members about how in consulting work, there are often moments during our careers where we will have observed the rawness of human emotion, both in person, and remotely over a phone call. We’ll be having a conversation with a client whose emotions plunge to sadness or escalate to anger, and we recognize it as an outpouring of an emotional response to the events that they are facing at that moment. It’s the resulting 24/7 pressures of trying to balance personal lives, professional lives, interpersonal relationships, expectations of managers and supervisors, expectations of direct reports, stressful situations where jobs may be on the line, or in some cases, the health, safety, and lives of those they serve. And all this while working with and having to trust a new consultant firm like Kroll Cyber that they may have just met for the first time.

This is the reality, playing out across the globe, every week, every month. Ransomware criminals that pursue their modern day “bank robbery” mindset are robbing from real people, with real jobs, with real ambitions and dreams, both in the present time and as we saw with Lincoln College, for generations to come.
