"We've got another one Eddie."
Eddie let out a long sigh, leaned back in his chair, and stretched. He tried to remember why he decided to take this job in the first place. Something about the opportunity to work closely with C-level executives and board members, broaden his horizon beyond the nitty gritty details of computer security. Eddie had always been comfortable with technology. Truth be told, if he filled out his Match.com profile the way he really should have, his likes would have included pina coladas, getting caught in the rain, and finding buffer overflow bugs in low level system software.
But, sometime during the week after his 47th birthday he decided to take his boss up on the idea that he would be suited for a management role helping his firm deal with their increasing cybersecurity problem from an organizational, management and policy perspective, as much as from a technical one. For one thing, Eddie knew from his years of experience that getting security right is a process that involves all of those perspectives and more. And as the locals down at Finn McCool's (the nearest establishment serving a full Irish breakfast all day) would tell you, Eddie's team "Show Me The Monet" took first place every week in pub trivia night. In other words, Eddie liked to get things right.
And in order to get things right in security Eddie had to move into management. That was ten years ago. Three promotions and two targeted headhunting processes later Eddie found himself sitting in his chair, mid stretch, as chief information security officer, a role he'd been able to settle into over the past 18 months.
"Well, tell me what we've got," Eddie said to Brenda, the systems administrator who worked closely with him to secure the senior executives' computers and other devices.
"It's a kind of ransomware, but not one I have ever seen before," said Brenda.
Eddie knew all about ransomware. He had actually attended a conference with the attorney who had represented the man who wrote the very first piece of documented ransomware back in the late 1980's. The pattern was always the same, an unsuspecting user clicks on a link in an email, or perhaps an attachment or suffers one of the innumerable other ways that malicious software can get on to a computer. Once it has infected the computer, the malware stealthily encrypts all of the data on board and, once it has finished, holds that data for ransom by making the user pay to get the key to unlock their data. The author of the original ransomware required you to send cash to a P.O. Box in Panama, the latest versions demand payment in Bitcoin. "Progress, of a sort," Eddie mused to himself.
"Well, we've certainly seen ransomware before and we know how to deal with it," Eddie said. "Just wipe the affected computer's hard drive and we will restore it's data from the backup we took last night."
Eddie was looking forward to the long weekend, he had on a whim this morning bought plane tickets to New Orleans and could already feel his feet tapping to the blues on Frenchman Street.
"I don't think we want to do that in this case Eddie," replied Brenda.
"What do you mean?" Eddie said. "There's nothing on our company computers that can't be wiped. All our email lives on our servers and all documents are on our private cloud. Hell, even if for some reason we can't wipe this machine, just go grab another one and we'll just install a fresh set of software on it for... um, whose computer did you say this was anyway?"
"I didn't, but it is Steve McDouglas's laptop," Brenda said.
"Steve McDouglas? The chairman of the board?" Eddie spluttered. "But wait, we don't even issue computers to board members. They all use their own systems. They aren't technically even employees."
"That's right, and that's why we can't just wipe and restore Mr. McDouglas' laptop. It's not one of ours," Brenda said.
"Yeah, and who knows what else he has on there. Isn't he on two other boards in addition to ours?" Eddie mused. "Ok, it pains me to say this, but we'll have to just pay these guys off to unlock the thing. Given the potential disruption to Mr. McDouglas and to us, the cost is trivial. What are they asking for, $500?"
"Well, that's the thing" Brenda said, hesitatingly. "They're not asking us to pay them off so that we can unlock the laptop."
"What? But, that's the way these things always work" Eddie said. "Their whole business model is to get paid to provide the key back, so what do they want?"
"It's the strangest thing, they're asking us to pay them to destroy the key" said Brenda.
"Huh?" Eddie asked. "That doesn't make any sense. If they destroy the key, there won't be any way to recover the data."
"That's right Eddie," Brenda agreed. "But the thing is, they've taken the data they got from Mr. McDouglas' laptop and posted it, encrypted, to the dark web, and they're going to post the key as well if we don't pay them."
Eddie turned white. "What?" he gasped. "What, ah, what data did they get?"
"Well, we're going to have to ask Mr. McDouglas that to really know," Brenda said. "But they did send a list of filenames, and there's some stuff here that I don't think we want out there."
"Like what?" Eddie asked.
"Like 'M&A targets', 'results of internal investigation', 'CEO performance evaluation', an email thread titled 'audit difficulties', and those are just the first four on the list," Brenda replied.
"Oh my God," Eddie moaned. "How much are they asking for to destroy the key?"
Brenda cleared her throat. "$5 million."
The story above is a work of fiction, any resemblance to persons or firms living or dead is purely coincidental. But, if you want to ensure that a story like this doesn't happen to your organization, be sure that you have the right tools in place to secure your board's files and communications. As the story relates, your board members have access to some of the most sensitive information your firm has, and if they use their regular email to receive it, often have it outside of the systems you have put into place to protect that data.