Ransomware Hits Little Red Door: Four Questions You Should Ask

Little Red Door, Cancer Services of East Central Indiana. Photo provided.

By: Michael Wolfe, Vice President, Chief Technology Officer, Ontario Systems

Muncie, IN — In light of the recent events involving the compromise of the Little Red Door’s company server, data, and privacy, I thought this would be a great time to note some safety tips for all of the non-profits out there when it comes to protecting your data. But first, you should understand that Little Red Door is not alone. The ransomware style of hacking, which involves breaking into your systems and stealing your data away from you with a threat to either destroy it or leak it if you don’t pay the ransom, is growing. It has started to displace traditional credit card theft among the most profitable organized crime activities and results in multiple millions of dollars a year in losses for you and profits for the criminal organizations. These attacks target anyone with data that they value. That includes pretty much every agency and organization out there today. As the methods of attack grow each year in sophistication, complexity, and scope, you might be tempted to conclude that you cannot stop these attacks and that you won’t take any precautions. I would, however, like to offer a few questions you can ask internally that, if considered carefully, could result in your saving a lot of data and money for your agency or organization.

1. Do you have a server?

If so, why do you have a server?  There are legitimate reasons for having a server in your organization or agency but if you haven’t asked the question, “Why do we have to have a server?” in the last year or so, please, ask that question and don’t settle for a simple answer.   Short of it running a proprietary software system that is required for your business, there are very few reasons to have a server now unless you are a large, complex non-profit with a budget to protect it.

Both Google and Microsoft offer free cloud services to 501(c)3 non-profit organizations and I strongly encourage you to use them for email, file storage, team scheduling and collaboration, and office productivity applications like word processing, spreadsheets, and presentation creation.  You can find more information on their programs here and here.   There are likely many other solutions out there as well that are much better than you trying to take care of your own server. Even if you do have a server for proprietary software reasons, you should make sure it isn’t also being used as a file server or email server.  Leave these things to the cloud.

2. Do you have an adequate backup?

Ransomware works so well because it parts you from your data.  One way to help lessen the sting and costs of ransomware is to make sure you have a good and adequate backup.  In order to be an adequate backup, a couple things have to be true.

  • You have to check on it frequently to make sure it is still working, that it contains the data you want to protect, that you can still read that data, and that the files are not corrupt.
  • You have to store it somewhere different than where your files are. This can be an external drive, another cloud location, another read-only cloud folder, a local drive, or some traditional backup device like a tape or digital removable media.
  • Again, cloud is an easy win here as there are many cloud backup providers. There are also many good solutions for backing up your cloud providers if you choose to store your data in the cloud, which I highly recommend.
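
One way to automate the checks in the list above, as an added example that is not part of the original article: record a hash of every file when a backup finishes, then periodically re-read the backup and flag files that are missing, corrupt, too old, or stored on the same volume as the live data. The function names, the `MANIFEST.json` file name and the 7-day threshold are assumptions made for this sketch.

```python
import hashlib
import json
import os
import time
from pathlib import Path

MANIFEST = "MANIFEST.json"  # hypothetical file name chosen for this example

def sha256_of(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def write_manifest(backup_dir):
    """Run right after a backup completes: record a hash for every file."""
    root = Path(backup_dir)
    files = {p.relative_to(root).as_posix(): sha256_of(p)
             for p in sorted(root.rglob("*"))
             if p.is_file() and p.name != MANIFEST}
    payload = {"created": time.time(), "files": files}
    (root / MANIFEST).write_text(json.dumps(payload))
    return files

def verify_backup(backup_dir, source_dir, max_age_days=7, now=None):
    """Run on a schedule: re-read every backed-up file and compare to the manifest."""
    root = Path(backup_dir)
    manifest = json.loads((root / MANIFEST).read_text())
    report = {"missing": [], "corrupt": []}
    for rel, expected in manifest["files"].items():
        try:
            if sha256_of(root / rel) != expected:
                report["corrupt"].append(rel)   # readable, but contents changed
        except OSError:
            report["missing"].append(rel)       # gone or no longer readable
    age_days = ((now or time.time()) - manifest["created"]) / 86400
    report["stale"] = age_days > max_age_days   # backup job may have stopped
    # Heuristic only: a backup on the same volume as the live files is lost with them.
    report["same_device"] = os.stat(root).st_dev == os.stat(source_dir).st_dev
    report["ok"] = not (report["missing"] or report["corrupt"]
                        or report["stale"] or report["same_device"])
    return report
```

Keep a second copy of the manifest somewhere the backed-up machine cannot write, since anything able to alter the backup can also alter a manifest stored beside it.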

3. Has your staff been trained on ransomware?

I’m going to go out on a limb here and guess this isn’t something that many small groups have done as of yet, but this is perhaps one of the most helpful steps for a small non-profit. In most groups, you are working with volunteers or part-time staff who have a lot of work to do and who are probably kind, well-intentioned people who believe the best of others. These are great characteristics for the staff of an agency seeking to serve the community. They also make the perfect target for ransomware trolls. Simply helping the staff understand that these things can happen and that there is no shame in being targeted goes a long way toward quick detection and limiting damages. Ransomware almost always comes into your company through opening a document in an email or by clicking a link to a website. The emails are always something the person is interested in and, in a lot of cases, come from the name of a person that you know. That makes it very difficult to protect against. Training is important. If a staff member clicks on a document and realizes it wasn’t what it was supposed to be, or on a link that takes them to a site that doesn’t seem right, or if their machine starts to get pop-up messages that are not normal, then they should know what to do.

  • Don’t panic, it could be nothing, but don’t be ashamed or embarrassed either. This happens to the best of us.  Whatever you do, don’t pretend it didn’t happen or try to hide it.
  • Disconnect your machine from all networks. This is something everyone should be trained to do based on their machine and whether it has a wired connection, a wireless connection, or both.
  • Contact the designated person to take a look and see if there is something concerning or if it was just an anomaly. That could be your IT contact or an office staffer that has been trained on evaluating these kinds of threats.

With these kinds of attacks, time does matter. The sooner you can detect the attack and stop it properly, the less damage and cost to the organization. Therefore it is really important that staff members understand that if they see their system acting differently than they are used to, they should not just ignore it.

4. Do we have adequate active prevention of these attacks in place?

This answer will vary a lot from organization to organization but it is a good question to ask as it will spark the discussion. Risk is everywhere and how we choose to manage risk is very different between companies. I’ll not prescribe a risk management strategy for you here, but know that you should have one and that you should know what kind of risk you are willing to take on as an agency. Decreasing risks in this area costs money. So risk tolerance is a trade-off between using money to decrease your risk vs. using money for your mission. That’s a hard discussion you will need to have at the board level, but from it should come a decision on the level of prevention you wish to have in place. This can include sophisticated firewall technologies and sophisticated artificial intelligence agents you can install on each machine, or simple, free anti-malware and virus protection to help reduce the chances.

No matter what your answers are to these questions, they are all great questions to consider right now before you have to deal with the ugliness of an attack.  For each of these questions, there are also good, reputable, local, trusted technology companies and consultants here in town that can assist you with this.   Almost all of them have special rates and programs for non-profit organizations in order to help you with these complex problems.

I have included the Little Red Door’s press release on their recent experience.  I think you will see that there are good reasons to ask these questions at your next opportunity.

Michael Wolfe is the Vice President, Chief Technology Officer for Ontario Systems and a strong advocate for our community and its success as a whole.

For Immediate Release

“Ransom and Cyberterrorism Attack on Cancer Services of East Central Indiana-Little Red Door”

Cancer Services of East Central Indiana- Little Red Door
2311 W. Jackson St.
Muncie, IN 47303
Contact: Aimee Fant, Executive Director
Phone: 765-284-9063
Fax: 765-284-9097
Email: Aimee@littlereddooreci.org

Cancer Services of East Central Indiana- Little Red Door’s terminal server and backup drive were hacked and all the agency’s data was stripped, encrypted and taken for ransom by an international cyberterrorism organization on Wed. January 11, at approximately 10pm. Staff and the Board of Directors were made aware of the 50 Bitcoin ($43,000 US) ransom demand the following evening, Thursday Jan. 12.

Communicating first via text message to the personal cell phones of the Executive Director, President and Vice President, then through a “form letter” and several detailed emails, the self-identified dark web organization issued threats of extortion and also threatened to contact family members of living and deceased cancer clients, donors and community partners.

The staff and Board of Directors took immediate action to notify those affected by the security breach, relaying directives from the FBI, “not to open any suspicious email, link, to not engage with the cyberterrorists, not to respond to ransom demands and report communication from them to the agency and/or law enforcement.” The FBI agents assigned to the agency’s case noted the unusual and pervasive nature of the attack, focusing on the contact made through personal cell phone numbers and noted the sudden surge in ransomware attacks.

On the heels of such cyberterrorism attacks, (the most recent as close as Madison County, in which a ransom was paid to retain control of the government’s server) Executive Director Aimee Fant is working with the FBI in an active investigation and reports that most of the agency’s data is in cloud storage and “will not pay a ransom when all funds raised must instead go to serving families, all stage cancer clients, late stage care/hospice support and preventative screenings.” Fant also reports the agency will replace and rebuild its data, replacing the file-based terminal server with a secure cloud-based system; the agency is still continuing to serve cancer clients and will be running at full capacity by the end of the week.

Fant also emphasizes that Little Red Door of Indianapolis (unaffiliated with and separate from Cancer Services of ECI-Little Red Door) is unaffected by the cyberattack.

Cancer Services of ECI-Little Red Door has been consulting with IT firms and law enforcement to preserve the safety and security of those who receive cancer care services, donors and staff, and extends its immense gratitude to all who have helped in its efforts to gain control of the ransom attack.

Many ask how they can help. How can the community help?

One of the Cancer Services of ECI-Little Red Door’s very own staff members, just days before the attack, learned she has an aggressive form of breast cancer. She is the cheerful, hopeful face who greets cancer clients every day. The agency is calling on the community of ECI to now support her through her cancer journey.

The agency will not raise money to pay the criminals’ ransom, but is always in need of caring volunteers, Boost and Ensure for those experiencing chemotherapy as well as other resources to serve cancer clients, and improve their survivability.

Separately, the agency’s January 21st gala “Community Hope Benefit Wonderland” (Horizon Convention Center) is being rescheduled for September 23rd and will feature Good Morning America Anchor Amy Robach, who learned of her own cancer diagnosis while receiving a routine mammogram on live television.

To report any suspicious ransomware activity, please alert the FBI at (317) 595-4000, or with questions about the local cancer care agency breach, please contact Aimee Fant at aimee@littlereddooreci.org or 765-284-9063.