Norm Hullinger was heading into work one day in October when he got a call that his company’s network was acting up. It was no simple glitch. Hackers had started freezing the data of Alphabroder, a sportswear distributor. They wanted more than $3 million to restore it. Grappling with whether to pay, Hullinger, the chief executive officer, embarked on a journey that’s increasingly familiar to law firms, hospitals, and cities that have found themselves on the other end of negotiations with ransomware criminals.
Even as experts raise alarms about the spread and increasing sophistication of such attacks, incursions on companies such as Hullinger’s have remained almost entirely out of the public view. That’s likely because a private equity firm, Littlejohn & Co., owns the business. Since private equity firms rely on their reputations as savvy investors to woo pension funds, wealthy individuals, and other clients, they aren’t keen to publicly admit that they or one of their companies has been hit by a ransomware attack.
“Most of the time with ransomware attacks, private equity firms don’t report it,” says Dan Burke, who heads the national cyber practice at insurance brokerage Woodruff Sawyer. “There’s under-reporting due to reputational damage.”
According to more than a dozen experts in cybersecurity, private equity, and insurance, ransomware attackers see the companies in private equity portfolios as rich targets. After all, the owners have deep pockets. At the same time, they’ve generally bought the companies with the goal of raising profits, and this often results in lean cybersecurity operations. Best of all for the attackers, these people say, targets aren’t hard to find: Private equity firms themselves have detailed disclosure requirements, and when they acquire a company, they often announce it with a press release.
“You’re telling attackers you’re going to inject a large amount of capital into a company that presumably has valuable intellectual property,” says Mike O’Malley, vice president at Radware, a cybersecurity firm, of the buyout announcements. “It’s like giving them a road map to the pot of gold.”
There are no statistics to show that private equity companies are hit more often than others. But the industry has been victim of a growing number of targeted and increasingly sophisticated attacks. “The private equity community as a whole is very concerned,” says Gregory Garrett, head of cybersecurity at BDO Digital, a technology advisory firm. He recently gave a talk on the subject to about 40 industry executives at a large private equity firm on New York’s Park Avenue that he declined to identify. “The major banks have invested an extraordinary amount of money in hardware, software, and training,” he says. “The private equity firms have not.”
Ransomware attackers are moving away from the scattershot “spray and pray” attacks on many organizations at once and focusing more on “big game” that promise bigger paydays, according to ransomware experts. Attackers may explore company networks for weeks or months before encrypting data. They’ve also started threatening to make company data public unless payments are made, either to bolster the ransom demand or as a second part of the scam.
These criminal rings also appear to search out operational details, such as who approves large payments or names of key employees, that can help them penetrate a network—just the sorts of specifics that private equity firms, as registered investment advisers, are required to file. Some experts who respond to ransomware crises say they’ve seen attacks apparently triggered by acquisition announcements. Austin Berglas of the cybersecurity firm BlueVoyant says he’s helped respond in recent months to attacks on five private equity portfolio companies, including ones focused on cosmetics, e-commerce, technology, and finance.
While the FBI strongly advises against paying ransom, many companies do it anyway—perhaps 50% to 85% of those who call in experts to handle the attacks, according to several of the experts, including ones summoned to negotiate with attackers.
Many private equity companies are paying for cyber insurance policies that cover ransomware attacks, which can include ransom payments and the cost of restoring operations. Insurance brokerage Aon Plc has arranged cyber insurance policies for the portfolio companies of more than 20 private equity firms, says Christian Hoffman, an executive at the firm. To get coverage, private equity firms have to show their cyber defenses are strong, Hoffman says. “Private equity firms are taking cyber and security very seriously,” he says.
Some of the attacks have delayed or killed private equity deals. Aon executive Eric Friedberg described two $1 billion dollar-plus acquisitions that were delayed for a month or more by ransomware attacks while the private equity firms evaluated the cyber-security risks of the companies they were selling. Two years ago, an e-commerce company that had been in business for several years was close to being acquired by a private equity firm when ransomware hackers struck. The attack spanned five days. Spooked by the computer security lapses the attack had exposed, the private equity suitors withdrew their buyout offer, according to Chris Duvall, a senior director at the Chertoff Group, who declined to identify the firms.
“Regardless of whether you pay or not, you have to rebuild your network,” says Charles Carmakal, a FireEye vice president who leads a team that has responded to more than 1,000 security breaches. “You have to remove back doors. If an attacker wanted, they could come back in right away and redeploy ransomware.”
Not all ransomware attacks end up with companies resuming normal operations. Last August, Denver-based printing firm Colorado Timberline announced on its Facebook page that its computers had been infected. The attack came two years after private equity firms Frontenac and Charter Oak Equity acquired the company. “We have recently been plagued by several IT events, unfortunately we were unable to overcome the most recent ransomware attack,” its website stated.
The company, with estimated revenues of about $23 million and 100 employees, closed. Frontenac, which declined to comment, and Charter Oak Equity, which did not respond to requests for comment, were left to share proceeds of a liquidation sale with other stakeholders.
Details about the attack on Alphabroder emerged after Hullinger discussed it at a November industry conference. Video of his comments was posted on YouTube. In those remarks, he said he understood within hours that his company’s network, which processes some 40,000 orders a day, faced a ransomware attack. The firm’s cyberinsurer introduced forensics experts and negotiators who were on the job within hours. (Alphabroder and Littlejohn declined to comment, as did Hullinger.)
The negotiators managed to cut the Russian-speaking criminals’ initial $3.2 million ransom roughly in half. “I’m not the type of person where, if someone in the street says ‘Give me your wallet,’ I’m going to hand it over,” Hullinger told conference participants. But he agreed to pay. The day after the attack, Alphabroder received a decryption key. The company was back working at full speed two days after the attack.