By Diane Strzelecki
It was just a normal January day at an LCMS Northern Illinois District church and school in a quiet suburb—until it wasn’t. The business manager was having problems with the church management software. After some unsuccessful troubleshooting, he called the software company, which used remote access to examine their network.
“The help desk representative got to a certain point and could tell a bunch of files had been corrupted,” he says. “Upon further investigation, she told me to call our IT people. We’d been hacked.”
The business manager and his staff quickly determined that other programs, some individual files, and several shared networks had been corrupted. They were locked out. They soon learned it wasn’t a typical virus or malware: it was a cyber threat known as ransomware.
With ransomware, hackers “cast a net” for data, looking to access computers attached to the Internet. Once they find a way in, the hackers scramble the files with an unbreakable code, rendering them inaccessible to computer owners. The hackers then send a message, or ransom note, demanding payment for “releasing” the files.
After shutting down all the church and school computers, the business manager called on a colleague who had dealt with this issue in the past. First order of business: call the FBI.
“My friend said the FBI might have seen our particular brand of ransomware already and could have an immediate answer for us or could steer us in the right direction,” said the business manager, who called the FBI at once. “They were very helpful and spent a lot of time with us on the phone, walking through some of the various scenarios, and advised us that our next step should be to hire a cybersecurity team.”
After a quick but thorough evaluation of several recommended firms, they hired a cybersecurity team that arrived on site within an hour. “The company we used was nothing short of phenomenal,” notes the pastor. “As soon as they heard it was a church, two of the four technicians who came volunteered their time and the firm gave us a bargain basement price.”
The team worked through the night, scouring each computer in the church and school to determine where the ransomware came in. Fortunately, the church’s installed malware protection software had been able to shut down the ransomware before it could completely lock up all the files and “send” the ransom note.
Once the root source of corruption was determined, the team uncovered the ransom demand. In this case, the hackers demanded 2 bitcoin, which at the time was worth about $3,000, in return for unlocking the church’s files. Bitcoin is purchased through marketplaces called “bitcoin exchanges.” Like any other currency, its value fluctuates daily. Paying in bitcoin is similar to sending cash digitally, but without credit card fees. It’s anonymous, untraceable and unregulated—perfect for ransom.
The board members and staff then prayerfully considered the options before them: negotiate with the criminal enterprise demanding ransom, pay the ransom and get their data back, or ignore the demand and spend even more money to recreate lost data. They settled on the most fiscally responsible solution: pay the ransom.
Through their negotiations, the cybersecurity team was able to reduce the ransom to 1.5 bitcoin, which at the time was valued at $1,700. The team then ran a series of checks to guarantee that the “key” the hackers sent to unlock the files was “clean.” Finally, they evaluated the system carefully before bringing it online once again.
“We learned later there were thousands of small companies and businesses that got hit with the same ransomware that got us,” the pastor says. “When we informed the congregation, there was a general indignation that hackers ‘went after a church’ but really the target is anonymous. They are after data.”
The business manager says although all computers were back up and in use in about three days, the whole process to restore the system took two to three weeks. In the end, with the exception of a few replaceable programs, everything was restored, including all staff files and all the databases for membership and accounting software.
“It was a difficult process to go through, but in the end I think we’ll be better off for it,” he says. “Hopefully other churches can learn from our experience and be better positioned down the road.”
Lessons learned from being hacked
BACK UP YOUR FILES on a daily basis. Cybersecurity experts recommend two levels of backup: one on site, through regular external drive backup software, and one in the cloud. “Make sure you have a good plan in place for that,” notes the business manager. “One of our teachers could have lost 17+ years of lesson planning. You can’t recreate those kinds of files.”
MAKE SURE STAFF LOG OFF THEIR COMPUTERS. In this case, the ransomware had accessed a computer that had been left logged on and connected to the Internet. Once it did so, it was able to access other computers in the network.
LOOK INTO A CYBER INSURANCE RIDER ON YOUR EXISTING POLICY. The business manager notes that the small cost of the additional insurance saved the church and school a lot of money. “A smaller church with a couple of laptops might not need it, but it saved us a lot of money,” he says.
GET A CYBERSECURITY FIRM ON YOUR TEAM. Professional connections made it fairly easy for this ministry to retain a firm, but it’s good to have a resource lined up. The pastor notes that their cybersecurity firm is now retained for future safeguards. “We’ve now arranged annual visits for protocol updates and software updates so we can be protected,” he says.