The Heritage Company, a 61-year-old telemarketing firm that works with nonprofit organizations, sent a letter to its more than 300 employees saying it has lost hundreds of thousands of dollars due to the attack. The letter was obtained by local media.
According to The Heritage Company CEO Sandra Franecke, who penned the letter, the company’s servers were hit by a ransomware attack two months ago, after which it paid an undisclosed ransom to get systems back up and running. “Since then, IT has been doing everything they can to bring all our systems back up, but they still have quite a long way to go,” according to Franecke. “Also, since then, I have been doing my utmost best to keep our doors open, even going as far as paying your wages from my own money to keep us going until we could recoup what we lost due to the cyberattack.”
The Dec. 23 letter told employees to check back on Jan. 2 for a message left on a hotline, which would give “updated information on the restructuring of the company and whether or not we’ve made progress on our system.”
However, according to recent local reports this week, when employees called the hotline on Jan. 2 they were given a vague message: While efforts are being made around recovery post-ransomware attack, more work needs to be done, and “we do not want to prevent you from searching for other employment.”
Neither the company’s website nor its social-media pages make any mention of the incident. Threatpost has reached out to The Heritage Company multiple times for further information about the cause of the cyberattack, the ransom amount and whether the company was able to recover the stolen data, with no response.
Other questions exist around the incident that the letter does not clarify, such as why employees would not be aware beforehand about the ransomware attack, especially given that it may have led to system downtime or disruption; why employees needed to call a hotline on Jan. 2 for further communications regarding their jobs; and whether the company is permanently shut down at this point.
In an additional bizarre twist, Franecke told employees that she had continued giving away holiday gifts and prizes — including seven cruises — even after learning of the cyberattack, because she “didn’t want to disappoint everyone by taking them back.”
I know how confusing this must be, especially after we just gave away 7 away seven cruises just this week, but again, that was money that I spent out of my own personal money to give you the best Christmas gift I possibly could, but that was before our systems were hacked. Afterwards I didn’t want to disappoint everyone by taking them back. We started the Prizes and Bingo the first of November when again I was being told the systems would be fixed that week.
The incident is not the first time over the past year that ransomware attacks have led to employees losing jobs – and even entire businesses being shut down.
In September, for instance, California-based Wood Ranch Medical announced that it would shutter operations in December after the provider was unable to recover patient records on the heels of an August ransomware attack. And Michigan’s Brookside ENT and Hearing Center announced it was closing in April after refusing to pay the ransom to attackers – resulting in the hackers deleting all their patient data.
Allan Liska, a threat intelligence analyst with Recorded Future, told Threatpost that small firms, or those that operate on very small margins, often lack the ability to absorb the loss of paying the ransom and the costs associated with recovery.
“Most of the focus on ransomware attacks has been directed at large organizations, healthcare providers and governments hit with these attacks,” Liska told Threatpost. “But, there are tens of thousands of small businesses that are hit by ransomware every year. The Heritage Company and others that were forced to closed their doors because of ransomware attacks were unfortunate victims of a confluence of two trends: The increase in ransom demand, which is now in the six figures, and the refusal of newer ransomware actors, such as those behind the Maze and MegaCortex ransomware, to negotiate.”