When the Unthinkable Happens: Contractor Shares Lessons Learned from a Ransomware Attack

Recent reports have shown that the construction industry is among the most targeted for ransomware attacks. In fact, contractors of all types and sizes are among the leading businesses impacted by targeted data and cybersecurity threats like phishing scams, malware, wire and electronic fraud, and more. Given that the average cost of a data breach in the United States is around $9 million, doing business without the proper technology and data protections in place can be a risky venture.

Although large companies that generate more revenue tend to attract more hackers, small companies are also appealing to hackers because they usually do not have the most modern technologies or robust construction cybersecurity protocols in place. Recent work on cybersecurity impacts on contractors shows that while the industry once enjoyed relatively few attacks, this is no longer the case—and it's likely to continue to get worse. 

E.R. Snell Contractor, Inc. is a premier contractor for road and bridge construction, with a focus on concrete and asphalt construction of roads, bridges, and culverts. In 2020, before moving to the cloud, it was the target of a ransomware attack.

E.R. Snell’s vice president of technology, Justin Snell, recently spoke with Trimble Viewpoint to share the company’s story about the attack for the benefit of other contractors, and the changes made to protect against cyber risks. Here is a segment of that discussion:

Snell: During the Labor Day weekend, we started receiving alerts that our antivirus software had been disabled so we immediately went into the office to determine what was going on. Upon closer inspection, we realized that all of our files were being encrypted and our servers had been hacked. The next morning, I was on the phone with the FBI to report the incident.

At the time of the attack, only 10% of our data was hosted in the cloud with the majority of data hosted on-premise. Luckily, both our cloud and on-prem servers were backed up daily so that we could access our data in case of an emergency. However, the hackers had deleted almost all of the cloud backups, likely to provide even more leverage for us to pay the ransom.

The hackers got in via an employee’s email account and had placed a key-logger on the on-prem mail server to gain administrative access. Through the chat service, they then demanded a ransomware payment through bitcoin.

Snell: In the first 24 hours we hired an incident response team and attorney. Fortunately, we had cybersecurity insurance, so we were able to quickly file a claim. We then engaged Trimble Viewpoint to help move our Vista ERP to the cloud and to the connected Trimble Construction One suite of solutions. They jumped into action immediately, helping to move our data and getting everything set up so we could continue to work. All of our critical services were back up within a week.

We also set up multi-factor authentication on all critical accounts, including email. During these processes, the backups being held for ransom were recovered so we were able to ignore the ransom demands.

Snell: Technology evolves so fast. You have to not only stay ahead of the competition, but stay ahead of threat actors. If anything, this was a sobering experience of understanding the threats, which are growing more severe by the day.

In addition to moving to the cloud, create a written disaster recovery plan and regularly review and test it. We conduct an annual in-depth review of our plan and run monthly and quarterly reviews and DR tests where we simulate all of our servers going down and restoring the backups.

Education is also key. Everyone in your company should be aware of the importance of data security and be on the lookout for threats when they open every email, visit every website and perform any action on their computing devices. Host training sessions and show employees exactly what they should look for to prevent an attack.

All high-security logins should require employees to verify their identities in more than one way with multi-factor authentication. Employees should use an entire phrase when creating a password and include spaces between a minimum of four words. Adding in characters, numbers and case-sensitive words will make it even more complicated and thus harder to crack.

Looking back at why we were targeted, it makes perfect sense that a construction company may not have the best security protocols in place but today, we do.