September 27, 2022
Jeremy Kirk: An internet search for United Structures of America turns up a photo of a steel beam and a photo of a factory. Its name evokes a feeling of American patriotism and blue collar graft. Its acronym is of course USA. It was a steel fabrication facility near Houston, Texas. But under the two…

Jeremy Kirk: An internet search for United Structures of America turns up a photo of a steel beam and a photo of a factory. Its name evokes a feeling of American patriotism and blue collar graft. Its acronym is of course USA. It was a steel fabrication facility near Houston, Texas. But under the two photos is a red banner that says “permanently closed.” The business was founded in 1980 and provided jobs for more than 400 people.

How does a business that once thrived by manipulating steel to its will have to call it quits? Well, steel – for all of its renowned strength – can’t save you from hackers.

Dain Drake: First, I had a false pretence that we had backups and everything was backed up.

Kirk: This story is about a CEO who tried his best to rescue United Structures of America. He was left with little choice, and it drove him to corners of the internet and even corners of his own town where he had never been before.

Drake: That’s why it was a no brainer to pay the ransom. The ransom was two bitcoins per computer.

Kirk: This is The Ransomware Files. I’m Jeremy Kirk.

In this podcast series, I’m exploring the impact of ransomware, which is one of the greatest crime waves to ever hit the internet. Schools, hospitals and companies have fallen victim to cybercriminals encrypting their data and demanding payment. But technology professionals are fighting back, and they have stories of resilience and fortitude.

Kirk: Dain Drake took over as CEO of United Structures of America when he was just in his early 30s. He was taking over a family business. Well, to put it more accurately, it was a business belonging to families. There were two families who founded it around 1980. Due to retirements and deaths, the business came under the control of their descendants. By that time, it had seven partners in all, which was a somewhat numerous plate of stakeholders. Plus, many of the 450 employees were either family members or extended family members. Here’s Dain.

Drake: So you look at payroll, and you may have 450 employees, but we may only have 30 different sets of DNA.

Kirk: He is mostly joking. As with any family, they had their share of relationship issues.

Drake: My brother in law has a joke: Thanksgiving and Christmas is when you leave your friends and loved ones behind to spend time with your family.

Kirk: United Structures of America designed and fabricated what are called pre-engineered metal building systems. Think airplane hangars and even schools and churches. It is one of the most economical ways to build a structure. Dain even designed a hangar that now stores drones for the U.S. military. When Dain took over the business, it was an opportunity to employ technology to bring it into the modern age.

Drake: We were the second generation and were really trying to bring on technology. Prior to us being involved, there was virtually no technology; the machines and equipment were manual. To be honest, that sounds crazy. But not till I joined the company after leaving university, there wasn’t even an email at the time. This was in 2000. That’s how archaic it was.

Kirk: Dain was looking to see how technology could help him improve the business’s bottom line. That included improvements such as integrating the accounting software with manufacturing to better account for costs and expenses and that also would help understand how revenue flowed through the business on a daily basis – real-time financial data. Dain estimates the business was 10 to 15 years behind in using technology to improve its operations. But there were obstacles. Long-time employees bristled at change.

Drake: We had a culture where people were nostalgic of previous times that were good, but just didn’t want to advance and see the world as it changes. And you just have to change, you have to evolve – new customers, new ways of doing business, new ways of invoicing, new ways of customer service. And it was very difficult.

Kirk: As those improvements were taking place, someone else who wasn’t an employee was inside the systems of United Structures of America. In fact, that person had even created their own administrator accounts. Lurking. Watching. Waiting.

At the end of May 2019, the company and Dain were looking forward to a three-day Memorial Day weekend. When he came back to work, he booted up his computer and saw an odd note.

Drake: It looked like child’s play, didn’t look real. It was just kind of a basic Microsoft font bold letters. It kind of looked like a silly message. But I couldn’t get through the screen. So I couldn’t log in as well. This is pretty serious.

Kirk: He unplugged his machine and disconnected it from the network, hoping that it was just his computer. He went to an adjacent office and looked at the computers there. Same message on the screen. His IT administrator who lived outside of Nashville helped with shutting down the company’s servers in hopes of preventing further infection. Dain put notes on the entrances of buildings warning to not turn on the computers. About half were infected by the ransomware, but half had been turned off before the long weekend.

Drake: And then once I started getting my head wrapped around the issue, then it was deciding how bad this was, and the biggest gut punches when I was focused solely on the PCs, but the CNC equipment in the factory I found out was also hit.

Kirk: CNC stands for computer numerical control. This meant that the factory computerized machinery had come to a full stop. That led to another problem.

Drake: And so that’s when I realized I had 350 men with nothing to do.

Kirk: At that point, Dain had a think. The company had installed a backup system not too long ago. He thought if they could just roll back to backups from a week prior, they’d just lose about a week’s worth of data. So overall for the year, that would amount to around 2% lost data. Not great, but not terrible. But there was bad news about the backups.

Drake: We have the hardware, all the equipment, it was just never initiated.

Kirk: What kind of conversation did you have with your IT manager? Did that conversation go like, well, we’ve got the backups, right? And he’s like, uhhhhhhh.

Drake: He was confident they were installed and working. And by the way, maybe a month or two months prior, we had talked about that, because the backups were a recent purchase and upgrading from a previous backup system. I was asking, how does this work? Let’s back up.

Kirk: Dain patiently waited for a few hours for an answer.

Drake: I don’t know what the exact timing was, but three or four hours later, I asked IT department, how’s the backup going? And total silence.

Kirk: Dain explains what happened.

Drake: They backed up a blank, another blank storage device. So the backup was backing up blank, if that makes sense. It was just directed to the wrong drive. So pretty tragic situation.

Kirk: The gravity and impact of it slowly sunk in.

Drake: It wasn’t till the following day, when I realized I didn’t know what my accounts receivable was. I didn’t know what invoices I had outstanding. And then I realized, if I don’t know what invoices I have outstanding, I don’t know what payables I have, I don’t know who and what I owe. So the books are totally off balance. And that was just not a good situation. Of course, everybody you owe money will call you. Everybody owes you money, doesn’t always work the same way.

Kirk: He needed to understand the company’s finances in order to rebuild and understand the company’s ongoing cash flow needs. United Structures of America did more than $100 million a year in revenue so every missing week of data could represent $2 million or more in business depending on the time of the year. Other members of his team had been in touch with the hackers, who had planted a type of ransomware called Mr. Dec, which appears to be short for Mr. December.

Drake: That’s why it was a no brainer to pay the ransom. The ransom was two bitcoins per computer.

Kirk: At the time, bitcoin was bouncing around the $10,000 mark. So paying to decrypt everything would have been millions of dollars. Dain made a strategic decision.

Drake: So I selected two computers that I thought I could rehabilitate. And one of the computer systems was my accounting system. And so I thought I could back that up. And another system was my production details that were required for the equipment and machinery. Nothing else had that much value.

Kirk: Decision made, Dain needed five things: around $40,000 in cash and four bitcoins.

Dain’s not a technology novice. He was online in the 1990s when the commercial internet took off. He’d built PCs when he was younger and used bulletin board services on a dial-up modem. And by the time of the attack against United Structures of America, he’d known a bit about bitcoin. But he wasn’t sure where to buy it. So he went on the internet.

He landed on a website where people sell their bitcoins directly to other people. They accepted payment for the bitcoins via Western Union wire transfer. This wasn’t the safest option of course. There didn’t appear to be much of a guarantee that the bitcoins would come after the money was wired. The money was going to places like Medellin, Colombia, and Palestine. It was, as Dain says now, pay and pray.

So Dain went to the bank and withdrew $40,000 in $100 bills. That’s around a pound of money if it was weighed, or 400 grams in the metric system.

Kirk: How did that feel? Did you ever have $40,000 in your hands before?

Drake: No, I had never. You see wire transfers and ACH is in bank statements and checks but you are not in ancient time where you carry $40,000 cash.

Kirk: The bank was curious about his withdrawal.

Drake: I do remember – not that I’m quick to lie. But the bank teller asked me what it’s for. And everything was going on. But I realized, and I’m sure it’s a standard banking practice they ask what it’s for. There was a camera there, and I said, I’m buying a car and the person only takes cash. I don’t know why, it just came out so fast and so easy. But the last thing I want to say is I am wiring money to the guy in Medellin, Colombia.

Kirk: Luckily the bitcoin came through without issue. He received the bitcoins and then transferred them to the hacker. But there was another problem. The value of bitcoins had gone up overnight, so he didn’t get a whole four bitcoins back from those transfers. After he sent them off to the hacker, the hacker wasn’t happy. The person wanted a full four bitcoins. Dain had to come up with more bitcoin to make that last bitcoin a whole one rather than a fraction of it.

Drake: I did not have the full one bitcoin I needed to give to the hacker. So I had to go to a bitcoin ATM to subsidize the rest, which was fine. I remember being at a very shady store putting $20 bills into this little tiny ATM that’s the size of a footlocker thinking I have no idea how this works.

Kirk: There were two bitcoin ATMs in Dain’s area. One was at a large bus stop in downtown Houston. But for personal safety reasons, Dain didn’t think it was a great idea to take a bunch of cash there and feed it into a bitcoin ATM. So he chose the other option.

Drake: It happened to be an adult novelty store. I went and it was the South Main Love Boutique. I’ll remember this till the day I die.

Kirk: He drove there. It was 10 AM on a Sunday morning. It was closed. Dain was desperate. The hacker wasn’t going to wait.

Drake: I needed to get the bitcoin quickly to the person. There’s a phone number on the door and I called the number. The guy answers, “Hello,” and I said is this the owner of the South Main and he’s like, Yeah, I just I need to get into your store. He said, “I’ve never had anybody call me ten o’clock in the morning on a Sunday.”

Kirk: The owner showed up and had his breakfast while Dain was at the ATM. The owner was curious what was going on.

Drake: And he asked me, he said, “Are you in trouble?” I said, “I mean personally no but yeah, I’m in a bad situation. I need a bitcoin right now.” He said okay, I figured that’s what it was. You’re not here for whatever else he sells.

Kirk: The transaction took a while, so Dain chatted with the owner of the love boutique. Then Dain’s friend called, who was a criminal defense attorney.

Drake: He says, “Hey, I don’t mean to get your business but your wife called – she’s a little concerned. Are you in trouble? Do you need anything?” I said no, we’ll talk about later. You want to have dinner tonight? And he said, sure. He’s like, “where are you?” And I said, “I’m at the South Main Love Boutique right now.” He said that’s not what I expected. I said, I’ll tell you all about it.

Kirk: The owner of the boutique was sympathetic.

Drake: And so I’m sitting there talking with the proprietor the whole time, and I gave him the whole story what was going on and he was interested. He had given me a bunch of CBD products for my issues.

Kirk: CBD stands for cannabidiol [can-uh-bi-dial] and it is the active ingredient in cannabis that has therapeutic uses. It’s not the stuff that sends you in the clouds.

Drake: He gave me a bunch of gummy bears for all my sorrows.

Kirk: Three or four hours later, the hacker sent the decryption keys.

Drake: And it worked. So what I got really helped me start piecing back things together. I got skeletons for the financial system. I got skeletons of drawings and schematics.

Kirk: But even with the decryption key, not everything worked out. He couldn’t recover the account receivables and outstanding invoices.

Drake: The information I had gotten was more of a balance sheet and past records not current situation of the company’s finances, which historically was good, but it just wasn’t. I needed to know the snapshot of again, what I owe to my vendors and what my customers owed to me. And that was very difficult. So I have no idea, I can’t even forecast what I left on the table by not trying to figure out what was invoiced. The way I was trying to do is going through old paper receipts of trucking bill of ladings to find out what I may have shipped to various people, but it didn’t have a value of that shipment. So because that was destroyed, all that was held electronically.

Kirk: Dain didn’t have cyber insurance, but the company hired consultants to help rebuild systems and also to figure out how the hackers infiltrated the network. United Structures of America did have contracted IT server support, and it ran antivirus software on machines. But none of that was enough to stop some of the well-known vectors for attack from being used. The incident response team figured out within about an hour a likely explanation for how the hackers came in.

Drake: The hack came in through my IT administrator’s personal laptop that he had open through remote desktop into the company’s servers. And his password was the mailing address of the company.

Kirk: A weak password and the notorious RDP. RDP stands for remote desktop protocol. It’s a protocol created by Microsoft that’s used for remotely accessing systems. It’s also one of the most favorite ways attackers get access to an organization’s systems.

A common method is to start by scanning the internet for RDP gateways. Then, there are various ways to break in. Exploiting software vulnerabilities in remote access software is another. Also, ransomware actors can buy login credentials for RDP gateways from darkweb vendors known as initial access brokers. Those type of hackers often just specialize in stealing logging credentials, often by leveraging large botnets.

Another way to get into an RDP system is to start guessing what might be the right combination of username and password. The security situation is even riskier if the RDP account hasn’t been set up with multifactor authentication, or MFA. MFA requires entering a time-sensitive passcode in addition to the username and password. Although there are ways to get around MFA, it’s still the best way to stop most attempts at recycling usernames and passwords.

Also, the administrator’s password, which was the mailing address of the company, was a dubious choice. The advice is to use complex passwords that are nearly impossible to guess and use different ones for every type of services. Password managers can keep all of that neatly organized. Strong passwords combined with multifactor authentication can thwart most attempts at account takeovers.

Dain says to this day, he’s still friends with that IT administrator and there were no hard feelings.

Drake: He was a homegrown IT guy and maybe if he was more classically trained, he would have had a different perspective. And do what’s right, not what he understood if I don’t know if that makes sense. But he did what he understood was best, not necessarily what was best. I’m sure it crosses his mind regularly.

Kirk: But the administrator’s poor password was far from the only IT security problem at United Structures of America.

Drake: We had older operating systems; the entire company was based on a Windows 2003 operating system, which apparently was not being serviced anymore by Microsoft. And as a result, hackers knew how to find it and knew how to penetrate it.

Kirk: I looked at Microsoft’s website and found that mainstream support for Windows Server 2003 ended 12 years ago. Microsoft did offer extended support through July 2015, but it did cost a lot of money. But after that month, Windows Server 2003, for most people, no longer received any security updates. That meant that organizations continuing to run it were at great risk. Dain says he now realizes how important it is to keep operating system up to date even if the licensing costs are high.

Drake: Keeping up to date your server and all your licences, it can be very pricey. And depending on what you’re doing as a company, you don’t gain more function with that. But I realize now that you’re gaining security, and security is again a function that you don’t know, you’re using day in day out.

Kirk: As mentioned at the beginning of this episode, United Structures of America eventually filed for bankruptcy. Ransomware can definitely be an existential threat to a company. But it also can be a catalyst, just another bad thing in a string of bad things, and that’s the role that ransomware played in this story.

Dain wasn’t happy at the company despite it being a family business that he’d literally grown up around. Dain says the previous five years had been rough, and the environment at the business wasn’t healthy.

Drake: It just kind of exposed issues more. And so I just made the decision that look I’ve got to make a decision. And I don’t want to fight here anymore.

Kirk: Shortly after the attack, Dain decided to wind the company down. It fabricated its last building in November 2019. At that point, there were only about 15 employees. When it ended, Dain was actually using a welding torch to finish the last building.

The company didn’t file for bankruptcy until early this year. Dain says he thought the company had been successfully shut down, but there were some unforeseen issues that forced it into bankruptcy. Some of those issue are still in court today.

Kirk: Dain now runs his own steel design business called DRD Designs. Many United Structures of America customers came back to him for more work after he moved on. He didn’t lose relationships or friends.

Drake: I’m in a lot better place than I was, though, for the previous 10 years. So it sounds strange, but I’m working for myself. And I have only me to blame or meet a reward, if that makes sense, when things go well, so I’m in a much happier position where I’m not subject by the successes or failures of other people that I may be financially tied with. And so it’s actually I’m in a much better place now. It wasn’t fun getting to this place. But I think it made me wiser all the less.

Kirk: But he’s acutely aware now of the importance of information security. And Dain has been very public about what his business went through. So far, he is the only person or organization The Ransomware Files has spoken with who paid a ransom and explained the reasons why. Dain does this because he wants other organizations to be aware of the risks and how it can devastate a business. How it is important to use current and maintained operating systems. How important it is to have backups and, as we heard, test to ensure those backups are not just backing up to something that doesn’t exist. How important it is to have good password hygiene.

Drake: Information technology and how you protect that is equal among all the priorities in the business. That is the blood that runs through the operation and protecting that it’s just key. And I didn’t have that perspective until after it happened. Sometimes we have a hierarchy of departments that is a faction of the business that runs through every department. And it is absolutely essential in a security standpoint, and there should be no compromise.

Kirk: This episode of The Ransomware Files was written, researched, edited and produced by me, Jeremy Kirk. The production coordinator is Rashmi Ramesh. The Ransomware Files theme song and other original music in this episode is by Chris Gilbert of Ordinary Weirdos Records.

If you enjoyed this episode of The Ransomware Files, please share it and leave a review. It will help keep this project going. The series has its own Twitter handle @ransomwarefiles, which tweets news and happenings about ransomware. I’m on Twitter at jeremy_kirk. If you would like to participate in this project or have an idea for it, please get in touch. The project is looking for other people, organizations and companies that can share their unique experiences for the benefit of all until ransomware, hopefully, becomes a thing of the past.

Source