On a Friday morning in late April, Cathy Kowalczyk, part of the family that owns Willoway Nurseries, rushed into the company’s Huron, OH, location, not in the least sleepy despite the early hour. Her IT team member, Dan White, had called her less than 15 minutes earlier saying a ransomware attack was underway. He happened to log on at 4:30 a.m. and realized what was happening. He told her he was shutting down every system as quickly as possible. But it had been underway for a couple hours already.
As she came into the offices, she was shocked to see that the cyber criminals had managed to print out their “offer” to help retrieve Willoway’s data. The offer was everywhere, even on a sheet of paper on the copier tray. A physical ransom note for a digital crime.
The attack took place right in the middle of the prime shipping season. Garden centers across the country needed their hydrangeas, boxwoods, and other plants during the most profitable time of year — the weeks leading up to Mother’s Day.
Modern growers have a lot in common with their ancestors millennia ago. Crops, even the ornamental kind, still need to be planted and cultivated before they mature enough to be useful.
But like any other business, a modern nursery relies on technology to operate. Each treatment each plant receives is stored online, as are purchase orders. At Willoway, machines help make life easier for workers, like the watering station after cuttings are placed in their pots, or the one that adds rice hull mulch to spinning pots to ensure an even application. Sensors connected to weather stations automatically open and close the greenhouse panels to ensure a healthy environment for the plants, as well as run the lighting system, which turns on only when the plants need extra light.
It turns out a number of businesses in that part of rural Ohio had been targeted. Yet despite the sophistication of the attack, over the next few days Willoway continued operating, meeting their customer obligations without paying a dime to the extortionists.
Have a Plan in Place
“We did have a Disaster Recovery Plan (DRP), which was helpful,” White says of the cyberattack at Willoway. “Most impactful, though, was a good working relationship with our managed services provider. I reached out to them at 4:30 a.m. and we immediately began remediation.”
The DRP, which White developed using an online template, provided a structure for how to respond and what systems to restore in what order, and served as an offline list of key vendors to contact.
“The response could not have gone much better. We were attacked on a Friday morning and our systems were crippled, yet we were back online and shipping on Sunday,” White says. “Teamwork was a huge part of the successful response; we pressed tech-savvy employees into service to aid in the IT recovery. The biggest lesson was to not sacrifice security for convenience.”
Willoway was also saved by an “air gapped” secondary backup, White says.
“Most of our computers were infected with ransomware. Our backups were deleted,” White says. “But our backup of the backups were not found, and we were able to restore
Willoway also worked quickly with the authorities. The CFO contacted the police, who in turn contacted the FBI. Due to the sophistication of the attack, the FBI came onsite to collect evidence and interview the team about the attack.
When it comes to offering advice for other growers, White says it’s important to have a multi-layered security plan (firewall, anti-virus, anti-malware, intrusion detection, multifactor authentication, and security training).
“Have experts on standby to assist, and make sure you have a current response plan with them,” he says of planning in advance. “In the middle of an attack/recovery is not the time for a security firm to be learning how your business and systems work.”
Redundancy Is a Good Thing
Coincidentally, another Ohio-based company that asked not to be named for this article experienced a similar but unrelated attack right around the same time. This company did not have a disaster recovery plan in place, and once the breach hit, it was all hands on deck for support while the team went back to Excel sheets and clipboards to execute daily business.
The biggest lesson learned? Have a disaster recovery plan in place, not just for a cyber-attack, but for things like power failure, water failure, workforce strike, etc. The company also recommended training staff on recognizing potential cyber threats coming through their e-mail.
“It would be easy to go overboard on preparation, but I think it’s important to at least sit down with your key management team and go through some what-if scenarios,” a spokesperson for the company says. “Create a template/three-ring binder that you can refer to and evaluate the plan on an annual basis.”
The spokesperson, who has previous experience as a small aircraft pilot, likens the process to flight training, which creates a mentality of redundancy.
“It makes you think through the process of ‘what if this happens, what if that happens; what will I look at as a backup to maintain safe operations?’” the spokesperson says. “The training forces you to always be assessing and re-assessing, so when something does happen, you can stay calm, assess the situation, evaluate the best solution, and above all, be decisive.”
The company spokesperson offers additional advice:
- “As senior management, it’s your responsibility to spend the time with your IT department or IT firm if you outsource, and make sure there is a proper backup isolated from the cloud/internet that you can reload all of your data and software. And don’t forget about all the software that is specific to a single department and not used by the entire company. Have an inventory of all your software and licensing. Many of us have separate production software from our business, versus sales software.”
- “Make sure there is a plan in place if there is an attack: what are the actionable items, what are the priorities? For us, our phone system was part of the network and was knocked out as well. You don’t necessarily think about that, but it shut us down from the outside world except for cell phones.”
- “Have a backup copy of all your historical financial data.”
- “If your software is on your own network, not cloud-based, what will you do if they shut down or encrypt your software or your server? Do you have a backup copy of all your data, software, and the licensing? If not, you’re buying new software and starting over on all the customization to your software.”
- “Buy business interruption insurance or cyber insurance. This is a big deal, especially if you are offline in the middle of peak shipping season. It’s easy to be insurance poor, but talk to your insurance provider about what is best for you and your business. And know that if/when you get attacked, it’s going to be expensive and you will lose productivity, even if you have a solid backup plan.”
- “Most importantly, work with your IT department, insurance provider, and management team to have a plan in place,” the spokesperson says.