“The attack brought us closer”
Office supply store Schäfer Shop came to a grinding halt after falling victim to a cyber attack. Fabian Pfütze and Andreas Dietz tell us how they and their teams got business back up and running.
The attackers hit shortly before Christmas 2022, stopping German office supply store Schäfer Shop from doing business. Instead, the company had to focus all its energy on responding to the attack and surviving it.
We talked to Fabian Pfütze, IT director at Schäfer Shop, and Andreas Dietz, who is in charge of finance, about the incident, how they managed the situation, what lessons they learned, and what advice they have for other companies.
When did you realise that something was wrong and that you were dealing with a cyber attack?
Fabian Pfütze: December 23, 2022 was my first day of vacation and I was in the middle of Christmas preparations when my team informed me about our IT systems behaving strangely. My immediate thought was that this could well be a security incident – something for which I had the utmost respect seeing as I am responsible for the company’s IT environment.
An analysis of the problem quickly confirmed our suspicions and by around 11 a.m. we were certain that we were dealing with a ransomware attack. A text file was found on our servers with a message from the attacker that our systems had been encrypted and data had been leaked. A link then took you to the attacker's darknet site with further instructions on the ransom demand and payment options.
As an immediate measure, we cut our internet connection and switched everything offline.
What happened next? What steps did you take?
Andreas Dietz: You can't go into a state of shock. Decisive and targeted responses are vital within the first few minutes and hours.
By a stroke of luck, we had taken out insurance against cyber risks around three or four years previously – in fact, we were one of the first companies to do so. We contacted the insurance company and asked them for advice on what to do. Their experts then helped us, for example by telling us who we needed to contact. This took us into a relatively orderly process very quickly.
First, we informed the State Criminal Police Office and the Data Protection Authority. At the same time, we called the contact list of forensic experts that the insurance company had given us. Since the time around Christmas is basically the peak season for cyber attacks, it took us half a day to find a team of experts who were able to start work that evening. We then brought in a second team on Christmas Eve.
How did you organise yourself?
Andreas Dietz: We set up a task force and assigned tasks among ourselves. Fabian took care of the technical issues and I concentrated on the administrative issues, such as communication with the Data Protection Authority and informing our employees. On December 23, hardly anyone was in the building, but there are functions like accounting that work right up until the end of the year and they needed to be informed.
Fabian Pfütze: The communication channels were a challenge. Imagine sitting at your desk and basically nothing works anymore, no address book, so you start looking through old emails for your colleagues' mobile phone numbers. We then set the old phone chain in motion and used text messages to get word out to staff.
Andreas Dietz: We were open and transparent from day one, telling staff in the text message chain on Christmas Eve that we were dealing with a cyber security incident.
Tell us what the forensic experts did.
Original text file containing the cybercriminal’s blackmail letter.
Fabian Pfütze: The first step is to find out what you’re dealing with. The forensic experts go through each system with a fine-toothed comb, scanning the entire system landscape using special software to identify anomalies and breached or contaminated areas.
The following day we had a fairly clear picture of the situation. This is important because you cannot put a system back online unless you know with a very high degree of probability that the attackers are no longer in the system and cannot get back in through a back door.
Andreas Dietz: And we spent around two to three days – some of it manual work – analysing the leaked data for its criticality, to see whether it contained data that was in particular need of protection, such as our customers’ personal data or that relating to our employees – applications or terminations, for instance. On this basis, we were then able to estimate how high the risk was and weigh it up against the ransom demand. In our case, a relatively small amount of personal data had been lost.
Did you ever consider paying the ransom and how did you communicate with the blackmailer?
Andreas Dietz: The blackmailer had given us a deadline of seven days. We had the support of a professional negotiator for communication, who was able to extend the deadline by another two days so that we could get a better picture of the situation and better assess the risk.
Even if you agree to the demands, there is no guarantee that your blackmailer won’t still make the data public. First and foremost, you cannot trust that the decryption code actually works.
Fabian Pfütze: We were pretty confident in being able to restore our systems from our backup copies. Our backup concept is completely separate from the production environment and we always back up on magnetic tapes that are physically removed from the device and then stored in a safe. We were therefore sure that we did not need the decryption code. Even if it worked, it would take a long time for the systems to be decrypted again and even then, they would not run error-free as some errors would always remain. In addition, you would have to reinstall the entire IT system landscape anyway because you have to assume that remnants of the malware are still there.
When were your systems back online?
Desk for “green zone”
Fabian Pfütze: Our goal was to be able to serve our customers again from January 2 and to run our business as normally as possible – and we succeeded. To do that, we first had to get the most important systems up and running so that we could make payments, for example.
Our concept was as follows: we introduced a "red zone" – the "contaminated" and completely isolated zone, in which any interaction could only take place in a very controlled manner. Then we had a "blue zone", our internet zone. Here we set up internet cafes in our buildings, which our employees always went to when they had something to do with the outside world, since they otherwise worked in the isolated zone.
And finally we started to set up the "green zone", i.e. the completely new system landscape. Each of the more than 1,000 end devices in the building had to be set up again, every server, the building's locking system, the telephone server, everything without exception had to be set up again, and that takes time.
Andreas Dietz: A huge compliment to the entire IT team. Dealing with such an incident within ten days so that we were back up and running on January 2 – albeit with restrictions – was a great achievement. We know from other companies that we contacted relatively early on that in comparable cases, operations are usually completely shut down for three to eight weeks.
For security reasons, the IT department kept “used” and “cleaned” USB sticks ready at a specially set up exchange point. Employees had to enter their name and the date and sign the list provided.
You dealt with the incident very openly and transparently. Why are you convinced that this was the right approach?
Andreas Dietz: It has brought us closer together. Everyone wanted to help to get through the difficult time together and fight against the unknown enemy.
And externally, exchanging information with other affected people helped us. Especially in the first phase, you ask yourself: "Why us?" A former colleague, whose company was also targeted by a hacker attack a few years ago, told me that it had helped him at the time to exchange information with others. That also prompted me to deal with it openly. There is no more stigma – especially when you look at who is affected by IT incidents or falls prey to cyber security attacks these days. It is much better to be proactive and share the knowledge you have to help others avoid damage or at least keep it to a minimum.
Fabian Pfütze: The question is not whether you will be attacked, but when and how much damage will be done. I have spoken to many IT security managers of large companies that are our customers and explained what happened to us, what data was affected and how our damage might affect their own systems. I have received very positive feedback. You are then perceived as authentic and it shows what the culture is like in the company.
How did you change your security measures after the incident?
Multifactor authentication was introduced as a further security measure.
Fabian Pfütze: At the time of the incident, we were already in the process of upgrading our technology, for example setting up a Security Operations Center (SOC) team that would work around the clock. We then revised many guidelines and I can tell you: it has never been so easy to get a 15-character password policy approved. We have also set up multi-factor authentication for all access to the company network. And we have invested a lot in training our employees to raise their awareness, for example of phishing emails.
What advice do you have for other companies?
Andreas Dietz: Think about what you would do in such a situation beforehand. Then you at least have a kind of roadmap that you can follow.
Fabian Pfütze: It is also helpful to build up a network of contacts, i.e. which forensic expert can I call, which negotiation professional, which legal advice – in other words, to really think about what you have to do in an emergency. Sit down with your team and say: "Okay, from now on everything is offline, what do we do now?" Usually, you look at each other and say: "good question".
If you go through this from time to time, you will get a better understanding of how processes work in an emergency.
About Schäfer Shop
Schäfer Shop GmbH is a mail order company for office equipment, office supplies and warehouse equipment. In addition to office furniture, office equipment and office technology, Schäfer Shop offers storage racks, tools as well as paper, office materials and stationery. The product range currently comprises over 85,000 items.
Markus Dahlem oversees the bank's global technology division in Group Communications. He is convinced that, in view of increasing threats, we must all take a closer look at how we can contribute to greater security.