Throwback Attack: Teamsters refuse to pay after Labor Day cyberattack

Image courtesy: Brett Sayles
Image courtesy: Brett Sayles

As Labor Day arrives once again this year, it is a great time to talk about a ransomware attack that also happened on Labor Day — the attack on the Teamsters Union in 2019. This attack is unique because even though the Teamsters were advised by the FBI to pay the ransom, they declined. This attack also managed to stay out of the public eye until this year.

Who are the Teamsters?

The Teamsters Union, the largest and most diverse union in America, was established in 1903 from two leading team driver associations. They are known for working with freight drivers and warehouse workers but have organized workers in almost every occupation. According to their website, there are nearly 1,900 Teamsters affiliates throughout the United States, Canada and Puerto Rico, and 1.4 million members are public defenders.

The Teamsters organize workers and give them the tools to enforce contracts and receive their properly negotiated benefits and wages. They allow workers’ voices to be heard and help secure their rights.

The details of the attack

The attack itself was essentially the same as any other ransomware attack. The hackers locked down the Teamsters’ system and demanded a seven-figure payment of $2.5 million. In exchange for the money, they said they would send the Teamsters the code to unlock their files.

The Teamsters alerted the FBI of the attack, but the FBI said they couldn’t help identify or pursue the hackers. According to an article from NBC News, one of their sources said the FBI advised the Teamsters to “just pay it.” There were many hacks similar to the Teamsters cyberattack going on around the D.C. area at that time, and the FBI seemed overburdened. The Teamsters initially tried to lower the ransom to $1.1 million, but their insurance company still advised them not to pay.

This question of whether victims of ransomware attacks should just pay the fee and get their systems back up and running is hotly debated amongst experts. And there’s no easy answer.

“From a business sense, if we move on from the morality and the ethics of paying criminals, it makes sense that a business analyst and executive would say, ‘Well, this outage is going to cost me $10 million an hour, and it’s going to be down for a week. This is a no-brainer if my ransom is only $5 million.’ It’s a cost-benefit analysis problem,” said Ron Brash, director of cybersecurity insights at Verve Industrial Protection. “But here’s the thing: Because [many businesses] just pay it, as if it’s like a tax that someone decided — it’s like a toll going over a bridge that you didn’t really want to pay, but you will pay — they’ll just do it and they’ll write it off. It’s a business loss. Great. Shareholders don’t care. The company is still making money. Everything’s wonderful.

“That’s where we start to wind up in problems, where you start to apply the ethics of it. Does it make sense to be paying someone that’s very likely to attack you again. Or are you financing something else that you shouldn’t be financing in another country. That’s another conflict of it. So I think what needs to happen is paying ransom should not be your playbook. That should not be what your go-to plan is when this event occurs.”

In the end, the Teamsters didn’t pay. Instead, they chose to rebuild their systems using archived files and hard copies. According to the NBC News story, 99% of their data has now been restored.

This cyberattack, along with countless others, wasn’t publicized. The public didn’t know anything about it for almost two years, but it was easier to keep these sorts of breaches private before some of the recent, major cyberattacks like SolarWinds and JBS. There are many reasons companies would want to keep cyberattacks under the radar. One of the most obvious is that they don’t want their clients and investors to to think that the company is in trouble.

Evolution of ransomware attacks

In 2019, it was common for hackers to just destroy the stolen information if they didn’t receive the ransom, but attacks have evolved into something more dangerous now. These days, the threat is that the attackers will start releasing stolen information to the public. This affects the targeted company and everyone who does business with them. This newer threat affects companies’ futures as well as their present. For example, when the Visser Precision cyberattack happened in 2020, information about partnerships with Tesla, SpaceX and General Dynamics was leaked to the public.

Ransomware attackers are finding more ways to make their attacks bigger and harder to ignore. In response, legislation is being put into place such as the National Security Memorandum and the cybersecurity executive order. It’s essential that companies take preventive actions to stop ransomware attacks before they start and educate their employees on effective security techniques.

While there are many unreported ransomware attacks daily, there are strategies that can combat these attacks, and more are being developed every day. The Teamsters are a prime example of how to come back from a ransomware attack. Because they had strong backups, they were able to rebuild their systems, without giving in to the demands of the attackers or harming their valuable reputation.




Keep your finger on the pulse of top industry news