Clicking the Hacker's "Ransom Letter" Triggers Threatening Messages
Details on Data Recovery Costs and Methods Included
Manufacturers, Busy with Production and Neglecting Security, Are the Easiest Targets
Energy Companies' Factory Valves Targeted, Entire Nuclear Maintenance Data Stolen
In December of last year, at a home appliance parts manufacturing plant in Gyeonggi Province, operations were running nonstop to meet export volumes for the new year. However, just one week before Christmas, this routine came to a sudden halt. When an employee arrived at the quiet office and turned on the computer, an unfamiliar icon titled 'ick43b8w-readme' appeared on the desktop. Every file he routinely opened for work now had the '.ick43b8w' extension attached. For example, the Excel file 'FinancialStatement.xlsx' had been renamed to 'FinancialStatement.xlsx.ick43b8w'. The same was true for all files on other employees' computers.
▲Work files infected with ransomware have the extension '.ick43b8w' attached. Excel files such as 'SettlementData.xlsx' have been renamed to 'SettlementData.xlsx.ick43b8w'. (Photo by the affected company)
He felt his heart sink. The company CEO rushed to the scene after receiving the call. All the employees gathered, but with no other options, they clicked on the icon, not knowing who had installed it. The message was in English. The title read, 'Welcome. Again.' It was the hacking attack they had only heard about in stories.
The warning continued: "Your files have been encrypted and are currently unusable. Only we possess the recovery key. Our goal is to make a profit. We don't care if you don't comply with our demands, but you will lose both time and data." The company's security officer described it as "the feeling of making direct eye contact with a burglar inside your own home."
In the cybersecurity industry, ransom notes left by hackers are often called 'love letters.' The 'ick43b8w' prefix before 'readme' is a serial number assigned by the hacker to distinguish between attack targets. By locking the files in this way, the hacker held the data hostage, preventing anyone from accessing it until a ransom was paid.
▲A text file titled 'ick43b8w-readme' on the desktop of a computer infected with ransomware. It is a ransom note left by hackers demanding payment to recover encrypted data. The note informs the victim company that it has been infected with ransomware and specifies the cost and method for data restoration. (Photo by the victim company)
Factory Paralyzed for Three Months
From that day forward, all operations at the factory had to be performed manually. There was no way to know how much inventory was available, what parts had been ordered, or when those parts would arrive, as all historical data was inaccessible. Each manager had to sift through years of emails exchanged with suppliers and partners to reconstruct the data. Even the company messenger was down, further delaying confirmation times. When additional orders came in, they had no choice but to decline them.
The company CEO said, "Above all, keeping the employees silent was the most important thing. As a KOSDAQ-listed company, it was critical that word of the hacking did not get out." He added, "I heard there was a team that specializes in negotiating with hackers on behalf of companies, so I contacted them."
The hackers demanded 14 Bitcoins, which was about 2 billion won at the time. The company agonized over whether to pay, missing the one-week deadline set by the hackers. Then, the company received a phone call. The hacker used a synthesized voice to say, "Since you ignored our warning, we will begin a second attack." The CEO explained, "After the first attack, even the new files we created were locked, and the ransom was raised to 20 Bitcoins. We had no choice but to pay that enormous sum." As a result, the company suffered losses totaling 8 billion won over the three months of slowed operations.
'Maximum Effect at Minimum Cost': Targeting Small and Medium Manufacturers
The easiest targets for hackers using ransomware are typically companies in the manufacturing sector. According to ransomware incident statistics surveyed last year by SK Shieldus, 40% of all victims were manufacturers. This was followed by trade, communications, and transportation at 16.7%, IT, web, and telecommunications at 15%, construction at 14.4%, and services at 13.8%. Hackers favor manufacturing companies because they can achieve maximum profit with minimal attack costs.
Cybersecurity experts say that small and medium-sized factories with annual sales between 50 and 100 billion won are at the highest risk. Many of these companies are too busy with production to pay attention to security. However, since a single shutdown can threaten the company's very survival, hackers find these companies the easiest to extort money from.
An energy company faced three attempted ransomware attacks over five months starting in January of this year. The attacks targeted the factory's valve control system. If hackers had manipulated the valves at will, other business sites supplied by this company would have immediately faced energy supply disruptions. Fortunately, the attacks were blocked early, so there was no actual damage, but if word had gotten out, clients would have surely come rushing in with concerns.
A company representative said, "After the incident, a company-wide notice was issued instructing everyone not to say a word about it. Now, after the end of each workday, all computers are shut down simultaneously, and the next morning, they are restarted along with a factory-wide reset. Every employee now resets their computer every day."
Two years ago, a nuclear power company in South Korea had all of its nuclear power plant maintenance data stolen by hackers. At the time, the ransom demanded was only $200 (about 270,000 won). The actual amount of Bitcoin transferred by the company was only a fraction of a coin. According to a cybersecurity expert who requested anonymity, "It is highly likely that the hacker was after data rather than money. Such information is being sold on the dark web where hacked data is traded. In the worst-case scenario, not only could nuclear-related technology be leaked, but the safety of all nuclear power plants in the country could be at risk."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
![A Sudden 'Love Letter' Leaves Hearts Sinking... Three Months of Paralyzed Operations and 8 Billion Won in Losses, All Kept Quiet [Concealment ②]](https://cphoto.asiae.co.kr/listimglink/1/2025052510463071952_1748137898.jpg)

