The monochromatic alert blinking on screens triggered tremendous anxiety within Knights of Old, a 158-year-old delivery company in the UK: “If you’re viewing this, it indicates that your company’s essential infrastructure is entirely or partially compromised.”

Both Knights’ trucking management network and their payment booking system were rendered inoperable. Operating from 2,000 miles away, the hacking group known as Akira, believed to be affiliated with Russia, had disrupted the systems of Knights of Old and two associated trucking companies. To kickstart negotiations, the attackers released harmful software in June 2023, encrypting Knights’ files and threatening to expose sensitive internal data online. Akira claimed that paying a ransom would grant the company a decryption key to unlock the affected computers and servers.

“Let’s hold off on tears and resentment for the moment and strive to foster a productive conversation,” stated the group in a message displayed on Knights’ compromised systems. “We acknowledge the damage we’ve inflicted by restricting your internal resources.”

According to the SANS Institute, a cybersecurity research and training organization, ransomware incidents surged by 70% in 2023 compared to the previous year, totaling 4,611 incidents. Since March 2023, Akira has targeted over 350 organizations, extorting around $42 million, as reported by the U.S. Federal Bureau of Investigation and an analysis by Bloomberg. The hacking group, which has a website, did not respond to inquiries.

Notable victims of Akira include Nissan Motor Co., Stanford University, and Yamaha Motor Co. However, cybersecurity experts have indicated that approximately 80% of its targets are small and medium-sized enterprises, primarily in North America and Europe. “No business can overlook this threat, regardless of its size,” insists Paul Abbott, 58, co-owner of Knights.

Embroker, a digital insurance firm, revealed that most smaller companies typically set their cybersecurity damage policy limits around $1 million, which was approximately the coverage Knights had. This amount could help cover ransom expenses and assist in restoring compromised systems, but it often proves insufficient. The median ransom payment skyrocketed to $6.5 million in 2023, up from $335,000 in the previous year, as reported by insurance broker Marsh & McLennan Cos.

Will Thomas, a cybersecurity expert monitoring Akira’s attacks, explains that the group identifies its targets by scanning for servers running outdated software, and then opportunistically infiltrates them. “Their methods are not particularly complex or sophisticated,” states Thomas. “However, they are tremendously effective and completely ruthless.”

In 1865, William Knight began making deliveries using a horse and cart in a village known as Old, situated about 80 miles north of London, which led to the establishment of Knights of Old, currently based in Kettering. Abbott, having grown up in the area, was acquainted with the Knight family and joined Knights of Old at the age of 20. He started as a traffic manager, organizing truck logistics and aiding drivers and clients. Gradually, Abbott ascended the ranks, and by 2007, he and two partners, who did not respond to requests for comment, became directors and co-owners. They later merged Knights with two other delivery companies — Nelson Distribution and Steve Porter Transport — under the KNP Group brand.

At the time of the cyber breach, KNP boasted nearly £100 million ($126 million) in annual revenue, with 900 employees, seven depots, and a fleet of 400 trucks. Knights was the largest and most seasoned of the three companies, recognizable by its bright blue trucks emblazoned with the motto “Service With Honour” in large yellow lettering, along with an emblem of an armored knight. The company serviced significant clients like Penguin Random House LLC and Hachette Book Group, facilitating the distribution of millions of books for Amazon.com Inc. and other retailers. Earlier in 2023, KNP had secured a lease on a 140,000-square-foot warehouse in Luton, near London, in pursuit of expansion.

Having encountered computer issues before, Abbott and his team had already developed a backup operational method. They were prepared to revert to using paper tickets and job sheets for deliveries while utilizing mobile phones and Gmail.

Abbott had believed the company to be secure; just a month prior to the cyber incident, he had arranged a £1 million cyberattack policy through Aviva Plc, which declined to comment. The management team had also provided cybersecurity training for employees and paid roughly £60,000 annually to a contractor for support. However, following the attack, Abbott claims that the contractor, whose name he withheld, offered little help and “was clueless” about the next steps.

After the breach, Aviva dispatched a response team from the security firm Solace Cyber for assistance. The following morning, the team commenced a digital cleanup of all devices — computers, laptops, and even photocopiers — connected to the company’s network. Paul Cashmore, managing director and co-founder of Solace, indicated that the breach caused significant damage. He recounted navigating Knights’ employees through a tumultuous emotional spectrum: “First came shock. Then realization. Finally, managing the aftermath.” Solace is currently involved in tackling about two significant ransomware cases each week, with no signs of slowing down, Cashmore noted.

According to Abbott, Knights sought assistance from Coveware Inc., a US-based firm specializing in ransomware negotiation. The company, which did not comment, indicated that given KNP’s size and revenue, the Akira group would likely demand a Bitcoin payment between $2.7 million and $5.3 million. Law enforcement typically advises against paying ransoms, as it could encourage further attacks. Moreover, transferring cryptocurrency to these groups could breach existing sanctions against some of the involved criminals.

Abbott and his partners decided against negotiating with Akira or paying any ransom, convinced that there was no guarantee the data could be fully restored, even with the decryption key. The hackers subsequently made good on their threat by releasing more than 10,000 internal documents online, mostly consisting of employee payroll records, invoices, and various financial documents.

The company worked diligently to restore its systems. Within a few days, Knights’ technicians established a new transport management system and retrieved an older version of the warehouse software. However, the financial management databases remained initially unrecoverable, as hackers had obliterated another backup that was intended to be securely stored.

Facing cash-flow issues, KNP sought a loan. Abbott stated that the bank would only approve it if the company could produce the missing financial documents and performance metrics. While awaiting an insurance payout, the co-owners attempted to sell the company. A European investor showed considerable interest but required personal guarantees from the three partners concerning the company’s financials due to the missing records, putting their homes and savings on the line. Unsurprisingly, they declined; as Abbott remarked, “My wife would have never allowed that, no matter how confident we felt about the business.”

On September 25, 2023, KNP Group filed for administration, the UK equivalent of declaring bankruptcy. In Kettering, Abbott conveyed the disheartening news to his employees, many of whom he had worked alongside for years. Another firm acquired one of KNP’s subsidiaries, Nelson Distribution, preserving around 170 jobs. However, the remaining 700 employees, primarily from Knights of Old, were laid off. Jeff Maslin, a truck driver for Knights, reported that drivers are still owed weeks of unpaid wages. “I know individuals who lost their homes, vehicles, and even went through divorces,” he noted.

KNP later discovered that Akira had infiltrated the systems using a technique known as “brute forcing,” in which software makes countless attempts to guess an employee’s password. Abbott suggested that more advanced security monitoring tools might have detected the breach. “If you don’t have that, acquire it,” he advises other businesses.

Earlier this year, the administrators initiated the process of selling Knights’ headquarters and other KNP assets. The truck fleet, predominantly leased, has been surrendered. Eventually, the insurer completed the £1 million policy payout, though it didn’t cover Knights’ losses during the administration process.

Now working as a consultant for other logistics companies, Abbott has recently acquired a single truck and plans to start afresh. “I’ve had to rebuild my life,” he reflects. “I’ve lost everything.”

© 2024 Bloomberg