Mogens Daarbak: when a ransomware attack hits

Mogens Daarbak went through a merger at the start of 2022 and is now part of Daarbak Group A/S. Daarbak Group A/S is a family-owned Danish company that operates through two divisions: Daarbak Design (furniture & interior design) and Daarbak Redoffice (office supply).

Daarbak Group A/S employs more than 40 consultants and has 18 stores and 2 logistics centers throughout the country.

Two employees at Mogens Daarbak A/S experienced problems logging on to the IT system on a Monday night. A few hours later, everything was shut down. The IT team then received a message from the hackers about paying a ransom.

With seven stores across the country and online shopping on a large scale, Mogens Daarbak A/S is one of the major office supply companies in Denmark. From printer cartridges to office equipment and complete workplaces, anything is possible, and there was nothing unusual about two employees of this dynamic company sitting in the office on Monday evening, 15 March, to get the last bits and pieces done.

“The employees in the office contacted our System Administrator, Torben, around 7.30 pm to say they were having difficulty getting online and that their PCs were operating slowly,” says Jan Poulsen Skrubbeltrang, Head of IT at Mogens Daarbak A/S. “In the end, they couldn’t get onto the platform at all, at which point, Torben and I rush in to start an intense round of troubleshooting.”

The two IT personnel checked the virtualised server environment, where they found files with strange extensions when trying to reboot. It rapidly became clear to them that their system was the victim of a targeted attack and that the company’s data had been compromised. A read-me file turned out to be a message directly from the cybercriminals responsible for the attack.

Precise payment instructions in bitcoin

“The read-me file was a message to us from the hackers about how we can easily access a payment portal that can receive the ransom in bitcoins. It also includes a guide on how to create a bitcoin wallet, and to make it absolutely perfect, there is a number for a call centre that can help us. It is simply shocking how well organised it was,” says Skrubbeltrang.

In a company with a turnover of DKK 1 million a day, being out of operation is expensive. Anyone who is attacked will, of course, include payment of the ransom in their deliberations. This was also the case at Mogens Daarbak A/S, where payment was included as an option, while moving fast to find alternative solutions that could get the business up and running again. In the end, a ransom was not paid, something Jan and his colleagues are happy about.

The Head of IT says: “If everyone pays the ransom in ransomware attacks, it will be never-ending, as it will become a safe and fixed source of income for the criminals. We choose to openly tell our story because it is no longer taboo to be affected by an IT attack. It’s no longer a question of whether you will be affected, but rather when. Our story may serve to encourage more people to take their precautions, and we can stand together to fight it. In any case, I can testify that the process is highly professional and that they will not stop if they can get money out of it.”

The first hours and days after the attack

Many wheels are set in motion after the type of IT attack that Mogens Daarbak A/S was exposed to. On the one hand, damage must be minimised. On the other, documentation and evidence must be collected for the investigation later.

Immediately after the attack, Jan and Torben were joined by an external consultant, who also recommended they contact Dubex, which has experience with attacks and ransomware. They contacted Dubex’s 24-hour call centre, which put an incident response team on the case. The team provided suggestions of what to do immediately, what data to collect and what type of ransomware was involved. Subsequently, Dubex advised on building the new infrastructure, securing it and training the employees to be more aware of the signs of an attack. Dubex also helped with reporting the attack to the police in the hope of catching the individuals behind ransomware attacks, which are currently ravaging many large companies around the world.

“Time is of the essence when a cyberattack threatens to put a company out of the game,” states Søren K. Lauritzen, Security Services Advisor at Dubex. “We did not have a prior agreement with Mogens Daarbak, so our DIRT team was caught off-guard with the attack. But Jan and his colleagues reacted quickly, so we were familiarised with the situation after a few hours and could hopefully help minimise the damage. Unfortunately, I can only agree with Jan that this type of attack occurs frequently and that the criminals are extremely professional. It’s an entire industry.”

A puzzle with many pieces

It quickly became clear to Mogens Daarbak that the system would not be up and running at 8 am the next morning. At least two days of operation had been lost, but with the help of tape back-ups, personal files and so on, the Head of IT and his staff were once again able to assemble the puzzle into a working IT platform. A local hosting partner helped establish an emergency operating platform. On Wednesday and Thursday, 200 PCs were reinstalled from scratch.

“Within a week, our central warehouse in Nørresundby was up and running again and employees in our stores just improvised as much as they could,” says Jan Poulsen Skrubbeltrang. “The system needs to be upgraded to new hardware, and it’s going to cost us a pretty penny, but here’s an important point: It would also have cost us if we had paid the ransom. Then we’d have to go through this exercise anyway. We were fortunately able to make quick decisions and had the money to get the upgrade started. We are happy about that today.”

But surely you had control over IT security?

It’s part of the picture that the IT infrastructure at Mogens Daarbak A/S was secure, but the criminals still found a way through their defences. But now the Head of IT and his staff are taking a number of initiatives to further secure the infrastructure, train the staff even better, upgrade the system’s firewalls and enter into an ongoing collaboration with the monitoring team at Dubex.

“And we’d like to share our story as an example and warning. This is far more common than you might think, and paying the ransom offers no guarantee. The criminals can return, and there may be more encryption keys hiding somewhere, which will be even more expensive to get unlocked. We were on the case within a few hours, but it still became expensive. This is a challenge we must all take seriously,” concludes Head of IT, Jan Poulsen Skrubbeltrang from Mogens Daarbak A/S.

About Dubex Incident Response Team

Time is of the essence when a cyberattack puts your business out of play. A quick response can minimise damage. Dubex’s specialists respond with the right tools and knowledge to quickly identify the problem, ward off the attack and get your business up and running again in a matter of hours.

About Dubex

Dubex is a market-leading cyber security partner, supporting 500+ locations worldwide.

Since 1997 we have helped companies and public institutions manage risk, adapt to change and grow more flexibly. With deep industry and technical expertise, a comprehensive product portfolio and a proven track record, Dubex is the ideal partner for IT teams who want to contribute to their company’s success.

Dubex is today a full-service IT security company, helping with security products, governance, processes, implementation, analysis, operational support, full operation of our customers’ solutions and more. We also offer a wide range of security services, including penetration testing, monitoring and security incident management.
