FutureScot

Nicholas Scullion is sharing his ransomware experiences to ensure it doesn’t happen to others 

Nicholas Scullion discusses the incident with Jude McCorry of Cyber & Fraud Centre - Scotland. Photograph: Futurescot

“There are so many points when I felt as though we were going to lose everything,” says Nicholas Scullion. “It was a crazy situation like I’d never experienced before, and I’m a criminal lawyer by training. I’m used to unpredictable situations, but you couldn’t plan for this.” 

The first indications of the impending cyberattack had been on the Friday afternoon, when the internet started to slow. Initially, Scullion, who runs his family business, Scullion LAW, put it down to an issue with the network connection, so carried on working.  

Then on Monday, the company received a “mysterious phone call”, purportedly from the police, informing them that they were under attack from hackers.  

Not knowing whether to believe the caller, one of the firm’s employees called the number back, and it was the police – not a scam, as they’d feared. That’s when things started to take an even more bizarre turn. 

“They couldn’t tell us who it was, or how they knew. It was so cryptic, nobody really knew. All we’d been told is to speak to our IT people, but we didn’t really know what to tell them, so we basically put them on the phone to each other,” said Scullion, who gave a talk last week at an event hosted by Cyber and Fraud Centre – Scotland at the Barclays campus in Glasgow. 

Unbeknownst to Scullion, whose family have offices in Glasgow, Hamilton, Edinburgh and Madrid, the Russia-linked Black Basta ransomware gang had already initiated a large-scale ransomware attack, targeting the firm.  

While these calls were happening, the gang was preparing to lock them out of their own corporate network. Other than the system running slow, Scullion really hadn’t noticed anything out of the ordinary, apart from a strange login by a New York web address, despite no-one in the company being based there. When that passed without further incident on the Tuesday, Scullion thought the worst was over. 

But all hell was about to break loose. The firm being global in nature, a colleague in Pakistan was the first to try to log into the system the following day, but she’d been locked out, as the incident began to unfold in February.

“There was nothing, literally nothing,” adds Scullion. “And then she contacted colleagues within our business, and then they logged on. Again, nothing.”  

Frantically, Scullion insisted all the machines were disconnected from the internet, until they could work out what to do. But then, when they powered up the server, they got the sinister message: ‘Do not call the police’.

“It was like, ‘We’ve got all your worst nightmare data, we’re about to ruin your entire lives.’ It was then we saw the name ‘Black Basta’.”

Over the course of the next few days, the company entered survival mode. Everything went back to paper; lawyers were phoning in for instructions, mortgage fees for conveyancing jobs had to be arranged manually, the whole apparatus of the firm had to pivot back from digital to analogue.  

It was a kind of “Dunkirk spirit” operation, Scullion said, and – ironically – they were becoming even more efficient in problem-solving, and getting tasks ticked off the list.  

But he had been nervous about sharing the causes of the IT outage, putting it down to a broadband issue, as they had to work on a plan of action, and get through the day, without dealing with the human consequences of a cyberattack.  

He characterised it as getting through the morning, pause, and then going again for the afternoon, and that’s how he mentally broke up the days in the initial phases of the incident. 

“It was a great training exercise from a creativity and team-building point of view,” he added. “But I wouldn’t recommend it.” 

Unfortunately, the firm’s IT company were unable to help, as they didn’t have a disaster recovery function. So, Scullion was left seeking answers from elsewhere.  

What followed was a complicated and, at times, frustrating journey, where he felt as though the immediate tendency was to “victim blame” his company for having lost the data, rather than it being stolen from them.

That applied not only to his dealings with his own professional regulator, but also the Information Commissioner and sometimes even members of staff. 

“It shouldn’t be a blame situation, it’s a survival situation,” said Scullion, who lives and works in Madrid.  

As well as dealing with the IT fallout, there was another approaching fork in the road. When they received the ransom note from the Black Basta gang, there had been a countdown timer, threatening to release the company’s data on the dark web if they didn’t pay.  

Scullion was acutely aware of the deadline, but after a few weeks of living in a highly animated state, he opted to go ahead with a pre-planned weekend break in Lisbon. As he was about to board the flight, the police let him know things had changed again. 

“I’d decided to go as I probably needed a blow out, at that point,” he says. “And I’d got all the best people working on it anyway. But as my phone was going through the airport scanner, all this data had been published, and I was like, ‘Oh my god’.” 

As soon as Scullion looked at the so-called “proof pack” the hackers had published, he knew he had to get ahead of them. He immediately started ringing round the people whose data had been compromised, in a series of hurried calls between connecting flights at Heathrow.  

It was a difficult process, but Scullion praised the police for the “compassion and care” his company received.  

However, he said there must be more support at a societal level to help victims of cybercrime, from data regulators to insurance providers and beyond.  

In the end, the hackers overreached, and did not have the quantity of data that they claimed, and so the broader implications were minimised. But the overall effect of the cyberattack was almost existential for his legal company, which was set up by his father, a former boxer.  

Looking back, he said it was exceedingly difficult to get sound advice from his professional oversight body, the Law Society of Scotland, and at one point the regulatory hoops they had to jump through meant they could barely transact as a business.

Scullion is determined to put that right. “The vibe wasn’t, ‘How can we help you through this?’ It felt like it was, ‘We’re going to stamp you out’, and that’s got to change,” he says.

“It’s why I’m motivated to try and ensure this doesn’t happen to others.” 

Scullion’s firm is now joining Cyber and Fraud Centre Scotland’s newly-formed Incident Response Cadre – to try and help organisations get back on their feet, especially in the first 28 days, which he says were critical for his firm’s own survival. 

“It’s the most difficult period, when you really are blind as to what’s going on,” he adds. “If our experience can help someone else, then I think that’s a worthwhile thing to be doing.” 

Visit: https://cyberfraudcentre.com
