A
From Recorded Future News and PRX, this is Click Here. Hey, it's Dina. The Click Here team is taking a break as we get ahead on some reporting you'll hear in the new year. And we have a surprise for you coming in January. The sort of surprise that involves transmitters and antennas and maybe a new way to find us. More details later, but today we're revisiting one of our favorite stories from the past year. The story is a reminder of just how fragile businesses can be when a hacker decides it's their turn in the barrel. For more than a century, Knights of Old kept the UK moving. It was a logistics company that weathered two world wars, economic downturns, and even Brexit. But then a ransomware gang called Akira forced its way into the company's systems. Since Akira first surfaced in March 2023, the FBI says the group has hauled in more than $244 million in ransom payments. And for Knights of Old, the damage from the hack was so severe, a company that had endured so much just couldn't endure this. We first reported the story back in January. Take a listen. For over 35 years, Paul Abbott worked at a logistics company in the UK with a name that was almost aggressively British. Knights of Old. Yes, Knights, as in the guys in armor jousting and maybe storming a castle. The company oversaw a fleet of hundreds of trucks crisscrossing the countryside.
B
General cargo handling, warehousing and transportation across the UK and Europe and also international freight forwarding services across the globe. We were a one stop shop.
A
Paul started out as a transportation planner and then worked his way up to part owner. Is Knights of Old like a company that people in the UK just know?
B
Oh, yes, yeah, I've been around it. Got a very good reputation for many, many years.
A
Many, many years is a bit of an understatement, actually. Knights of Old opened its doors in 1865. So in the early days, they weren't transporting goods by truck. They were using the technology of the time, a horse and buggy. And they literally trotted through decades of change, from the introduction of electricity to the telephone. Its trucks rumbled under the night sky as the first men landed on the moon. And through it all, they always found a way to adapt and change, whether it was working with this new thing called the World Wide Web or dealing with the complexities of Brexit. And for more than a century and a half, Knights of Old delivered everything from books to food to farming supplies, providing thousands of jobs and countless on-time arrivals. And then two years ago. After surviving two world wars and a Great Depression, Knights of Old found itself battling something it had never faced before. And it brought the company to its knees. I'm Dina Temple-Raston, and this is Click Here. A podcast about all things cyber and intelligence. We tell true stories about the people making and breaking our digital world. And today, what happened when Knights of Old did battle with a new kind of menace, one sitting behind a keyboard half a world away.
B
I was in the operations office, and the tech guy came through and said, look, I think we've got a problem. They identified a file that they didn't recognize. They opened it, and there it was, the ransom note.
A
And we look at how, after decades of planning for every possible contingency, Knights of Old still couldn't stop what came next. Stay with us.
C
Looking for more of the cybersecurity and intelligence coverage you get on Click Here? Then check out our sister publication, The Record from Recorded Future News. You'll get breaking cyber news from reporters in New York, Washington, London, and Kyiv, among others. And you'll see for yourself why it attracts hundreds of thousands of page views every month. Just go to therecord.media.
A
From Recorded Future News, this is Click Here. The beginning of the end was a day like almost any other. It was June 2023, and when Paul came into the office that morning and heard the computers were down, he didn't think much of it.
B
I saw an email that comes from our nighttime operations guy, and he flagged on there that there was problems with the computer systems.
A
Do you think it was just like a software snafu?
B
Yeah. The characteristics of what had gone wrong didn't look particularly out of character.
A
So Paul and the team just decided to go old school. While it got fixed, they were texting drivers, writing out tickets by hand, and manually processing orders.
B
Keep cargo moving. But we did it.
A
The hours ticked by, and still no one could get online.
B
The morning went on, and it was evident that, you know, the problem was.
A
Stretching until finally Paul Abbott's tech guy pulled him aside shortly after lunch and broke the bad news. He said, it's a ransomware attack. And he showed him the hacker's message.
B
It said, you need to tell your insurance company to contact us and we'll negotiate a way where we can get back information to you so that you can carry on with your business. Hi, friends. If you're reading this, it means the internal infrastructure of your company is fully or partially dead.
A
This is an AI voice reading the ransomware note, all your backups, virtual, physical.
B
Everything that we manage to reach are completely removed. Keep in mind that the faster you still get in touch, the less damage we cause.
A
Paul's mind started racing.
B
I felt a bit cold, really. It's a bit of a sobering moment. You think, oh, my God. Right, okay, so, okay, they're going to want a load of money. We didn't know how much money they were going to want. We didn't.
A
This whole thing came as a huge shock for all the obvious reasons, not just that vital data had been stolen, but also because the company had been really focused on preventing something like this from happening in the first place. In many ways, Knights of Old were model tech citizens. They focused as much on securing their tech systems as the physical cargo they moved.
B
You've got to have the same focus on protecting your data and your infrastructures, because somebody's going to break in. Not to steal goods, they're going to steal your data.
A
So to guard against that, they'd invested heavily in all kinds of cybersecurity in.
B
Terms of training, in terms of protocol, in terms of password management. As simple as they were, you know, sharing PCs and desktops, we just didn't do it.
A
They had cyber insurance, government certificates for their data protection practices. But even with all of that, here they were standing in a conference room reading a note from a ransomware gang. And it didn't take long for Paul Abbott and his team to decide that this wasn't something that they could handle on their own. So they turned to a different Paul.
D
My name is Paul Cashmore. I'm the now CEO of Solace Global Cyber. We provide first response services for people that have had ransomware type incidents. We are waiting for that type of phone call, so we're very much on standby.
A
Okay, so you have, you kind of have go bags and someone says, okay, we've got something and you guys load up a bunch of vans and drive up. Is that the idea?
D
More Mercedes than vans.
A
Okay.
B
There was four or five tech guys that rocked up at the door. We were very pleased to see them.
D
Most of the execs are already there because they are fully understanding of how serious the event is.
B
I joined them in what we called the war room at that time.
A
Paul Abbott showed Cashmore the note and laid out what little they knew. And then the Ghostbusters-meets-first-responder team got to work surveying the systems, trying to understand just how deeply the Akira hackers had burrowed into the company networks. They were on the hunt to determine what the group had stolen and what they had encrypted. A few days later, they returned to the war room and told Paul the extent of the damage. Cashmore explained that the hackers broke in using something called a brute force attack. They used a software program that basically cycles through a bunch of potential passwords until it finds one that works. And once it did, it gave Akira a toehold inside the company's network. In this case, they cracked one employee's password and then used that to get into the Knights of Old network.
D
More generally, once those threat actors have a foothold, they're then going to try and set up multiple backdoors, work their way through your system. They're looking for your backups, they're going to destroy them, they're going to evade your antivirus, they're going to look for your sensitive data, and they're going to what's called exfiltrate that data.
A
He means take the data. And they took it. And then they went one devastating step further. Cashmore explained to Paul Abbott.
D
It was what we call a data store attack. This is where they are encrypting at speed all of those virtual servers at a virtual server level.
A
Virtual servers often host critical applications or databases or websites. So for hackers, they're kind of a holy grail. Lots of high value data is all in one place. And the Akira hackers got into those and then took data for themselves and likely stored it on their own servers and then encrypted the company servers.
D
So it was devastating for them because they had all of their data encrypted. Every server that they had was completely destroyed.
A
And to wreak that havoc only took the hackers minutes. It was a gut punch for Knights of Old. After all that work to protect their systems, the hackers got in anyway. Now that it was clear that all their data was truly gone, Paul Abbott was left with one big question.
B
Do we look to pay the ransom? Do we try and raise the funds to pay a ransom?
A
That's when we come.
E
I feel like every year now that we hit 2025. Like, people are always like, you know, what's going to be the hottest thing on the scene, Right? What are we going to see from cyber? And I mean, for years now, ransomware is top right.
A
This is Carrie Schaefer Page. She manages a team of ransomware negotiators at an American cybersecurity company called Arctic Wolf.
E
These groups are coming in, Akira being one of them. And like, I feel like it's like the Amazon of the dark web, right? These threat actor groups are learning from each other.
A
There's actually a name for it when all these threat actor groups band together, it's called ransomware as a service. And Akira is a relative newcomer to this world. Carrie says it even has an MO: it targets companies that haven't gone the extra mile to secure their systems. Ones that, for example, don't have multi-factor authentication or have employees with passwords like 1234, I think, too, because, you.
E
Know, the other thing that Akira is known for is vulnerabilities, right? So, yeah, you can get in from weak passwords, but the other thing they do is to take advantage of unpatched networks.
A
A tech company finds a vulnerability in their product and sends out a patch. But if companies are slow to apply the patch, groups like Akira take advantage.
E
This really open season for a threat actor to aggressively start to attack folks.
A
She says Akira has been able to be effective because they're always iterating, borrowing and learning from other hacker groups, leaving one gang, starting another.
E
No different than any other kind of employer. If you become disgruntled with who you're working with, you may adopt some of their behaviors or attributes and then go splinter off and do something on your own. Right? It happens all the time, right? These groups come together, work with one another.
A
Origin stories for hacker groups are always a bit sketchy. In the case of Akira, some analysts say they're based in Russia. Others say the group just speaks Russian and is based somewhere else.
E
When you get these different groups coming together, they can be from different areas. It's the TTP, if you've heard that, tactics, techniques and procedures, right, that these groups kind of use from each other. So what we saw with Akira, for.
A
Example, Carrie says that lots of Akira's malicious code looks really familiar. It looks like a version of code that a group called Conti used for its attacks a few years ago.
E
There was also similarities in the way that they processed the crypto wallets. So when they extort somebody and then you get the payment from them, the addressing and the sequencing, there were similarities that were detected.
A
We talked about Conti in previous episodes. They were one of the most notorious ransomware gangs in the world, a kind of boogeyman of cyberspace, taking down hospitals, governments, you name it, and then holding the critical data hostage for millions of dollars. Shortly after Russia invaded Ukraine, a bunch of their emails and chats leaked, and that set off a lot of infighting, and all the hackers that were working with them started looking for a new home. Carrie says some of them may have landed at Akira. And there's this other thing about the group. While they promise to give their victims back their data if they pay a ransom, they don't always do that.
E
So unfortunately, if a victim chooses to pay, they're like, great, but guess what? We also took a copy of it. And now if you want us not to release that out into the, you know, the ether in the Dark Web, we're going to require another financial payment for you to do that.
A
Ransomware negotiators explained this to the people at Knights of Old. They told them they might have to cough up anywhere between two and a half to $5 million, which is a lot for a company their size, even in the best of times. And this was not the best of times.
B
Even before the hack, we just opened up a new warehouse, so our cash reserves were at probably the lowest point in the year.
A
Paul Abbott was also warned that even if they did manage to scrape together the money and Akira sent their data back, it might not come in a very useful way.
B
It might not be in the order that you need it. It might just be a bucket of numbers. You know, it's corrupted the information that you probably can't work with.
A
This is the gamble every company attacked with ransomware faces. It's like a game of chicken with your entire company on the line. For Paul Abbott and his team, knowing they could pay all that money that they barely even had and maybe not even get their data back, it wasn't worth the gamble. They decided not to pay, to just not respond to Akira and let the clock run out. They turned back to the business of getting back to business, trying to put Akira in their rearview mirror, only to learn that the group had left with a parting shot. The hackers released the company's stolen information on the Dark Web.
B
There was an advert that appeared on the Dark Web, we understand, that said, oh, we've got this data from Knights of Old Group. We're going to be releasing in the next few days. So it seems to whet the appetite of the malicious, you know, buyers or acquirers of this data.
A
It turned out Akira had leaked all kinds of sensitive data, internal documents that included things like employee payroll files, invoices, and other financial information.
B
We were told by the lottery just that the biggest risk you've got is data, personal data, and mainly personal data of former employees that may have a grudge or may be willing to become quite aggressive with a claim.
A
They held their breath, waiting for the leak to bring them more bad news.
B
But nothing came of it. And, you know, they didn't get any money out of us, so it was all very pointless and very destructive for no gain.
A
It had been a very painful chapter, but they felt like at last it was over.
B
We just felt that this is going to be hard work, but we'll get over it as long as we keep the customers and people which. Which we did, potentially.
A
They survived for now. But a few months after the attack, they got more bad news, this one outside their control. Knights of Old's parent company went into bankruptcy, and even this would not have necessarily been a death blow. Market conditions for their own company were pretty good, but their cash reserves were pretty low because they'd built this new warehouse and set it up about six months before the attack. Even that could maybe be something they'd overcome. They could just get a loan. But then Akira came back to haunt them one last time. The company's lender would only engage with them if they produced a variety of financial reports, the very reports that had been lost in the hack, and they were still working to recover. With a little more time, Paul Abbott said, they likely could have gotten them back. But the company's lender said, time's up. And with that, Knights of Old, the company that had survived for more than 150 years, was finally forced to shut its doors. All told, about 600 people at Knights of Old lost their jobs.
B
You know, 150 years, and it's been closed. People have lost their jobs.
A
And that had some ripple effects.
B
I mean, all the employees did get paid everything they were owed. At the end, they just lost a job that they dearly loved, you know, and a community that was broken up. Some of that communities continued to work in different places.
A
But there was this general sense among outsiders, Paul said, that somehow Knights of Old had actually done something wrong, that they weren't just unfortunate victims of a hack, but somehow had been careless and brought this upon themselves.
B
My wife witnessed a situation only a few weeks ago where somebody said something quite derogatory about the business. You know, they haven't forgotten about it. It's still hanging around.
A
And that's been hard on Paul.
B
We weren't negligent people, you know, we, we, we just ran out of luck.
A
For 150 years, Knights of Old had survived everything. And now, in a blink of an eye, it was gone. This is Click Here. Today's episode was written and produced by Sean Powers, Megan Dietre, Zach Hirsch, Erica Gaeda and me, Dina Temple-Raston. It was edited by Karen Duffin, fact-checked by Darren Ancrum and contains original music by Ben Livingston with some other music from Blue Dot Sessions. Our staff writer is Lucas Riley and our illustrator is Megan Gough. Jesse Niswonger and Jake Cook are our sound designers and engineers. Click Here is a production of Recorded Future News and PRX. We'll be back on Friday with one of our favorite conversations of the year. We'll see you then.
Date: December 2, 2025
Host: Dina Temple-Raston
In this episode, Click Here revisits the dramatic collapse of the venerable British logistics firm Knights of Old following a ransomware attack by the Akira gang. The story showcases both the evolving sophistication of ransomware groups and the devastating, often unpredictable, impact such attacks can have—even on companies that have survived world wars, depressions, and decades of change. The episode follows Paul Abbott, a long-standing leader at Knights of Old, as he and his colleagues face the company's existential crisis, the mechanics of the attack, and its aftermath, with expert insights throughout.
Quote:
"It was a logistics company that weathered two world wars, economic downturns, and even Brexit. But then a ransomware gang called Akira forced its way into the company's systems." – Dina Temple-Raston (00:20)
Quote:
"I felt a bit cold, really. It's a bit of a sobering moment. You think, oh, my God... they're going to want a load of money." – Paul Abbott (07:13)
Quote:
"You've got to have the same focus on protecting your data and your infrastructures, because somebody's going to break in. Not to steal goods, they're going to steal your data." – Paul Abbott (07:49)
Quote:
"Every server that they had was completely destroyed." – Paul Cashmore (11:31)
Quote:
"It might not be in the order that you need it. It might just be a bucket of numbers. You know, it's corrupted the information that you probably can't work with." – Paul Abbott (17:17)
Quote:
"You know, what's going to be the hottest thing on the scene, Right?... For years now, ransomware is top right." – Carrie Schaefer Page (13:09)
Quote:
"With a little more time, Paul Abbott said, they likely could have gotten them back. But the company's lender said, time's up. And with that, Knights of Old... was finally forced to shut its doors. All told, about 600 people at Knights of Old lost their jobs." – Dina Temple-Raston (19:18–20:27)
Quote:
"We weren't negligent people, you know, we, we, we just ran out of luck." – Paul Abbott (21:16)
The episode balances clear technical explanation with human storytelling, often using vivid, conversational analogies and personal testimony. There is a tone of respect for the people affected, combined with a sense of urgency and realism about the modern cyber threat landscape.
For listeners and businesses alike, the fall of Knights of Old is a sobering case study in how cybersecurity failures—even in organizations that try to do everything right—can have lasting, tragic consequences.