
IT services company simulates a small business cyber attack at CIC
Business Practices | Technology
Representatives of StoredTech took Collision Industry Conference (CIC) meeting attendees through the minutes, hours, days, weeks, and months of a fictional auto repair shop owner following a cybersecurity attack on his business.
Allan Polak, StoredTech senior of technology, describes “Lucky Bob” as the owner of “Lucky Bob’s Autobody and Paint,” a business that makes about $1.2 million in revenue.
Lucky Bob built the business from the ground up after being a technician at a few different shops, Polak told the audience during the meeting held in Richmond, Virginia, last week.
“In a lot of ways, Bob is a lucky guy,” he said. “He saw through the years of COVID and disruptions through the supply chain, he has seen competitors come and go, and he’s got a beautiful family at home. He has one son in college. He’s got one that’s ready to take over the business when that time comes.”
Bob showed up to work early, like he usually does, Polak said. He opened his computer and saw an email from his trusted supplier, “Tool Titans.”
The email asks for some information before an order for a tool can be completed, Polak said. It also asks him to use multi-factor authentication.
“He’s gone through this in cybersecurity training,” Polak says. “They’ve instituted authenticators. He takes out his phone, enters the two-factor authentication information. At this point, Bob gets up from his desk, sees his managers are coming in for the day, and goes to grab a cup of coffee.”
About an hour later, Bob returns to his desk, Polak said. “Bob is about to have a turn of luck,” he adds.
He opens his computer to find a screen that says, “I want to play a game with you, and here are the rules. All your important files have been encrypted and are now inaccessible to you. To regain access to your files, you must pay a ransom in Bitcoin.”
Polak said in the scenario, the hackers threaten to permanently delete all of Bob’s data and leak it to the dark web if half a Bitcoin is not paid within 72 hours.
“Lucky Bob is getting that pit-in-his-stomach feeling right now,” Aleks Pavlinik, StoredTech chief information security officer, said as he picked up the explanation of the scenario from Polak.
Soon, Bob realizes the message is not a fluke, Pavlinik said. He learns that the parts department cannot access order forms, the phone system is disconnected, and technicians aren’t able to access technical information.
Bob looks up what half a Bitcoin costs to find that today’s value is $50,000, Pavlinik said.
Polak then took the audience through Bob’s decision to pay the ransom after three days of no operations at his business.
An IT team is dispatched from the insurance company, and they find the tool company email that Bob logged in through, Polak said.
“Threat actors used the stolen passwords to gain access to multiple computers in Bob’s office, and they gained access to other resources, like phones, cloud, files, et cetera,” Polak said. “And once they gained access to those computers, they also found an Excel spreadsheet. That Excel spreadsheet was a treasure trove. It had all kinds of passwords for them, including some personal accounts, and they use that to just gain a larger foothold and go deeper and deeper.”
The hackers also lie and don’t release all of the information after being paid, Polak said.
“These are criminals,” Polak said. “There’s no honor amongst them.”
Polak added that the hackers also leaked some information to the dark web.
In addition to the $50,000 ransom payment, Bob also paid $150,000 in IT recovery, Polak said. And the insurance company is contesting the claim.
“At some point, when Bob applied for that cyber insurance policy, he was sent a form to fill out, about 10 pages or so, and it asked questions like, ‘Do you have multi-factor authentication on every system? Do you use strong passwords?’ et cetera,” Polak said. “He filled it out the best he could, but the insurance company said it wasn’t good enough.”
Bob is also subject to mandatory public reporting because of some of the information that was stolen, Polak said.
Pavlinik then switched gears and told the audience how the scenario would go if Bob did not pay the ransom.
“The systems were disconnected, which stops the ransomware spread,” Pavlinik says. “IT support cybersecurity teams were dispatched and they were able to restore some email and communication and internet communication, so they were able to access their cloud-based services, which, as you all know, is critical for running your businesses.”
A forensic team also finds the Tool Titans email.
Bob is left with the $150,000 in IT services but no ransom payment. Insurance is still contesting the claim. There is lost revenue in the downtime.
Pavlinik said Bob learns that the service department has been copying down driver’s license numbers into a file, which is personally identifiable information under Virginia law. Penalties can be more than $5,000 in the event of a breach.
Neither option is good, Polak said. He added that paying the ransom comes with a few extra legal consequences. It isn’t something that can be reported to the IRS, and the FBI instructs businesses not to pay the ransom because the money could potentially be going to a terrorist group.
“The only good choice in this situation is really to prevent it to begin with,” Polak said.
Pavlinik says a business’s first step in the event of a cyber attack should be to call its attorney.
“You want to establish an attorney-client privilege in this situation,” Pavlinik said. “You are now facing hundreds of thousands of dollars in civil penalties and depending on if you pay the fine, felonies. I would highly suggest that you establish that communication first and then move on to the insurance company.”
The insurance company will send a team of responders to recover data and investigate the event, he said.
“You cannot use your friend down the street,” Pavlinik said. “You can’t call up your smart son at this point. You have to follow what the insurance company is going to do.”
Recovery can take a week to months, he said.
Bob could have avoided falling for the email if he had noticed a few red flags, Pavlinik said. These include a sense of urgency in the email and misspellings in the links.
However, Pavlinik said hackers are becoming more advanced and can spoof exact webpages, making it harder to determine the legitimacy of a link.
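The two link red flags above, a misspelled look-alike domain and a link whose visible text claims one address while pointing at another, can be checked mechanically before anyone clicks. The script below is an added example and is not StoredTech’s code or anything shown at the meeting. It assumes a hypothetical supplier domain (`tooltitans.example`), a constructed sample email, and a short list of urgency phrases; all three are placeholders. It goes slightly beyond the text by also flagging the text/href mismatch case, which is a common variant of the misspelled-link trick.

```python
"""Triage the links in a suspicious email for the phishing red flags above.

Added example, not StoredTech's code. The supplier domain, the sample
message and the urgency phrase list are all constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the shop's real supplier portal lives on this (hypothetical) domain.
KNOWN_DOMAINS = {"tooltitans.example"}

# Assumption: a small starter list of phrases that signal manufactured urgency.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "verify now", "final notice")

# Visible link text that looks like a URL or bare domain (so it can be compared to href).
DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot typo-squatted look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude 'last two labels' domain. Enough for this example; real code needs a public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def triage(html: str) -> list:
    """Return human-readable findings: urgency phrases, look-alike domains, text/href mismatches."""
    findings = []
    lowered = html.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency: '{phrase}'")

    parser = LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        dom = registrable(host)
        if dom in KNOWN_DOMAINS:
            continue  # link really goes to the supplier; nothing to flag
        # One or two characters away from a trusted domain: tooltitanss, t00ltitans, etc.
        for known in KNOWN_DOMAINS:
            if edit_distance(dom, known) <= 2:
                findings.append(f"look-alike domain: {host} ~ {known}")
        # Visible text shows one domain but the href goes somewhere else.
        if DOMAIN_LIKE.fullmatch(text):
            shown_url = text if text.lower().startswith("http") else "https://" + text
            shown = urlparse(shown_url).hostname or ""
            if shown and registrable(shown) != dom:
                findings.append(f"mismatch: shown {shown}, goes to {host}")
    return findings


# Constructed sample message modelled on the scenario; not a real email.
SAMPLE_EMAIL = """<html><body>
<p>Your order is on hold. Please verify now, within 24 hours, or it will be cancelled.</p>
<p><a href="https://tooltitans.example/orders/4471">https://tooltitans.example/orders/4471</a></p>
<p><a href="https://tooltitanss.example/login">Confirm your authenticator code</a></p>
<p><a href="http://portal.t00ltitans.example/mfa">https://tooltitans.example/mfa</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print(finding)
```

The domain allowlist does the real work: a pixel-perfect clone of the supplier’s login page still has to be served from a domain that is not the supplier’s, which is exactly what the look-alike and mismatch checks catch. What this does not catch is a message sent from a supplier account that has itself been compromised, which is why the layered controls discussed later in the article still matter.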
Polak told the audience that it is not a matter of if it will happen to your business but when.
“Sixty percent of small businesses close within six months of cyber attacks, just like the one you saw today,” Polak said.
He said 90% of those attacks start with a phishing attempt, often an email with a clickable link.
Unsecured networks, ones without proper firewalls or strong passwords, are other ways hackers gain access, Polak said. He said disgruntled employees are another cause for concern.
Attacks on business supply chain networks can cause issues for small businesses as well, Polak said.
It is important to do software updates for all programs and networks, he said.
Pavlinik said other safety measures include multi-factor authentication and security awareness training services.
“It’s layers and layers of security,” Pavlinik said. “We’re layering all these different security technologies on top, because if there’s a failure somewhere in that chain, we have backups on that in the sense of something else might be able to block it.”
Lucky Bob could have invested about $5,000 annually to get all the protections he needed to build a strong security layer, Pavlinik said.
“It pays to invest on the cybersecurity front to secure your business versus going through the legal implications and going through this process of being compromised and breached,” Pavlinik said. “It’s always good to prepare and prevent instead of repair and repent.”
Allan Polak, StoredTech sr. of technology, and Aleks Pavlinik, StoredTech chief information security officer, present at CIC’s April 30, 2025 meeting in Richmond, Virginia/Teresa Moss