CRE Firms Are Ripe for Ransomware Attacks

Attacks are already happening under the radar, say some experts.

Huge oil transportation company Colonial Pipeline and major meatpacker JBS Foods both made headlines when they fell victim to ransomware attack earlier this year. Little wonder:  This form of criminal activity, in which malware placed on computer systems encrypts everything making operations impossible unless someone pays a ransom, is a high-profile subject.

Real estate firms have less frequently been reported as being hit by ransomware, but in this case, no news is not good news. Some experts say companies in various parts of commercial real estate have already fallen prey, only without major publicity. And for those firms that have remained unscathed, experts say it is only a matter of time. 

CoreLogic warned in 2019 about ransomware gangs targeting real estate companies. And while names don’t generally get mentioned, some professional services organizations have mentioned cases they’re familiar with.

“It’s certainly something I have seen occurring,” Heidi Tandy, a partner in the intellectual property department at Berger Singerman, tells GlobeSt.com. “I’m not saying it’s happening more often now than 18 months ago. It’s just happening differently. Some of the bad guys are getting more creative with how they are getting inside of a business’s servers.”

A “medium-sized national office property owner” fell prey to three separate ransomware attacks, Jeff Ewing, vice president of operations for commercial real estate computer technology provider 5Q, tells GlobeSt.com—twice on corporate data and once on the building network. 

“It’s not that they don’t care,” Ewing says, “but the bad guys have also gotten smart enough that if it’s not a publicly owned company, they can keep the ransom low enough that it will be paid. Some of these companies just want to fix the problem and move on, and then they don’t think about it anymore. Until it happens again.”

A blog post from Atlanta-based BoostIT describes a 2020 attack on a client in real estate. Recovery took days and up to 48 hours of data had to be discarded. This was with multiple layers of security. Not that such defenses are in place at all CRE firms.

“Across the industry, you’ve got some thought leaders that are at publicly traded companies that are already doing things in compliance with policies and procedures,” Ewing says. “They have procedures in place, technology in place, operations in place. But a large majority of the industry is lagging behind. They‘ve come along a lot in the last few years, but they still see security as a cost center. It doesn’t get the attention it needs. It will stay that way until another firm is hit.”

Human engineering—or the exploitation of lax actions by employees—is the most common approach to how breaches begin. 

“If you’re a large apartment complex, you‘re going to get email all the time from outside your domain,” Tandy says. “You might not trust those by nature or because there are large signs up in your office that tell you not to trust them. But you might assume something coming in from what looks like your own company can be trusted.” Or someone might click on a purposefully infected link on some webpage.

CRE companies can take various steps to harden their systems and gain greater protection. Those should be done with help from cybersecurity experts and require development of policies and procedures, as well as awareness training for employees. But it’s probably more palatable than Ewing’s offered alternative to “write out the speech [now] that you’re [eventually] going to give to the press.”