For generations of Mainers looking to swap guns, unload old motorbikes or pick up livestock on the cheap, Uncle Henry’s has been the place to find a match.
But last month, a group of foreign hackers went looking for something not found in the classified website’s thousands of advertisements: a crypto payday.
Uncle Henry’s was the target of a ransomware scam that deleted much of the business’s decades-old electronic database on the night of March 11, forcing the site to close for four weeks, president Kevin Webb said. The breach did not expose sensitive user data like credit card information, he said, and Uncle Henry’s is back online and ready to connect Maine sellers to buyers as it has for more than half a century.
“We’ve had a couple of tough hits in the last six to eight months,” Webb said. “But we’ve been around since 1970, and it was not my intention to go away.”
Uncle Henry’s joins a list of recent Maine targets of foreign ransomware attacks that includes grocery stores, health systems and municipalities. Typically, the efforts involve invading a vulnerable system and then trying to coerce a ransom payment.
Since cutting its print edition last year, Uncle Henry’s ads have run exclusively on its website, which lists everything from antiques to hot tubs to real estate. But on the morning of March 12, Webb got a notification that a “database error” had taken down the network. After some digging, Webb and freelance tech specialist Bradley Corson discovered that “database error” was an understatement. There was no longer any database at all.
Instead, where online code should have been, they found a note claiming the data had been stolen. The hackers demanded about $700 worth of Bitcoin for its safe return, Corson said.
“I’m not a hacker,” he said, “but my theory is they keep it low enough that a lot of people will just pay it and hope.”
The Uncle Henry’s team quickly figured out that wouldn’t do any good. Experts from a cybersecurity firm explained that the attack had the markers of a common scam where the hackers copy only a small amount of information and delete the rest. The goal is to convince a business that its data really has been taken hostage, which can be much harder to do undetected than simply wiping the database.
It didn’t look like the thieves could have been in the system long enough to transfer the massive amount of information it contained. With the FBI’s guidance, Webb and his team reached out to the hackers and asked them for more proof they really had the data. They couldn’t provide it.
“They copied a couple of ads,” Webb said. “That’s all they did.”
It took a few weeks to restore the system, implement new security measures and make sure that no trace of the hackers’ code remained any place where it could wreak havoc. Corson was able to recover most of the site’s active ads and user data. The decades’ worth of deleted information was an interesting historical artifact, he said, but not particularly valuable.
“It’s no more useful than having an Uncle Henry’s book from the ’80s that you can look back through and see the ad content,” he said. “They wouldn’t be able to get much of anything unless they’re really interested in 1957 Buicks.”
Webb said Uncle Henry’s users should not be concerned about their own information being compromised. Even if the thieves had stolen the database instead of deleting it, he said, they would not have access to anything more sensitive than users’ email addresses and the contents of their ads.
He said he was more worried about losing the goodwill of online customers just months after having to cut the institution that was the print magazine. But Uncle Henry’s users have mostly been supportive during the blackout and since the website’s return on April 10.
The outlook for catching the hackers appears less rosy. Webb said that while the FBI took a report on the case, they didn’t give any indication that they had any insights on who the thieves were or how to find them.
“These are overseas actors, so not much is really going to happen unfortunately,” he said. “They’re very hard to track down.”