
Cyber Incident Victim: Apex Human Capital Management

Date:

Feb 2019

Location:

United States of America

Summary

A payroll software provider suffered a ransomware attack that disrupted services for hundreds of customers, forcing the company to take its systems offline for nearly three days. The ransomware encrypted both the primary infrastructure and the mirrored disaster recovery systems, so failover was not possible. After consulting security firms, the organization paid the ransom to expedite recovery, but the decryption key it received proved only partially effective: it corrupted file directories and executable files and prolonged restoration efforts. One legacy business unit remained offline after recovery, and its customers were transitioned to newer platforms. The attack vector remained unknown despite a recent security audit, and a forensic investigation was ongoing. Service interruptions prevented clients from processing payroll during the outage.


Description

On February 19, 2019, at 4:00 a.m., Apex Human Capital Management (Apex HCM), a Roswell, Georgia-based cloud payroll software provider serving approximately 350 payroll service bureaus, detected a ransomware infection in its systems. The destructive ransomware encrypted files across the company’s primary network and its recently implemented off-site disaster recovery system, which had been mirroring live data in a separate state. This simultaneous compromise rendered both production and backup environments inoperable, forcing Apex to take all systems offline immediately. The company began issuing bi-hourly customer updates, initially projecting service restoration within hours but repeatedly extending timelines as remediation efforts stalled. By February 20, after consulting two external cybersecurity firms, Apex concluded that paying the ransom demanded by the attackers represented the fastest path to service recovery, though it declined to disclose the payment amount or ransomware variant.


The decryption key provided after payment failed to fully restore systems: it corrupted file directories and rendered critical executable files unusable, which prolonged the service outage. After nearly three days of disruption, Apex restored core payroll services but left its legacy ACA OnDemand business unit offline indefinitely, offering affected customers migration to costlier SaaS platforms instead. The incident prevented hundreds of Apex’s clients (payroll service bureaus supporting small and mid-sized businesses) from processing payroll during the outage window, and one customer confirmed it was unable to meet payroll deadlines for its own clients. Forensic investigation into the attack vector remained ongoing at the time of reporting; Apex noted that it had completed a security audit shortly before the breach. Parallels were drawn to a December 2018 ransomware attack against cloud host Dataresolution.net, which needed 16 days to restore services without paying a ransom, highlighting the operational risk that extended downtime poses for SaaS providers. The FBI’s general advisory against paying ransoms contrasted with the practical pressures faced by victimized firms: Apex’s case demonstrated the business-critical imperative to resume operations even when the outcome of recovery is uncertain.
