Targeted Ransomware Hits Insurance Data
Managed service providers are new targets and the cost of rescuing their
data is exorbitant.
By Bryant Tow

Ransomware started out as spam email blasts to see who
would click on a link or open an attachment containing
malware that would encrypt the victims' Word documents, PowerPoint
decks, pictures and similar files for a standard ransom to get the data back,
usually in the neighborhood of $300. Cyber criminals were
just casting the net as wide as possible to see what
would stick. Not anymore.
In late April, a managed service provider (MSP) in the
southeast was targeted. Hosting over 280 customers, several from the financial services sector including insurance providers, makes for a target-rich environment.
A customer of the MSP called the support team and asked
for a port to be opened on a firewall for a backup system.
The password for the backup system was set to “backup1.”
Within a week, the MSP was compromised with the latest and
greatest ransomware. The ransom was set at $50k. The MSP’s
insurance company pulled in their law firm to help with the
logistical details under privilege. The lawyers then pulled in a
digital forensics company. It became clear the mission of both
of these organizations was to protect the insurance company,
not the insured.
The MSP then brought in our team to assist with the
investigation and cleanup to protect their interests and work
alongside the legal and forensic firms. Our triage of the scene
showed the attackers first deleted all of the backups. Next,
they wiped the data at the co-location site and encrypted over 56
terabytes of data, making it useless without the keys.
Consultations with other forensics and incident-response
organizations and the FBI led to the conclusion the only way
to recover the data was to pay the ransom.
Technical teams worked 24 hours a day for four days to
decrypt and return all of the data to a usable state. Work remained
to find and remediate all additional vulnerabilities, which was beyond the scope of the current
investigation. As we see in most cases, the attackers now know
the MSP will pay the ransom. They will be back, and any vulnerabilities left behind will be used for round two.
Total costs estimated as of this writing exceed $100k and
there is still considerable remediation work to be done. There
has been no payment as yet from the insurance company
while the forensics team and law firm continue to evaluate
whether this is a payable claim. In many cases, the claims are
not paid if there is any negligence that can be proven on the
part of the insured.
There are two lessons to be learned from this event:
Lesson 1: Do not blindly trust your managed service or
cloud providers—or any technology vendor. Using vendors as
a launch point is a popular attack vector for cyber criminals.
Many service providers arrange impressive slide decks on
the security they provide, but it is sometimes just “Security
Some will provide a System and Organization Controls
(SOC 2) report, in which an accounting firm audits the
controls the MSP has described to it. Nothing in these
reports shows missing security practices. The MSP could be
doing everything it told the accountants about while missing
entire areas of security standards and best practices.
The only way to be sure your business is properly protected is to manage your own vendor risk program. Each vendor
must be ranked, and its dependence and business exposure prioritized, so the appropriate level of evaluation can be
assigned. Evaluations should be done on a regular cadence and
diligently managed with proper follow-up on security gaps.
Lesson 2: The vulnerabilities in our systems are most
often not technical. Exposure comes through absence of
processes or lax procedures. This attack and the exorbitant
cost to the business could have been prevented with a proper
First, any client request for a change in the firewall rules
should be pushed through a change management process that
includes proper approval, a back-out strategy, and ongoing management.
Second, the password used was about as weak as possible.
Lack of education and awareness of basic security requirements, combined with the absence of an enforced password policy,
made this attack easy.
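The two controls Lesson 2 says were missing can be expressed as automated gates that a ticketing or change-management system runs before a firewall rule for a backup system is implemented. The following is an added example and is not code from the article or from any of the organizations it describes; the ticket fields, the port number, the 16-character minimum, the weak-word list, the management-port set and the client address are all assumptions made for the example. It reconstructs the article's sequence (an unapproved any-source rule for a system whose password is "backup1") and shows the same request after it has been corrected.

```python
"""Added example: change-management and password-policy gates for the
scenario in Lesson 2. Not part of the article; policy thresholds, the
weak-word list, ticket fields and sample values are assumptions."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumed policy: dictionary words that must not form the bulk of a password.
WEAK_BASE_WORDS = {"password", "backup", "admin", "welcome", "letmein", "qwerty"}
# Assumed policy: ports that are never opened to more than a single source host.
MANAGEMENT_PORTS = {22, 23, 445, 3389, 5985, 5986}


@dataclass
class FirewallChangeRequest:
    ticket_id: str
    requester: str
    approver: Optional[str]   # must be someone other than the requester
    source: str               # CIDR allowed to reach the port
    dest_port: int
    justification: str
    backout_plan: str


def firewall_findings(req: FirewallChangeRequest) -> list[str]:
    """Return the change-management and exposure problems with a rule request.
    An empty list means the request may proceed to implementation."""
    findings = []
    if not req.approver or req.approver == req.requester:
        findings.append("no independent approval recorded")
    if not req.justification.strip():
        findings.append("no business justification")
    if not req.backout_plan.strip():
        findings.append("no back-out plan")
    net = ipaddress.ip_network(req.source, strict=False)
    if net.prefixlen == 0:
        findings.append("source is any address; restrict to the client's egress IP")
    if req.dest_port in MANAGEMENT_PORTS and net.num_addresses > 1:
        findings.append(f"port {req.dest_port} is a management port; source must be a single host")
    return findings


def password_findings(password: str, service_name: str = "") -> list[str]:
    """Return the policy violations for a service-account password.
    An empty list means the password passes the assumed policy."""
    findings = []
    if len(password) < 16:
        findings.append("shorter than 16 characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("fewer than three character classes")
    lowered = password.lower()
    for word in sorted(WEAK_BASE_WORDS):
        # "backup1" is the word "backup" plus a single character of decoration.
        if word in lowered and len(password) - len(word) < 8:
            findings.append(f"dictionary word '{word}' with trivial decoration")
    if service_name and service_name.lower() in lowered:
        findings.append("contains the name of the service it protects")
    return findings


def review_exposure(req: FirewallChangeRequest, password: str, service_name: str) -> dict:
    """Run both gates; the rule is applied only if neither produces a finding."""
    report = {
        "firewall": firewall_findings(req),
        "password": password_findings(password, service_name),
    }
    report["approved"] = not (report["firewall"] or report["password"])
    return report


# Constructed ticket modelled on the article's sequence of events: a client
# asks for a port to be opened for a backup system protected by "backup1".
# Port, names and addresses are assumptions, not details from the article.
AS_REQUESTED = FirewallChangeRequest(
    ticket_id="CHG-0001", requester="client-helpdesk", approver=None,
    source="0.0.0.0/0", dest_port=10000, justification="", backout_plan="",
)
AS_CORRECTED = FirewallChangeRequest(
    ticket_id="CHG-0002", requester="client-helpdesk", approver="netops-lead",
    source="203.0.113.10/32", dest_port=10000,
    justification="offsite backup replication for client X",
    backout_plan="remove rule CHG-0002 and confirm port closed from outside",
)

if __name__ == "__main__":
    for label, req, pw in (("as requested", AS_REQUESTED, "backup1"),
                           ("as corrected", AS_CORRECTED, "Tq7#mLp2$vX9wRz!")):
        report = review_exposure(req, pw, service_name="backup")
        print(label, "-> approved:", report["approved"])
        for gate in ("firewall", "password"):
            for finding in report[gate]:
                print(f"  [{gate}] {finding}")
```

The first ticket fails on every check: no approver, no justification, no back-out plan, an any-source rule, and a password that is short, two character classes, a dictionary word with one digit appended, and the name of the service it protects. The corrected ticket passes both gates. The password rules are deliberately simple so that the reasoning is visible; in practice the dictionary would be a breached-password list rather than six words.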
This story is merely one of thousands. Ransomware incidents have risen over 50 percent in the last year according to
the Verizon Data Breach Investigations Report. In the survey,
financial services was the top industry affected at 24 percent.
The only way to properly protect your organization is to
consider all of the attack vectors and have a complete security
program including executive leadership. An incident response
plan that includes a ransomware attack scenario should be
part of the program. The growth rate and the successful attacks we are seeing would seem to indicate it is not a matter of
if but when. Make sure your organization is prepared.
Bryant Tow is managing partner with CyberRisk Solutions.