Targeted Ransomware Hits Insurance Data
Bryant G. Tow | May 15, 2017
Ransomware started out as spam email blasts to see who would click on a link or open an attachment containing malware that would encrypt the victims’ Word, PowerPoint, pictures etc. for a standard ransom to get the data back, usually in the neighborhood of $300. Cyber criminals were just looking to spread the net as wide as possible and see what would stick. Not anymore.
In late April, a managed service provider (MSP) in the southeast was targeted. Being the host for over 280 customers—several from the financial service sector including insurance providers—makes for a target-rich environment.
A customer of the MSP called the support team and asked for a port to be opened on a firewall for a backup system. The password for the backup system was set to “backup1.” Within a week, the MSP was compromised with the latest and greatest ransomware. The ransom was set at $50k. The MSP’s insurance company pulled in their law firm to help with the logistical details under privilege. The lawyers then pulled in a digital forensics company. It became clear the mission of both of these organizations was to protect the insurance company, not the insured.
The MSP brought in our team to assist with the investigation and cleanup to protect their interests and work alongside the legal and forensic firms. Our triage of the scene showed the attackers first deleted all of the backups. Next, they wiped out the co-location data and encrypted over 56 terabytes of data, making it useless without the keys.
Consultations with other forensics and incident response organizations and the FBI led to the conclusion that the only way to recover the data was to pay the ransom.
Technical teams worked 24 hours a day for four days to decrypt and return all of the data to a usable state. There was work to be done to find and remediate all additional vulnerabilities, which would be beyond the scope of the current investigation. As we see in most cases, the attackers now know the MSP will pay the ransom. They will be back and any vulnerability left behind will be used for round two.
Total costs estimated as of this writing exceed $100k and there is still considerable remediation work to be done. There has been no payment as yet from the insurance company while the forensics team and law firm continue to evaluate whether this is a payable claim. In many cases the claims are not paid if there is any negligence that can be proved on the part of the insured.
There are two lessons to be learned from this event:
Lesson 1: Do not blindly trust your managed service or cloud providers—or any technology vendor. Using vendors as a launch point is a popular attack vector for cyber criminals. Many service providers provide impressive slide decks of the security they provide, but it is sometimes just “Security Theater.”
Some will provide a System and Organization Controls (SOC II) report, in which an accounting firm audits all of the controls the MSP provides. Nothing in these reports shows missing security practices. They could be doing everything they provided to the accountants, but missing entire areas of security standards and best practices.
The only way to be sure your business is properly protected is to manage your own vendor risk program. Each vendor must be ranked and their dependence and business exposure prioritized so the appropriate level of evaluation can be assigned. Evaluations should be done on a regular cadence and diligently managed with proper follow-ups on security gaps.
Lesson 2: The vulnerabilities in our systems are most often not technical. Exposures come through the absence of processes or lax procedures. This attack and the exorbitant cost to the business could have been prevented with a proper security program.
First, any client request for a change in the firewall rules should be pushed through a change management process that includes proper approval, back-out strategy, and management. Second, the password used was about as weak as possible. Lack of education and awareness of basic security requirements combined with absence of an enforced password policy made this attack easy.
This story is merely one of thousands. Ransomware incidents have risen over 50 percent in the last year according to the Verizon Data Breach Investigations Report. In the survey, financial services was the top industry affected at 24 percent.
The only way to properly protect your organization is to consider all of the attack vectors and have a complete security program including executive leadership. An incident response plan that includes a ransomware attack scenario should be part of the program. The growth rate and the successful attacks we are seeing would seem to indicate it is not a matter of if but when. Make sure your organization is prepared.