Targeted Ransomware Hits Insurance Data
Bryant G. Tow | May 15, 2017
Ransomware started out as spam email blasts to see who would click on a link or open an attachment containing malware that would encrypt the victims’ Word, PowerPoint, pictures etc. for a standard ransom to get the data back, usually in the neighborhood of $300. Cyber criminals were just looking to spread the net as wide as possible and see what would stick. Not anymore.
In late April, a managed service provider (MSP) in the southeast was targeted. Being the host for over 280 customers—several from the financial service sector including insurance providers—makes for a target-rich environment.
A customer of the MSP called the support team and asked for a port to be opened on a firewall for a backup system. The password for the backup system was set to “backup1.” Within a week, the MSP was compromised with the latest and greatest ransomware. The ransom was set at $50k. The MSP’s insurance company pulled in their law firm to help with the logistical details under privilege. The lawyers then pulled in a digital forensics company. It became clear the mission of both of these organizations was to protect the insurance company, not the insured.
The MSP brought in our team to assist with the investigation and cleanup to protect their interests and work alongside the legal and forensic firms. Our triage of the scene showed the attackers first deleted all of the backups. Next, they wiped out of the co-location data and encrypted over 56 Terabyte of data making it useless without the keys.
Consultations with other forensics and incident response organizations and the FBI led to the conclusion that the only way to recover the data was to pay the ransom.
Technical teams worked 24 hours a day for four days to decrypt and return all of the data to a usable state. There was work to be done to find and remediate all additional vulnerabilities, which would be beyond the scope of the current investigation. As we see in most cases, the attackers now know the MSP will pay the ransom. They will be back and any vulnerability left behind will be used for round two.
Total costs estimated as of this writing exceed $100k and there is still considerable remediation work to be done. There has been no payment as yet from the insurance company while the forensics team and law firm continue to evaluate whether this is a payable claim. In many cases the claims are not paid if there is any negligence that can be proved on the part of the insured.
There are two lessons to be learned from this event:
Lesson 1: Do not blindly trust your managed service or cloud providers—or any technology vendor. Using vendors as a launch point is a popular attack vector for cyber criminals. Many service providers provide impressive slide decks of the security they provide, but it is sometimes just “Security Theater.”
Some will provide a System and Organization Controls SOC II report, which is where an accounting firm audits all of the controls the MSP provides. There is nothing in these reports that show missing security practices. They could be doing everything they provided the accountants, but missing entire areas of security standards and best practices.
The only way be sure your business is properly protected is to manage your own vendor risk program. Each vendor must be ranked and their dependence and business exposure prioritized so the appropriate level of evaluation can be assigned. Evaluations should be done on regular cadence and diligently managed with proper follow-ups on security gaps.
Lesson 2: The vulnerabilities in our systems are most often not technical. Exposers come through absence of processes or lax procedures. This attack and the exorbitant cost to the business could have been prevented with a proper security program.
First, any client request for a change in the firewall rules should be pushed through a change management process that includes proper approval, back-out strategy, and management. Second, the password used was about as weak as possible. Lack of education and awareness of basic security requirements combined with absence of an enforced password policy made this attack easy.
This story is merely one of thousands. Ransomware incidents have risen over 50 percent in the last year according to the Verizon Data Breach Investigation Report. In the survey, financial services was the top industry affected at 24 percent.
The only way to properly protect your organization is to consider all of the attack vectors and have a complete security program including executive leadership. An incident response plan that includes a ransomware attack scenario should be part of the program. The growth rate and the successful attacks we are seeing would seem to indicate is it not a matter of if but when. Make sure your organization is prepared.
- Race to the Finish Line
- New Tools, New Opportunities in Claims
- ITA LIVE: Reaching Insurance Industry Crossroads
- Advice to Insurance IT Leaders: Keep Your Eye on the Ball
- New Date, Venue for ITA LIVE 2017
- Guidewire Makes Major Push to Small and Midtier Market by Acquiring ISCS
- Insurance Disruption is Happening Right Now
- Insurity Adds Strategic Investment Partner, General Atlantic
- Beyond Transformation: The Convergence of Finance, Risk, and Actuarial Functions
- The Rapid Evolution of Consumer Protection Regulation
- Talent Hunt: Finding, Attracting, Retaining Top People
- Insurers Flexing Their Distribution Models
- Technology Driving Disruption in Insurance
- Fear of ‘Next Bubble’ Challenges Life, Annuity Carriers
- Technology Allows Commercial Lines Insurers to Stand Out
- Single Sign-on Viewed as Biggest Tech Challenge for Agencies
- ISCS Observes 20th Anniversary; Scurto Predicts Major Changes Ahead
- Policyholders and Their First Impressions
- Progressive Making Progress on the UBI Front
- High and Dry: Insurers Search for Disaster Recovery Plans
- Insurers Sign The (Un)Dotted Line
- Reflections of a Retired Insurance CIO
- Mobile Device Management Just One Answer to BYOD Issue
- Lessons from GEICO and Progressive on Winning the Critical Buying Stage
- You Are a Target for a Cyber Attack
- Web-based Systems are the Next Evolution in Claims Technology
- Gaining a “Wow” Experience from Web Users
- Time to Shift from Business/IT Alignment to Business/IT Alliance
- Healthcare Insurers Changing to Consumer Model
- Organization is the Key for Selecting Software Vendors
- Analysts Expound on the Needs of the Mid-tier Insurance Market
- Finding the Cure for Obamacare’s Website
- New Software Solutions Benefit Insurers on the Inside and Outside
- Products, Market Impede Investment in Systems for Life Insurers
- Combatting Cyber Threats: Predict, Prevent, Persist
- The Future of Telematics Heads Beyond Insurance
- The Shame in Cyber Security Lapses
- Building Policy Administration Systems for the Future
- Insurers Look Into The Eyes of Their Policyholders
- It’s a New Dawn for the ITA
INSURANCE IT NEWS
- Canadian Insurer Deploys Guidewire Solutions for U.S. Customers
- AmeriLife Partners with FAST to Administer Annuities
- Amica Deploys Guidewire’s Billing Solution
- ManchesterStory Selects O’Halleran to Lead Advisory Board
- SPLICE Releases Data-Driven Voice Apps for Alexa Skills
- EIS Introduces CoreVelocity Approach to Accelerate Delivery
- Finys Announces Release of Business Intelligence Solution
- Brunson Named President, CEO of Gulfstream and Catawba
The Email Chat is a regular feature of the ITA Pro magazine and website. We send a series of questions to an insurance IT leader in search of thought-provoking responses on important issues facing the insurance industry.
ITA is pleased to present the 2014 Webinar Series. We have many topics for you to choose from and attendance is open to all ITA members. The webinar topics are current and exciting — ranging from predictive analytics to telematics and will focus on the direction insurance carriers need to follow for the future. All webinars are presented by insurance IT professionals along with some of the leading analysts and consultants in the field. There is no cost to attend an ITA webinar. For more information and to register for the webinar, click the “title” of the webinar below.
BLOGS AND COLUMNS
Robert Regis Hyle
As many insurance technology professionals prepare to travel to Orlando for next week’s IASA annual conference they will be happy to know the program... READ MORE
Bryant G. Tow
Managed service providers are new targets and the cost of rescuing the data is exorbitant... READ MORE
You have surely heard it said that small businesses are the growth engine for America. Today, the phrase has a special ring to it for benefits... READ MORE
With stagnant growth and lingering low interest rates, the life insurance industry faces a challenging future... READ MORE
Finding insurance carriers willing to write commercial lines risks has always been a challenge for producers... READ MORE
As Guidewire Software prepares for the start of Connections, its 11th annual user conference that begins on Nov. 2, Brian Desmond, chief marketing... READ MORE