


Targeted Ransomware Hits Insurance Data

Ransomware started out as spam email blasts to see who would click on a link or open an attachment containing malware that would encrypt the victims’ Word, PowerPoint, pictures, etc., for a standard ransom to get the data back, usually in the neighborhood of $300. Cyber criminals were just looking to spread the net as wide as possible and see what would stick. Not anymore.

In late April, a managed service provider (MSP) in the southeast was targeted. Being the host for over 280 customers—several from the financial service sector including insurance providers—makes for a target-rich environment.

A customer of the MSP called the support team and asked for a port to be opened on a firewall for a backup system. The password for the backup system was set to “backup1.” Within a week, the MSP was compromised with the latest and greatest ransomware. The ransom was set at $50k. The MSP’s insurance company pulled in their law firm to help with the logistical details under privilege. The lawyers then pulled in a digital forensics company. It became clear the mission of both of these organizations was to protect the insurance company, not the insured.

The MSP brought in our team to assist with the investigation and cleanup to protect their interests and work alongside the legal and forensic firms. Our triage of the scene showed the attackers first deleted all of the backups. Next, they wiped out the co-location data and encrypted over 56 terabytes of data, making it useless without the keys.

Consultations with other forensics and incident response organizations and the FBI led to the conclusion that the only way to recover the data was to pay the ransom.

Technical teams worked 24 hours a day for four days to decrypt and return all of the data to a usable state. There was work to be done to find and remediate all additional vulnerabilities, which would be beyond the scope of the current investigation. As we see in most cases, the attackers now know the MSP will pay the ransom. They will be back and any vulnerability left behind will be used for round two.

Total costs estimated as of this writing exceed $100k and there is still considerable remediation work to be done. There has been no payment as yet from the insurance company while the forensics team and law firm continue to evaluate whether this is a payable claim. In many cases the claims are not paid if there is any negligence that can be proved on the part of the insured.

There are two lessons to be learned from this event:

Lesson 1: Do not blindly trust your managed service or cloud providers—or any technology vendor. Using vendors as a launch point is a popular attack vector for cyber criminals. Many service providers provide impressive slide decks of the security they provide, but it is sometimes just “Security Theater.”

Some will provide a System and Organization Controls (SOC) II report, in which an accounting firm audits all of the controls the MSP provides. Nothing in these reports shows missing security practices. The MSP could be doing everything it described to the accountants, yet be missing entire areas of security standards and best practices.

The only way to be sure your business is properly protected is to manage your own vendor risk program. Each vendor must be ranked and their dependence and business exposure prioritized so the appropriate level of evaluation can be assigned. Evaluations should be done on a regular cadence and diligently managed with proper follow-ups on security gaps.

Lesson 2: The vulnerabilities in our systems are most often not technical. Exposures come through absence of processes or lax procedures. This attack and the exorbitant cost to the business could have been prevented with a proper security program.

First, any client request for a change in the firewall rules should be pushed through a change management process that includes proper approval, back-out strategy, and management. Second, the password used was about as weak as possible. Lack of education and awareness of basic security requirements combined with absence of an enforced password policy made this attack easy.

This story is merely one of thousands. Ransomware incidents have risen over 50 percent in the last year according to the Verizon Data Breach Investigations Report. In the survey, financial services was the top industry affected at 24 percent.

The only way to properly protect your organization is to consider all of the attack vectors and have a complete security program including executive leadership. An incident response plan that includes a ransomware attack scenario should be part of the program. The growth rate and the successful attacks we are seeing would seem to indicate it is not a matter of if but when. Make sure your organization is prepared.


