Ransomware Attacks: Impacts to Businesses and Insurance Claims
February 18, 2019
Many companies do not think about the depth of their cyber policy until it’s too late. Some businesses may be covered to a certain degree for basic business interruption and data loss through their insurer, but rarely is it a fully underwritten, comprehensive cyber policy. And, depending on the depth of the attack on the firm, finding the extent of damage or loss to its equipment and systems is imperative.
We have become so used to hearing about new ransomware cases in the news, and over the last few months it has become even more common to hear about these types of attacks on organisations all over the world. What were previously considered isolated cases are now turning into a headache for companies that are seeing their reputations and bottom lines affected by these threats. But what exactly is ransomware?
What is ransomware, and why is it here to stay?
Ransomware is software designed to block access to a computer system until a sum of money is paid. The extent to which computer systems are blocked during and after ransomware attacks can vary, from a simple screen lock, all the way to complete encryption of all files. Ransomware attacks against companies continue to be more targeted, and the frequency of such attacks is likely to increase. For that reason, it is imperative that businesses and their insurers understand this growing risk.
Ransomware is here to stay, despite the rise in the more innocuous cryptominers, which hijack a system's resources to generate bitcoins for the unscrupulous. Organisations are often insured under an umbrella policy. They are rarely protected with a specific cyber policy, and are therefore often surprised when insurers don’t send that cheque because ongoing monitoring and upgrading are perceived as betterment. Firms are all too often reactive rather than proactive.
The apparent good news is that ransomware has decreased overall, according to Kaspersky’s KSN report. However, anecdotal experience from Envista’s book of business shows that ransomware is just becoming more targeted, and the frequency of corporate claims is likely to increase due to the abandonment of “spray and pray” tactics. The hidden costs to organisations are reputational damage, downtime and lost business, and this does not include paying the ransom amount.
Prevention: How to weaken ransomware
Ransomware is not nearly as successful if a few key things happen within an incident:
- If the encryption key is known, if it can be cracked, or if it’s made public.
- If it can be easily detected by an anti-virus or malware solution.
- If security patches are up to date.
- If it cannot be spread laterally to other computers.
- If it is prevented from communicating with the website URLs that control the operation.
The first stage of the investigation is to gain a high-level understanding of the infrastructure. Asking questions early helps a digital examiner get to the bottom of what happened much quicker. Questions that can assist include what sort of network technology and topology is being used, what type of network and physical security is in place, how the security is monitored, and how many workstations are on the network.
When the necessary questions are answered, a competent examiner can attempt to find out if an attacker was present in the system and when, how the attacker (or attackers) accessed the system and what data was obtained. They can also find out what information the attacker exfiltrated and by what means.
In addition to the ransomware attack, if it is found that Personally Identifiable Information (PII), Protected Health Information (PHI) or Intellectual Property (IP) was taken from the compromised system(s), then an organisation must proceed with caution. Regulatory or legal action may be required, as well as compliance expert reporting. Retention of information for further analysis and testimony may be required to show that no new or continuing breach is present on the system.
Cyber security contingency planning
For most organisations, the financial ransom that may be asked could be considerably less than the hours lost to the business. Preparedness by companies creates less of an opportunity for system hackers, whereas lack of preparedness provides the opposite and thus encourages future attacks.
Contingency planning, vetting security firms that can aid before and after an attack, staff training and discussing options for obtaining an additional, more specific cyber policy can all soften the impact, or even stop altogether, the spectre of ransomware that looms over global businesses.
Working with a company, such as Envista, to provide expert forensic consulting and training to corporations, insurers and legal professionals can help professionals become more familiar with the changing risk environment. For more on this topic, please read our article in the February issue of eForensics magazine, Ransomware attacks in insurance claims.
About the Authors
Alistair Ewing has over eight years of experience in Digital Forensic Analysis, Data Recovery, Mobile Phone Forensics, Litigation Support, and has served as an Expert Witness in criminal and civil cases in the UK. Mr Ewing began performing digital forensics in 2011 and has had hundreds of hours of experience in this sector. Qualified as an expert witness for some years and vetted by Sweet and Maxwell, he has presented evidence in tribunals, civil and criminal courts in the UK, and been involved in corporate investigations, litigation support and collections.
Jason Bergerson is the Director of Envista's digital forensics practice and is a veteran in the industry. Prior to Envista, Mr. Bergerson worked in digital forensics for nearly 20 years at Kroll Ontrack. Mr. Bergerson has worked on cases involving fraud, IOC, murder, terrorism, data recovery and, more recently, cyber-attacks involving ransomware.