cyber insurance

Ransomware – Should the Ransom be Paid?

by
Ransom

Ransomware attacks remain a continuing threat to organisations as ransomware gangs introduce new strains which make them difficult to defend against.

http://cyberbrokers.co.uk/ransomware-is-still-a-real-threat/

With ransomware attacks comes the inevitable ransom demand. These demands in the early days were only a few hundred dollars and this has now developed into a multimillion dollar business for hackers.

Ransomware as a service (RaaS) is a subscription based model that allows other hackers to use already developed ransomware tools to carry out ransomware attacks.With this brings an increase in attacks together with an increase in the threat landscape and of course the actual ransom.

Should the ransom be paid?

Every organisation will have their own views on this and whether the ransom should be paid to the hackers or not. The type and severity of the ransomware attack will be the main factor as to how the organisation will wish this to play out.

What also is at stake – is it theft of data , is it loss of manufacture or it the use of the company website? All will have some form of financial implication.

Are there back-ups in place , are these isolated from the network and are these still secure ?

The role of insurance

If cyber insurance is in place the policyholder will advise their insurers  of the attack and they will appoint a forensic investigator and a ransom ware specialist from their vendor panel.

These two parties will ascertain the extent of the incident and also as to whether there is collateral damage in that a sideways attack has taken place where data is already being extrapolated and in place to be distributed on the Dark Web or the public domain.

The decision to pay

If the position is that the data cannot be retrieved through back-up or it is not possible to return the business to near normal functionality it may be necessary to pay the ransom.

Some of the possible implications of paying this are as follows:-

The hackers will not provide the encryption code

The data still not be released

A further ransom could be demanded

Paying the ransom

If cyber insurance is in place the specialist ransomware vendor will organise the ransom payment to the ransomware gang in Bitcoin currency via a Bitcoin account set up on the business’s behalf.

As a result of the high incident of ransomware attacks there are signs that cyber insurers are restricting coverage. A number of insurers are introducing coinsurance but recently Axa in France have decided not to provide coverage for the payment of ransoms for policyholders in France.

https://www.zdnet.com/article/axa-pledges-to-stop-reimbursing-ransom-payments-for-french-ransomware-victims/

Long term effects of paying the ransom 

  • The hackers could return to make subsequent ransom demands
  • The business could gain a reputation for paying a ransom and other ransomware gangs will try their luck
  • The original malware planted remains in the network and hackers return to exploit any vulnerabilities

The payment of a ransom following a ransomware attack is likely to be the last resort of a business but if robust cyber security is in place it provides every chance of having to succumb to the demands of hackers.

Image : Shutterstock

Solar Winds Blows Cyber Chill

by
Solar Winds

The Solar Winds cyber-attack at the end of last year was a great example of the implications that this type of incident can have on the supply chain of an organisation.

Background

Solar Winds are a major US IT firm which provide software globally to Fortune 500 companies and the US government who regularly send out updates to their customers.

What Happened ?

During one of the updates Solar Winds inadvertently sent out updates that included a code that had been hacked. The code it is understood was added into the computer system “Orion” which is primarily used by firms to manage their IT resources. This particular system has 333,000 customers.

This created a backdoor to many of their customers computer systems which once in hackers installed further malware.It is understood that the attack took place for a number of months before it was discovered. It has been reported that 18,000 customers installed these updates which contained the malware.

Worst was still to come when US government agencies updated Orion’s software with the vulnerability being utilised to install Supernova and CosmicGale malware.This ultimately allows a hacker to  use remote code on the Orion software.

Who Was Impacted By This ?

The most highest profile company to be affected was FireEye who is a leading cyber security firm. Other companies including Microsoft, Cisco, Intel and Deloitte.

In addition to this a number of US government departments were compromised including the Department of Homeland Security and Treasury Department.

Who Carried Out The Attack ?

It is believed that Russian group SVR were behind this although some sources believe it may have been a Chinese targeted attack. No one is sure.

What Damage Was Caused?

Numerous e-mail accounts were broken into giving the hackers access to information contained within these.The accounts of the US government departments announced that only unclassified information  was compromised.

Impact On The Supply Chain

With many computer systems being accessed the task is to try and secure these and the time it will take to carry this out.

Many companies rely on companies for services be these IT related or otherwise and when these are compromised the implications of a cyber attack can run through the entire supply chain.

How Can Cyber Insurance Help ?

This form of insurance can provide many benefits for an organisation hit by such an attack.

The policy provides 24/7 emergency responses access to a specialist panel of vendors who have the specialism and skill set to manage and help with incidents such as these.

For example a forensic investigation can be carried out to ascertain the extent of the attack and if data has been compromised. Costs associated with subsequent claims by individuals and legal fees can also be covered under this policy.

Image : Shutterstock

Norsk Hydro – A Ransomware Case Study

by

Norsk Hydro, the Norwegian aluminium manufacturer were hit by a ransomware attack in March 2019. The company is one of the largest aluminium producers of its kind with smelting plants and factories in 40 countries being managed by their 35,000 employees.

The ransomware attack impacted on their production in Europe and the US which resulted in the company having to revert to manual operations to manage their industrial control systems albeit on a much slower basis than normal whilst they battled against the ransomware attack.

Parts of the business were however still operational which allowed a degree of production to still be maintained.The stoppage of the primary metal and rolled products had some operation impact from a business interruption perspective.

The CFO announced that the ransom bitcoin demand had and will not be paid as they attempted to restore the company’s software and preserve their data.

The cause of the cyber attack was as a result of an employee opening an infected e-mail from what was thought to be a trusted customer which allowed the hackers to gain access to their IT infrastructure and put in place the ransomware virus.This was an example of an Advanced Persistent Threat (APT).

The type of ransomware is thought to have been LockerGoga which enables hackers to encrypt computer files very quickly which are then locked with a ransom demand then being made to release them. The hackers also threatened to increase the ransom should their be any be any delays in paying to add further pressure to the situation.

Norsk Hydro made three quick decisions which helped mitigate the attack:-

  • The CFO announced that the ransom bitcoin demand had and will not be paid.
  • Microsofts cybersecurity team ( Detection and Response Team know as DART)  were engaged to help restore the operation.
  • Norsk Hydro were very transparent about the attack and hosted daily webcasts and press conferences providing updates on the attack which does not normally occur.

A special team was build up in the coming weeks which helped the business re over and reconstitute its business operations . This helped remove the threat posed by the hackers and to understand the mechanism of the ransomware attack.

Norsk Hydro shared a video of how they dealt with the ransomware attack in their Toulouse plant.

https://securityboulevard.com/2019/04/norsk-hydro-shares-a-4-minute-video-on-how-its-employees-stood-up-for-the-firm-post-an-extensive-cyberattack/

The financial impact of the ransomware attack is through to be in the region of $70- 80M. NorskHydro also purchased a cyber insurance policy which is believed to date to have paid out $33M.

Image : Shutterstock

Loss of Reputation – The Biggest Cyber Threat ?

by
Ransom

Is the loss of reputation on the biggest cyber threats that a business faces today ?

A good reputation takes a long to build up but the emerging cyber threat landscape can ruin this reputation in a matter of hours. It is important therefore that businesses have in place a loss mitigation plan in place in order to manage this disaster case scenario.

One of the highest profile cyber attack in the UK was the data breach at TalkTalk where the long term consequences of this still being felt within the business today.

The impact on the reputation a business of a data breach 

  • Loss of existing customers
  • Loss of confidence in the business
  • Competitors exploiting the situation
  • Share price of the business
  • Loss of future earnings
  • The stigma of a data breach
  • The attractiveness of future investment in the business
  • Attracting new employees
  • Bad management of the data breach

Be Prepared 

It is essential that the business has an incident response plan in place in order to manage the cyber attack and the ensuing  fall out that will inevitably occur.  This would include a crisis management and business continuity plan.

These should be regularly updated with “dry runs” carried out in order to ensure that they work effectively..

Cyber Insurance 

This specialist form of insurance can help manage and mitigate a cyber attack at both the very early stages of a data breach and also help the business through the process. This is facilitated through the incident services that an insurer offers as part of the policy benefits . This includes public relations consultants and access to a solicitors so that sensitive data can be handled in the most effective manner.

The policy also provides coverage for reputational harm or business interruption coverage modules, typically this would encompass loss of profits and increased costs of working as a result of the data breach.

Policy wordings and intent vary considerably in the insurance market and it is therefore important that an insurance broker with a specialism in this area is utilized.

Image : Shutterstock

Will Ransomware Attacks Increase Under GDPR?

by
Ransomware

Business in the UK suffer on average 38 ransomware attacks a day and it is likely that we will see a significant increase in this when GDPR comes into force on 25th May this year.

According to cyber security product developer Sonic Wall there are over 2,500 different know variants of ransomware hitting UK businesses which makes the task of managing these attacks becoming a formidable job to combat. One of the current trends of cyber attacks carried out by hackers was is that their targets appeared to be that of data with ransomware being an ideal method of disrupting businesses by corrupting their data, stealing it or perhaps holding them to ransom.

This form of cyber attack on a business is perhaps one of the most difficult to handle due to its unpredictable nature and the impact that it can have on a business leaving it paralyzed to operate. It is also normally time limited which adds the factor of stress to the business owners with  the imminent threat of data being destroyed if the ransom is not paid within a specific deadline.

With GDPR there is added factor of a business being fined by the Information Commissioners Office (ICO) if data is compromised.The fines that could be imposed by the ICO are between 2 and 4% of global turnover depending on how the degree of the data breach. Uber would be an example of where the ICO could have imposed a heavy fine. Hackers held Uber to £750,000 ransom with the threat of releasing the data of 57 million customers. Uber would have been in the position of breaching GDPR rules on two occasions for the initial cyber attack and the fact that it was not disclosed as all data breaches will need to be advised to the ICO within 72 hours. It will be interesting to see how the ICO approach the question of fines and to what degree they are likely to impose the maximum fine threshold.

The paying of a ransom is am easy option to pacify alleviate a cyber attack but this could only be a short term solution as the hacker could return perceiving the business to be an easy target. There is  also no guarantee that the files containing the data will be released and will remain encrypted with the business still unable to access the data.

Cyber insurance can help with ransomware attacks , in paying the actual ransom and the costs associated with negotiating with the hackers. The policy would also provide coverage for the forensic and IT costs to investigate a possible sideways attacks by the hackers into computer systems. A data breach will need to be managed and this specialist form of insurance provides incident response services backed by a panel of experienced vendors.

Ransomware attacks will undoubtedly increase once GDPR comes into force and businesses will need to improve their cyber risk management in order to avoid the wrath of the ICO and the damage to their reputation that a severe data breach may cause.

Image : Shutterstock

Winter Olympics Viewed As Cyber Target

by
Winter Olympics

The Winter Olympics has already captured the attention of hackers and with this major event only a few days away the cyber threat is very real …..

Hackers have already targeted the Winter Olympics with a number of organisations being subject to attacks in an effort to gain access to sensitive information.

MacAfee have revealed that a hacking campaign has been in place for a while which appears to be backed by a nation state . The targets have been ice hockey teams and ski-ing suppliers discovered.

https://www.wired.com/story/pyeongchang-winter-olympics-cyberattacks/

Why the Winter Olympics?

Major sporting events grab the attention of the entire world but unfortunately this also attracts elements of the population who perceive this as an opportunity to be exploited  ….. the world of cyber crime.

The threat that cyber crime poses to an event such as this is similar to that which exists for any other business but on a much larger scale and with more dramatic consequences due its high profile and the many threat vectors that exist.

The Cyber Threat Landscape

Some of the targets for cyber criminals are likely to be the following :-

1.The Official PyeongChang 2018 Website

Distributed denial of service (DDoS) attacks preventing access to website by fans.

The accessing of the website by hackers, altering the data such as falsifying the results and interfering with medal tables.

Defacement of the website by a hacktivist.

Spectators and visitors will no doubt access the website via Wi-Fi and vulnerability will exist if they inadvertently log in through a rogue Wi-Fi connection which could lead to the stealing of their personal data.

2.Event Tickets

Ticket fraud with the setting up of bogus websites taking fans money and issuing counterfeit tickets.

Website scamming offering last minute match day tickets for the big events with no ticket actually being produced.

3.The Venues

Technology will be pivotal in all aspects of the running of the 15 venues being used in PyeongChang . Entry to the venues, ticketing processing, management of lighting and associated infrastructure would all be impacted in the event of a cyber attack.

4. Competitors Data 

The event will involve a huge amount of data ranging from credit card data of spectators, athletes confidential information or the database of the organizers which is likely to be targeted by hackers. This could occur through phishing attacks in order to steal personal private information (PPI)and then lead to possible bank fraud of individuals. Brazil does have an established reputation for on-line banking fraud.

5.E-mail Transmission

E-mail scamming could be caused by bogus e-mails set up to obtain athletes and officials personal information that could be disseminated over the internet. The endless sending and exchanging of e-mails also presents an opportunity or spamming.

6.Media Coverage

World wide coverage will be provided to this event by television companies who will be reliant on technology and the service could be interrupted or even blacked out by a hacker wishing to cause transmission downtime. For example a video re-run of the 200 m final could be disrupted by a ransomware attack.

7. Computer Network 

The spreading of a malware attack within the internal computer network and third party providers could cause enormous interruption to the running of the numerous events taking place. The reliance on technology reaches far and wide ranging from the transportation network to close circuit TV surveillance systems.

8. Mobile Applications 

Fake mobile apps devised by developers to give the impression of the official Winter Olympics app. Smartphones area also at risk if stolen and personal data is sourced.

9.Cyber Terrorism

Cyber terrorism could occur in a number of forms. A ransomware attack would limit or entirely restrict the use of computer systems affecting the running of the Winter Olympics.

There may be political motivation from countries that want to disrupt the event. This could be to make a political stand on an issue or perhaps a country that failed to win an event or perhaps a competitor that was disqualified and the country that was represented takes retaliation.

The threat of remotely controlled drones by cyber terrorist entering an event causing disruption and delay to matches.

10.Social Media

Infiltration of social media websites by hackers of the tournament and personal accounts pose a threat to fans , players and officials privacy.

Cyber Risk Management Program

The International Olympic Committee will no doubt have in place a comprehensive cyber risk management program to manage the programs of events which is likely to be broken down into the following :-

  • Identification of cyber risk vectors
  • The mitigation of cyber risk within the tournament
  • The transfer of residual cyber risks that they are unwilling or unable to manage.

Cyber Insurance

Cyber Insurance can assist with the transfer of cyber risks associated with sporting events by providing the following insurance modules :-

  • Network Security Liability
  • Data Privacy Liability
  • Multimedia Liability
  • Network Business Interruption
  • Data Asset Protection
  • Cyber Extortion
  • Crisis Management

A cyber insurance policy also provides post breach vendor assistance helping with data breach notification , forensic investigation and public relations.

The Winter Olympics is global event that is reliant on technology which does make it especially vulnerable to cyber security threats, it is therefore important that these are recognized and measures are put in place to mitigate the potentially severe consequences that could impact on the games.

This post is based on “Rio 2016 – The Cyber Threat”

http://cyberbrokers.co.uk/rio-2016-cyber-threats/

Image : Shutterstock