Success Story | Decode Cyber Brief

Higher demands — tighter deadlines: Minimizing exposure in the next era of ransomware attacks

Cyber Risk Management|Risk Control and Claims Advocacy

By Ashley L Hart | August 5, 2019

A ransomware attack quickly escalates and Willis Towers Watson along with partners implement an alternative incident response plan to mitigate risk.

The emergence of highly sophisticated variants of ransomware has sharply increased the ransom amounts demanded and paid. Attacks are commanding ransom payments of six- to seven-figure sums and are targeting organizations that cannot sustain the downtime. As such, implementing a rapid response plan that includes the broker, insurer and retained vendors is crucial to minimizing exposure to a ransomware attack. What follows is an example of an organization that was impacted by such an attack. Some fairly unique circumstances complicated matters further, but the Willis Towers Watson FINEX Claims & Legal Group (CLG) helped the company achieve a favorable outcome in a few short hours.

The clock is ticking

Late on a Sunday night, our client, a technology services provider, discovered that a ransomware attack had completely encrypted its servers and networks. A nearly seven-figure ransom was demanded by the threat actor(s) in exchange for the decryption key. Almost immediately, CLG assisted the client by providing a recommendation and coordinating the retention of legal and computer forensics vendors to assist with the incident response.

Timing was of the essence, as this appeared to be a Ryuk ransomware attack, a highly sophisticated and severe variant of malware which recently gained notoriety for disrupting the operations of several major U.S. newspapers.1 The client wanted to pay the ransom demand as soon as possible, but this required its insurer's consent. Further complicating matters, the client's bank had a cut-off deadline for wiring funds that was dangerously close to the bad actor's deadline for receipt of the ransom. Finally, because of the client's complex corporate organizational structure, it was unclear to the insurer's claim adjuster whether this particular entity qualified as a covered insured under the policy.

With the clock still ticking, the company enlisted CLG to work with the insurer. We immediately provided the insurer with a chart illustrating the client's status as a covered insured. Within five hours of receiving the notice documentation, we secured insurer approval for payment of the full, nearly seven-figure ransom demand and the estimated incident response expenses. The client was relieved, and pleased, that we were able to obtain consent for such a large ransom payment less than 24 hours after notice.

Consent was just one hurdle

As it turned out, obtaining the insurer's consent would only be half the battle. Once the computer forensics vendor confirmed that it had a means to decrypt the client's servers and networks, the client was required to deposit the forensics vendor's incident service fees and the ransom payment with the forensics vendor as soon as possible. Generally, computer forensics vendors that also offer ransomware payment services provide clients with specific instructions for wire transfer payments, particularly regarding how to label the purpose of the wire transfer. This is to ensure that the bank does not block the wire transfer and/or freeze the client's bank account on suspicion of suspicious activity.

With both the bank's wire deadline and the bad actor's deadline quickly approaching, the client expedited the interbank wire transfer to the forensics vendor for the service fees, but failed to follow the forensics vendor's wire labeling instructions. As a result, the bank would not fulfill the client's transfer request and instead froze the bank accounts of both the client and the forensics vendor, citing suspicious activity. Despite the client's pleas to the bank that the authorities were aware of the matter and that the wire transfer request was legitimate, the bank broke off direct communication and directed the client to the bank's outside counsel.

With the client's bank account frozen and no indication of when the bank's investigation would be completed, an alternate option was necessary. With the assistance of outside legal and forensics vendors, the client took a line of credit from the forensics vendor to complete the transaction and pay the ransom demand immediately. As a result, the forensics vendor obtained valid decryption keys, and the client slowly got its business operations back up and running.

An alternate solution saves the day

After successfully securing insurer approval for payment of the entire, nearly seven-figure ransom demand, the client overcame an unanticipated obstacle with an alternate solution. Had payment been delayed, the threat actor's ransom demand could have been increased, or files could have been destroyed or permanently encrypted. Fortunately, this incident concluded favorably, but it underscores the need to prepare, to act with speed when an incident is discovered, and to incorporate contingent steps in an incident response plan to counter unanticipated obstacles.

Endnote

  1. "Ryuk ransomware attacks businesses over the holidays." Adam Kujawa.

Contact

Ashley L Hart
Claims Advocate
FINEX North America
