
An attack on the IT systems of the insured took place through a malicious program of the ransomware type known as “Detractor”. Three servers in the infrastructure were affected and encrypted, which led to encryption of the folders.
The available back-ups, which were on a different server, were deleted (presumably by the cyber-criminals). Therefore, the affected systems could not be restored through the back-ups.
Simultaneously, the attackers demanded that the insured pay a ransom in order to decrypt the system. The insured’s operation had ground to a halt as a result of not being able to restore the affected systems. It could not deliver shipments or receive materials and was not able to make payments or to collect accounts receivable.
The aim of the ransomware was not to steal information and there had not been a breach of personal information. On Event Day 10, therefore, the insured paid a ransom of €25,000 in Bitcoin and was able to restore its operations. The insurer covered the cost of the ransom, incident response costs and the extensive network interruption, which included an increased cost of working and cancelled orders.

The insured is an international retailer with over 100 stores and an online presence. Whilst they were undertaking some changes to their IT systems and data storage, they suffered what appeared to be a targeted, sophisticated cyber attack which encrypted all their files, including those held in the cloud. The cyber-criminals demanded a ransom for providing a decryption code.
The insurer immediately appointed forensic IT specialists who were onsite non-stop for long periods, initially working to secure the system and attempting to retrieve unencrypted data. This proved very difficult and was not achievable in a timescale to allow resumption of normal business. The shops were still able to trade using manual tills but the attack left them unable to replenish stock in stores or process online orders, which led to a major business interruption.
Although reluctant to engage with the cyber-criminals, after a prolonged period of being unable to fully trade the insured decided to pay the ransom demand ($150,000 in Bitcoin). The insurer assisted their client in sourcing Bitcoin. After the ransom was paid, the decryption code was provided, but all files had to be manually decrypted using the code, a painstaking and costly process in terms of labour, which was paid for by the insurer consistent with the terms of the policy.
The insurer also covered the cost of additional fees to the insured’s various existing software providers for additional support and equipment to facilitate the decryption process. The insured held only £1M of cover, which proved inadequate, and the policy limit was paid to the insured when interim business interruption losses exceeded £550,000. IT forensic fees alone exceeded £500,000. On this occasion the IT investigation confirmed that there was no evidence to suggest any personal data was accessed or extracted, and legal advice was given to the effect that notice to the ICO was not required. The terms of the insured’s policy covered the cost of the legal advice and IT investigation.

An electrical engineering firm with revenues of £12 million suffered a ransomware attack on a Friday that encrypted all of their systems.
The attack was deployed using an RDP brute-force attack against an externally facing system, and the demand was for US$30,000.
The engineering firm’s main back-up was also encrypted, although business-critical data had separate back-ups. The entire system required a rebuild, which was completed over the weekend.
The company had to write orders out by hand and run them over to a warehouse to be fulfilled. As a temporary measure, the company had to hire 120 laptops and had to rebuild their entire network, which was a real challenge.
Source: AIG and Hiscox. The scenarios described above are offered only as examples. Coverage depends on the actual facts of each case and the terms, conditions and exclusions of each individual policy.