Early on a September morning, at roughly 5am, an IT professional at a large manufacturing company booted up their computer and logged in. What they saw stopped them dead in their tracks. They immediately noticed a series of mass file changes on their network. This was a clear sign of a ransomware attack.
Pro tip: Volatile memory (vs. non-volatile memory) is computer data storage that requires power to maintain stored information. Most general-purpose random-access memory (RAM) falls under this category. When a system is shut down, memory data is no longer accessible. This is why we ask that you don’t shut down your systems when an incident has occurred. Instead, turn off the internet to break ties with bad actors until a response plan can be executed.
This company is responsible for manufacturing a variety of items you use every day. But, due to the ransomware attack, all production was completely halted. You can imagine the huge impact this had on their business. When you can’t take new orders or put out data, being down for just an hour can be devastating.
Ransomware is a specific type of malware that locks the files on your computers unless a ransom is paid. Ransomware payments can be quite expensive, and we’ve seen a 47% increase in the average ransom payment in the first half of 2020 alone. Typically, ransomware is downloaded via email attachments and can even be embedded in common Office documents. When the unsuspecting user opens the file, malware encrypts the user's files and replaces them with ransom notes.
Tackling a new variant of ransomware
Our client contacted Coalition, we brought in counsel, and counsel reached out to Coalition Incident Response (CIR). Within 90 minutes, we were discussing the steps we needed to take next to diagnose, eradicate the threat, remediate the systems, and get their business up and running again.
We deployed an endpoint detection and response (EDR) tool, Carbon Black. We were able to collect and visualize comprehensive information about endpoint events (or events happening in each computer or device), giving us visibility into their environments to see how wide-spread the infection was.
We preserved all data we could, changed all passwords, and got a copy of the ransomware note: a request for $2,000,000. We also discussed their existing backups and asked them to check for encryption or corruption. This would be crucial to our recovery process.
Tip: All policyholders with an issue, please call 24x7 toll free at +1 833 866 1337 or email email@example.com. Don’t wait to get in touch.
We discovered a ransomware variant that was fairly new at the time known as Mount Locker. What we knew was that this variant had high ransom demands and in all cases the malicious actor threatened to publish stolen data if they were not paid. Attack vectors used by Mount Locker are similar to other forms of ransomware, where infections typically occur through externally facing RDP or malicious email attachments. This was Coalition’s first encounter with this type of ransomware, but we were ready for the challenge.
The battle for their data
Even though they were across the country from Coalition’s offices, I happen to be a remote employee of the company, working just 40 minutes from their main office. I knew I needed to get on-site to physically access the machines which were offline at the time. I was there in-person just two days later.
Side note: In a typical ransomware incident, we rely on the IT team on the ground to be our hands. In dire situations, where in-person assistance is critical, we arrange another scoping call, make sure we have all paperwork in order and approved, and factor in travel time to the client site. This was a very fortunate circumstance where we spent the first 48 hours advising on the most critical items to 'stop the bleed,’ and after that I was able to hop in my car and be the onsite help that is so often requested.
Due to restrictions put in place because of the COVID-19 pandemic, there were strict security measures to follow with a limited number of employees present. I worked in their lab, with a face mask and hazmat suit, on and off for five days.
We took a forensic image, which is a bit-by-bit copy of a physical storage device, including all files, folders, and unallocated space. In some cases, additional evidence is discovered — incriminating data that has been deleted or left in the slack space (aka leftover storage on a computer hard drive). This is also a way to gather legal evidence to present in court.
This wasn't the first time
In this situation, we believe the attacker utilized TrickBot, a modular banking trojan that uses man-in-the-browser attacks to target user financial information and act as a dropper for other malware.
This client had a previous infection in 2018 with powerful ransomware that they didn’t fully remediate. Often in ransomware cases, a banking trojan enters the network prior to a ransomware infection. In the most basic scenario, an end user opens an email attachment which contains a banking trojan and after opening the attachment the trojan installs itself on the network. These banking trojans are powerful pieces of malware, and are utilized to steal information and drop additional malware into the client network (i.e. a ransomware payload).
When my team went through the system data, we noted a TrickBot banking trojan that appeared to be on a handful of systems from 2018. The connection to the bad actor was persistent and most likely aided the new Mount Locker infection. This is why our number one recommendation when we find any type of banking trojan infection is to rebuild the network as soon as possible. I know it seems like a drastic suggestion, but I assure you — you don't want to suffer a ransomware attack more than once.
We worked tirelessly over a 5-day period to image various systems, move them to a new, clean network, give legal advice, provide security recommendations going forward, and work with counsel to negotiate the ransom. While they did end up paying the ransom, we got it down from $2 million to $200,000. That’s a difference of $1.8 million dollars — an amount that could cripple any business.
While the situation was extremely stressful, we kept a level head, giving live updates to the CEO, shareholders, and IT directors. They appreciated our swift response, attention to detail, and calming presence during this business-critical event.
How cyber insurance can help
All of the aspects of the recovery — including the forensics investigation to identify the extent of the data encryption, rebuilding their entire network, the interruption of their business and manufacturing processes, legal fees and investigation, and more — were all covered by insurance.
Many clients are surprised by just how expensive ransomware attacks can be. Before we negotiated the ransom payment down, the event would have cost the company well over $2.5 million. Even after we negotiated the ransom payment to $200,000, the event still cost over $500,000 across all expenses. And, since the client was insured, they paid only $15,000 out of pocket.
Cyber insurance covers many expenses relating to ransomware, including:
- Cyber extortion: Costs to respond to an extortion incident, up to and including payment of a ransom demand
- Breach response: Costs to respond to a security failure or data breach, including 3rd party incident response and public relations experts, customer notification costs when required by a privacy statute or regulation and credit monitoring, media purchases, and legal fees
- Business interruption and extra expense: Financial losses resulting from a failure in your security, data breach, and even systems failure, as well as the extra expenses you incur to bring your company back online
- Crisis management: Voluntary notification costs, even if no PII was accessed but the clients wants to provide notification or credit monitoring services to their customers
- Digital asset restoration: Costs to help recover or recreate digital assets that have been destroyed via the encryption and/or decryption process of the ransomware event.
What you need to know
Although we thoughtfully balance all of our cases, we are willing to drop what we’re doing to help clients most in need. Other firms might say they are ‘at capacity’ with no time to begin work immediately. Coalition’s teams are agile. We skip the red tape. We prioritize our clients and have people around the globe who are ready to help before, during, and after an incident.
Coalition’s Claims and Security Incident Response teams respond immediately to keep our policyholders safe after an incident, at no additional cost. If you have questions about our claims process or ways to better protect yourself, feel free to reach out to our team.