Summary: According to the latest news on cyber-crime, costs to businesses are expected to escalate to an estimated $6-8 trillion by 2021, with the majority of these costs expected to impact small to medium-size businesses. With the increase in widespread and costly cyber-attacks, businesses are seeking ways to protect and preserve their data using the most economical and secure means possible.
Ransomware (malware that encrypts data pending an extortion payment) is growing more pervasive and more profitable for criminals. Cyber security firm McAfee has been quoted as saying it catalogs 244 new cyber threats every minute, the equivalent of more than four every second, and in the first half of 2018 alone nearly 2.4 million new malware samples were detected. The WannaCry outbreak of May 2017 affected over 300,000 computers in at least 150 countries and showed how fast and how far a self-propagating ransomware worm can travel. Cyence, a firm that specializes in cyber risk modeling, has estimated the total economic damage of WannaCry at around $4 billion. WannaCry was followed in June 2017 by NotPetya, at first mistaken for the earlier Petya ransomware. NotPetya was not true ransomware but a 'wiper' disguised as one: it destroyed the systems and data it touched, and the attackers offered no working means of recovery even to victims who paid, which is what makes wiper malware far more destructive than ransomware proper.
Ransomware is also known as cryptoware, since it attacks data by encrypting it and holding it 'hostage' until a ransom is paid. CryptoLocker, which appeared in 2013, is the family that popularised the model: a Trojan delivered by e-mail attachment encrypts files, folders and attached drives and demands payment within a set period. (Despite the 'Locker' in its name, CryptoLocker encrypts; 'locker' ransomware in the strict sense locks the user out of the device instead of encrypting files.) WannaCry followed the same pattern, with a deadline after which the price rose, and marked encrypted files with the extension ".WCRY." Two other families, CryptoDefense and CryptoWall, encrypt in much the same manner as CryptoLocker. Whatever the name, the common goal is to extort money from the victim. WannaCry differed from the earlier families in how it spread: once running on one machine it scanned the local network and the internet for other Windows hosts still exposed to the SMBv1 vulnerability Microsoft had patched in March 2017 (MS17-010), and infected them without any user action. The FBI has reported that the CryptoLocker command and control servers were seized in 2014, and although the investigation into the criminals behind it continues, that malware can no longer encrypt additional computers.
Ransomware is quite lucrative for criminals because it lets them lock many computers at once and demand direct payment, usually in Bitcoin. It encrypts the files on the victim's computer with an algorithm that is, in practice, impossible to break, leaving the victim to choose between paying the ransom and losing the files. Estimates are that roughly 70% of those affected pay, especially when the amount is under $500. Some businesses have learned the hard way, however, that paying does not guarantee recovery: most files encrypted by ransomware cannot be decrypted without the criminals' key and must be restored from backups, some victims who paid were never sent a key, and some were asked to pay more for the key they had been promised. After the NotPetya attack, an offer appeared on the dark web of a key said to decrypt any file hit by that malware, priced at 100 bitcoin (roughly $250,000 at the time). Forbes reported that the key works but only decrypts certain files, which could still leave victims locked out of their systems.
Malware need not be complex or overtly destructive to be a threat. Annoying or seemingly innocuous behaviour, such as a browser being redirected or its search settings hijacked, is often low-grade malware. Most ransomware infections begin with a phishing e-mail; WannaCry, which spread on its own between unpatched machines, was the notable exception.
Ransomware can be brought into a computer in a number of ways, such as the following:
• Phishing (pronounced 'fishing') e-mails – the user opens a link or an attachment that installs the ransomware. One approach that became popular in 2016 (Zepto, a relative of Locky, and Zcrypt) shipped a malicious script inside a ZIP file attached to the e-mail; if the user opened the archive and ran the script, it downloaded the ransomware from a remote server. Another attachment looks like a shortcut to a .pdf but is in fact a Windows shortcut (.lnk, the Shell Link Binary format) whose target is a command that downloads and runs the malware; the user sees a pop-up, the screen freezes and the files are encrypted. The only visible difference between the shortcut and a real .pdf is the small arrow overlay on the shortcut's icon.
• Locky – a ransomware family first seen in 2016 that arrives as a Word attachment; when the user opens it and enables macros, the macros fetch and install the malware. It deletes the Volume Shadow Copies Windows keeps for file recovery, encrypts files with a .locky extension, and leaves ransom notes named "_Locky_recover_instructions.txt" and "_Locky_recover_instructions.bmp" for the user to find.
• Infected media – a user opens a video or a document that has been rigged to deliver malware that encrypts their files.
• Macro-enabled documents – a document arrives by e-mail, looks legitimate, and sneakily invites the user to enable macros. If the user follows through, the malicious script runs and downloads the malware.
• JavaScript attachments – the attachment is itself a script (a .js file), which Windows runs through the Windows Script Host when it is double-clicked, so nothing further needs to be downloaded to start it. It carries an icon that looks like a scroll of parchment, and is often given a double extension such as invoice.txt.js, which Windows displays as invoice.txt when file extensions are hidden. The script connects to a download server, fetches the actual ransomware as a Windows program (an .exe file) and launches the infection.
• Ad fraud – this malware hijacks a system to visit websites automatically and trigger clicks on advertisements, generating income for whoever placed the ads.
• USB memory devices – a user plugs an infected USB device into their computer and opens what is on it, which encrypts their files. A criminal may 'drop' many such devices in a corporate parking lot for curious employees to pick up; once the payload is on one computer it can spread through the network if, like WannaCry, it is built to do so.
• Subtitle files for films and TV shows – in 2017, Check Point researchers disclosed vulnerabilities in the subtitle parsers of several popular media players that let an attacker run code on a device simply by having the player load a crafted subtitle file. Because players can fetch subtitles automatically from online repositories, such files can reach large numbers of devices and bypass security software, giving the attacker full access to the data on them.
• Downloadable games or customisable toolbars – a user downloads a game, program or toolbar (free ones especially) whose installer carries malware in the same way.
• Links on social media platforms – a user opens what they think is a friendly link, such as an offer for a vacation package, and the page compromises their computer.
• Botnets – a bot program can be planted on a device when a user visits a harmful website that exploits a vulnerability in the user's system to install the bot, or when the bot is attached to a spam e-mail and the user opens it. Once installed, the bot contacts a server or website from which it retrieves instructions.
Business costs of ransomware can range from temporary to permanent loss of data or records, loss of intellectual property, loss from disruption or suspension of operations, financial loss from disruption or loss of payment systems, investigative costs, ransom payments and possible regulatory fines; reputational harm and possibly loss or disruption of public trust; and restorative costs of these losses. For businesses or manufacturers with automated and/or interconnected machinery or equipment, the losses can be huge and detrimental to continuing operations.
Small to medium businesses are especially vulnerable, because they tend to use older software and lack the staff or resources to keep all of their systems patched in a timely manner. Criminals can buy ransomware toolkits that need little or no programming skill to run an attack against such systems; ransomware-as-a-service is offered on the dark web for as little as $39. A small business or start-up may not think it holds information of interest to a hacker, but a hacker may use a small business as a testing ground before moving on to larger targets, and a small business still holds customer information, accounts receivable and payable, supplier information, and so on. Personally identifiable information (PII) and credit card information are harvested and sold quickly. A hacker can use a stolen identity to obtain a driver's license or a credit card, or to open a bank account. Even e-mail addresses alone are enough to spoof a message to a customer asking that an invoice be paid into a bank account the hacker controls, or to e-mail a business investor asking that funds be deposited into what appears to be the company's account but is actually the hacker's. There is essentially no personal or business information that a hacker could not turn to some advantage.
There are some steps that can be taken to help prevent or mitigate a ransomware attack:
Human:
• Corporate recognition that small to medium size businesses have just as much exposure to cyber threats as a large business, and that technology and software to prevent cyber theft, while necessary, will not stop every attack.
• Management attention to cyber-security as a priority, with planning, budget and resources to match.
• Know what data you have, where it is located, who has access and why. Then determine whether it is sensitive data that must be protected, and how.
• Pro-actively establish a plan for what to do if there is an attack: whether the business would pay a ransom and up to what amount, who decides, and the steps needed to resume operations.
• Remind employees to regularly update the software on all of their devices, including mobile phones and tablets. All software should be kept up to date; browsers, browser plug-ins such as Java, and antivirus software are especially important.
• Implement a policy, or at least encourage staff, to keep personal technology needs (personal e-mail, social media and similar channels) on personal devices, separate from business systems, so that an attack arriving through those channels does not land on the company network.
• If older operating systems must be kept, isolate them from the company network and from the internet; older back-up servers are just as susceptible.
• Implement staff awareness and training to recognise phishing e-mails, being particularly wary of unexpected attachments, including those from apparently known senders. A few ways to spot a 'phishy' e-mail:
o Look at the actual e-mail address of the sender, not just the display name, and check that the domain is the one you expect.
o Check for obvious typos, errors and incomplete sentences in the body, and for pressure to act urgently.
o Hover over hyperlinks to read the real destination before clicking; the visible link text can say anything.
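The sender, link and attachment checks above, together with the attachment tricks described earlier (double extensions, script attachments, disguised shortcuts), can be automated at the mail gateway or in a triage tool. The following is an added example, not part of the original article or any vendor's product, that triages a constructed .eml message using only the Python standard library. The sample message, the domains and addresses in it, and the extension lists are assumptions made for illustration.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: illustrative extension lists, not an exhaustive policy.
EXECUTABLE_EXTS = {"exe", "scr", "js", "jse", "vbs", "vbe", "wsf", "hta", "lnk", "bat", "cmd", "ps1"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm"}
DOC_LIKE_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Constructed sample: lookalike sender domain, Reply-To on a third domain, link text
# that does not match the real href, and a script attachment named to look like a PDF.
SAMPLE_EML = """\
From: "Accounts Payable <ap@example-corp.com>" <billing@examp1e-corp.net>
Reply-To: collect@mail-drop.example
Subject: Invoice overdue - action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<p>Your invoice is overdue. Pay now at
<a href="http://examp1e-corp.net/pay">https://portal.example-corp.com/pay</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.js"
Content-Disposition: attachment; filename="invoice.pdf.js"
Content-Transfer-Encoding: base64

dmFyIHg9MTs=
--b1--
"""

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def sender_findings(msg):
    """Compare the real From address with the display name and the Reply-To."""
    out, (name, addr) = [], parseaddr(msg.get("From", ""))
    embedded = re.search(r"[\w.+-]+@[\w.-]+", name)
    if embedded and _domain(embedded.group(0)) != _domain(addr):
        out.append(("display-name-mismatch", f"display name shows {embedded.group(0)} but sender is {addr}"))
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and _domain(reply_addr) != _domain(addr):
        out.append(("reply-to-mismatch", f"replies go to {reply_addr}, not {addr}"))
    return out

class _LinkCollector(HTMLParser):
    # Collect (href, visible text) for every <a> element in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_findings(html):
    """Flag links whose visible text is a URL on a different host than the real href."""
    collector = _LinkCollector()
    collector.feed(html)
    out = []
    for href, text in collector.links:
        if re.match(r"https?://", text, re.I):
            shown, real = urlsplit(text).hostname, urlsplit(href).hostname
            if shown and real and shown.lower() != real.lower():
                out.append(("link-mismatch", f"text shows {shown} but link goes to {real}"))
    return out

def attachment_findings(filename):
    """Classify an attachment by its final extension and note double extensions."""
    exts = filename.lower().split(".")[1:]
    if exts and exts[-1] in EXECUTABLE_EXTS:
        detail = f"{filename}: .{exts[-1]} runs code when opened"
        if len(exts) > 1 and exts[-2] in DOC_LIKE_EXTS:
            # Windows hides known extensions by default, so invoice.pdf.js displays as invoice.pdf.
            detail += f" (double extension disguised as .{exts[-2]})"
        return [("dangerous-attachment", detail)]
    if exts and exts[-1] in MACRO_EXTS:
        return [("macro-document", f"{filename}: macro-enabled Office document")]
    return []

def triage(raw_message):
    """Return (code, detail) findings for a raw e-mail message."""
    msg = email.message_from_string(raw_message)
    findings = sender_findings(msg)
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename():
            findings += attachment_findings(part.get_filename())
        elif part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            findings += link_findings(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return findings

if __name__ == "__main__":
    for code, detail in triage(SAMPLE_EML):
        print(f"[{code}] {detail}")
```

Run as a script it prints the four findings for the sample message. None of these checks is proof of phishing on its own (a legitimate newsletter may use a third-party Reply-To), so in practice they are scored and combined with sender authentication results rather than used to block outright.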
Technological:
• Back up data, preferably off-site. If all pertinent files are backed up and available, paying the ransom may be unnecessary to continue operations. Keep periodic snapshots (versioned, and ideally offline or immutable) rather than overwriting the previous backup, so that ransomware which reaches the backup target cannot encrypt every copy, and test restores regularly; a backup that has never been restored is an assumption, not a control.
• Apply system patches as soon as possible after release, so that operating systems, applications and security software are current on all systems, servers and devices. Software makers issue security updates regularly for exactly this purpose. WannaCry could only reach machines that had not applied the Microsoft patch (MS17-010) distributed in March 2017, two months before the outbreak.
• Turn off the Windows option that hides file extensions for known file types, so that an attachment named invoice.pdf.js is shown as such instead of as invoice.pdf.
• Take steps to detect and block malware through monitoring and detection. Use a pop-up blocker, and only download software, especially free software, from sites you know and trust. A suitably configured firewall and intrusion or breach detection systems can block unauthorised access and alert on potential threats.
• Make sure the company's IT provider shares information on current attacks and methods so that steps can be taken to prevent or minimise them. New attacks and techniques appear regularly, and the provider should pass that information on to its customers.
• Consider using cloud based systems where possible; this shifts some of the patching and backup burden to the provider, though not the responsibility for controlling access to the data.
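To make the "monitoring and detection" bullet concrete, here is an added example (not from the original article or any vendor product) that runs three ransomware detections over constructed file-activity telemetry of the kind an endpoint agent produces: a burst of renames to a known ransomware extension by a single process, a command that deletes Windows shadow copies (which the article notes Locky does), and the appearance of a ransom note file. The event format, host and process names, thresholds, and extension and note-name lists are all assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions for illustration: extensions and note names of the families named in
# the text, and commands ransomware commonly runs to destroy Windows restore points.
RANSOM_EXTS = {".wcry", ".wncry", ".locky", ".zepto"}
RANSOM_NOTE_RE = re.compile(r"_locky_recover_instructions|please_read_me|how_to_decrypt|decrypt_instructions", re.I)
SHADOW_DELETE_RE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|bcdedit.*recoveryenabled\s+no", re.I)
FILE_EVENTS = {"file_write", "file_rename", "file_create"}

# Constructed sample telemetry in an assumed format: "timestamp | host | process | event | target".
SAMPLE_EVENTS = """\
2018-03-01T10:00:00Z | ws01 | winword.exe | file_write | C:\\Users\\amy\\Documents\\report.docx
2018-03-01T10:00:04Z | ws01 | svchosts.exe | process_create | vssadmin.exe Delete Shadows /All /Quiet
2018-03-01T10:00:05Z | ws01 | svchosts.exe | file_rename | C:\\Users\\amy\\Documents\\report.docx.locky
2018-03-01T10:00:05Z | ws01 | svchosts.exe | file_rename | C:\\Users\\amy\\Documents\\budget.xlsx.locky
2018-03-01T10:00:06Z | ws01 | svchosts.exe | file_rename | C:\\Users\\amy\\Pictures\\family.jpg.locky
2018-03-01T10:00:06Z | ws01 | svchosts.exe | file_rename | C:\\Users\\amy\\Desktop\\notes.txt.locky
2018-03-01T10:00:07Z | ws01 | svchosts.exe | file_rename | \\\\fileserver\\shared\\contracts\\msa.pdf.locky
2018-03-01T10:00:08Z | ws01 | svchosts.exe | file_write | C:\\Users\\amy\\Desktop\\_Locky_recover_instructions.txt
2018-03-01T10:00:09Z | ws01 | backup.exe | file_write | D:\\backups\\2018-03-01.zip
"""

def parse_events(lines):
    """Yield one dict per non-empty telemetry line (the line format is an assumption, see above)."""
    for line in lines:
        if not line.strip():
            continue
        ts, host, process, event, target = (f.strip() for f in line.split(" | ", 4))
        yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
               "process": process, "event": event, "target": target}

def _basename(path):
    # Works for local drives and UNC shares; ransomware encrypts mapped shares too.
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def _extension(name):
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for shadow-copy deletion, ransom notes, and bursts of renames
    to ransomware extensions by one process on one host within `window`."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for ev in parse_events(lines):
        key = (ev["host"], ev["process"])
        base = {"host": ev["host"], "process": ev["process"], "ts": ev["ts"].isoformat()}
        if ev["event"] == "process_create" and SHADOW_DELETE_RE.search(ev["target"]):
            alerts.append({**base, "rule": "shadow-copy-deletion", "detail": ev["target"]})
        if ev["event"] not in FILE_EVENTS:
            continue
        name = _basename(ev["target"])
        if RANSOM_NOTE_RE.search(name):
            alerts.append({**base, "rule": "ransom-note", "detail": ev["target"]})
        if _extension(name) in RANSOM_EXTS:
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold and key not in fired:  # alert once per process
                fired.add(key)
                alerts.append({**base, "rule": "mass-encryption",
                               "detail": f"{len(q)} files renamed to ransomware extensions within {window.seconds}s"})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS.splitlines()):
        print(a["ts"], a["host"], a["process"], a["rule"], a["detail"])
```

The shadow-copy rule is the one to act on first: it fires seconds before the renames begin, and it is a step legitimate software almost never takes on a workstation. The extension list only catches families already known; a production detector would add a generic rule (many renames of unrelated file types by one process, or writes of high-entropy content over documents) so that a new family with a new extension is still caught.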
Cyber-attacks are becoming increasingly sophisticated and targeted, which makes early detection all the more important. A report commissioned by McAfee puts the median time between attack and detection at 38 days: half of successful data breaches were detected within that period, while in the other half detection took as long as four years. This lag gives criminals the advantage, since the damage done in the first days of a breach is the greatest. Research suggests that faster detection and incident response can reduce the impact of a breach by up to 70%, depending on the type of breach. It also underlines the importance of applying patches, fixes or workarounds promptly, before an attack or as soon as possible after one, rather than leaving systems unpatched for months.
Cyber Insurance
ISO has several insurance products that include some form of coverage for cyber related losses. Cyber insurance can help minimize the costs associated with a cyber-attack in several ways:
• It can help offset the costs of determining the validity and severity of a ransom threat;
• It can enable the insured to meet a ransom demand and resume business operations, potentially offsetting any undue financial strain;
• It can potentially cover a reward payment for identification of the attackers, if the reward offered leads to their arrest and conviction;
• Some expenses of hiring a security firm to increase a company's data security can be covered;
• It can provide business income coverage as a result of an attack that forces a shut-down of operations, or for downtime resulting from the attack.
The following ISO forms and endorsements are currently available:
Additional Coverage – Electronic Data – This provision in the Building and Personal Property Coverage Form CP 00 10 10 12 provides for the cost of replacing or restoring electronic data destroyed or corrupted by a covered cause of loss, which includes a computer virus.
Electronic Commerce (E-Commerce) CP 04 30 06 07 – This endorsement provides coverage for loss arising from e-commerce activity, but does not extend to loss arising from the use of a computer system in internal operations. The coverage provides for replacing or restoring electronic data destroyed or corrupted by a covered cause of loss, which includes a virus, malicious code or similar instruction if the computer system is equipped with anti-virus or virus scanning software. (An anti-virus waiver is available.) The virus or other incident that occurs on the internet may originate anywhere in the world; however, coverage is restricted to the coverage territory, described as the U.S., its territories and possessions, Canada and Puerto Rico, and the electronic data must originate and reside in computers in the coverage territory.
Information Security Protection Policy EC 00 10 01 14 – This is a claims-made policy providing first party and third party coverage through eight insuring agreements that address data breach and other cyber-related exposures. The liability coverage applies to loss that the insured becomes legally obligated to pay as a result of its wrongful acts that result in a security breach or the transmission of a computer virus to a third party. The policy provides liability and defense costs for web site publishing, security breach, and programming errors and omissions, and first party coverage for replacement or restoration of electronic data, extortion threats, business income and extra expense, public relations expense and security breach expense. Coverage may also be provided for expenses incurred by the insured, including costs to notify all parties affected by the security breach, fees and costs of a company hired to operate a call center, post-event credit monitoring services and other reasonable expenses. A number of exclusions apply that prevent or otherwise curb coverage. Some of the exclusions are for loss based upon war, bodily injury, any interruption in normal computer function or network service due to insufficient capacity to process transactions, power surge, pollution, and claims brought by one insured against another. The insured has the responsibility to read the policy in order to know the exclusions.
Financial Institutions Information Security Protection Policy EC 00 11 01 14 – This claims-made form is designed to provide protection for financial institutions including banks, insurance companies, securities brokers and dealers and others. Coverage is geared to electronic losses including security breaches, ransomware, and public relations expenses among others. The exclusions are similar to those in EC 00 10 but the policy must be read in order to know the exclusions.
Electronic Data Liability Endorsement CG 04 37 05 14 – The CGL provides coverage for physical injury to tangible property, such as computer hardware, but not for loss of data. This endorsement provides for sublimited coverage for loss or corruption of computerized or electronically stored data or software which results from an occurrence that causes physical injury to tangible property (such tangible property includes computer hardware, but not loss of data). An example of the coverage this endorsement provides would be when an insured is liable for an incident which causes a power outage to occur, which leads to computer malfunction, which in turn results in loss of data stored on the computer.
However, it is important to note that the endorsement would not provide coverage for liability arising from the transmission by the insured of a malicious code, virus, etc., since that type of loss does not result from physical damage to tangible property. In 2013, ISO added an exception that will cover the insured's liability for damages because of "bodily injury" from the electronic data exclusion, which is consistent with the underlying liability policy wording. In 2014, ISO further revised the endorsement to add an exclusion under Coverage A and Coverage B addressing access or disclosure of confidential or personal information, since these exposures were never contemplated to be covered under the policy and are more appropriately covered under a cyber liability policy.
In 2014, ISO released several mandatory and optional CGL exclusionary endorsements to address access to or disclosure of confidential or personal information:
Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – With Limited Bodily Injury Exception CG 21 06 05 14 (use with CGL Coverage Part). This is a mandatory endorsement that replaces the Electronic Data exclusion under Coverage A and adds an exclusion under Coverage B for personal and advertising injury arising out of any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non-public information. The endorsement highlights some examples of the types of information that would be excluded. The exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by the named insured or others with respect to that which is subject to the exclusion. As the title indicates, it retains a limited exception for bodily injury.
Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – With Limited Bodily Injury Exception Not Included – CG 21 07 05 14 (use with CGL Coverage Part). This endorsement may be used in lieu of CG 21 06; the only difference is that it does not include the limited bodily injury exception, so the exclusion applies to bodily injury as well.
Exclusion – Access Or Disclosure Of Confidential Or Personal Information (Coverage B Only) – CG 21 08 05 14 (use with Commercial General Liability Coverage Part). This endorsement may be used in lieu of either CG 21 06 or CG 21 07, so that the exclusion (the same as in CG 21 06) applies only to Coverage B. As with CG 21 06, some examples of excluded confidential or personal information are highlighted. Since the exclusion only applies to Coverage B, there is no related exclusion with respect to Coverage A, and the Electronic Data exclusion is not replaced.
Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – With Limited Bodily Injury Exception Not Included – CG 33 53 05 14 (use with Owners And Contractors Protective Liability and Products/Completed Operations Liability Coverage Parts);
Exclusion – Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability – With Limited Bodily Injury Exception Not Included – CG 33 59 05 14 (use with Owners And Contractors Protective Liability and Products/Completed Operations Liability Coverage Parts).
Exclusion – Access Or Disclosure Of Confidential Or Personal Information – CG 33 63 05 14 (use with Electronic Data Liability Coverage Part). This is a mandatory endorsement under the Electronic Data Liability Coverage Form, which replaces the existing Use of Electronic Data exclusion by combining the provisions of that exclusion with new provisions on access to or disclosure of confidential or personal information, as part of the Access, Disclosure Or Unauthorized Use Of Electronic Data exclusion. The exclusion retains part of the wording of the policy's Unauthorized Use Of Electronic Data exclusion and also excludes coverage for damages arising out of any access to or disclosure of any person's or organization's confidential or personal information. As with the other CGL endorsements, the exclusion applies even if damages are claimed for notification costs, credit monitoring expenses, forensic expenses, public relations expenses or any other loss, cost or expense incurred by the named insured or others with respect to that which is subject to the exclusion.
US and international snack food giant Mondelez, owner of Nabisco, Oreo, Ritz, Chips Ahoy!, belVita, Toblerone, Chiclets and other brands, is suing its insurer, Zurich American Insurance Company, for $100 million after its claim for cleaning up a massive NotPetya infection was denied. Although the policy affirmatively granted coverage for "all risks of physical loss or damage" and for "physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction", Zurich contends the attack was an act of war and therefore excluded. The claim stems from the June 2017 NotPetya outbreak, which Mondelez says cost it 1,700 servers and 24,000 laptops. The same outbreak also hit FedEx (through its TNT Express unit) and the shipping giant Maersk. Security experts attribute NotPetya to Russian state hackers, and in February 2018 the US and UK governments publicly blamed the Russian military, although the Russian government has formally denied responsibility. Establishing in court that the attack was a hostile act by a government, and so an act of war within the policy's exclusion, is likely to be extremely difficult for Zurich. If Zurich does succeed, the impact would be immediate: large companies would review their property policies, and a market for stand-alone cyber-attack coverage would most likely emerge almost overnight.
Once a computer has been infected, assess the nature and scope of the attack: which systems and data are affected, whether the infection has been contained, and what security must be restored. To keep the ransomware from spreading to other machines and network drives, disconnect affected computers from the network (unplug the cable or disable Wi-Fi) rather than powering them off, since memory and running processes are evidence investigators may need; also cut off any mapped shares and backup targets the infected machine could reach. Have IT professionals isolate and remove the ransomware from the systems and, if backups are available, rebuild the affected machines from clean media and restore the data from the backups. The incident may trigger a legal notification requirement, depending on the facts and the nature of the data. Notification may be required to anyone whose personally identifiable information (PII) was acquired or accessed, or was reasonably likely to have been. Most states require some form of notice to their residents, and some also require notification to public agencies such as the state attorney general. The National Conference of State Legislatures' Security Breach Notification Laws page lists the breach notification laws by state: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
The FBI advises that victims of CryptoLocker visit the Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) CryptoLocker webpage for remediation information: https://www.us-cert.gov/
The FBI continues to combat ransomware and other cyber threats. They advise that if you've been the victim of a ransomware scheme or other cyber fraud activity, to report it to the Bureau's Internet Crime Complaint Center: https://www.ic3.gov/default.aspx