Crawford’s striking example of a cyberattack

"We discovered a ransomware note on our system"

By Daniel Wood

Lucas Bressanutti (pictured above), from Crawford & Company Australia’s cyber team, recently presented a webinar about cyber claims. The financial and forensic accountant provided an example of a ransomware attack his firm dealt with about 18 months ago.

“We had a firm call us on a Monday and they said, ‘On Friday we discovered a ransomware note on our system and it was Friday afternoon, so we thought we’d just leave it to Monday,’” he said.

Bressanutti said when the employees returned to work on Monday their entire system was compromised.

Dead in the water

“At this point, no data was accessible, everything had been encrypted, all applications were rendered inoperable, no computer would boot past the ransomware note, so everything was completely dead in the water,” he said.

Bressanutti said the Crawford team discussed options with the firm, including whether they had backups and what a restoration process could look like. They also engaged forensic IT specialists who started their investigation on Monday night by taking images of all the servers.

“We came back to work on Tuesday and had a conversation with the insured: ‘Obviously you have the ransom note so do you want to negotiate with the threat actor?’” said Bressanutti.

To pay or not to pay?

The business suggested, he said, that at this stage it didn’t want to negotiate with the criminal. It also said that its business stance was to refuse to negotiate with potential terrorists.

Bressanutti said Crawford was happy with that decision and continued with the forensic IT investigation.

“We looked at mitigating the business interruption exposure by creating a temporary IT environment to see if we could get some work completed on the clients’ accounts so that the interruption loss was a little bit less than what it potentially could have been,” he said.

Fast forward to Thursday.

“Wednesday night, despite telling us nothing, the business decided to call the threat actor and pay the ransom,” he said.

The firm sent the criminal the amount requested in bitcoin. “The threat actor said, ‘No problems, here’s the password to decrypt the system,’” said Bressanutti.

However, the decryption code didn’t work. The business recontacted the criminal and asked what was going on. The criminal, said Bressanutti, offered to fix the problem if they shared their screen using Teams and let him back into the system. The business went ahead and shared its screen.

“The threat actor was in their environment for another 55 minutes before they thought they should call someone to make sure this is OK,” said Bressanutti.

Crawford told them to immediately disconnect the Teams call and take everything offline.

“We had to recommence the forensic IT analysis from day one,” he said. “Forensic IT was able to remove everything and restore everything from the most recent backup, which was four months prior to the incident, and then they looked at restoring the data that had been lost in that four month period.”

Insurance issues from the cyberattack

Bressanutti said several insurance issues arose from this ransomware attack.

“From an insurance point of view, there was obviously a little bit of concern regarding payment of that ransom demand and that was because there was no discussion between the insurer, the insured, our office, or the forensic IT specialist before that was paid,” said Bressanutti.

These concerns included, he said, the legal implications of potentially funding terrorism.

There were also the extra costs arising from the company allowing the criminal back into its system. This kept its systems out of action for a further four days when they could have been restored in a week, he said.

There were also arguments over what should be covered.

“There was a bit of a pushback on the business interruption because the insured business contributed to the interruption period, which everyone accepted,” he said.

There were also legal implications, said Bressanutti, from the theft of tax file numbers, ABNs and personal contact information.

“It was assumed that all data within that IT environment had been extracted,” he said. “So it was an arduous process of notifying all those individuals and then dealing with a little bit of backlash following that.”

However, the ransom payment was covered under the policy.

“Only because it did go to a sanctioned entity,” he said. “However, that business interruption component thereafter wasn’t.”

Bressanutti said this claim highlights the importance of a firm communicating when a cyberattack occurs and always working collaboratively to find a solution.
