Insurance software company SSP allegedly offered $400,000 in a bid to recoup data held hostage in a ransomware attack, hacking group Lockbit has claimed.
The global software house was first hit by an alleged ransom demand of $7 million in mid-November, with Lockbit having claimed responsibility for the attack. SSP had to pay by December 4 to avoid its data being published, the hackers alleged online.
The original ransom demand was later removed from the hackers’ blog, leading to speculation that the company may no longer be under threat. However, in a since-deleted Lockbit 3.0 blog entry added in late December and updated on January 2, the business was threatened with an updated January 4 deadline to pay, or else data – including on brokers – would be leaked.
SSP allegedly offered $400,000 to pay ransomware claim
In the dark web blog post, in which SSP and its advisors were accused of behaving “like children”, hackers appeared to take issue with SSP’s alleged $400,000 ransom payment offer.
“Mr. CEO [of SSP] your insurance company or lawyer or negotiator is giving you very unfortunate and bad advice or they are just being very greedy,” representatives for the Lockbit group said in the update.
“You are offering $400,000 for data that is worth much more and will cost your company and individuals reputational damage.”
The hacking group called for SSP’s business partners to prepare “class action” lawsuits and labelled it “the worst platform for brokers and insurance to keep confidential information”.
Brokers “will find their information too”, it said.
The reported comments made on the Lockbit blog were detected and shared by an automated ransomware victim information dark web scraper developed by RedPacket Security, which has said it is not affiliated with or involved in any activity that its tool relays information on.
Despite the January 4 deadline threat, no data has been published by Lockbit at the time of writing and the blog post has since been removed. SSP’s website returned to functionality in the early hours of Thursday following a period of downtime.
SSP usability not affected, broker says
SSP’s platform continued to perform well during the incident and there has been no disruption to service, according to one of its broker partners.
Systems and services have been “working perfectly fine” for his brokerage, Andrew Willows, Dervensure Insurance Brokers CEO, an SSP client, said on Wednesday. Willows said he had last heard from SSP regarding the cyber incident in November.
SSP Worldwide website, captured Wednesday 4 January 2023
SSP has been owned by Volaris Group, part of Toronto Stock Exchange listed technology business Constellation Software, since 2021. Volaris and SSP did not respond to requests for comment.
Hacking group Lockbit hit headlines this year for its New Year’s Eve apology and pledge to unlock data stolen from SickKids, a children’s hospital in Toronto it had targeted. The move was perhaps unprecedented for the group, which takes a slice of affiliates’ profits from the use of its malware, cyber experts told the Canadian Press.
On its blog, the gang claimed to “formally apologize” for the attack on the hospital and said it had “blocked” the partner responsible for a rule violation.
The ransomware threat
High-profile insurance businesses hit by past ransomware incidents include Chubb, Gallagher, and CNA Hardy. The latter paid a $40 million ransom in 2021 after hackers accessed its network, Bloomberg reported.
Cyberattack risk and prevention have become a big issue for businesses, with insurers, brokers, and suppliers among them.
“It’s a number one priority,” Steve Whitelaw, Applied Systems Canada VP and general manager, told Insurance Business at the insurance software company’s Toronto symposium in October, which was prior to the data breach at competitor SSP.
“We wake up every morning and hope that everything that we’ve done is good enough, and then we get up again and make it better,” Whitelaw said.
Ransomware frequency has dropped in recent months, but the severity of attacks has increased and ransomware-as-a-service is likely to pose a growing threat, according to cyber insurance experts.
Ransomware incidents made up 75% of cyber insurance claims in 2020, according to AM Best. Cyber insurers are a key part of the ransomware solution, The Geneva Association found in a 2022 report.
“With ransomware we see an example of the important ‘prevention and mitigation’ role insurers play as risk managers,” Jad Ariss, The Geneva Association managing director, said in July on the report’s release.
The UK’s financial services regulators have been consulting on rules for tighter scrutiny over third party critical service providers. The Bank of England, Prudential Regulation Authority, and Financial Conduct Authority launched a joint discussion paper on operational resilience and sought stakeholder feedback last year in response to the Financial Services and Markets Bill.
SSP stepped away from FCA regulation in July 2021, when it ceased to offer contracts under the scope of credit agreement regulation.