An Hour-by-Hour account of a ransomware attack

600 minutes of Cyber Scene Investigation

Hour One
It’s a bitter cold day in Hrodna, Belarus. The hacking team that has branded itself the “Jigsaw Gang” has gathered to plan a new malware attack. Always trying to stay one step ahead of Europol, the European Union’s police agency, Jigsaw has stepped up its efforts with new, as-yet-undetected malware and ransomware. Today’s project is a full-scale attack on employees in the United States. Their goal is $500,000 in Bitcoin, and they plan to raise that money within the next 10 hours.

Hour Two
The gang’s marketing and design experts craft an email along with a full-color invoice that appears to come from a U.S. fabric manufacturer. The email is short and directs the user to “click on the attachment,” and also informs the employee that “the balance is 30 days past due.” Several members of the Belarus team who are well-schooled in the English language check both the email and the invoice for grammar, American word usage and spelling. Other members of the team scour the dark web to purchase hacked email lists of U.S. office workers. At 1:45 a.m., the team launches the attack. It’s early morning in the United States, and employees will be arriving at their workstations and opening their email for the next three hours.

Hour Three
The customer support team (many of the larger gangs employ agents to assist their ransomware victims in procuring bitcoins and unlocking their files once payment has been received) is notified that a large email blast will be sent to approximately 325,000 clothing, shoe and apparel store employees across the United States. The trap has been set. The Jigsaw Gang monitors their computer screens and waits.

Hour Four
At 9:00 a.m., April Horton arrives at her job in the accounts payable office of Venice Vintage T-Shirts, an online and brick-and-mortar retail clothing manufacturer. She opens her email and discovers an invoice to be paid. She clicks on the attachment and sends it to her printer. The file, however, isn’t an actual PDF. She prints the bogus invoice and goes through the remainder of her emails. After two minutes, she notices a large text box in the background of her monitor:

Hour Five
The CryptoLocker malware races through her computer and then spreads to the company’s servers. A server pings the gang’s server in Belarus to identify itself, and a pair of cryptographic keys is generated. One key is kept on the business computer in the U.S.; the other is stored securely on the criminals’ server. With the keys established, the ransomware begins encrypting every file it finds, from business plan documents to JPG catalog images to sales spreadsheets.

Hour Six
The ransomware is now established on the business’s servers as well as every laptop, PC, and connected printer and scanner in the building. The malware is programmed to set a key in the Windows Registry of each machine so that the warning launches every time anyone tries to reboot their computer.

Hour Seven
April and 63 other employees at Venice Vintage T-Shirts are now staring at the extortion message on their computer screens. A ticking clock shows the time left until their files are permanently erased, along with the amount to pay to receive the key that unlocks the files. The typical price ranges from $500 to $1,000 and must be paid in Bitcoin or another untraceable currency. There is, however, a helpful customer service email address prominently displayed to assist them in securing the money and paying the ransom.

Hour Eight
Both members of the business’s IT team rush to the servers to power down the mainframe and run anti-virus software on each employee’s computer. Unfortunately, it’s too late; the malware has already encrypted all the files throughout the system and registered each computer with the Jigsaw Gang’s servers.

Hour Nine
With their website down and their customer service agents unable to pull up client information and inventory or handle credit card or other monetary transactions, Venice Vintage T-Shirts and the third-party websites that work with the company as co-branded online stores are forced to place a “Temporarily Closed” message on their sites and telephone systems.

Hour Ten
Disgruntled customers, vendors and retailers are calling; cash flow has stopped; employees are sitting impatiently at their desks; and shoppers who can no longer reach the Venice Vintage T-Shirts site are finding other places to buy. Using their cell phones, the management team contacts the Jigsaw customer service team via email and attempts to navigate the complex world of Bitcoin payment, ransom negotiations and the dark side of the web.

On this day, 674 employees across the United States opened the email, clicked on the bogus PDF and watched helplessly as their businesses ground to a halt. The Jigsaw Gang earned an average of $750 per transaction and put $505,000 in untraceable monies into their bank account.

-----

While the above is a fictional account, the ransomware attack it depicts is real, and as agents it is important that you help your clients understand these risks. Offer security training (often available from carrier partners) and encourage your clients to carry out “penetration tests” that use social engineering techniques to help train their employees and discover any vulnerabilities in their infrastructure. The Risk Placement Services team is seeing multiple ransomware claims every week; ransomware is the highest-frequency cyber-related incident we see.

Various insurance coverages are available to address the myriad social engineering and hacking exposures that exist in business today. Some of these exposures have traditionally been handled by Commercial Crime policies, and in some cases, such as computer crime or funds transfer fraud, that remains the case. However, more and more options are becoming available through Cyber Risk policies as well. The threat landscape is changing at a rapid rate. Fortunately, insurance options are expanding as well. To secure the proper coverage for your clients, contact our Technology & Cyber experts today.