A UK-based re-insurer paid a ransom of nearly one million US dollars (£725k or CA$ 1.25m) to unlock the hijacked files of a Canadian insurance firm. Both parties remain anonymous, but some details were released after a British court ruling in January. The extent of the data breach remains unclear.
1,000 Computers Infected
The facts date back to October 2019, when cybercriminals managed to infiltrate the Canadian insurer’s network. A total of 20 servers were compromised and all 1,000 of their computers were infected.
The hackers managed to install a type of ransomware, called BitPaymer. One after another, the computers began locking up, displaying a ransom note.
The ransom message said: “Hello […] your network was hacked and encrypted. No free decryption software is available on the web. Email us at […] to get the ransom amount. Keep our contact safe. Disclosure can lead to impossibility of decryption. Please use your company name as the email subject.”
Nearly $1m in Ransom Paid
The Canadian insurer had previously bought coverage against cybercrime attacks from a UK-based re-insurer. This firm instructed an Incident Response Company (IRC) to intervene on their behalf. IRCs are specialists in negotiations relating to cryptocurrency ransom payments.
Initially, the hackers demanded a ransom of well over a million dollars, to be paid in bitcoin. After negotiations, a total of US $950k was paid.
Within 24 hours, the Canadian company had received a decryption tool. However, the tool, a click-through application, had to be run separately on each system that needed decrypting. Therefore, it took the company another 10 business days to have all computers up and running again.
Re-insurer is Trying to Recoup Money
The British re-insurer is now trying to recoup their money. To be able to do so, they hired a blockchain investigations firm, called Chainalysis, that specializes in tracking cryptocurrency payments.
Now that the investigations are advancing, the re-insurer has sufficient information to sue the as yet unidentified hacker as well as the owner of the account and the bitcoin exchange platform. Details of the judgement were released in January. The case was heard by the Commercial Court, which is part of England’s High Court of Justice, in London.
The case is seen as a landmark case. This is because it is the first time that bitcoins and other cryptocurrencies were classified as a form of property. Because of that, the re-insurer was able to successfully obtain an injunction to freeze the majority of the ransom paid.
To Pay or Not to Pay
Law enforcement agencies and security experts are clear in their stance on the matter: they do not support paying a ransom in response to a ransomware attack.
Several reasons support the “No More Ransom” stance:
- The more companies pay, the more cybercriminals might target other organizations or up ransom amounts
- Paying a ransom does not guarantee an organization will get all their data back
- Cybercriminals might have taken copies or might have left unknown backdoors to hack systems again at a later date
- Ransom payments might be funding other illicit activities associated with criminals
- An increase in claims might hike up insurance premiums
Nonetheless, the American FBI recently softened their guidance: “… The FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.” In many cases paying the ransom is also cheaper than the cost of rebuilding systems, the loss of business and the cost and consequences of a possible data breach.