One Broker’s Ransomware Scare

Grant Patten, Digital Media & UX Specialist | BC Broker, December 2016

$209 million was paid to ransomware criminals in Q1 2016 and ransomware is on pace to generate at least $1 billion for the cybercrime industry by the end of the year (CNN).


Perhaps the fastest-growing cybersecurity threat in Canada right now is ransomware, a type of malware (malicious software) that uses sophisticated encryption to block access to a computer, network and/or data until a sum of money is paid. The 2016 State of Ransomware report from security firm Malwarebytes revealed that companies in Canada are the likeliest to pay ransom demands (75%), compared to their counterparts in other countries. In British Columbia in particular, CBC reported in 2015 about three BC law firms that had been targeted with ransomware; one firm even paid the ransom to get back control of its files. The University of Calgary recently paid $20,000 to retrieve research data that had been encrypted via a ransomware scam.

Ransoms typically range from $800 to $2,500, as a business can’t operate without its computer system or important client data and the fee is just manageable enough for most companies to pay.

Ransomware Case Study

One brokerage based in Montreal – J. Gérard Fortin & Associés – experienced a ransomware attack firsthand in early 2016. A mysterious error message began appearing on their BMS: “The system cannot access the database.” Upon consulting their IT firm, it was discovered that ransomware had been installed onto the brokerage’s system through an email attachment that an unsuspecting employee had opened. The ransomware had encrypted all the brokerage’s client data, including emails, PDFs and other policy documents attached to the BMS, rendering the data completely inaccessible unless a sum of money was paid – $2,300.

“To deal with the ransomware, I called my tech support team and we had backed up our data, but unfortunately it wasn’t completely up-to-date; the latest backup was six weeks in the past,” recalls Bruno Fortin, President of J. Gérard Fortin & Associés and CSIO Board Member. “It was important for us to retrieve the latest data, so I made the difficult decision to pay the ransom. It came down to paying $2,300 or losing six weeks of work, so I chose the former.”

The ransomware attacker insisted Fortin pay via the digital currency system Bitcoin in order to make the payment untraceable. Due to the elaborate software architecture that stands behind this currency, which uses cryptography to secure transactions, it’s extremely difficult to find out who is actually exchanging the Bitcoins, much less what they’re selling. After going through this Bitcoin payment process, Fortin was able to get all of the data back, except for the attachments because those files were corrupted. Fortin’s team was able to find copies of most of these attachments by looking back through old emails, but this cautionary tale demonstrates that even paying the full ransom unfortunately does not guarantee retrieval of all the encrypted data.

Ransomware Prevention/Remediation

So, what should other brokerages do to avoid the same thorny situation as Fortin & Associés? Maintaining an on-site data backup solution, as Fortin did, is certainly prudent; however, these backups must be frequent and thorough to be effective, and relying solely on local backups is generally inadvisable. Brokerages could also implement a backup in the cloud, which means sending copies of data to at least one secure off-site server. Leaders in the cloud backup space include Amazon Web Services and Microsoft Azure.
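The gap that hurt Fortin & Associés was a backup that was six weeks stale with no off-site copy. The script below is an added example, not code from the article or the brokerage; it assumes a constructed backup catalogue (one line per job run: ISO timestamp, location, status, size in MB) and reports, for each location, how old the last good backup is and whether the recovery policy is met.

```python
from datetime import datetime, timedelta

# Constructed sample catalogue of backup job runs (not real brokerage data).
# Fields: ISO timestamp, location (local/offsite), status, size in MB.
SAMPLE_CATALOGUE = """\
2016-01-04T22:00:00,local,success,5120
2016-01-11T22:00:00,local,success,5200
2016-01-18T22:00:00,local,success,0
2016-02-15T22:00:00,local,failed,0
2016-02-15T22:05:00,offsite,failed,0
"""

# Constructed "moment of infection" and a one-day recovery point policy.
SAMPLE_NOW = datetime(2016, 2, 22, 9, 0, 0)
MAX_BACKUP_AGE = timedelta(days=1)


def parse_catalogue(text):
    """Turn the CSV-style catalogue into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, location, status, size_mb = line.split(",")
        records.append({"when": datetime.fromisoformat(ts), "location": location,
                        "status": status, "size_mb": int(size_mb)})
    return records


def last_good_backup(records, location):
    """Newest run that succeeded AND actually wrote data; a 0 MB 'success' is not a backup."""
    good = [r["when"] for r in records
            if r["location"] == location and r["status"] == "success" and r["size_mb"] > 0]
    return max(good) if good else None


def assess_backups(records, now, max_age):
    """Per location: last good backup, its age in days, and whether it meets the policy.
    The age is the amount of work that would be lost if ransomware struck at `now`."""
    report = {}
    for location in ("local", "offsite"):
        last = last_good_backup(records, location)
        age_days = (now - last).days if last else None
        report[location] = {"last_good": last, "age_days": age_days,
                            "ok": last is not None and (now - last) <= max_age}
    report["offsite_copy_exists"] = report["offsite"]["last_good"] is not None
    report["policy_met"] = report["local"]["ok"] and report["offsite"]["ok"]
    return report


def demo():
    return assess_backups(parse_catalogue(SAMPLE_CATALOGUE), SAMPLE_NOW, MAX_BACKUP_AGE)
```

Run against the constructed catalogue, the local copy is 41 days old (the six-week gap from the case study) and there is no usable off-site copy, so the policy fails on both counts.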

But, of course, the best approach is to avoid being infected with ransomware in the first place. Educate employees about how to recognize suspicious emails – typos, lack of personalization and odd-looking domains in the “From” header are all red flags. It is true, however, that criminals are getting better at making these emails appear legitimate, so employees must simply be more vigilant about not clicking links or opening attachments in emails unless they’re quite certain about what they’re opening. As the primary installation source of ransomware is online advertisements, according to security firm Symantec, avoid clicking on Internet ads. Brokerages could even consider implementing ad blocking software such as Ghostery to prevent online ads from appearing at all.

Most BMS products have different authorization levels that can be customized; brokers should take advantage of this feature to create different access levels for employees, giving each employee access only to the areas they need for their work and restricting them from the others. And, of course, don’t neglect the basics: make sure your antivirus software is regularly updated and that your systems are regularly patched. A multi-layered defense that includes a next-generation firewall (NGFW) will substantially reduce the number of successful ransomware attacks on your internal network. NGFWs can cost under $1,000, and leaders in this space include Palo Alto, Cisco, Barracuda and Juniper.

“After this ransomware scare, we increased our level of protection against spam and cyber attacks by adding some extra layers of security in our antivirus software, and now we’re doing more regular, up-to-date backups,” says Fortin. “The experience spurred our brokerage into action to make our security systems and policies more robust, so you could say something positive came out of it.”

The insurance companies you work with could likely provide further guidance on the subject of security; Fortin mentioned that some insurer partners offer courses and educational resources on security practices for brokers. Visit the newly redesigned CSIO.com for more information on cybersecurity, including videos, articles and an upcoming white paper on the subject.