
Coalition Claims Chronicles: Remote access leads to ransomware attack


The last thing you want is to have your business disrupted by a cybersecurity failure. Nobody expects to be the victim of a ransomware attack, funds transfer loss, or data breach. But, once a cyber incident occurs, it’s important to know you have a team of experts ready to help you figure out what happened — and what happens next. This series shares real stories from Coalition policyholders who navigated a cyber insurance claim. The organizations will remain anonymous to protect their privacy and security.

Do you trust your digital vendors? Relying on cloud services, managed service providers, and other digital vendors has become common practice. Many industries that were traditionally less connected, such as manufacturing and construction, are in the middle of digital transformations to remain competitive, and they tend to outsource some or all of their IT services. Unfortunately, this leads organizations to take on risks they cannot control and to expose their critical information to an environment they do not own.

Signs of ransomware

On 17 April 2020, late in the afternoon, the project manager of a general contractor began noticing unusual file extensions and receiving error messages that files had been corrupted. Shortly afterward, they confirmed the data server had been encrypted — likely due to ransomware. The project manager knew it was critical to isolate the infected machine, and disconnected the workstation suspected to be the source of the incident. Next, they implemented two-factor authentication on all payroll services and disabled VPN access before contacting Coalition for support.

Coalition Incident Response (CIR) began the forensic discovery process and prepared to negotiate with the threat actor for a decryption key. Unfortunately, the policyholder did not have viable offline backups to complete a restoration. CIR determined that the policyholder had been infected by the Sodinokibi ransomware variant, an older variant of REvil ransomware commonly spread by brute-force attacks and server exploits.

Identifying the source of the infection

With backups unavailable, the policyholder had no choice but to pay the ransom to restore their operations. Two days after the initial attack, the attackers directed the negotiation team to a TOR site requesting a $1,000,000 ransom — a steep price for a small business. Early communications with the threat actor revealed that a mere 20 hours earlier, the policyholder’s managed service provider (MSP) had also visited the TOR site. The attacker had targeted the MSP and not their downstream clients.

The decision was made to negotiate the ransom and work with the MSP, who confirmed they had multiple clients impacted by the ransomware but had been able to restore data for all other victims. The MSP had stopped backing up the policyholder’s servers the previous July. During forensic investigations, CIR determined that ScreenConnect, a remote desktop software application, was likely used as the vector for the ransomware compromise.

Negotiation, restoration, and backup

On 22 April 2020, we received the decryption tool from the threat actor after successfully negotiating the ransom down to $11,000 in bitcoin. CIR began the decryption process, which was complicated by the Webroot SecureAnywhere software the MSP had installed on the policyholder’s systems. Ultimately, CIR was able to get the policyholder back online and installed an Endpoint Detection and Response (EDR) solution to monitor their endpoints and prevent future cyber incidents.

Identify digital supply chain risk

Identify known risks across the supply chain, both upstream and downstream. When picking a vendor, it’s essential to ensure that they address all of your needs and have a process in place if something goes wrong. Ideally, they should have a dedicated security team and an incident response (IR) plan with people in place to handle breaches as they occur. Don’t hesitate to ask how they will alert you in the event of a cyber incident — remember, speed is critical. Look closely at:

  • Potential vendors – evaluate more than one, compare offerings
  • Customers and what types of industries they support
  • Networks, systems, and software they access
  • Their update/patching schedule for the software they offer
  • Their internal best practices (MFA, etc.)
  • Where they access your IT ecosystem
  • How they access your network
  • What information they access or transmit

Manage your digital risks with Coalition Control

Coalition Control is our integrated risk management platform that lets you take a proactive approach to manage cyber risk, all for free. Our Automated Scanning & Monitoring finds organizational risk and shows you how to fix it before the unthinkable happens. Organizations can monitor vendors, partners, and other third parties, thereby keeping an eye on vulnerabilities in outsourced or shared infrastructure. Sign up for free today and get unmatched visibility into your organization’s IT infrastructure. Also inside Coalition Control is our cybersecurity partner marketplace, which provides policyholders with exclusive savings on services such as phishing training, two-factor authentication, and other cybersecurity solutions (including EDR).

Find out more about how we work to get businesses back online in other Coalition Claims Chronicles posts. Find out how we helped a healthcare policyholder recover after a devastating Hello Kitty ransomware attack or helped to recover $1.3M for a customer after a phishing attack leading to funds transfer fraud.