Cyber extortionists have many tools and vectors for deploying ransomware on victims’ systems. Fortunately, Coalition policyholders have the benefit of our Claims and Incident Response teams also have extensive tools and expertise for actively preventing attacks, remediating vulnerabilities, and — if worse comes to worst — reducing ransom demands.

Coalition’s teams are agile –– we skip the red tape and have people around the globe who are ready to help. Our Claims and Coalition Incident Response teams respond immediately to keep our policyholders safe after an incident, at no additional cost. 

Early one September morning, at roughly 5 am, an IT professional at a large manufacturing company booted up their computer and logged in. They immediately noticed a series of mass file changes on their network –– a clear sign of a ransomware attack. The policyholder contacted Coalition, and within 90 minutes, we were discussing the steps we needed to take next to diagnose, eradicate the threat, remediate the systems, and get their business up and running again.

We deployed an endpoint detection and response (EDR) tool, Carbon Black, to collect and visualize comprehensive information about endpoint events to see how widespread the infection was. Next, we preserved all the data we could, changed all passwords, and got a copy of the ransomware note: a request for $2,000,000. The ransomware variant, known as Mount Locker, was fairly new at the time. Finally, we took a forensic image, including all files, folders, and unallocated space. 

The attacker had likely utilized TrickBot, a modular banking trojan that acts as a dropper for other malware. This policyholder had a previous infection in 2018 with powerful ransomware that they didn’t fully remediate. While combing through the system data, we noted a TrickBot banking trojan that appeared to be on a handful of systems from 2018. Thus, the connection to the bad actor was persistent and most likely aided the new Mount Locker infection. 

Ultimately, we worked tirelessly over five days to image various systems, move them to a new, clean network, give legal advice, provide security recommendations going forward, and work with counsel to negotiate the ransom. While they did end up paying the ransom, we negotiated it down from $2 million to $200,000. That’s a difference of $1.8 million dollars — an amount that could cripple any business.

Coalition provides Active Risk Assessment of an organization’s real-time cyber risk, Active Protection through continuous threat monitoring, and Active Response to incidents if they occur — providing the most comprehensive insurance available to solve cyber risk.