Canadian insurance company lost nearly US$1M in ransomware attack

TORONTO -- Computers at a Canadian insurance company were disabled for more than one week due to a ransomware attack that resulted in a payout of nearly US$1 million.

The attack happened last October, but is only coming to light now as efforts to reclaim the ransom make their way through the British court system.

The U.K. court action is being led by a British insurance firm with which the Canadian company had a policy protecting it against suffering losses from cyberattacks.

Neither company is named publicly in the lawsuit the British company has filed against the unknown attackers. In a court decision made last month and published Jan. 17, Justice Simon Bryan ruled that hearings in the case would be held in private and that the involved insurance companies' names would not be published, saying anything else would open the insurance companies up to retaliatory and copycat attacks while also potentially giving the hackers a chance to cover their tracks.

"Publicity would defeat the object of the hearing," Bryan wrote.

COMPANY TURNED OVER US$950,000

According to Bryan's written decision, the hacker or hackers somehow "managed to infiltrate and bypass the firewall of [the Canadian company]." From there, they encrypted files on the company's servers and locked desktop computers. They also left a note.

"Hello [company name] your network was hacked and encrypted. No free decryption software is available on the web. Email us … to get the ransom amount. Keep our contact safe. Disclosure can lead to impossibility of decryption. Please use your company name as the email subject," the message read.

The Canadian company got in touch with its British insurer, which hired ransomware response specialists. The hacker told the specialists they were demanding US$1.2 million in Bitcoin, but eventually agreed to US$950,000 "as an exception."

The specialists then transferred 109.25 Bitcoin – roughly equivalent to US$950,000 at the time – of the British company's money to the specified account. Although they had been promised a quick response, nearly 16 hours elapsed before the hacker got in touch again, giving them a decryption program.

Even with the program, it took five days to run the program on each of the company's 20 servers and five more to decrypt and unlock all 1,000 desktop computers.

Some of the Bitcoin was sold for other currency before specialists were able to locate it, but the bulk of the ransom – 96 Bitcoin – was traced to one specific account on one specific exchange.

The British company is suing the hacker as well as the owner of the account – it's not certain if they're the same person or not – as well as the Bitcoin exchange. The insurance firm is seeking a court order to force the exchange to reveal the identity of the account owner.

A RISING THREAT

The Canadian Anti-Fraud Centre (CAFC) described ransomware last September as "an increasingly common threat, targeting everyone from individuals and small businesses to large private enterprises and government organizations."

There have been several high-profile cases in Canada in recent years, including an attack that paralyzed the Nunavut government's computers for nearly two weeks last November.

Insurance companies are also known targets. One of the largest insurers in Oman was reportedly hit earlier this month. In Canada, Andrew Agencies Ltd. was targeted last fall but said it did not pay a ransom – implying that they are not the Canadian company at the centre of the British case.

The CAFC notes that there is no way to completely safeguard against these attacks, but says training employees to recognize cybersecurity threats, restricting access to computer administrative privileges and storing backup data offline can help protect an organization.