Canadian Underwriter

New ransomware strain results in surge of claims

August 28, 2019   by Jason Contant

Print this page Share

A new strain of ransomware caught the attention of one cyber insurer after it experienced a surge in claims over the past few months.

The Sodinokibi strain first came to the attention of specialist insurer CFC in April. Cyber criminals exploited a bug in Oracle WebLogic, a piece of software that servers use for running Java applications. But the full effect wasn’t seen until June, when the bad actors began targeting managed service providers (MSPs).

“It ended up being so successful, it definitely impacted us as an insurer,” Tom Bennett, cyber incident specialist with CFC, told Canadian Underwriter in an interview Friday.

“It was in June and then July when it really started kicking off in terms of claims, because that was when they moved to this model of attacking managed service providers, which led to such a volume of calls in such a short period of time. We had upwards of 12 [claims] in a 24-hour period at one point in June. It really spiked in June.”

Since CFC first noticed Sodinokibi, they have identified that nearly one-quarter of ransomware claims are coming from the strain. Of all recent infections, Sodinokibi has accounted for about 40% of all ransomware in the last two months.

Sodinokibi gained traction in Canada, the United States, United Kingdom and other parts of Europe. In Canada, there were claims in Quebec, British Columbia and elsewhere, Bennett said.

In June, attackers began targeting MSPs – outsourced IT companies that remotely manage a customer’s IT infrastructure and/or end-user systems. Businesses that don’t have any internal IT employees and outsource their IT infrastructure and/or end-user systems to MSPs are particularly vulnerable to this new strain.

Why? In this case, sometimes MSP employees were not setting strong passwords, or they were reusing passwords. “So, an employee might sign up for an online shopping [site], that company gets breached, the password is stolen by hackers and then reused in a password stuffing attack,” Bennett explained. “The majority of the instances we’ve seen have been just that, where someone at an MSP has a password breached [and] that has been reused.”

As a result of just one breach, cyber criminals can get dozens or hundreds or more successful infections. “So it’s kind of an amplifying effect for their efforts,” Bennett said. “They go for the central point and infect many companies per attack and that’s why it’s been so prevalent. It’s probably not a large group of people doing it, but they’re able to hit a lot of targets through that method.”

What can companies do to help prevent these types of attacks? Bennett said because many attacks were through the MSP, it’s difficult to say how companies can secure their systems. Beyond having up-to-date software patches, he recommends companies put pressure on their MSPs to have good passwords and “even if the passwords are weak, you can usually protect it by having multi-factor authentication.”

The strain has even evolved to include phishing attacks. For phishing emails, Bennett tells users not to open attachments, “especially anything with an executable code in it, like a macro in a Word document if it’s not from somebody you definitely trust and you verify that you were expecting it.”

Bennett said he often sees companies that have back-up procedures. They’re backing up things regularly. They store things on a different server, but also on the network. “What happens is the attacker encrypts the back-ups as well as the main computers, so having it siloed so it can’t be attacked like that is absolutely crucial,” he said. “An encrypted back-up is no back-up really.”