What happened?
The Insured, a manufacturing business with approximately $40,000,000 turnover, discovered that a threat actor had encrypted their Windows servers overnight. Around 25 virtual machines and 5 physical devices were affected by the ransomware attack. The shutdown of the Insured’s manufacturing equipment led to significant business interruption.
How did the team assist in the incident response?
The Insured notified the Emergence Incident Response team of a suspected cyber incident. Our incident response experts contacted the Insured immediately. Within an hour, a conference call was held with the Insured, Emergence, and a Digital Forensics expert. Investigations commenced immediately. The priority was to restore operations quickly to reduce the risk of significant business interruption losses.
Emergence responded quickly, coordinating with appointed experts to begin digital forensic analysis of the Insured’s IT systems. Emergence also appointed forensic accountants to assess the business interruption loss. This prompt action helped contain the incident and reduce its overall impact.
How was this incident covered?
This incident was covered under policy Section C – Cyber Event Response Costs. The policy covered reasonable costs to respond to the incident including:
- IT forensic costs to conduct the forensic investigation and secure the Insured’s IT systems.
- Data Restoration Costs to rebuild various systems and programs, and to reactivate the Insured’s physical devices.
This incident was also covered under policy Section A – Losses to Your Business. The Insured was non-operational for a significant period of time, which resulted in a business interruption loss of over $1,000,000.
Emergence was able to engage a forensic investigation on the day we were notified and to assist the Insured with remediation. Whilst the business interruption losses were significant, they could have been much larger if Emergence and its appointed experts had not acted as quickly as they did.
What led to this incident, and what can be learned from it?
A lack of logs kept by the Insured made determining the root cause of the cyber event difficult. It is believed the threat actor gained access to the Insured’s system via Remote Desktop Protocol (RDP). The Emergence-appointed Digital Forensic & Incident Response expert was able to provide a list of recommendations for the Insured to improve their IT capabilities, including implementing an Endpoint Detection and Response (EDR) tool with monitoring to help identify suspicious behaviour in the Insured’s system. It was also recommended that the Insured implement Multi-Factor Authentication (MFA) for RDP connections.