What happened?
A manufacturing business with an annual turnover of ~$80 million experienced a major cyber incident: the Insured’s warehouse staff arrived at work to discover their systems had been encrypted by ransomware, which left their manufacturing equipment unable to function.
The ransom note found was attributed to a well-known ransomware group. A significant amount of the Insured’s IT Infrastructure was encrypted, in addition to the Insured’s local and cloud backups. The incident impacted their operational software, financial accounts, HR systems, artwork files and operation files, resulting in significant operational impact company-wide for over 2 months.
A threat actor encrypted the Insured’s systems and exfiltrated data, interrupting business operations for a 2-month period.
How did the team assist in the incident response?
The Insured contacted the Emergence Incident Response team after discovering the incident. The Incident Response team immediately coordinated a panel of experts to assist, including digital forensics, legal and public relations. The expertise of these vendors enabled a swift response and freed up the Insured’s capacity to focus on the recovery of their systems. Fortunately, the Insured had an alternate backup solution with a third-party provider; however, this backup was 3 months old, resulting in the loss of some data.
Digital forensics experts guided the system recovery, ensuring it was carried out securely. They also provided recommendations to help prevent similar incidents in the future. Legal experts reviewed the Insured’s contracts – particularly those with major clients – to ensure all contractual obligations were being met and advised on regulatory obligations. Public relations experts also supported the Insured with communications to help maintain client confidence.
Emergence arranged a full panel of experts to triage and respond to the incident within 30 minutes of receiving the initial hotline call. The swift support enabled the Insured to focus on returning to operation as soon as possible, mitigating the loss of revenue and maintaining client relationships.
How was this incident covered?
Section A – Losses to Your Business responded to the loss of revenue (impact on business costs) that the Insured incurred because of the interruption to their operations. This was the most significant cost on the claim, totalling approximately $800,000.
Section A also responded to the increased costs of working (impact on business costs) that the Insured incurred to avoid a greater loss in revenue. These costs consisted of additional staffing expenses for temporary staff, totalling $40,000.
Section C – Cyber Event Response Costs responded to the costs incurred by the Insured. Due to the complexity of the Insured’s systems and network, 12 different vendors were engaged to assist with the incident response and recovery efforts. These costs included:
- IT Forensic costs – $90,000
- Legal costs – $60,000
- Public Relations – $15,000
- Notification Costs (eDiscovery) – $40,000
- Data Securing costs – $20,000
- Data Restoration Costs – $160,000
Section D – Optional Cover – Tangible Property costs covered the replacement of hardware devices that were encrypted and could not be recovered, with total costs amounting to $12,000.
What led to this incident, and what can be learned from it?
Because the Insured kept few logs, determining the root cause of the cyber event was difficult; it is believed the threat actor gained access to the Insured’s systems via Remote Desktop Protocol (RDP).
This claim highlights the importance of secure offline backup solutions that are tested regularly and contain up-to-date data: the Insured’s local and cloud backups were encrypted along with production systems, leaving only a 3-month-old copy held by a third-party provider. It was recommended that the Insured implement an Endpoint Detection and Response (EDR) tool with monitoring to help identify suspicious behaviour in the Insured’s systems. It was also recommended that the Insured implement Multi-Factor Authentication (MFA) for RDP connections.
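The two lessons above (keep logs, and watch RDP) can be made concrete. The following is an added example, not code from Emergence or from the case: a small detector that reads Windows Security logon events (event 4624 = successful logon, 4625 = failed logon, Logon Type 10 = RemoteInteractive, i.e. RDP) and raises alerts for an RDP brute force, an RDP success that follows a burst of failures from the same source, and any RDP logon from outside the corporate address ranges. The line format, the sample events and the `INTERNAL_NETS` list are all constructed assumptions for the example; a real deployment would feed it from a log forwarder or SIEM.

```python
"""Flag suspicious RDP activity from Windows Security logon events.

Added example for illustration; the log line format below is a hypothetical
flattened form of Windows event 4624/4625 as an assumed forwarder might emit it.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample: six failed RDP logons from one external address in under a
# minute, then a success from the same address, then ordinary internal activity.
# The last line is deliberately malformed to show the parser skipping it.
SAMPLE_EVENTS = """\
2024-03-02T02:14:05Z EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2024-03-02T02:14:09Z EventID=4625 LogonType=10 User=admin Src=203.0.113.45
2024-03-02T02:14:14Z EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2024-03-02T02:14:20Z EventID=4625 LogonType=10 User=warehouse Src=203.0.113.45
2024-03-02T02:14:27Z EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2024-03-02T02:14:33Z EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2024-03-02T02:15:02Z EventID=4624 LogonType=10 User=administrator Src=203.0.113.45
2024-03-02T08:01:11Z EventID=4624 LogonType=10 User=jsmith Src=10.0.5.20
2024-03-02T08:05:40Z EventID=4625 LogonType=3 User=svc_backup Src=10.0.5.21
this line is not an event
"""

# Assumed corporate address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_LOGON_TYPE = 10  # Windows Logon Type 10 = RemoteInteractive (RDP)
LINE_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) User=(\S+) Src=(\S+)$")


@dataclass
class Event:
    ts: datetime
    event_id: int
    logon_type: int
    user: str
    src: str


def parse_events(text: str) -> list:
    """Parse the hypothetical line format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, eid, ltype, user, src = m.groups()
        # Python < 3.11 cannot parse a trailing 'Z', so normalise it first.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, int(eid), int(ltype), user, src))
    return events


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events: list, threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> list:
    """Return (rule, source_ip, detail) tuples for suspicious RDP activity."""
    alerts = []
    failures = defaultdict(list)   # src -> timestamps of recent 4625s
    already_flagged = set()
    rdp_events = [e for e in events if e.logon_type == RDP_LOGON_TYPE]
    for e in sorted(rdp_events, key=lambda ev: ev.ts):
        if e.event_id == 4625:
            # Keep only failures inside the sliding window before counting.
            failures[e.src] = [t for t in failures[e.src] if e.ts - t <= window]
            failures[e.src].append(e.ts)
            if len(failures[e.src]) >= threshold and e.src not in already_flagged:
                already_flagged.add(e.src)
                alerts.append(("rdp_bruteforce", e.src,
                               f"{len(failures[e.src])} failed RDP logons within {window}"))
        elif e.event_id == 4624:
            recent = [t for t in failures.get(e.src, []) if e.ts - t <= window]
            if recent:
                alerts.append(("rdp_success_after_failures", e.src,
                               f"user {e.user} succeeded after {len(recent)} failures"))
            if is_external(e.src):
                alerts.append(("rdp_logon_from_external", e.src,
                               f"user {e.user} logged on via RDP from a non-corporate address"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{rule:28} {src:16} {detail}")
```

Two practical caveats. Windows only writes 4624/4625 when the audit policy for logon events is enabled, and a ransomware actor who reaches the host can wipe or encrypt the local event log, so the events must be forwarded off-host (to a SIEM or the EDR vendor's console) to be of any use in a root-cause investigation like the one described above. And the third rule is only a stop-gap: the durable fix is the one recommended in the claim, not exposing RDP to the internet at all and requiring MFA for the remote-access path that replaces it.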
The Emergence Incident Response team guided the Insured through a swift and effective incident response. With the assistance of Emergence panel experts, the Insured was able to recover their systems in a timely manner. The swift incident response meant downtime was minimised, and client relationships and reputation were preserved, which prevented more significant long-term revenue loss.