Cybercriminals Were Paid Nearly a Million Dollars After Ransomware Attack on Canadian Insurance Company
A recently published decision by the High Court of Business and Property, a division of the High Court of England and Wales, revealed that the attacker or attackers behind the ransomware attack on a Canadian insurance company were paid nearly a million U.S. dollars.
The ransomware attack on the Canadian insurance company and the ensuing ransom payment, both of which were kept from the public, only surfaced after the insurer of the Canadian insurance company, an insurance company based in the UK, filed a case in court to recover the ransom paid to the attackers. Ransomware is a type of malicious software (malware) that encrypts victims’ computers or data, locking legitimate users out of those computers or data. In ransomware attacks, attackers force victims to pay a ransom in exchange for the decryption keys that would unlock the locked computers and files.
In the recently published decision, the UK High Court, which refused to name the Canadian insurance company and the UK-based insurance company, found that the attackers managed to lock 20 servers and 1,000 desktop computers of the Canadian insurance company on October 10, 2019. Posted on the screens of these locked servers and desktop computers was a ransomware notice with the following message: “Hello [Canadian insurance company] your network was hacked and encrypted. No free decryption software is available on the web. Email us at […] to get the ransom amount.”
The attackers initially asked to be paid in the cryptocurrency Bitcoin valued at 1.2 million USD. This amount was later reduced to 950,000 USD. “Given the importance to the Insured Customer [Canadian insurance company] to obtain access to its systems, the Insurer [UK-based insurance company] agreed to pay the ransom in return for the tool,” the court document showed.
A total of 109.25 Bitcoins was transferred by an agent of the UK-based insurance company to the Bitcoin address provided by the attackers. In exchange for the ransom payment, the attackers provided a decryption tool that enabled the Canadian insurance company to decrypt the 20 servers over a period of five days and the 1,000 desktop computers over a period of 10 days, the court document showed.
Following the ransom payment, the UK-based insurance company engaged the services of Chainalysis, a blockchain investigations firm. As Bitcoin transactions are public, the 96 Bitcoins paid to the attackers by the UK-based insurance company were traced to deposits made by the attackers at the cryptocurrency exchange Bitfinex.
In the decision released on January 17, 2020, the UK High Court ordered Bitfinex to freeze the 96 Bitcoins and to reveal the identity of the person or persons who deposited the cryptocurrency. “Bitfinex has the ability to access its records and its KYC [Know Your Customer] material to identify the information that is sought …,” the court said.
In the decision, the UK High Court also explained why it withheld the identities of the Canadian insurance company and the UK-based insurance company. The court said that, by its very nature, Bitcoin “can be moved at the click of the mouse and therefore steps should be taken for the proprietary injunction to come to the attention of the account at the exchange at which the Bitcoins are held at the earliest possible opportunity.”
The UK High Court document showed that the ransomware attackers managed to bypass the firewalls and anti-virus software of the Canadian insurance company, leading to the installation of the ransomware known as “BitPaymer”.
The initial infection vector of BitPaymer is currently unknown. While most ransomware programs are distributed via exploit kits (EK) and malicious email campaigns, this ransomware is suspected to be distributed via targeted attacks. One suspected entry point for BitPaymer attackers is brute-forcing RDP connections to unprotected systems in an organization’s network.
“After the attackers gain access to an organization’s network, BitPaymer might be deployed on business-critical systems to cause maximum disruption of services, and in turn warrant a considerable ransom,” McAfee Labs said in its analysis of the BitPaymer ransomware.
Brute Forcing RDP
RDP stands for Remote Desktop Protocol. It is a proprietary network communications protocol developed by Microsoft that provides remote access over TCP port 3389. In the blog post “Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks” dated December 18, 2019, Microsoft said that computers with Windows Remote Desktop Protocol (RDP) exposed to the internet are an “attractive target for adversaries because they present a simple and effective way to gain access to a network.”
According to Microsoft, attackers go after RDP connections through brute force, a form of attack that uses trial and error to guess the correct password of an RDP server. Targeted RDP servers are those without virtual private networks (VPNs), multi-factor authentication and other security protections.
Microsoft added that attackers attempt to illegally access RDP accounts using usernames harvested through credential theft or common usernames such as “administrator”. According to Microsoft, brute force attacks on RDP servers last for 2-3 days on average, with nearly 90% of cases lasting 1 week or less, and less than 5% lasting 2 weeks or more.
“Through RDP brute force, threat actor groups can gain access to target machines and conduct many follow-on activities like ransomware,” Microsoft said.
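As an added defender-side illustration (example code, not from the article and not Microsoft's model), the following Python flags the pattern described above in Windows Security audit events: a burst of failed logons from one source, the usernames it cycled through, and whether a successful logon from the same source followed the burst. The event data is constructed; Event IDs 4625/4624 and LogonType 10 (RemoteInteractive) are real Windows values, while the window and threshold are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security audit events, not real log data:
# (timestamp, EventID, LogonType, account, source IP).
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2019-10-08 02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-10-08 02:00:03", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-10-08 02:00:06", 4625, 10, "admin", "203.0.113.7"),
    ("2019-10-08 02:00:09", 4625, 10, "backup", "203.0.113.7"),
    ("2019-10-08 02:00:12", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-10-08 02:00:15", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-10-08 02:00:20", 4624, 10, "administrator", "203.0.113.7"),
    ("2019-10-08 08:15:00", 4625, 10, "jdoe", "198.51.100.20"),   # a mistyped password
    ("2019-10-08 08:15:30", 4624, 10, "jdoe", "198.51.100.20"),
    ("2019-10-08 09:00:00", 4625, 3, "svc_scan", "192.0.2.5"),    # network logon, not RDP
    ("2019-10-08 09:00:01", 4625, 3, "svc_scan", "192.0.2.5"),
]

def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: summary} for sources whose RDP (LogonType 10) failures
    reach `threshold` inside any `window`; the summary notes a success after the burst."""
    by_ip = defaultdict(list)
    for ts, event_id, logon_type, account, ip in events:
        if logon_type != 10:          # only RemoteInteractive (RDP) logons matter here
            continue
        by_ip[ip].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, account))
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort()
        fails = [r for r in recs if r[1] == 4625]
        burst = None
        for i, (start, _, _) in enumerate(fails):  # sliding window over the failures
            in_window = [f for f in fails[i:] if f[0] - start <= window]
            if len(in_window) >= threshold:
                burst = (start, in_window[-1][0])
                break
        if burst is None:
            continue
        alerts[ip] = {
            "failed_attempts": len(fails),
            "accounts_tried": sorted({acct for _, _, acct in fails}),
            # a success from the same source after the burst suggests a guessed password
            "success_after_burst": any(r[1] == 4624 and r[0] >= burst[1] for r in recs),
        }
    return alerts

if __name__ == "__main__":
    for ip, summary in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, summary)
```

A source that trips the rule and then logs on successfully is the case to escalate first, since it matches the "access, then follow-on activity" sequence Microsoft describes.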
Our team can help you mitigate RDP brute-force attacks, saving your organization significant dollars. Call today (416) 920-3000 or email firstname.lastname@example.org and leave nothing to chance.