What to Do After a Ransomware Attack

Advice from insurance professionals following the WannaCry malware crisis

Photo: iStockphoto

A growing wave of ransomware attacks around the world should have engineering, design and construction firms looking long and hard at whether they are prepared for the worst, say risk and insurance experts.

Cyber insurance brokers say they have been bombarded over the last few days with anxious calls from clients in a range of business sectors following the global “WannaCry” malware crisis.

The attack has succeeded in holding hostage hundreds of thousands of computers in more than 150 countries, with the mysterious Shadow Brokers demanding a ransom of $300 to $600 in hard-to-trace bitcoins.

The attacks are also expected to further speed up the pace at which construction and engineering firms buy ransomware coverage, with project owners often now requiring that contractors and their subs have policies in place.

The attacks are also expected to further speed up the pace at which construction and engineering firms buy ransomware coverage, with project owners often now requiring contractors and their subs to have policies in place.

“It’s opened a lot of people’s eyes,” said Judy Selby, national lead on cyber insurance and data privacy for BDO USA. “Ensure that you are insured.”

Even so, companies already protected by data loss insurance must act carefully to avoid some easy-to-make pitfalls in the frenzied hours following a ransomware attack, experts say.

Amid the panic and confusion that can follow the malware's encryption of data, there may be a rush to take immediate action, such as hiring IT security experts and other outside help, Selby noted.

However, contractors and other companies must first contact their insurance companies and get their blessing before making any major moves or potentially face pushback later when trying to recoup costs under their insurance coverage, according to Selby.

In fact, calling the insurance company should be the first step even if the amount being sought by hackers – reportedly $300 to $600 – falls below the retention or deductible number, which is likely with such relatively small numbers, Selby said.

Most policies are not likely to cover such small ransom payments. But paying off the cyber criminals is just the first step.

Malware viruses, on average, may remain undetected for about 200 days, said Joe Salazar, a cyber insurance expert and broker at Aon Risk Solutions.

During that time, the hackers are effectively casing the joint, studying the internal communications of its victim to determine the most opportune time to seize the system and demand a payment.

In hacking and cybersecurity circles, this preliminary assesment of the target is sometimes known as "footprinting."

“That is when they establish their level of comfort, getting familiar with your email traffic and correspondence,” Salazar said. “In turn, they can identify an adequate time to attack and vulnerabilities and weak areas they can penetrate.”

As a result, a company hit with a ransomware attack will likely face the need to hire a forensic investigator to examine and scrub its computer system, something that may be covered under its policy.

Without such a clean sweep, the malware may remain in place, leading to future ransomware attacks or other schemes involving the company’s private data or that of its clients, said Roberta Anderson, a Director at Cohen & Grigsby, P.C.

“If you just pay the ransom, it could happen again,” Anderson said. “It might be a diversion from the true purpose. It could turn into a digital data loss.”

To speed up the recovery process, Anderson said the cyber extortion policies she helps write for her clients includes a specific forensic specialist ready to be called upon.

Insurers are likely to have a team of anti-cyber fraud experts ready to go, which can be a major benefit of having ransomware coverage, Selby said. “You get a cyber swat team. It may be your first incident but they have handled thousands of them.”

There is also an 800 number provided on some insurance policies that will provide a company hit with a ransomware attack with a “cyber coach” to help, said Aon’s Salazar.

While ransomware insurance has been around for a decade, until recently there has been little focus on it, with most of the attention going to other forms of cyber insurance that cover the costs of data breaches.

Will Insurance Premiums Rise After WannaCry?

That low profile has also meant fairly low premiums for ransomware insurance. While it can be difficult to generalize, up to $1 million in coverage for, say, a manufacturer might cost $10,000 to $17,000 a year, Salazar said.

But with rising demand, this is likely to change, Anderson said. Underwriting standards are also likely to become tougher.

While the payments are low, they are a sign that cyber criminals have figured out a way to generate quick cash from their hacks.“There has been a tremendous uptick,” Anderson said. “The criminals have figured out how to monetize what they are doing.”

Scott Van Voorhis writes regularly for ENR about risk management, insurance, and the Canadian engineering, construction and infrastructure sectors. He launched his own freelance writing business in 2008 after nearly two decades as a reporter and business columnist for the Boston Herald, Boston Business Journal and The Eagle-Tribune.

Post a comment to this article

Enhancing Collaboration and Surpassing Traditional Design-Build Methods with Progressive Design-Build

Earn: 1 PDH; 1 AIA LU/Elective; 0.1 IACET CEU

Progressive Design-Build is reshaping large infrastructure projects by addressing key issues with the traditional Design-Build approach. We'll explore how PDB fosters collaboration between owners, design-builders, and design teams to develop a well-defined scope and budget, plus minimizes cost overruns and reduces liability claims.