Monster Mutual Cyber Insurance: It’s Your Funeral Bro
It’s a crisp fall morning. You’re walking out to your car with a spring in your step, and a smile on your face. It’s almost the weekend during football season, and you’ve managed to get up early enough to go get a Pumpkin Spice Latte before work.
Just before you reach the car, your inflatable Halloween decoration suddenly begins to inflate and gives you a slight fright. You had forgotten that it was on a timer. The first thing to inflate is the “BEWARE!” sign that the monster is holding. It rises quickly to eye level. You chuckle and shake it off as you proceed on to your morning commute.
The drive-thru line is, of course, backed up around the building—it always is on those first cool days of the fall. Worried this may take too long, you grab your phone to check the time to make sure you can still get your PSL. As you unlock your phone, you’re flooded with a barrage of alerts, text messages, and missed calls. All coming from… inside the office. The first message you read is from Renfield, your long-time IT assistant. It reads:
“Something spooky is happening to the servers! Call me now!”
You grumble and get out of the coffee shop line. Guess you’ll just have to have the swamp sludge that they make in the office today. Rushing into the office, you are met by a horde of the seemingly undead wandering the lobby and halls. Everyone seems lost, not knowing what to do. You brush past them as best you can, slipping through their outstretched arms and hearing their moans of:
“Heeeeeelllpppp Meeeee. Heeelppp Meee…. Eeemail is doooown! It’s doown!”
Speeding up to get to your office before you’re overrun, you find that Renfield is already waiting.
“Master, err- I mean sir, all the servers are down. We don’t know why.”
You power on your laptop, use a remote desktop to connect to the email server and are met with a monster from your nightmares—a ransom note. Rushing to check a few more servers, you find that the monster exists on all of them.
You scramble to think of what to do, but ah! You remember you have an IR plan. Reaching into your desk, you pull out the dusty tome and flip to the first page.
- Step 1: Call IR Retainer Firm
- Step 1a: Call Cybersecurity Insurance
You instruct Renfield to call your IR retainer firm. You pick up the phone to call the cybersecurity insurance company as you’re the authorized party to invoke them. As you’re waiting for the insurance company to pick up the phone, you flip to the next page to see what other steps you may need to take and it reads:
- You have reached the end of this document.
You mumble to yourself that you should’ve used that free template you heard about at Hacks and Hops. The phone line clicks, and you’re met with an automated voice saying, “Please Hold.” This repeats every three seconds while you wait for someone to answer the phone. As you’re waiting, Renfield pops back into the room and says with excitement, “Master—, sir, the IR firm says they’re ready to help and would like to set up a triage call after you speak to the insurance company.”
You give Renfield a pleased nod as the insurance company finally answers your call.
“Monsters Mutual, how may we direct your soul- err- I mean call,” the receptionist asks with a hint of agitation.
You ask to speak to your agent, and the call is directed with a few button pushes (but no pleasantries). Once on the line with your agent, you inform them of what’s going on. They insist that you must use their preferred IR firm, Crude Dudes Cyber. Mentioning that you have a preferred IR firm is met with immediate hisses and growls. You hear the moans and can see the wandering horde outside your office, so you decide that you don’t want to fight this fight. You go with the firm your insurance is providing.
Many frightful hours later, after boarding up your office door to keep the wandering mass of aimless employees out of your office, you receive a callback from the Crude Dudes. You answer the call, and are met with:
“Sup dude, so you gonna pay this ransom?”
Again, no pleasantries and no fanfare. You inform the Crude Dude that you are in fact not going to pay the ransom. He scoffs and says:
“Alright bro, it’s your funeral. So, what do you want us to do?”
You inform him that you’d like for them to investigate the issue, find the attackers, eradicate them from the network, and provide some guidance on how to keep this from happening again. You know, standard incident response. The Crude Dude stifles back a laugh and asks if he can put you on hold for a moment. You hear him hit a button on his phone, but it doesn’t send you to hold.
“Hey, guys…. This guy thinks we’re going to investigate and quote ‘eradicate the attackers,’” he says, with an obviously mocking tone.
In response, a roar of evil laughter can be heard in the background. The Crude Dude hits another button, this time the hold music plays. It’s odd. You notice that it sounds like the theme music from the movie Halloween, but you only hear it briefly before the Crude Dude hits the button again, thinking that it just didn’t work the first time.
“Alright bro, yeah, we can do that. We’ll get started right away,” he says, and you can picture the sinister smile on his face.
Though you feel a bit uneasy after this call, you grab a handful of candy corn and shove those feelings down deep. For a whole day, you wait by the phone in your office, frozen in fear and hearing the moans of “Eeeemmaiill, ShaaarrreeeePoint!” coming from the cavernous halls. You wait all day, but no response from the Crude Dudes.
Finally, when morning comes, the phone rings a sickly and stuttered ring. You jolt up from your desk, candy corn falling off your cheek as you do. You noticed the odd ring but figured you must just have heard it wrong in your sleep. Answering your phone, you find that it’s the Crude Dudes calling back to give you some tools to install. You do this immediately, let them know it’s done, and then they hang up the phone.
Again, you wait at your desk, dipping into your emergency supply of miniature candy bars and tiny bags of chips for survival. Eventually, you fall asleep on your desk again. The moans and complaints are still coming from the hallway—and getting closer to your office.
You receive an update call the next day.
This time it’s a different Crude Dude, who notes that he’s been assigned to your case.
“Sup bro, so yeah, we see you’ve been ransomed. So, you wanna pay this ransom?” he asks.
“No! No, I don’t. I want you to investigate,” you reply, incredulously, trying to understand why they’re still asking the same question. You think to yourself, “Have they not even started investigating yet?”
“You sure? We could just pay this ransom and the whole thing would be over?”
“No, just what I asked,” you reply sternly.
“Alright bro, your funeral,” as they hang up the phone.
This process repeats every day. You feel like you’re in the Twilight Zone. Each day you sit at your desk with the hordes of aimless employees outside your office door, banging and scratching at the door. Occasionally a spooky chant breaks out from the sales department. They’re chanting, “Email! Contracts!” repeatedly in a ghostly voice.
This goes on for an entire month. Your family misses you, and you’re running dangerously low on miniature candy bars and chips. Each day is the exact same as the last. A call from Crude Dudes, asking if you want to pay the ransom. No real updates on the point of ingress, TTPs, IOCs, or anything actually useful in a case.
The horde outside your door gets smaller each week. The undead—err—aimless employees see that they will not get what they want, and they move on to haunt other companies.
Your customers turn to ghosts.
Your company is going toward the light, unable to bring in revenue and unable to pay even the electric bill.
All you can hear, as the final light goes off in the building is:
“Alright bro, it’s your funeral.”
Lessons Learned
We learned a few things from this tale of horror:
- Have an updated IR plan. Don’t have one? Start with our template!
- Test your IR plan regularly. The best way? Tabletop exercises. These are ‘spooky’ scenarios where you play out an attack, see how your team would handle it, and find potential issues BEFORE an incident occurs.
- Have discussions before an incident with your insurance partner. Find out who their IR panel vendors are, and vet them as best you can.
- Know what you’re going to do and have a trusted IR partner who will fight for you—not fight to get the attackers paid.
- Establish your trusted IR partner with your insurance company before an attack.
Backup Slasher Camp
You arrive at the cabin for a weekend of fun with your four best friends. The trip had been planned for months, but due to the other member of your IT team being out with an illness, you had to take this weekend’s on-call rotation. It should be fine—it’s a small company and nothing ever really happens on the weekends anyway. But, you brought your laptop and a cellular hotspot just in case.
As evening falls and the group is sitting around a fire enjoying some beverages and telling scary stories, your friend Michael Myers begins telling a story that happened near this very cabin on a night much like tonight.
As he begins telling the story, your phone rings. You look down to see that it’s the office.
You’re looking at your phone, about to answer and Michael says, “Dun dun dunnnnnn!” to provide some emphasis for his story.
You step away from the campfire, Michael still telling the story in the background, and take the call.
“This is Freddy from IT, how may I help you?”
A panicked voice on the other side of the call replies:
“This is Jason, from sales. We can’t access any of our files, and we’re giving a presentation to Cyberdiner Systems about AI in the morning! We need you to fix it NOW!” he says, nearly yelling into the phone.
“Alright, I’ll log in and take a look at the sales server. Let me call you back in a few minutes.”
You grab your laptop and return to the campfire to set up. You figure it’s likely just a permissions issue, or someone saved something in the wrong location. You fire up the laptop, connect to a VPN, and then connect to the sales server. In the background, you hear Michael still telling the story:
“…the 5 kids were trying to barricade themselves inside the house, but the killer was already inside.”
You’ve heard this story before, and you know Michael is going to try to scare everyone later tonight with a mask. You smile and make a mental note to not be afraid.
However, as you look at the sales server, the horror becomes real.
You see the dreaded ransom note right on the desktop of the server. You quickly browse the sales shares and see that all the files have had their file extensions changed to .h3ll. Again, you hear Michael in the background,
“…and they put a dresser against the bedroom door as a backup…”
“Backups!” you think to yourself.
“I sure am glad I bought that backup system from Shredder Systems. They said it’s immutable, so it must be safe.” You figure that you can restore from backup, get sales what they need, and deal with the rest on Monday. Pleased with this realization, you connect to your backup system.
You are met with an even greater shock as Michael continues his story in the background.
“…but the backup dresser was no match for the Camp Site Killer, he pushed right through…”
The color drains from your face as you realize that all your backups have been deleted.
“But this was supposed to be immutable!” you say out loud, startling your friends.
Michael replies, laughing a bit, “It’s just a story dude, calm down.”
You shake your head, and look back at your screen in disbelief, now realizing that the Backup Slasher—err—attacker has done more damage than you initially thought. Those network-connected backups, as you remember, could be deleted by any administrator account on the domain, and the attacker plainly had one.
You quickly check the other servers in your environment, and they all bear the same sinister mark of the .h3ll extension.
You step away from the campfire and back into the house. You’ll need to call the CEO and let them know what has happened. With your hands shaking, you make the call and give them a horror-filled summary of what’s happened.
The CEO asks: “What options do we have? That meeting with Cyberdiner tomorrow is life and death for the company.”
You inform the CEO that, unfortunately, without backups, the only option to get back up quickly is to pay the ransom. The CEO responds, “Just pay the damn thing and get the servers back online.”
Luckily, you have some accounts on cryptocurrency exchanges, and the accounting department has been informed to give you whatever you need to make the purchases.
You log into the cryptocurrency exchange and purchase 10 SlasherCoins—the currency that these attackers requested. When the transaction is complete, a message pops up on the screen:
“Note: SlasherCoin has been utilized for terrorist activities. As a courtesy to our customers here at CryptExchange, we must inform you that the FBI has placed the primary threat actor utilizing this currency on the OFAC sanctions list. If you are utilizing SlasherCoin to pay the TexasBackupSlashers group, you will be violating federal law.”
That’s odd, you’ve never seen anything like that before. Quickly, you open the ransom note again to see if this attacker group has left its name. To your horror, you see that the end of the note is signed:
“Happy Halloween from The TexasBackupSlashers!”
You can’t pay the ransom, the files can’t be restored, and the company will likely not get the Cyberdiner contract.
You turn off your phone, disconnect from the VPN, and begin updating your resume.
Lessons Learned
What did we learn?
- Backups are important. Offline backups are more important: a copy the attacker can reach with stolen admin credentials is a copy the attacker can delete.
- Immutable doesn’t always mean impossible to delete. Research your solution and ask your backup vendor exactly what enforces the immutability: is it a retention lock that the storage layer itself refuses to override, or a setting any backup administrator can switch off? Ask which accounts can delete backups or shorten retention, and keep those credentials separate from the domain admin accounts an attacker is most likely to steal.
- Test your backups regularly by actually restoring them to a scratch location and checking the restored data, so you know how to restore, how long it takes, and that the backups are viable.
- Both IR and DR tabletop exercises are incredibly helpful in finding potential gaps in your plan before an incident occurs. The best way is to have an external partner conduct these exercises. We’re all human (except maybe some of the folks in these stories) and we’ll tend to design an exercise to hide our flaws—not expose them. Expose the flaws before you’re dealing with an aimless horde.
- You can’t always just pay the ransom to get your files back. Some groups are on the US Treasury’s OFAC sanctions list, including groups tied to designated terrorist organizations, and paying a sanctioned party violates US sanctions law even if you did not know who you were paying. OFAC’s ransomware advisory (issued in 2020 and updated in 2021) says as much, so screen the group and the payment address before payment is even discussed.
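A restore drill only proves something if the restored data is checked against what was backed up. The Python below is an added example, not code from FRSecure or from any backup vendor: it records a SHA-256 manifest at backup time, verifies a restored tree against that manifest, and flags the two things the story’s attacker left behind, files renamed to the `.h3ll` extension (taken from the story and assumed here as the marker) and a ransom note. The file names, contents and ransom-note names are constructed for the demo.

```python
"""Added example (not FRSecure's code): hash manifest at backup time, verified restore later.
The '.h3ll' extension and ransom-note names are assumptions taken from the story."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

RANSOM_EXTENSIONS = {".h3ll"}                         # assumed marker from the story
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt"}  # assumed; vendor-specific in practice


def sha256_file(path: Path) -> str:
    """Stream the file so large backup sets do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(root: Path, manifest_path: Path) -> dict:
    """Record the manifest alongside (not inside) the backup job's output."""
    manifest = build_manifest(root)
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest recorded at backup time.
    Returns an overall verdict plus the missing, modified, extra and suspicious files."""
    present = build_manifest(restored)
    missing = sorted(set(manifest) - set(present))
    modified = sorted(p for p in manifest if p in present and present[p] != manifest[p])
    extra = sorted(set(present) - set(manifest))
    suspicious = sorted(p for p in present
                        if Path(p).suffix.lower() in RANSOM_EXTENSIONS
                        or Path(p).name.lower() in RANSOM_NOTE_NAMES)
    return {
        "ok": not missing and not modified and not suspicious,
        "verified": len(manifest) - len(missing) - len(modified),
        "missing": missing, "modified": modified,
        "extra": extra, "suspicious": suspicious,
    }


def demo() -> dict:
    """Constructed drill: back up a small tree, restore it, then damage the restore
    the way the story's attacker would and confirm the check catches it."""
    work = Path(tempfile.mkdtemp())
    src, restore, manifest_path = work / "sales", work / "restore", work / "manifest.json"
    (src / "contracts").mkdir(parents=True)
    (src / "contracts" / "cyberdiner.docx").write_bytes(b"constructed contract body")
    (src / "pipeline.xlsx").write_bytes(b"constructed spreadsheet body")
    manifest = write_manifest(src, manifest_path)
    shutil.copytree(src, restore)                      # stands in for the real restore job
    clean = verify_restore(restore, json.loads(manifest_path.read_text()))
    # Simulate what the data looks like if the attacker reached it before the drill.
    (restore / "pipeline.xlsx").rename(restore / "pipeline.xlsx.h3ll")
    (restore / "contracts" / "cyberdiner.docx").write_bytes(b"encrypted garbage")
    (restore / "readme.txt").write_text("Happy Halloween from The TexasBackupSlashers!")
    damaged = verify_restore(restore, manifest)
    shutil.rmtree(work)
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the manifest somewhere the backup job cannot overwrite and the backup administrator cannot edit; a manifest stored next to the backup, on the same credentials, is deleted or rewritten in the same stroke as the backup itself.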
While presented in a way to entertain you, stories like these happen constantly in our industry. We bring them to you not to frighten or make you anxious, but to help you understand real-world challenges in incident response, and how they can be prevented or remedied.
To avoid horror stories like these in your organization:
- Have an updated IR plan.
- Know what you’re going to do and have a trusted IR partner who will fight for you, as opposed to fighting to get the attackers paid.
- Establish your trusted IR partner with your insurance company before an attack.
- Backups are important. Offline backups are more important.
- Immutable doesn’t always mean impossible to delete; ask your vendor what enforces it and who can override it.
- You can’t always just pay the ransom to get your files back. Some groups are on the OFAC sanctions list, and US law prohibits paying them.
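Before anyone is allowed to pay, the group name from the note and the payment address should be screened against the current OFAC SDN list. Treasury publishes it as sdn.xml, and designated actors’ cryptocurrency addresses appear in it as “Digital Currency Address” identifiers. The Python below is an added example, not FRSecure’s code and not a compliance product: its parser follows the sdnEntry / lastName / akaList / idList layout of that file as understood here, which you should confirm against the live download, and the embedded XML is constructed sample data that echoes the story, not a real extract.

```python
"""Added example (not FRSecure's code): screen a ransom note's group name and wallet
address against an OFAC SDN XML export. Element layout is an assumption modelled on
sdn.xml; the sample XML below is constructed, not a real OFAC extract."""
import re
import xml.etree.ElementTree as ET

SAMPLE_SDN_XML = """
<sdnList xmlns="http://tempuri.org/sdnList.xsd">
  <sdnEntry>
    <uid>1</uid><lastName>TEXAS BACKUP SLASHERS</lastName><sdnType>Entity</sdnType>
    <programList><program>CYBER2</program></programList>
    <akaList><aka><type>a.k.a.</type><lastName>TexasBackupSlashers</lastName></aka></akaList>
    <idList><id><idType>Digital Currency Address - XBT</idType>
      <idNumber>bc1qconstructedslasherwallet0000000000000</idNumber></id></idList>
  </sdnEntry>
  <sdnEntry>
    <uid>2</uid><lastName>SHIPPING CO OF SOMEWHERE</lastName><sdnType>Entity</sdnType>
    <programList><program>SDGT</program></programList>
  </sdnEntry>
</sdnList>"""


def _local(tag: str) -> str:
    """Drop the XML namespace so the code survives a namespace change in the feed."""
    return tag.rsplit("}", 1)[-1]


def normalize(name: str) -> str:
    """Case- and punctuation-insensitive key: 'TexasBackupSlashers' == 'TEXAS BACKUP SLASHERS'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def load_sdn(xml_text: str) -> list:
    """Return one (name_keys, crypto_addresses, programs, primary_name) tuple per SDN entry.
    Primary name and every a.k.a. are collected; only digital-currency IDs are kept."""
    entries = []
    for entry in ET.fromstring(xml_text).iter():
        if _local(entry.tag) != "sdnEntry":
            continue
        names, addrs, programs, primary = set(), set(), [], ""
        for el in entry.iter():
            t = _local(el.tag)
            if t == "lastName" and el.text:
                names.add(normalize(el.text))
                primary = primary or el.text.strip()
            elif t == "program" and el.text:
                programs.append(el.text.strip())
            elif t == "id":
                kind = next((c.text for c in el if _local(c.tag) == "idType"), "") or ""
                num = next((c.text for c in el if _local(c.tag) == "idNumber"), "") or ""
                if kind.startswith("Digital Currency Address") and num:
                    addrs.add(num.strip())
        entries.append((names, addrs, programs, primary))
    return entries


def screen_payment(entries: list, group_name: str = None, address: str = None) -> list:
    """Return every SDN entry the name or address hits; an empty list is 'no match', not
    'cleared': affiliates and rebrands of a designated group are sanctioned too."""
    query = normalize(group_name) if group_name else ""
    hits = []
    for names, addrs, programs, primary in entries:
        reasons = []
        # Substring match so 'The TexasBackupSlashers' still hits; short keys are skipped
        # to avoid noise from two- or three-letter names.
        if query and any(len(k) >= 4 and (k == query or k in query) for k in names):
            reasons.append("name")
        if address and address.strip() in addrs:
            reasons.append("address")
        if reasons:
            hits.append({"entry": primary, "programs": programs, "matched_on": reasons})
    return hits


if __name__ == "__main__":
    sdn = load_sdn(SAMPLE_SDN_XML)
    print(screen_payment(sdn, group_name="The TexasBackupSlashers",
                         address="bc1qconstructedslasherwallet0000000000000"))
```

Run the screen against a freshly downloaded SDN file on the day of the decision, not a cached copy, and record the result: OFAC treats a documented, good-faith screening as a mitigating factor, and it is also the evidence your insurer and IR firm will ask for.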
It is our mission at FRSecure to fix the broken information security industry, and helping organizations better prepare for and respond to incidents is a critical component. So, if you need help with any of the concepts, practices, or recommendations from these stories, please don’t hesitate to reach out.
Fascinating read! The incident response horror stories are both eye-opening and educational. Thanks for sharing these valuable lessons on handling cybersecurity crises!