We were sent a note drawing our attention to the following story from a company engaged in cyber security protection. It raised interesting questions about not only future insurance coverage, but also what exclusions might exist that we haven’t thought about.

Insurance policies from Lloyd’s to have an exclusion for “state-backed cyber-attacks”

Lloyd’s of London will require state-backed cyberattack exclusions in policies beginning in March 2023, according to a market bulletin sent out by the company. The bulletin stated that in addition to any existing war exclusion, any new or renewed cyber policies should exclude losses from a war – whether or not the policies already have a separate “war exclusion.”

Which raises some interesting questions. Does your policy have an “act of war” exclusion now? If so, does it consider:

an attack by a state sponsored group, regardless of target, an act of war? Would a ransomware attack by a North Korean, Russian or any other state sponsored group be considered an act of war?
an attack on critical infrastructure of a nation an act of war? More and more ransomware attacks are targeting infrastructure.
an attack on a firm engaged in government contracts for defence or other services also a possible act of war?

Companies will need to read their current, as well as new or renewed, policies carefully for these and any other possible exclusions, especially as the costs of ransomware impact insurance premiums.

Upping the ante – from double to triple extortion

The LockBit ransomware gang said that it will be adding distributed denial of service (DDoS) attacks to its current “double extortion.” Like many other ransomware gangs, they have incorporated theft and threat to reveal company data in addition to encrypting data.

A spokesperson posted this quote on a hacker forum, outlining the gang’s recruiting of expertise in DDoS attacks.  “I am looking for dudosers [DDoSers] in the team, most likely now we will attack targets and provide triple extortion, encryption + date leak + dudos, because I have felt the power of dudos and how it invigorates and makes life more interesting,”

Ironically, LockBit was itself subject to a recent DDoS attack that prevented access to data published on its corporate leaks site. The gang indicated that it will be increasing its DDoS defence as well as offensive strategies.

Sourced from articles on Bleeping Computer

80 per cent of attacks rely on common configuration errors

Microsoft’s recent Cyber Signals report makes particular mention of the growing risks presented by Ransomware as a Service (RaaS) and notes that “80 per cent of ransomware attacks can be traced to common configuration errors.”

Some of the most common errors are:

not utilizing Multi-Factor Authentication (MFA)
installing with the “default state” and not making adjustments to increase security. Default settings are set to make installation easier in a wide variety of situations, not to optimize security in a specific context
allowing unnecessary access to users, who are at times given permissions that span the entire company network, which allows attacks to spread horizontally
not applying vendor (in this case Microsoft’s) “surface reduction rules” such as preventing execution of malicious macros and scripts

The report also contains strategies for prevention of attacks and ways to minimize damage, as well as a profile of a Microsoft threat intelligent analyst, ironically named – Emily Hacker.

Major French hospital forced to close due to ransomware attack

A 1000-bed hospital located 28km from the center of Paris experienced a ransomware attack last week. Center Hospitalier Sud Francilien (CHSF) was forced to send patients to other facilities and to postpone surgery and other treatment.

CHSF serves an area with over 600,000 people, and the shutdown presents a serious danger to the health of that population, both in terms of emergencies and in delays in necessary treatment.

According to an announcement by CHSF, not only were the business related and patient systems affected, but also storage for medical imaging, making the shutdown necessary.

Millions of customers of a streaming service compromised

Plex, the popular video streaming service, is requiring all of its 30 million customers to change passwords after hackers stole data containing the usernames, passwords and emails of at least half of them.

In our third point of irony for this edition, among those affected was Troy Hunt, who runs the popular site “Have I Been Pwned.” Hunt announced this in a tweet, stating “Aw, crap, I’m pwned in a @plex data breach. Again, I can’t do anything to *not* be in a breach like this (short of not using the service), but a @1Password generated random password and 2FA enabled makes this a mere inconvenience rather than a genuine risk.”

The post Is “state-backed” ransomware excluded from cyber insurance? Plus three points of irony. This Week in Ransomware – Monday, Aug 29th first appeared on IT World Canada.