
Having technical details on how their AD was infected and what they did to clean up would be useful for everyone. Much more than financial data, unless El Reg wants to become the new WSJ?
Sopra Steria has said a previously announced Ryuk ransomware infection will not only cost it "between €40m and €50m" but will also deepen expected financial losses by several percentage points. The admission comes weeks after the French-headquartered IT outsourcing firm's Active Directory infrastructure was compromised by …
Once again, I see the same pattern emerging. Risk assessments that over-estimate likelihoods but under-estimate consequences. The most important failing is usually failure to aggregate all the consequential costs, as these can appear at several stages past the event (clean up, down time, restoration, liability defence costs &c.).
An organisation I consulted with a while back had a minor malware infection that they were slow to control the spread of. It did no actual damage other than a bit of day-to-day business disruption - all that was needed was some restores from backups. However, the process of identifying, controlling and recovering from it took about four weeks and tied up the entire senior IT team - total cost in the region of $2M.
Having an insurance policy isn't the same as insurance paying out in the event you make a claim.
Ransomware taking out a large business smacks of a company paying lip service to the risk, not preparing for a known attack and probably not training staff to not click on phishing emails. Admittedly this may have been a targeted attack with well-crafted emails, but the characteristics of ransomware are well known, not new, and mitigations can be put in place.
I would suspect the insurers will be investigating many ways to get out of paying.
If you have house insurance they won't pay out for a burglary if you don't lock your doors. I don't imagine cyber insurance will pay out if you haven't carried out best practice. TBH I don't know anyone that does, not really.
Having an insurance policy isn't the same as insurance paying out in the event you make a claim.
This. Anybody who’s ever made a car or home insurance claim knows what slippery, devious f***ers insurance companies are.
If data is exfiltrated and published by the attacker (e.g. Maze), you can start thinking about how big your GDPR fine might be...
"training staff to not click on phishing emails" - I don't doubt the insurance company will try and avoid paying out because of the lack of training, but we know that (to a first approximation) such training doesn't work. Training staff not to use email from privileged accounts is much more likely to be useful.
If training is a mitigation against the fines it's worth doing, considering how large the fines for GDPR are (at least the point of issue). It may only be marginally effective against the attack, but even a small number of avoided minor incidents can easily make the training economically worthwhile, especially if it is effective in stopping staff clicking on shit at home then taking days off to fix their mess.
The ICO expects DP training to be given to 95% of staff annually. Right down to your cleaning staff who may encounter personal information when clearing desks etc.
Insurance companies often have tricky wording to limit pay outs where the policy holder is underinsured.
Sopra may be insured for £30m (i.e. that is the maximum they expect the insurance to pay out in the event of a loss), but they claim their losses are £50m. Taking the insurance company's words, they underinsured at 3/5ths, so they will only pay out 3/5ths of the insured value, £18m.
"Ransomware attacks exist on Linux as well as Windows" - WRONG.
Please give us one example - only one, pleeeease! - of an attack vector similar to those in the M$ biotope. A malware attack similar to those under Windows is IMPOSSIBLE against a Linux (or xBSD) desktop and network. You always need a malicious insider (such as an 'evil maid') and/or a severe blunder of system management.
Web servers are even more endangered. Why do the majority of web servers worldwide run on Linux or xBSD? All successful attacks against Linux/xBSD web servers I know of were based on administrators' errors (weak passwords and the like) and/or security holes in application SW (CMS, shop, database, ...). Which again is an administrative or system management error: available patches not applied. NEVER was a weakness in the underlying OS Linux or xBSD part of the attack vector - in all cases I know of. Do you know better?
To make that clear: I am talking about the usual mass attacks. If you are the target of a governmental "service" - they find their way sooner or later, so good luck! :-)