A Manitoba-based insurance agency serving Western Canada has confirmed it was recently hit by ransomware after the gang behind the attack publicized the incident because the firm refused to pay up.
Andrew Agencies of Virden, Man., told several news services, including the CBC and CTV, that it had been hit. CTV quoted Dave Schioler, the executive vice-president and general counsel, as saying there is no evidence of sensitive personal information or data being stolen or compromised.
“We can advise that the incident has had minimal impact on our operations,” he said.
He is quoted as telling the news agency that his firm didn’t pay a ransom.
According to the CBC, Andrew Agencies was among the first companies outed by the group behind the Maze ransomware, which has promised to publicize the names of organizations that refuse to pay for the decryption keys to unlock their data, and to publicly release sensitive data it has stolen. The group says its version of ransomware includes data-stealing as well as encryption capabilities.
Andrew Agencies has 18 offices in Manitoba, Saskatchewan and Alberta.
BleepingComputer says the Maze group told it by email that it attacked Andrew Agencies on October 21st and encrypted 245 computers. As “proof” of the attack, the news site says, it was sent a list of the 245 encrypted computers, their IP addresses, computer names, and the sizes of the data encrypted by the ransomware.
The news site also says the person it communicated with released a text file containing a list of 876 user names and hashed passwords for users on the network. Depending on the quality of the hashing system used by the insurance agency, the hashes may be safe.
Maze told BleepingComputer that the ransom amount was $1.1 million, or 150 bitcoins. The insurance agency, it says, had some communications with the attackers but then stopped responding. The attackers said their deadline for receiving the ransom was the end of November.
Earlier this week, incident response expert Ed Dubrovsky told IT World Canada that the Maze group has the ability to steal some data before encrypting a victim’s systems, but usually nowhere near as much as it often claims. However, he added, it would have enough stolen data to be damaging.
The fact that the insurance agency didn’t publicly confirm it was hit by ransomware until news reports emerged raises questions about the effectiveness of recent changes to Canada’s privacy law. The changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) oblige organizations to notify victims and the federal privacy commissioner if there is a breach of security controls that would result in a “real risk of serious harm” to individuals. That would cover certain data copied by an attacker.
While Maze threatens to release “databases and private papers” belonging to the Manitoba firm and other victims, CTV quoted Andrew Agencies’ lawyer as saying the firm has no evidence that “sensitive” personal details had been jeopardized.