IT system unavailable

THE CONTEXT

An accounting department employee opened an email attachment on her computer.

Before the IT manager was able to take action, the files accessible from the user profile had been encrypted: each targeted file was unreadable and had been renamed with an “.mp3” extension. In addition, ransom-note files appeared on the computer demanding payment in bitcoins: 500 dollars before 2 March 2016, or 1000 after that date.

GM CONSULTANT INTERVENTION

Upon receiving the mission, our cyber risk loss adjuster visited the company to help the IT department. We assisted the policyholder with the appropriate response and worked with the company to verify that the origin and the nature of the incident, as well as the scope of the damage, had been identified before validating the plan of action that was already underway. Immediately sending the loss adjuster to the site also meant it was possible to recover the malicious email that triggered the incident. The server applications were gradually restored the next day, once the virus had been contained and treated.

The GM Consultant loss adjuster then analysed the evidence gathered at the site and established the nature of the virus (TeslaCrypt 3.0 ransomware), the date and time of the incident, the entry point, the connection between the ransomware and what had happened, and the scope and consequences of the virus.