Island Community Perseveres Amid Ransomware Attack
Imagine life on an island only accessible by boat.
No cars, just golf carts. Daily ferry rides to the mainland. Slow-paced and blissfully isolated from the stress and chaos of the modern world.
Now, imagine how quickly life on that island could be turned upside down by a ransomware attack.
That’s exactly what happened to the island’s real estate development and ferry transportation company. We had an opportunity to chat with the System Administrator and Chief Financial Officer of the development company to hear their firsthand account of their experiences.
When did you first think about how cyber risk could impact your business?
System Administrator (SA): We were hit with a small ransomware attack before this incident, and that was the first time I realized it could happen to us. It locked down one server that we really needed. Thankfully, it was pretty minor, and we could handle it on our own. It was a wake-up call to make sure we had certain systems working better.
Chief Financial Officer (CFO): We tried to purchase cyber insurance the year after that incident as we headed into our business insurance renewals. At first, we struggled to find insurance, but we finally locked down cyber with Coalition after a few years.
What role does technology play in your company?
SA: It’s at the center of what we do. Because we operate the ferry and marina, we rely on certain software for ticket sales, reservations, and carrying vendor trucks to the island. We have programs that track all of that. We could operate without technology, but it would be a paper-intensive operation. We also have accounting software and back-of-the-house operations like HR and IT working together seamlessly.
When did you realize you were hit with a ransomware attack, and how did you react?
SA: I’d gotten up and had my first cup of coffee at 5:45 a.m. It was a Saturday morning, and I was planning on it being an ordinary day. That’s when my phone rang. The call was from someone on my team saying they couldn’t access our system. I figured it was probably a server that needed to be restarted, something minor.
Since I was still logged into the system, I hopped on, and the first thing I saw was a great big ransomware note that said, “You’ve been encrypted. Don’t tell your boss. It’ll be okay; we’ll get this taken care of. You just need to follow our instructions.” My stomach fell through the floor. That’s when I knew my day was not going to be good.
I went into reaction mode. I started an investigation to get an idea of the scope of the incident, and I noticed it was pretty extensive. That’s when I called our CFO and said, “Did we get that cyber insurance policy? We’re going to need it.”
CFO: He called me around 7 a.m. It can’t be good when the SA calls that early. I immediately started thinking about what we needed to do next and what impact it would have on the company. I contacted our internal person who works with all of our insurance policies and she was able to contact Coalition and get our claim started. They quickly assembled breach counsel and an incident response team and connected us with the vendors we needed.
Within 15 minutes of notifying Coalition, I received a call from a claims manager, where she introduced herself and provided her phone number. Our work with Coalition and our cybersecurity team started that day. During the weekly calls, we sometimes spoke with 26 people between attorneys, incident response, and Coalition. Honestly, I only had to make sure we paid our retention. Behind the scenes, our claims manager handled everything.
How did Coalition help you navigate the next stage of the response?
SA: Once the incident response firm was involved, they immediately talked me through ways of making sure we shut the doors to the bad guys to keep them from doing more damage.
Then, we started the process of putting things back together. I’m not just saying this because we have a Coalition policy, I’m saying it sincerely: Coalition put together a team that was available to step in very quickly to provide support. I needed that. So much needed to be fixed, and I didn’t have to spend time negotiating with the threat actors. This team took care of all that, and I was able to work on getting the systems back up and functional.
CFO: Thankfully, we had almost total business continuity. Our Parking Manager had us use handheld payment devices that were still operable. Our marine manager used handwritten tickets and found other alternatives to keep up with inventory, as did our Shipping & Receiving Manager. We returned to the old-school way for a little while, which took longer, but it worked. Every level of the company was on board with the process and participated as needed to keep us afloat during the earliest hours and days of the attack, starting with the CEO and moving through the company.
Were you able to restore from backups, or did you decide to pay the ransom?
SA: Unfortunately, the threat actor did a very good job of scoping us out and finding where our weaknesses were. They deleted every backup we had, locally and in the cloud. So we were faced with the decision to build everything from the ground up or negotiate with the criminals. I don’t like it, but we did what we had to do.
CFO: We were in the middle of our busiest time of year. I think they knew that. We knew we didn’t have the tools to recover the back of the house. The accounting side was completely shut down.
The incident response team had dealt with these particular threat actors before, and they warned us that if we took too long to respond, they would likely keep destroying things. They were already making robocalls to our employees in scary voices, telling them they would release all the information. Our policy ultimately covered the low six-figure ransom payment.
How was your experience with a cyber claim different from traditional insurance claims, like property & casualty or auto?
CFO: This was different from any other claims experience I’ve been through with hurricanes or business interruption. With those events, you have weeks to collect data, submit your claim, and negotiate the best path forward. With a cyber claim, everything was so fast.
SA: From day one, Coalition helped us rebuild our business and went above and beyond a typical insurance experience. The threat actors didn’t just break our servers. They broke our infrastructure. On one of our early calls with the incident response team, I remember saying I was drinking from the firehose trying to rebuild everything. They immediately said they could send someone onsite to help me and arrived later that same day. They helped us get workstations back up and running. We were mostly back within two weeks despite the mayhem. The professionalism and level of skills that came to the table from Coalition and the incident response firm were impressive and outstanding. Active insurance was a lifesaver.
What would have happened if you didn’t have cyber insurance?
SA: You know, we talked about this. I thought, “Now isn’t a bad time to retire.” But I wouldn’t have done that. It would have been much more challenging to come back from this, and we would have been more exposed to the threat. The remediation tools, like SentinelOne®, prevented the threat actors from doing even more damage. Instead of two weeks, it could have taken two months or more to recover.
CFO: I don’t even want to contemplate what it would have been like without cyber insurance. It wouldn’t have been pretty. Getting the financial reporting back up could have easily taken six months or more just to return to where we were before they came in.
What would you say to a business that doesn’t have cyber insurance?
CFO: You should get it. I found out from the incident response guys that these bad guys ransomware veterinarian clinics, banks, and hospitals. They’ll attack for whatever they can get from you. If you have a hole in your network, they’ll find it and get in. They’ll take whatever they can get.
I can’t emphasize this enough: You don’t know how it’ll go until you get hit. You can tell yourself it will shut a system down and cause this kind of problem, but until you’re standing in that deep water, you have no idea how that feels or how it looks. Suddenly, you’re responsible for a group of employees and maintaining operations. You have to be ready to respond immediately, and cyber insurance got us through this.
What have you learned from this experience?
SA: We have to protect ourselves better. We received recommendations from the incident response firm and implemented those going forward. For example, we continued using SentinelOne for endpoint detection and response (EDR). We added managed detection and response (MDR) for an additional layer of protection. It’s like adding a 24/7 alarm system to our house so we have help even when we can’t monitor all EDR alerts with our small team.
I’m more confident after being punched in the nose by these threat actors, but I’m not ignorant that they’re talented. We’ll do everything we can to make sure we have the guards at the gates.