CASE STUDY

Industrial manufacturer pays less than half of initial ransom demand after data backups are compromised

Manufacturer working in the workshop

Industry

Manufacturing

Background

  • Employees: <100

  • Coverages: Breach Response, Cyber Extortion

An industrial machinery manufacturer with nine U.S. locations received a ransom note from an advanced ransomware group. They contacted the Coalition Claims Hotline and engaged Coalition Incident Response (CIR¹) for recovery. Within 3.5 hours, CIR deployed endpoint monitoring and initiated response efforts.

The manufacturer’s backups, managed through Veeam software, were also compromised by the threat actor, and 50-60% of the data was encrypted. The insured couldn’t fully resume operations despite recovering about 75% of the data from their Veeam and Azure Cloud backups. This issue, combined with concern that the threat actor would leak client data led them into negotiations with the threat actor, ultimately reducing the ransom demand of $1.5 million to less than half the initial amount. The threat actor provided the decryptor and confirmed the deletion of stolen files. The insured’s Cyber Extortion and Breach Response coverage under their policy² handled the ransom payment and the cost of CIR.

CIR’s forensic investigation couldn’t determine the exact cause of the ransomware attack due to the lack of logs maintained by the insured. However, they discovered an unauthorized device accessing the insured’s VPN, indicating a breach in the VPN’s firewall.

Coalition brings together active monitoring, incident response, and comprehensive insurance to solve cyber risk. To learn more, visit coalitioninc.com.

1. Breach response included the engagement of an incident response firm; the insured selected Coalition Incident Response. 2. The claim scenarios described here are intended to show the types of situations that may result in claims. These scenarios should not be compared to any other claim. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued and applicable law.