Best practices are no longer enough; ransom demands are significant and the scrutiny placed on these insured incidents and payments are onerous. Based on the advisories which broadly cover all stakeholders, if you are not partnering with the right investigative team who can facilitate proper payment, you will be in a precarious position. Your partner needs to perform due diligence, have extensive forensic investigations experience, and knowledge of, and capabilities for, cryptocurrency payments.
At a minimum, there are four elements that constitute a compliant and successful investigation and ransom payment process:
1. Threat Intelligence and Ransomware Code Analysis - Threat intelligence data must be analyzed to support due diligence activities and proper identification of the threat actor group. This first set of facts will reflect indicators of compromise, hashes and queries that might provide insight into the characteristics of the group, individual, or malware responsible for the attack. The performance of malware reverse engineering will ensure visibility into the full picture.
2. Coordination with Law Enforcement - Any partner must have contacts with, and access to, the appropriate law enforcement personnel. Written attestations are key to showing the information gathered during the engagement was shared with the appropriate government representative(s). The information must be specific such as relevant email addresses, IP addresses, malware hashes, and suspicious domains.
3. Investigations - A team needs to have decades of practical experience in the field. The experience is essential to show they have the capabilities to determine root cause efficiently, identify the systems accessed by the threat actor and confidently state what data is suspected to have been targeted or exfiltrated.
4. Payments via In-House Wallet or Third-Party Relationships - A partner needs to be able to source and provide bitcoin when appropriate and quickly. Only work with a partner who issues ransom payments in conjunction with an investigation, to instill confidence in the fact-based decisions that prompted payment. This is critical for any insurance industry professional to be able to rely on and document in the file.
We all agree that ransomware attacks are a threat to our national security and the cyber insurance community provides another layer of defense. As the frequency and severity of these attacks increase, take this opportunity to add value to your clients by introducing them to the right partner and avoid sanctions.
Bios:
Austin Berglas, Global Head of Professional Services at BlueVoyant, spent 22 years serving in the US Government and was Head of the FBI’s NY Office Cyber Branch. In this role, he was responsible for all national security and criminal cyber investigations in the FBI’s largest cyber program, managing numerous high profile joint and international investigations.
Vincent D’Agostino, Head of Incident Response and Cyber Forensics at BlueVoyant, spent eleven years as a Special Agent in the FBI’s NY Office. As one of the most senior Special Agents within the Cyber Branch, he was recognized as a subject matter expert in TOR hidden services and cryptocurrency facilitated criminal activity. Additionally, Vincent was the trial agent for the Silk Road investigation, the case agent for Silk Road 2 investigation, and was the lead FBI Agent investigating the Mt. Gox Bitcoin exchange (which involved the theft of $700M in Bitcoin.) Although not currently engaged in the practice of law, Vincent is a member of the bar of the State of New York.
For more information, please contact any of the following:
Austin Berglas
Global Head of Professional Services
908.477.8871
Vincent D’Agostino
Head of Cyber Forensics and Incident Response
vincent.dagostino@bluevoyant.com
516.493.1016
Jennifer Rothstein
Business Development Head, Insurance & Legal
jennifer.rothstein@bluevoyant.com
917.596.0866