The Record published an interesting interview last week with “Unknown”, a representative of the notorious REvil ransomware gang.
What I found particularly fascinating was a claim made by “Unknown” that the REvil gang specifically targets firms who have taken out insurance against ransomware attacks – presumably in the understandable belief that those corporate victims are more likely to pay up.
But more than that, the claim is made that the insurance companies themselves are hacked in order to determine who the ransomware gang’s next victim should be:
Do your operators target organizations that have cyber insurance?
Yes, this is one of the tastiest morsels. Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.
It’s certainly not unknown for cyber insurance firms to suffer a ransomware attack. For instance, a year ago the Maze ransomware gang claimed to have stolen data from Chubb.
The Maze gang are no more, having announced they had quit the ransomware business. But there are plenty of other ransomware operations that continue to follow the same business model – including REvil.
REvil (also known as Sodinokibi) has claimed responsibility for a slew of ransomware attacks against high-value targets, threatening to release stolen data to other criminals, or publish it on the internet, if a ransom is not paid.
One of REvil’s highest-profile attacks was the compromise of Travelex, the now-defunct foreign currency exchange service.
Travelex reportedly paid out $2.3 million worth of Bitcoin to the REvil gang following the attack.
Be sure to check out the full interview by Dmitry Smilyanets with REvil’s “Unknown” on The Record.
Does this mean they've hacked the re-insurers? How else can they know which companies are insured for this?
That does appear to be what they're claiming, yes…
I wonder who is insuring the insurance companies?