A notorious ransomware gang claims to have successfully compromised the infrastructure… of a company selling cyberinsurance.
The Maze ransomware group says it has encrypted data belonging to Chubb, which claims to be one of the world’s largest insurance companies, and is threatening to publicly release data unless a ransom is paid.
The announcement by the cybercrime gang was published on Maze’s website, where it lists what it euphemistically describes as its “new clients”.
Maze’s normal modus operandi is to compromise an organisation, steal its data, infect the network with its ransomware, and post a pre-announcement on its website as a warning to the corporate victim that if they do not pay a ransom their stolen data will be published on the internet.
At the time of writing, Maze has published no proof that it has successfully infected Chubb’s systems. It has published the email addresses of Chubb’s Chief Executive, Vice Chairman, and Chief Operating Officer, but this is information which could have been easily obtained through means other than hacking.
When asked to provide more information, the Maze group is currently keeping its lips sealed – presumably waiting to see if Chubb will pay a ransom.
For its part, Chubb told Bleeping Computer that – with the help of cybersecurity experts and law enforcement agencies – it was investigating whether hackers might have stolen data from a third-party service provider as it has not found any evidence that its own network has been compromised:
“We are currently investigating a computer security incident that may involve unauthorized access to data held by a third-party service provider. We are working with law enforcement and a leading cybersecurity firm as part of our investigation. We have no evidence that the incident affected Chubb’s network. Our network remains fully operational and we continue to service all policyholder needs, including claims. Securing the data entrusted to Chubb is a top priority for us. We will provide further information as appropriate.”
Whether it was Chubb or one of its external partners that was compromised remains to be seen, but the mention of Chubb on Maze’s list of “new clients” was enough to prompt security researchers to explore the state of Chubb’s security – with some discovering that the company appeared to have left RDP open for anyone to access via the internet, and that the firm was using unpatched Citrix Netscaler servers (commonly exploited in past Maze ransomware attacks).
More and more companies are choosing to take out commercial cyberinsurance policies to mop up some of the costs if they are hit by ransomware and other forms of hacker attacks. For a large company selling cyberinsurance to potentially be one of the latest ransomware victims is particularly ironic, and sends a warning to all firms not to be complacent about the threat.