Full Report
Allardyce Bower Consulting paid more than $14,000 for a cyber insurance policy that included ransom coverage, but when they needed it, the insurer refused to pay. Had the business made a grave error in security? Over on SuspectFile, Marco A. De Felice writes: Allardyce Bower Consulting (ABC) was the victim of a severe cyberattack attributed... Source
Analysis Summary
# Incident Report: Ransomware Attack Leading to Cyber Insurance Denial
## Executive Summary
Allardyce Bower Consulting (ABC) suffered a severe ransomware attack attributed to the Securotrop group. The intrusion began in late August 2025, its servers were encrypted on September 7, and a large volume of data was stolen and later released online. Although ABC held a cyber insurance policy with Coalition covering ransomware up to $5 million, the insurer refused to fund the ransom demand. The refusal appears linked to ABC's breach of the policy's "Duty to Cooperate" clause: a copy of the policy document was stored on a server the attackers could reach, and the coverage was potentially disclosed to them during negotiations.
## Incident Details
- **Discovery Date:** Not stated in the source; the encryption of servers on September 7, 2025 is the first confirmed observation.
- **Incident Date:** Late August 2025 through September 7, 2025 (and ongoing data release).
- **Affected Organization:** Allardyce Bower Consulting (ABC)
- **Sector:** Consulting (Implied)
- **Geography:** Not explicitly disclosed; the policy limit is quoted in Canadian dollars, which suggests Canada.
## Timeline of Events
### Initial Access
- **Date/Time:** Late August 2025
- **Vector:** Not disclosed in the source.
- **Details:** Intrusion into the company’s systems began.
### Lateral Movement
- **Details:** By September 7, 2025 the attackers had enough reach across the environment to encrypt ABC's servers.
### Data Exfiltration/Impact
- **Details:** A large volume of sensitive data was stolen and subsequently released online following server encryption.
### Detection & Response
- **Detection:** How ABC detected the intrusion is not stated. The source records that ABC notified its insurer, Coalition, which formally triggered the policy.
- **Response actions taken:** ABC engaged the insurer, but Coalition declined to pay the ransom demand, and it is unclear how much of ABC's other incident response costs the policy ultimately covered.
## Attack Methodology
- **Initial Access:** Not detailed. ABC had passed Coalition's pre-policy security audit, which suggests that controls lapsed after the policy was issued.
- **Persistence:** Implied: the intrusion persisted from late August until the September 7 encryption.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** The attackers learned the existence and coverage limits of ABC's cyber insurance policy; a copy of the policy document was stored on a server they could reach.
- **Lateral Movement:** Implied by the encryption of systems.
- **Collection:** A large volume of sensitive data was collected/stolen.
- **Exfiltration:** Data was exfiltrated prior to online release.
- **Impact:** System encryption and data leakage.
*Note on Attackers: The ransomware group involved was **Securotrop**.*
## Impact Assessment
- **Financial:** ABC paid more than $14,000 in premiums. With the claim denied, the ransom demand and potentially the related expert fees fell outside the payout, leaving ABC to absorb costs it believed it had insured against.
- **Data Breach:** A large volume of sensitive data was compromised and publicly released.
- **Operational:** Server encryption indicates significant operational disruption.
- **Reputational:** Public reporting of the incident and the failure of the insurance payout likely caused reputational harm.
## Indicators of Compromise
*No specific technical IOCs (IPs, domains, hashes) were provided in the text.*
- **Behavioral indicators:** The attackers leveraged knowledge of the victim's cyber insurance policy and coverage limits during negotiation and post-breach activity, a known tactic of groups such as Conti, HardBit, and Qilin.
## Response Actions
- **Containment:** Not detailed in the source beyond the fact that ABC had to manage the encryption and the data leak.
- **Eradication:** Not detailed.
- **Recovery:** Not detailed beyond the non-payment of the ransom.
## Lessons Learned
- Storing comprehensive cyber insurance policies, related correspondence, or internal memos about coverage on accessible systems significantly increases risk, as threat actors actively seek this documentation.
- ABC stored a copy of its policy on a reachable server even though this risk has been publicly documented since 2021, when Conti was observed exploiting victims' insurance documentation.
- ABC potentially violated the policy's "Duty to Cooperate" clause, which explicitly requires the insured to "make every reasonable effort not to divulge the existence of this coverage, without first seeking our prior consent." ABC reportedly exposed the policy details to the attackers.
## Recommendations
- Cyber insurance policies, correspondence, and related internal documentation must be stored in highly secure systems with strict access controls (e.g., treated like a physical safe deposit box).
- During an active incident response, organizations must avoid discussing incident response progress, coverage, or policy details over potentially compromised internal communication channels (email, messaging).
- Organizations must undergo regular audits to ensure that security hygiene standards that were met for the *pre-coverage audit* are maintained *after* the policy is issued.
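The first and third recommendations above can be turned into a check a defender runs rather than a policy statement: hunt the file shares an intruder could reach for insurance documentation and flag copies that are broadly readable. The following Python script is an added example, not code from the original report, SuspectFile, ABC, or Coalition; the keyword list, the constructed sample directory tree and the POSIX "other-readable" permission test are assumptions chosen for illustration and should be tuned to your own environment (on Windows shares you would substitute an ACL check).

```python
"""Hunt a file share for exposed cyber-insurance documentation.

Added example (not code from the original report or from the parties it
describes). The keyword list, the sample files and the permission test are
assumptions chosen to illustrate the check; tune them to your environment.
"""
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import List, Optional

# Assumed indicators: terms a ransomware negotiator would grep a share for.
POLICY_TERMS = [
    r"cyber\s*insurance",
    r"ransom(ware)?\s+coverage",
    r"policy\s+limit",
    r"aggregate\s+limit",
    r"duty\s+to\s+cooperate",
]
TERM_RE = re.compile("|".join(POLICY_TERMS), re.IGNORECASE)
NAME_RE = re.compile(r"(insurance|policy|coverage)", re.IGNORECASE)
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".eml", ".msg", ".html"}
MAX_READ = 1_000_000  # bytes of content inspected per file


def is_broadly_readable(path: Path) -> bool:
    """True if the file is readable by 'other' (POSIX mode bit S_IROTH)."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def classify(path: Path) -> Optional[dict]:
    """Return a finding for files that look like insurance material, else None."""
    reasons = []
    if NAME_RE.search(path.name):
        reasons.append("filename")
    if path.suffix.lower() in TEXT_SUFFIXES:
        try:
            text = path.read_text(errors="ignore")[:MAX_READ]
        except OSError:
            text = ""
        hit = TERM_RE.search(text)
        if hit:
            reasons.append(f"content:{hit.group(0)!r}")
    if not reasons:
        return None
    return {
        "path": str(path),
        "reasons": reasons,
        "world_readable": is_broadly_readable(path),
    }


def scan_share(root) -> List[dict]:
    """Walk root and collect findings, world-readable ones first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = classify(Path(dirpath) / name)
            if finding:
                findings.append(finding)
    findings.sort(key=lambda f: (not f["world_readable"], f["path"]))
    return findings


def build_sample_share() -> str:
    """Constructed sample tree (not real data) so the block runs offline."""
    root = tempfile.mkdtemp(prefix="share-")
    (Path(root) / "finance").mkdir()
    (Path(root) / "hr").mkdir()
    samples = {
        # A policy copy left on the finance share, readable by everyone.
        "finance/Cyber_Insurance_Policy_2025.txt": (
            "Cyber insurance policy. Ransomware coverage up to the policy limit. "
            "Duty to Cooperate: do not divulge the existence of this coverage.",
            0o644,
        ),
        # Broker notes: sensitive content but restricted to the owner.
        "finance/renewal_notes.txt": ("Broker call: aggregate limit unchanged.", 0o600),
        # Benign files that must not be flagged.
        "hr/onboarding.txt": ("Welcome to the team.", 0o644),
        "finance/q3_invoices.csv": ("vendor,amount\nacme,1200\n", 0o644),
    }
    for rel, (body, mode) in samples.items():
        p = Path(root) / rel
        p.write_text(body)
        p.chmod(mode)
    return root


if __name__ == "__main__":
    for f in scan_share(build_sample_share()):
        flag = "EXPOSED" if f["world_readable"] else "restricted"
        print(f"{flag:10} {f['path']}  ({', '.join(f['reasons'])})")
```

Run it against a mounted share root instead of the sample tree; every "EXPOSED" hit is a document to move into the restricted store the first recommendation describes, and re-running the scan on a schedule is one concrete form of the post-issuance audit in the third.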