Ransomware hits US-based Arthur J. Gallagher insurance giant

US-based Arthur J. Gallagher (AJG) global insurance brokerage and risk management firm confirmed a ransomware attack that hit its systems on Saturday.

AJG is one of the largest insurance brokers in the world with more than 33,300 employees and operations in 49 countries.

The company is ranked 429 on the Fortune 500 list and it provides insurance services to customers in over 150 countries.

All computing systems shut down to block the attack

AJG says that it detected the ransomware attack on September 26, 2020, with only a limited number of the company's internal systems being affected.

"We promptly took all of our global systems offline as a precautionary measure, initiated response protocols, launched an investigation, engaged the services of external cybersecurity and forensics professionals, and implemented our business continuity plans to minimize disruption to our customers," the company added on September 28th, in an 8-K filing with the U.S. Securities and Exchange Commission (SEC).

"As of the date hereof, we have restarted or are in the process of restarting most of our business systems," AJG further explained.

"Although we are in the early stages of assessing the incident, based on the information currently known, we do not expect the incident to have a material impact on our business, operations or financial condition."

BleepingComputer reached out to Arthur J. Gallagher via their media contact for more details regarding the ransomware attack to no avail. Since then, BleepingComputer was blocked from accessing their media contact page.

After this article was published, Troy Mursch, chief research officer at cybersecurity intelligence firm Bad Packets, said that AJG had two F5 BIG-IP servers vulnerable to CVE-2020-5902 prior to the ransomware attack.

If you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal at +16469613731 or on Wire at @lawrenceabrams-bc.

Data breach risks

While AJG didn't say in the SEC filing if any customer or employee data was accessed or exfiltrated by the attackers, there is a high chance that data was stolen depending on the ransomware group that was behind the attack.

Given that before issuing a policy insurance companies usually need medical records, blood tests, health and financial information and, in some cases, tax returns, a data breach could lead to extremely sensitive documents being exposed in AJG's case.

To be more exact and to illustrate the types of sensitive data that might get exposed, AJG says in its privacy policy that it collects the following data from customers:

BleepingComputer knows of 22 different ransomware operations known to first steal sensitive files from their victims' servers before encryption.

The stolen data is later used as leverage to force the attacked organizations to pay the ransoms under the threat of gradually leaking the info and, in some cases, increasing the ransom until the entire batch of stolen files is published on sites specifically designed for this exact purpose.

In November 2019, Maze ransomware operators were the first ones to publish a victim's stolen data for not paying the ransom, in that case, documents exfiltrated from the systems of Allied Universal.

They first started publishing the data via posts on hacker forums and, ultimately, through a dedicated data leak site. 

Update: Added information on vulnerable AJG F5 BIG-IP servers.