Read IT Now: Claim filed by Israeli company attacked by Ransomware
Press Publications

Read IT Now: Claim filed by Israeli company attacked by Ransomware

February 10, 2020

Read IT Now: Claim filed by Israeli company affected by Ransomware
Published since 1999
Categories by Read IT Now
Claim filed by Israeli company attacked by Ransomware
Categories: Information Security / Cyber ​​Law
The lawsuit, filed by attorneys Doron Afik and Yair Aloni [Afik & Co., attorneys and Notaries], states, inter alia, that the Plaintiff is engaged in development of digital platforms. “A very significant part of the Plaintiff’s business is based on its computing systems and their stability and protection against external causes. Thus, any disabling of the system means immediate damages involving huge sums.”

In July 2016, an agreement for the provision of IT, Internet and Telephone series as well as other services was signed between the Plaintiff and the Defendant - A Company which according to its representations provides storage and server management services.

” During January 2017, with increasing development capacity and a shift towards independent development, the company began to examine a contract with an external supplier aiming at a comprehensive and serious solution; Particularly with regard to hosting services, data storage and information security services of all the company’s IT and its database.”
As part of the search for a supplier, the Defendant’s CEO contacted the Plaintiff’s CEO, who had prior acquaintance with one another, “and embarked on a persuasive campaign presenting the quality of the Defendant’s one – stop – shop services”.

The Defendant’s CEO emphasized that the Defendant “Employs experts who can provide all possible communication resolutions and computing solutions for strategic organizations” as well as enabling “high survivability, security and mobility provided by five server farms based in Israel”. It should be noted, that those empty-handed promises were a crucial factor of the Plaintiff’s decision to hire the alleged services.

The statement of claim described that “On October 17th, 2019, at 09:00 p.m., several employees of the company first discovered that they were unable to operate the Plaintiff’s information management systems. After a thorough examination by the Company’s computer department, it turned out that the access to the Company’s servers has been fully blocked “.
Half an hour later, “the Plaintiff’s Technology Manager called a mobile number that was given to him by the Defendant, which has been subsequently directed to the Subcontractor, who informed the Plaintiff that there was a security breach during the previous night and that the company will be updated when the problem is solved, as it is being handled.”

Due to the severe implications on the Company’s infrastructure, the Plaintiff’s technology manager called the subcontractor again at 10:15 p.m. The subcontractor stated that the breach was in fact a Ransomware: A cyber – attack in which files are being encrypted when their release relies upon the payment of ransom to unknown causes, threatening that if they don’t do so- the encrypted files will be destroyed).

“As the severity of the situation became clear, the Plaintiff contacted BugSec, a cyber-company specializing in combating cyber-attacks, for assistance with the crisis.
In a joint conference call the subcontractor was required to transfer the server AS IS for BugSec to conduct a thorough forensic examination.”

“The call and further inquiries demonstrated the breach was done on the Cluster level, hence preventing the determination of the scope of the attack; for instance, whether it was “local” or “cross-server”.
In light of those disturbing findings, and in order to reduce damages and allow a-fast-as-possible return “to the straight and narrow”, the subcontractor was asked to renew the company’s operations using replication servers designed to perform as back up in situations as such”.

“[…] To the company’s astonishment, it turned out that the virtual server has also been compromised during the breach. Those outcomes clearly implied that the Plaintiff has breached its explicit obligation and any reasonable and acceptable security standard, which obligates to store the servers on separate farms.”

In order to prevent a complete loss of information […] Without any back up, the only rational resolution has been to resume operations through a clean and data-free server, slightly reducing the damage done.”

“[…] The Plaintiff kept contact with the Defendant through the whole process, while the latter has consistently assured that the matter would be resolved at any moment.
It should be noted, that this delay, among other things, resulted in the Plaintiff having to cancel the work schedule for the day of the breach and for the following day, to compensate all its customers for the change of schedule, alongside with the inability to work regularly and take new orders.
Beyond the financial damage, the incident resulted in a tremendous reputational damage to the Plaintiff – damage that could easily have been avoided had the Defendant notified the Plaintiff as soon as possible and handled the event immediately.”

After the weekend and the holidays where over and at the return to a work routine, and after “the Plaintiff has made it clear that it requires the AS IS transfer of the server in order “to perform a forensic examination”, it became clear that” the servers work on the old physical server, after it was formatted, in stark contrast to the requirements and guidelines posed by the Plaintiff and without its knowledge. The formatting not only prevented the data-saving and the reduction of the damage, but also caused serious evidential damage to the Plaintiff. The latter was deliberately caused by both Defendant and subcontractor, who destroyed the data after the Plaintiff has explicitly asked to receive all evidence.”

“Beyond the fact that the situation cries for a contractual breach, this case is clearly one of breach of trust resulting in the Plaintiff not being able to conduct a forensic examination for understating the causes to the breach, thereby causing it serious evidential damage.”
“The spreading of the virus to the “cluster” raises a high suspicion of serious information security failure, since the spreading is technically feasible only if a connection is made between the various live servers or third party backups being held upon the server. Such situation is clearly opposed to information security procedures.”
“As the backup servers (replication and daily backup) were still encrypted, the Plaintiff gathered these servers to conduct a forensic examination, in conjunction with the Defendant subcontractor’s investigation of the incident, when it was agreed that once conclusions are made, a joint meeting would be held for sharing them and deriving a conclusive outcome.”
“However, for a number of months now the Plaintiff is trying to reach the Defendant and subcontractor for receiving answers regarding the results of both investigations, but alas the Defendant hasn’t forwarded its report to this very day.”
The statement of claim stated that, “This is a serious security incident where allegedly 3 work circuits and survivability were hacked (live server, replication server and daily backup server) when each server was supposed to be a separate external network with a private Internet access with its own security system, so it is clear that had it not been for the Plaintiff's failure, a security breach would not have occurred. The mere damage caused by the evidence raises a strong suspicion that 3 security circuits were not breached at all, because they simply never existed!”
The Plaintiff further states that “in order to complete the picture, it should be noted that an attempt was made in January to resolve the dispute outside the court walls, but eventually bore no fruit.”
“The Plaintiff’s database was only partially restored (currently only for some parts of years 2018-2019), thus losing tremendous information accumulated over 6 years of activity – about 80% of the Plaintiff’s period of operation. The Plaintiff has invested many millions of shekels to date, including the creation of its database, being valued in the estimated in the amount of minimum ILS 2,500,000.”