Cyber Incident Victim: Andrew Agencies
Date: Oct 2019
Location: Canada
Summary
A Canadian insurance firm suffered a ransomware attack in which threat actors encrypted 245 computers, claimed to have stolen 1.5GB of customer data, and demanded a $1.1 million ransom. The company confirmed the breach but said it had found no evidence that sensitive data was compromised, and it refused to pay the ransom despite the attackers' threat to publish the stolen information. Maze ransomware operators, known for following through on data release threats, provided BleepingComputer with details of the encrypted computers and user credentials as proof, contradicting the firm's assertions about data security. The incident highlighted evolving ransomware tactics involving data exfiltration and extortion.
Description
On October 21, 2019, Andrew Agencies, a Canadian insurance and financial services firm with 125 employees across 18 locations in Manitoba, Saskatchewan, and Alberta, suffered a cyberattack by the Maze ransomware group. Attackers breached the company’s network and encrypted 245 computers, affecting approximately 63 terabytes of data according to proof provided by Maze to BleepingComputer. This proof included a list of encrypted machines with IP addresses, computer names, and encrypted data sizes. Maze operators demanded a ransom of $1.1 million (150 bitcoins at the time) and claimed to have exfiltrated 1.5GB of customer insurance data, though no evidence of this theft was shared publicly. As further leverage, Maze released a text file containing 876 usernames and hashed passwords from Andrew Agencies’ network. Initial communications occurred between the company and attackers, with Maze stating Andrew Agencies requested time to gather funds but later ceased contact. The group set a late November deadline for payment, threatening to publish stolen data—a tactic previously employed by Maze in attacks like the one on Allied Universal.

Andrew Agencies confirmed the breach through Executive Vice President & General Counsel Dave Schioler, who stated the company conducted an investigation with third-party experts and chose not to pay the ransom. Schioler emphasized no evidence of stolen sensitive personal or customer data was found, asserting minimal operational impact and comprehensive remediation efforts. This denial directly contradicted Maze’s claims of data theft. BleepingComputer’s follow-up inquiries regarding the disputed data theft allegations received no response from the company. The incident highlighted Maze’s escalation of ransomware tactics by weaponizing data exfiltration, transforming encryption attacks into potential data breaches requiring regulatory notifications and exposing victims to legal risks. This approach influenced other ransomware groups like REvil (Sodinokibi), marking a shift toward double-extortion strategies in the cyber threat landscape.
