Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
Analyze » Coalition, Inc. » COA1773095050

Incident Score: Analysis & Impact (COA1773095050)

The details regarding individual company incidents & reports gives you full view from every side.

Rankiteo Score Impact Analysis

Rankiteo Incident Impact-160
Company Score Before Incident760 / 1000
Company Score After Incident600 / 1000
INCIDENT NUMBERCOA1773095050
Type of Cyber IncidentRansomware
ATTACK VECTORVPNs, remote desktop applications, email
DATA EXPOSEDencrypted data, exfiltrated data, personally...
INCIDENT DATE31/12/2024
STATUSpublished

Key Highlights From The Incident Analysis

  • Timeline of Coalition, Inc.'s Ransomware and lateral movement inside company's environment.
  • Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
  • How Rankiteo’s incident engine converts technical details into a normalized incident score.
  • How this cyber incident impacts Coalition, Inc. Rankiteo cyber scoring and cyber rating.
  • Rankiteo’s MITRE ATT&CK correlation analysis for this incident, with associated confidence level.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the Coalition, Inc. breach identified under incident ID COA1773095050.

The analysis begins with a detailed overview of Coalition, Inc.'s information like the linkedin page: https://www.linkedin.com/company/coalitioninc, the number of followers: 210129, the industry type: Insurance and the number of employees: 727 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 760 and after the incident was 600 with a difference of -160 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Coalition, Inc. and their customers.

A newly reported cybersecurity incident, "Decline in Ransomware Payouts as Defenses Strengthen and Threat Actors Adapt", has drawn attention.

A new report from cyber insurance provider Coalition reveals a sharp decline in ransomware payouts, signaling improved resilience among enterprises.

The disruption is felt across the environment, affecting VPNs, remote desktop applications and email systems, and exposing encrypted data, exfiltrated data and personally identifiable information, plus an estimated financial loss of $269,000 (average per ransomware incident).

In response, teams activated the incident response plan, and began remediation that includes robust backups and timely patching.

The case underscores how teams are taking away lessons such as Stronger defenses, including robust backups, incident response plans, and proactive security measures, have reduced ransomware payouts. However, threat actors are adapting with AI-driven attacks and multi-layered extortion tactics, and recommending next steps like Strengthen defenses with robust backups and incident response plans, Proactively monitor and patch remote access tools like VPNs and remote desktop applications and Leverage AI for vulnerability prioritization and anomaly detection.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

MITRE ATT&CK® Correlation Analysis

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified External Remote Services (T1133) with high confidence (90%), with evidence including vPNs (59% of ransomware entry points), and remote desktop applications (14%) and Phishing: Spearphishing Link (T1566.002) with moderate to high confidence (70%), supported by evidence indicating business email compromise (BEC) dominated overall, accounting for 58% of incidents. Under the Execution tactic, the analysis identified User Execution: Malicious File (T1204.002) with moderate confidence (60%), supported by evidence indicating ransomware remains the costliest cyber claim. Under the Persistence tactic, the analysis identified Valid Accounts (T1078) with moderate to high confidence (80%), supported by evidence indicating remote access tools...remain prime targets. Under the Privilege Escalation tactic, the analysis identified Valid Accounts (T1078) with moderate to high confidence (70%), supported by evidence indicating vPNs and remote desktop applications as entry points. Under the Defense Evasion tactic, the analysis identified Obfuscated Files or Information (T1027) with moderate confidence (60%), supported by evidence indicating aI is reshaping the ransomware landscape, enabling attackers to automate and Impair Defenses: Disable or Modify Tools (T1562.001) with moderate confidence (50%), supported by evidence indicating lack of timely patching, insufficient monitoring. Under the Credential Access tactic, the analysis identified Brute Force: Password Guessing (T1110.001) with moderate to high confidence (70%), supported by evidence indicating vPNs and remote desktop applications as prime targets and Adversary-in-the-Middle (T1557) with moderate confidence (60%), supported by evidence indicating business email compromise (BEC) rose 15% year-over-year. Under the Discovery tactic, the analysis identified Account Discovery: Domain Account (T1087.002) with moderate confidence (60%), supported by evidence indicating initial access brokers targeting high-value enterprises. Under the Lateral Movement tactic, the analysis identified Remote Services: Remote Desktop Protocol (T1021.001) with moderate to high confidence (80%), supported by evidence indicating remote desktop applications (14% of ransomware entry points). Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), with evidence including data exfiltration such as true, and personally identifiable information compromised. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (70%), supported by evidence indicating aI-driven attacks scaling operations. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), with evidence including triple-extortion schemes...exfiltrate it, and data exfiltration such as true and Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) with moderate confidence (60%), supported by evidence indicating threat actors adapt with multi-layered extortion tactics. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (90%), with evidence including data encryption such as true, and ransomware remains the costliest cyber claim, Defacement: Internal Defacement (T1491.001) with moderate confidence (50%), supported by evidence indicating triple-extortion schemes...threaten to leak it to victims’ customers, and Financial Theft (T1657) with moderate to high confidence (80%), with evidence including funds transfer fraud (FTF) dominated overall, and bEC claims rose 15% year-over-year. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.

Initial Access
External Remote Services (90%)
Phishing: Spearphishing Link (70%)
Execution
User Execution: Malicious File (60%)
Persistence
Valid Accounts (80%)
Privilege Escalation
Valid Accounts (70%)
Defense Evasion
Obfuscated Files or Information (60%)
Impair Defenses: Disable or Modify Tools (50%)
Credential Access
Brute Force: Password Guessing (70%)
Adversary-in-the-Middle (60%)
Discovery
Account Discovery: Domain Account (60%)
Lateral Movement
Remote Services: Remote Desktop Protocol (80%)
Collection
Data from Local System (90%)
Command and Control
Application Layer Protocol: Web Protocols (70%)
Exfiltration
Exfiltration Over C2 Channel (90%)
Exfiltration Over Web Service: Exfiltration to Cloud Storage (60%)
Impact
Data Encrypted for Impact (90%)
Defacement: Internal Defacement (50%)
Financial Theft (80%)

Sources & References