Ransomware – current trends and the role of cyber insurance
Sharing our perspectives on current trends, the role played by cyber-insurance and strategies to reduce risk.
Cybercrime, and ransomware in particular, continues to dominate the global shadow economy. This year losses from cybercrime are expected to reach $6 trillion, with $20 billion of that figure forecast to come from ransomware attacks. Our CyXcel team continues to play an important role in the fight against cybercrime and in this article we share our perspectives on current trends and the (sometimes controversial) role played by cyber insurance.
Ransomware – current trends
The most common ransomware variants seen in the incidents we’ve handled in the past 12 months are Sodinokibi, Egregor and Ryuk, although less frequently seen groups like Mamba and Conti have also been far more active than usual. With the most common points of infiltration into victims’ networks being either weakly secured RDP (Remote Desktop Protocol) access or phishing, the importance of a holistic approach to cyber-security, emphasising both organisational and technical measures, has never been higher.
There have also been more attacks year on year in the first quarter of 2021 than at any other time. In contrast, however, data from ransom negotiation specialists Coveware points to a decline in both the number and value of ransom payments being made. Their statistics suggest that the average ransom paid in Q4 of 2020 was $154,108 (down more than 1/3 against equivalent data for Q3), whilst the median payment decreased even more significantly to $49,450 (down more than ½ from Q3). But whilst this data looks positive, caution is advised, because it needs to be contrasted with the average downtime victim organisations incur before negotiations are successfully concluded and decryptors handed over. This data set points to an extra 21 days of downtime in Q4 2020, up 11% from Q3. The lesson is clear: interruption and lost profits occasioned by a ransomware incident can easily outstrip the cost of the ransom, so keep this in mind at all times when deciding whether to pay, how much and when. Early evaluation of interruption losses is essential to a properly informed decision.
The data we have gathered also suggests that the companies targeted are mostly small-to-medium organisations, with further data from Coveware backing up that view. The median number of employees was 234 for Q4, a 40% increase from Q3, likely because these companies have a greater capacity to pay but security sophistication similar to (i.e. no greater than) that of their smaller counterparts. Ransomware is therefore a risk that affects all businesses, and for the smaller and mid-tier organisations the rising tide is cause for concern.
The role of insurance
The role of cyber insurance in ransomware attacks is sometimes controversial, and former NCSC chief Ciaran Martin was recently quoted in the Guardian advocating banning such payments on the grounds that without insurance, companies would be unable to pay and cybercriminals would lose the revenue stream. A sensationalist headline for sure, but not altogether accurate, still less helpful.
The likely consequence of banning organisations from making ransomware payments, or preventing insurers offering cover for extortion, will simply be to deprive victims of support at a time when they need it most and drive the practice underground. Historically, of course, paying ransom has not been illegal in the UK (save where it would fuel terrorist financing). Indeed, in maritime piracy it has long been recognised that whilst paying ransoms might incentivise further attacks, it is the lesser evil to the risk otherwise posed to the lives of crew members and the safety of ships.
Whilst the risk to life from ransomware is perhaps not quite as tangible, nevertheless it remains the case that a weighing-up exercise needs to be carried out, balancing the public interest in discouraging organised crime from perpetrating further extortion attacks on the one hand against the interests of the victims on the other, including ensuring that their businesses are not destroyed overnight; that jobs are not lost and livelihoods crippled on a vast scale; and that personal data, so often the target or collateral damage in cyber-security incidents, continues to be protected to the fullest extent possible.
Cyber insurance of course plays an important role in ensuring that ransomware incidents are dealt with appropriately. With a cyber insurance policy, the policyholder gains access to a panel of expert vendors including experienced negotiators who can ensure that the incident is managed with least consequences and that normal trading resumes for the victim as quickly as possible. It is not just a valuable but arguably essential service for public and private organisations alike. Banning cover for extortion or the payment of ransom altogether would deprive businesses of access to these services, exacerbating the risk that victims will simply take the issue “underground” and attempt to deal with threat actors themselves, which would invariably lead to worse outcomes.
Perhaps the most obvious hole in the anti-insurer rhetoric surrounding ransom, though, is the fact that the root of the problem is not insurers or the victims themselves, but rather the crypto-banking infrastructure that threat actors are able to exploit with impunity. Tighter regulation of cryptocurrency exchanges, and stricter enforcement action in respect of breaches by those who fail to implement appropriate systems and processes, is undoubtedly the missing piece. Indeed, whilst such exchanges are already subject to KYC (know your customer) and AML (anti-money laundering) obligations, all too often the excuse is given that the volume of daily transactions and the anonymity enjoyed by users of the exchanges make it far too difficult to identify and police abuse properly.
But a market that now enjoys $560 billion in capitalisation cannot be allowed to behave in this way, still less turn a blind eye to such widespread criminality. Undoubtedly the challenges posed by cryptocurrency are difficult ones, and it is probably unrealistic to expect the crypto-banking sector to be motivated to solve the problem on its own; rather, it is the job of governments and law enforcement agencies to make the effort needed to deliver a solution, one that does not make the victims of crime facilitated by crypto the aggressor in the eyes of the law. Let us also hope that public statements from those responsible for protecting potential victims of extortion by organised crime are chosen more carefully in the future, and that the issues and their context are reported by the media more responsibly.
Strategies to reduce risk
Ransomware is not a risk that can be eliminated entirely. Instead, steps to reduce it can and should be taken by all organisations.
An ounce of prevention is worth a pound of cure. It is important for businesses to ensure that they have robust measures in place to prevent attacks from happening in the first place. In addition to installing security software, businesses should ensure that security updates are installed regularly and that staff receive regular training on phishing and scam emails. Businesses should also proactively consider how they would respond if their network were to be accessed – in particular whether they have backups, whether those backups are segregated from the computer network, and what policies and procedures are in place to respond to an attack.
Where a business has the benefit of a cyber insurance policy, we have recently observed that more sophisticated threat actors have actively searched for the policy document in the network in order to ascertain the limit of indemnity. Businesses and insurers should consider whether alternative arrangements for the retention and storage of cyber policies should be implemented.
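As an added illustration of the point above, and not CyXcel's own tooling or advice, the following Python example shows one defensive check that complements changing where the policy is stored: scanning file-share audit records for reads of a document whose name looks like an insurance policy by accounts outside a short allow-list. The audit record format, the account names, the file paths and the allow-list are all constructed assumptions; a real deployment would use the organisation's own audit source and document names.

```python
"""
Flag reads of a stored cyber-insurance policy document by accounts that are
not expected to open it. All log lines below are constructed for the example.
"""
import re
from typing import Dict, List, Optional

# Filenames that look like an insurance policy document (assumed naming).
POLICY_NAME = re.compile(
    r"cyber[_ -]?(insurance|policy)|insurance[_ -]?policy|indemnity",
    re.IGNORECASE,
)

# Accounts expected to open the policy (constructed allow-list).
ALLOWED_READERS = {"finance.jsmith", "legal.rkhan"}

# Constructed file-share audit records: one key=value line per file access.
SAMPLE_AUDIT = [
    "ts=2021-04-12T09:01:11Z user=finance.jsmith action=READ path=\\\\fs01\\Finance\\Insurance\\Cyber_Insurance_Policy_2021.pdf",
    "ts=2021-04-12T09:05:40Z user=legal.rkhan action=READ path=\\\\fs01\\Legal\\Contracts\\Cyber_Insurance_Policy_2021.pdf",
    "ts=2021-04-12T10:22:03Z user=finance.jsmith action=READ path=\\\\fs01\\Finance\\Budget_2021.xlsx",
    "ts=2021-04-12T23:14:02Z user=svc_helpdesk action=READ path=\\\\fs01\\Finance\\Insurance\\Cyber_Insurance_Policy_2021.pdf",
    "ts=2021-04-12T23:14:05Z user=svc_helpdesk action=READ path=\\\\fs01\\Legal\\Contracts\\Indemnity_Schedule.docx",
    "ts=2021-04-12T23:14:09Z user=svc_helpdesk action=READ path=\\\\fs01\\HR\\Staff_List.xlsx",
]

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>.+)$"
)


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Parse one audit line into its fields; return None for malformed input."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def find_policy_access(lines: List[str], allowed_readers=ALLOWED_READERS) -> List[Dict[str, str]]:
    """Return one alert per READ of a policy-like file by a non-allow-listed account."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "READ":
            continue
        filename = rec["path"].split("\\")[-1]  # UNC path: last component is the file
        if POLICY_NAME.search(filename) and rec["user"] not in allowed_readers:
            alerts.append({"ts": rec["ts"], "user": rec["user"], "path": rec["path"]})
    return alerts


def summarise_by_user(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count alerts per account so a single actor enumerating files stands out."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        counts[alert["user"]] = counts.get(alert["user"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_policy_access(SAMPLE_AUDIT)
    for alert in found:
        print(f"ALERT {alert['ts']} {alert['user']} read {alert['path']}")
    print("per-account totals:", summarise_by_user(found))
```

On the constructed sample the two out-of-hours reads by the service account are flagged while the finance and legal users are not, which is the shape of signal a security team would want routed to its monitoring rather than discovered after a ransom demand quotes the policy limit. A dedicated decoy document that no legitimate user ever opens works with the same logic and an empty allow-list.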
There are of course numerous other strategies to reduce risk – if your organisation needs help to improve its measures to combat cyber risk and data protection challenges, then don’t hesitate to contact us. CyXcel, with its “one-stop-shop” solution, is always ready to take your call. We also work with many of the well-known cyber insurers and actively support their programmes globally.