Ransomware has been hitting the headlines regularly, and that is no coincidence. In 2020, reports of this form of extortion increased by 485%, according to the cyber-security firm Bitdefender. Not only are these attacks becoming more frequent, but they are also becoming more sophisticated. A proliferation of off-the-shelf tools and franchise-style "ransomware-as-a-service" arrangements gives even less tech-savvy data thieves a route into the market. Insurance companies are certainly not exempt from these groups or their affiliates. Just days after the hugely disruptive and headline-grabbing Colonial Pipeline hack, Axa announced that three terabytes of sensitive data had been stolen from its Asian business unit by the cyber-crime group Avaddon. The breach included sensitive personal data, and it reflects a broader trend: attackers have moved from simply locking data to stealing it first and threatening to leak it, so-called double extortion.
This practice makes sense from the attackers' perspective. Encrypted data can, in principle, be treated like a hardware failure and restored from backups. A threat to leak it cannot: it turns the incident into one with serious reputational, privacy and regulatory consequences, co-opting the ire of customers and regulators alike to turn the screw on companies reluctant to pay.
The proportion of victims who pay is somewhere between 25% and 55%, depending on whose figures you believe. The wisdom of doing so, however, is less clear. Kaspersky found that of those who paid, only a minority (29%) recovered all of their files, quite apart from the obvious ethical concerns and the vicious spiral that comes from funding criminal enterprise. The FBI discourages paying, and so does the UK government, but it is not in itself illegal (though paying a sanctioned group can breach sanctions law, as the US Treasury has warned). Colonial paid 75 bitcoin, worth around USD 5 million at the time, but the decryption tool they received was so slow that they reportedly continued to restore systems from their own backups.
Paying a ransom also creates a dilemma for insurers, and indeed for governments. Paying can be much cheaper than rebuilding systems from scratch; indeed, most attackers deliberately price their demands just below that cost. Writing a policy that reimburses ransom payments may therefore be the most cost-effective option for insurer and insured alike. The price, of course, is encouraging cyber-crime, with a potential cycle of more sophisticated attacks and ever-increasing payouts. On the other hand, refusing to pay could be debilitating for some companies. And legislation making payment illegal might change attackers' targeting rationale, but it would also turn victims into criminals, killing any incentive to report attacks and co-operate with the state. A representative of REvil, a ransomware gang, admitted to specifically targeting companies it believes hold ransomware insurance, adding that getting inside an insurer's data would allow targeted attacks on its clients. Axa had been the first insurer to stop covering cyber-ransom payments in France, following concerns aired by government officials. At the time of writing, however, reports suggested that the Avaddon breach was unfortunate timing rather than direct retaliation.
There is a plethora of information available from governments and cyber-security firms on preparing for, preventing, and responding to a ransomware attack. Why, though, can these groups not be stopped at the source? Part of the reason, at least, is political. Many of the organisations behind ransomware operate from states that have little incentive to stamp them out. A substantial proportion of them, including DarkSide, the group behind the Colonial hack, are thought to be based in Russia. While there is no suggestion of direct Kremlin involvement in that particular attack, there is little reason to believe that the Russian government will be bearing down hard on hacking groups. As the UK's National Crime Agency points out, the lines between state and criminal groups in cyber-security are increasingly blurred.
Indeed, some analysts have compared these hackers to modern-day privateers, operating with the tacit agreement of state security forces on the basis that they keep their targets firmly among the nation's geopolitical rivals and don't cause too many problems at home. Handily for hackers, Russia's constitution prevents the extradition of its citizens. Combine that with the benign neglect of local law enforcement and the business looks like a low-risk, high-reward endeavour. Fortunately for society, causing mayhem and attracting the kind of attention that Colonial brought down on DarkSide is not good for business. That explains why the group issued an apology as fuel shortages began to spread and promised to avoid critical national infrastructure in future. Under the spotlight, the group now claims to have disbanded amid a wider reshuffle of the cyber-criminal underworld. Yet ransomware is just a business proposition: if the risk-reward ratio still makes sense, they will be back under new branding.
It isn't just happening in Russia; few nations are immune from home-grown hackers. Yet until countries can come together and agree to make a concerted effort to clamp down on cyber-crime, the situation is unlikely to improve substantially. In the meantime, companies should spend a little more money and time on cyber-security. Perhaps tightened minimum requirements and surging prices for cyber-cover will make the maths of proper protection more palatable and the moral hazard a little smaller. With luck, data is quickly recoverable. Corporate reputation can take much longer.
Image by Pete Linforth from Pixabay
Axco is the leading supplier of global insurance market information with over 55 years’ experience in researching and publishing industry intelligence on insurance and employee benefits. Its unique business model and methods of research have enabled the development of an extensive suite of products comprising in-depth reports, focused profiles, Q&A databases, intelligent questioning tools, and email services which are delivered to every corner of the globe.