As the new year begins, many businesses are fortifying cyber security plans, with ransomware, more than espionage, the word on everybody's lips. This malware, which encrypts user data and blocks access until payment of a ransom, has escalated during the past decade and looks set to dominate the landscape in 2022. Last year, AIG predicted that ransomware payment could amount to $20 billion USD - up from $315,000 six years before.
In May 2021, ransomware attacks underscored the vulnerability of critical infrastructure by causing fuel shortages on the United States' East Coast served by the Colonial pipeline, disruption to the Irish health service and shutdowns for meat processing giant JBS from Canada to Australia. These attacks bolstered the argument that ransomware has transitioned from a minor commercial menace into a national security threat.
The proliferation of attacks is supported by increasingly sophisticated business models used among hackers. DarkSide, the ransomware group that became a household name after the Colonial attack, operated a profit-sharing model with a suite of services offered to would-be hackers alongside terms and conditions. In addition, adoption of a model similar to the McMafia criminal franchise is growing in ransomware circles.
The increasing inclusion of user-friendly interfaces and customer service in Ransomware-as-a-Service (RaaS) packages lowers the barriers to entry for less technically sophisticated franchisees.
Perhaps inexperience and complacency have an upside: in an unusual outcome, the FBI was able to recover a large chunk of the Colonial ransom after acquiring the private key to the hackers' Bitcoin wallet. Yet the influx of so many attackers is a troubling development – and one that presents a quandary for governments, businesses, and the insurance industry.
At the heart of the multifaceted dilemma facing government and business victims is whether to pay a ransom.
The U.S. and U.K. governments both advise against paying ransoms, further noting that companies have no guarantee of getting their data back. Statistics back up this stance: According to cybersecurity companies Kaspersky and Sophos, only 29 per cent of people who paid the ransom recovered all their files, and just 8 per cent got all their data back.
There are many estimates of the exact percentage of victims who pay the ransom, but any figures are prone to wide margins of error, as those who do pay quickly are unlikely to report a breach to markets or authorities.
This raises the other side of the dilemma: While governments may not like it, paying the ransom can make business sense, at least in the short run. Insurers and businesses know that paying the fee is likely to be less damaging and expensive than the cost of treating the attack as a hardware issue and starting from scratch, improving security architecture as part of a rebuild.
However, when an organisation chooses to go down the no-negotiations route, things can get very expensive quickly. Famously, the city of Atlanta decided to rebuild from scratch rather than pay a $51,000 ransom to unlock municipal computers, at a cost estimated at $17 million.
For some companies, the cost of the ransom plus the cost of a shutdown can threaten their very existence. In anticipation of such circumstances, transferring the risk of covering the ransom to an insurer seems to be a logical and reasonable solution.
The recent spate of attacks has brought insurers under fire for complicity in the escalation of cybercrime. The thinking is that, by offering cyber insurance, insurers are legitimising cybercrime and perhaps even indirectly encouraging cybercriminals.
Ciaran Martin, former head of the U.K.'s National Cyber Security Centre, has called for changes to the current law, making payment of ransoms illegal, or at least for an extensive industry consultation over the practice. Martin's efforts underscore the complexity of, and concern around, the current situation.
The fear of a cascading cyber risk event evokes caution among reinsurers, while the increasing prevalence of internet-connected technology means vulnerability is only continuing to grow. This situation prompted Swiss Re's chief executive officer Christian Mumenthaler to call the problem "so big it's not insurable."
There's evidence that ransomware groups target companies they know to have cyber insurance, and it's hard to rule out insurance payments as part of an increasingly vicious cycle. Yet underpinning the situation is something beyond the supply and demand of the cyber risk market: problems at the political level.
States generally lack the regulation to deal with this new threat. Plus, while governments may find paying ransoms distasteful, any attempt to outlaw it will likely chase the practice further underground. Moreover, it criminalises the victim, who may end up garnering public support and determining that the consequences of not complying with the law are worthwhile: if a $1 million ransom attracts a $100,000 fine, that represents less of a deterrent than it does a 10 per cent tax on data recovery.
International affairs become crucial because few cybercriminals are based in the West. FBI Director Christopher Wray has specifically singled out Russia, and a list of the top earners from ransomware is a who's who of the Russian cyber underground.
The targets, however, are mostly in the West. While that can be partially attributed to some of the largest companies being located there, ample evidence suggests that the criminal groups intentionally seek to avoid targets in Russian-speaking areas.
The groups enjoy the benign neglect of local security services by acting as a thorn in the side of geopolitical rivals and being careful not to upset anyone closer to home. Again, nothing is new here; tolerating outlaws who annoy your enemies is a phenomenon older than the modern nation-state.
With Russia joined by countries such as China, North Korea, and Iran in refusing to cooperate with western law enforcement, attackers are operating in a high-reward, low-risk environment that pays enormous dividends for skilled ransomware writers.
The problem has finally grown large enough to enter the geopolitical sphere in its own right, especially given recent attacks on major infrastructure. Hackers seem to be aware of this fact; DarkSide issued an apology for the Colonial disruption and implied that a RaaS customer had been responsible for the inappropriate target selection.
The United States has made clear that it's willing to respond with its own disruptive measures. As of this writing, the effect of this threat remains uncertain. But simple economics suggests that unless countries cooperate to make it too risky to pursue expected payouts, the entrepreneurially minded will continue to gravitate towards cybercrime.
Being asked to step into a legal void on the morality of paying ransoms is probably beyond the remit of insurers, whose domain is risk transfer, not political philosophy.
A Deloitte report suggests that insurers could benefit from applying more robust scrutiny to cyber insurance applicants to align more closely with major commercial property insurance products. As the market tightens and prices rise, scrutiny is sharply increasing, a correction that may well be positive. As criminals get greedier, insurers may reconsider the cost-benefit analysis of paying ransoms, a trend that could eventually be fatal to the practice of ransomware attacks.
It's unlikely that the problem will ever be resolved without progress within and among states in addressing the root causes of cybercrime.
In the meantime, cooperation between governments and industry to improve incentives for firms to upgrade their security architecture is likely key to bringing cyber risk back under control.
Governments are critically positioned to facilitate information sharing and to legislate, cajole, and subsidise businesses in the direction of improved cybersecurity. They should also provide clear legislation and guidelines on what they expect insurers and other companies to do to help with this task.
Insurers should continue to work with the government to increase risk awareness and bridge the data gap, sharing information and finding ways to encourage cyberattack reporting that will help the sector price risk better. But they can't tackle the problem alone. As the American Property Casualty Insurance Association's (APCIA) new ransomware guiding principles point out, insurance is only one aspect of national cyber resiliency.
Ransomware has developed in the space created by geopolitical standoffs and thrived amid the unique circumstances of the COVID-19 pandemic. It is a societal malaise that will require a societal effort to control.
This is an abridged version of the article.
Axco is the leading supplier of global insurance market information with over 55 years’ experience in researching and publishing industry intelligence on insurance and employee benefits. Its unique business model and methods of research have enabled the development of an extensive suite of products comprising in-depth reports, focused profiles, Q&A databases, intelligent questioning tools, and email services which are delivered to every corner of the globe.