Insurance Watch: Ransomware
CIFFA member and global professional services firm Aon plc provides a broad range of risk, retirement and health solutions.
In a ransomware attack, threat actors gain unauthorized access to company networks and files using malicious software or malware. After gaining access, these cybercriminals encrypt files making them inaccessible, and demand a ransom payment in cryptocurrency in exchange for the digital key code(s) to decrypt the files.
Ransomware attacks have become more advanced in their approach, including pre-emptive measures intended to coerce ransom payment such as targeting and destroying data backups to prevent restoration, and stealing data prior to encryption with the threat of public release. This leaves many victims with the difficult choice of either permanent loss of data and extended business disruption or paying a ransom to regain access and restore operations.
For many ransomware victims, paying the ransom may seem like the only viable option. The possible consequences of business disruption and loss or public exposure of sensitive data are severe, and can include loss of revenue, breached contracts, missed deadlines, failure to meet customer or client expectations, damage to goodwill, or even, in the most extreme examples – such as with healthcare providers – possible loss of life.
The most recent statistics on ransomware are staggering. The total number of global ransomware reports increased by 715.8% from 2019 to 2020². Ransom payments have risen as well, making a 60% leap in payment value since last year³. Some of the most sophisticated ransomware attack groups and malware variants are now averaging over $780,000 per payment. At these rates and amounts, it is no surprise that the predicted damages from ransomware are expected to be $20 billion in 2021.
The Payment Conundrum
Amid this cyber crisis, law enforcement has remained mostly neutral on the issue of ransom payments. Generally, law enforcement provides cautionary guidance around the risks associated with paying a ransom, warning that either the supplied decryption files may not work, or that the payment of a ransom may attract further exploitation. But, there is also consensus across law enforcement that those experiencing ransomware events are victims. Not surprisingly, to date there is scant record of prosecutions, much less convictions, of ransomware victims who have chosen to pay a ransom to recover critical files or restore the operation of critical systems. Until recently, the difficult decisions facing victimized entities (or those companies participating in incident response activities) was not whether it was a legal risk to pay a ransom.
Rather, the primary focus in the ransomware conundrum was whether it made business sense to pay the ransom and, if so, how to both engage with the threat actor to negotiate and navigate the often-unfamiliar cryptocurrency landscape to facilitate payment. Post-payment, the most difficult issue typically facing a victimized entity was the often time-consuming and technically taxing decryption process.
Ransomware is, by multiple measures, the top cyber threat facing businesses today¹. Unlike data breach, ransomware is a risk without discretion. Any company that either requires access to critical data, or faces loss or hardship in the event of business interruption is a potential ransomware victim.
If law enforcement was involved or notified by a victimized entity at any point throughout this process, it was generally in the hope of receiving guidance (based on experience with similar previous attacks) or justice (if law enforcement could identify the ransomware threat actors). While law enforcement remained eager to work with victimized companies, the increase in ransomware attacks forced the selective prioritization of which cases to handle. Those cases that law enforcement could take on were appropriately focused on their mandate of criminal investigation and prosecution. This mandate, combined with the deluge of ransomware matters, ensures that victimized entities that notify and work with law enforcement still handle most aspects of the incident response investigation themselves, including root-cause analysis of the incident, the scope of the intrusion, and restoration of the business.
Risk Mitigation Strategies
Ransomware attackers often operate with the same discipline and approach of a traditional business, except in a criminal venture with criminal intent. Threat actors typically choose the path of least resistance to achieve their business goals, attacking vulnerable companies taking advantage of common exploits, or a lack of cyber defense and preparedness. To help mitigate the risk of falling victim to ransomware and in an effort to better prepare for a ransomware incident, consider these eight tips:
- Be proactive – Being victimized by ransomware is a jarring experience. It tests an organization’s emotional responses to crisis, escalation procedures, technical prowess, business continuity preparedness, and communication skills, especially because the organization must sometimes interact directly with the attackers. Ensure that the Incident Response (IR) Plan/Playbooks, and/or Business Continuity Plan/Disaster Recovery Plan has been recently assessed, reviewed, and updated. But, most important, these plans and playbooks must be tested through simulated practice across realistic scenarios to help improve resilience.
- Educate employees on cyber security and phishing awareness – Phishing is still a leading cause of unauthorized access to a corporate network, including as the entry point for ransomware attacks. Training users to not only spot a phishing email, but to also report the email to their internal cyber security team is a critical step in detecting the early stages of a ransomware attack. Companies must create a culture where all employees feel responsible for enterprise security, and are encouraged to participate in proactive detection of, and defense against, threats, risks, and attacks. Phishing awareness is a critical cornerstone to such a cyber secure culture.
- Employ multi-factor or “two-step” authentication – Multi-factor authentication (e.g., a password – something employees know, plus an authentication key – something employees have) across all forms of login and access to email, remote desktops, external-facing or cloud-based systems and networks (e.g., payroll, time-tracing, client engagement) should be a requirement for all users. In many—but not all—instances, the presence of multi-factor authentication may even prevent the exploitation of stolen login credentials because the attacker does not also possess the necessary second piece of the login process, the authentication key. It is important to ensure proper multi-factor configuration. Multi-factor access controls can be even more effective if coupled with the use of virtual private network (VPN) interaction.
- Keep systems patched and up-to-date – The rudimentary cyber hygiene activity of system updates and patching often falls by the wayside, especially as operations and security teams are stretched, systems and endpoints age and move towards legacy status, and new systems, hardware, and applications are introduced as businesses grow, mature, merge and divest. There are—and will continue to be—major unpatched vulnerabilities that allow attackers to compromise corporate networks. Attackers can often identify a vulnerable system with a simple scan of the Internet using free tools. They engage in this exercise broadly and indiscriminately, looking for exploitable systems on which to unleash ransomware and other cyber attacks.
- Install and properly configure endpoint detection and response tools – Tools that focus on endpoint detection and response can help decrease the risk of a ransomware attack and are useful as part of incident investigation and response. However, many entities that invest in these tools fail to properly configure them to be of assistance in the event of a cyber event and investigation. Properly configured security tools give a much greater chance of detecting, alerting on, and blocking threat actor behavior.
- Design your networks, systems, and backups to reduce the impact of ransomware – Ensure your privileged accounts are strictly controlled. Segment your network to reduce the spread of adversaries or malware. Have strong logging and alerting in place for better detection and evidence in the event of incident response. Having a technical security strategy that is informed by architects that know the latest attacks and adversary trends is important, as is the use of continuous threat intelligence monitoring in open source and on the dark web.
- Consider risk transfer options – Because a ransomware attack can threaten an entity’s reputation and goodwill, the complete risk of ransomware can never be fully mitigated or transferred. However, in practicing ransomware preparedness, organizations should consider obtaining appropriate cyber insurance coverage. In doing so, organizations should review how coverage addresses indemnification for financial loss, business interruption, fees and expenses associated with the ransom and incident response, as well as considerations for service providers, such as the ability to work with incident response providers of choice.
- Pre-arrange your third-party response team – an effective ransomware response will often include all or some third-party expertise across the disciplines of forensic incident response, legal counsel, crisis communications and ransom negotiation and payment. Seeking out, vetting and engaging with these professionals during a ransomware incident places additional burden on an already strained enterprise, and is ineffective and inefficient when every second counts and every decision is critical. As time is of the essence, it is critical to pre-vet and pre-engage a team of professionals to monitor and be ready to respond to a ransomware attack when it happens.
- Ransomware Is the No. 1 Cyber Threat This Year. Here’s What You Can Do.
- Bitdefender’s Mid-Year Threat Landscape Report 2020, page 14
- Coveware Ransomware Marketplace Report, August 3, 2020
- Coveware, January 23, 2020
- Cyber Security Ventures, https://www.thesslstore.com/blog/ransomware-statistics/
- FBI Ransomware Prevention and Response for CISOs
- Obama PPD-30