The State of Ransomware & Where We're Headed
This is the part one of our four part Ransomware Guide. Parts 2-4 can be located below.
Part 2: The Most Effective Ransomware Protection According To The Experts
Part 3: Ransomware Insurance: What to Look For
Part 4: Assessing Cyber Insurers’ War Exclusions & Terrorism Carvebacks
Cyber crime has always been a top concern among the c-suite, but never before have ransomware and cyber attacks ranked so high. For many companies cyber and ransomware concerns have replaced lost income (related to Covid) as the primary concern among executives…and for good reason. The sheer volume of attacks have doubled year over year, and appear on track to double again. Demands and remediation costs are ballooning and organizations are being forced to spend more on cyber security while encountering a difficult insurance market. So how did we get here?
Cyber criminals are deploying more effective tactics and most companies are opting to pay the ransoms which is only fueling more attacks. The alternative of dealing with the resulting lost income, PR damage, and lengthy restoration period is often perceived as a greater damage that companies wish to avoid. Paying a ransom however is highly risky and ill advised. Doing so does not guarantee the cyber criminals will actually cooperate and may wind up making the victim a soft target for following attacks. In fact, a recent survey reported roughly 90% of victims don’t have all of their data returned. Cyber criminals are also spending more time and resources in executing attacks than most companies are spending in trying to defend against them. Some of the evolving tactics currently being deployed by ransomware gangs include:
- TARGETING SOFTER TARGETS: CISA has issued a recent alert indicating that ransomware gangs are beginning to shift their attention to mid sized companies in order to avoid scrutiny following their recent string of large scale attacks. They are also shifting their attention to “softer” targets such as the public service sector, which may be particularly vulnerable due to their lower cyber security budgets and more lax security controls. In fact a recent report by MS-ISAC indicates attacks against schools account for upwards of 57% of all reported ransomware attacks.
- TARGETING VICTIMS' CYBER INSURANCE: After initiating an attack, it appears some hackers are searching for their victims' cyber insurance policies in order to use it as leverage during their ransom demands. As stated in a recent 2021 interview, they may also take a backward approach by infiltrating the insurance companies first, then subsequently launching attacks against individual policyholders.
- LEGITIMIZING OPERATIONS: Large ransomware gangs are operating less like scattered hackers and more like well established organizations with corporate-like work environments, which is proving to be an effective tool at recruiting new talent. A recently published set of findings demonstrates the extent to which some ransomware gangs are legitimizing operations. Perks such as bonuses and employee training are just some of the incentives organizations are utilizing, with some even going as far as utilizing arbitration to settle internal payment disputes.
- LEVERAGING COVID: Most ransomware attacks are perpetrated through phishing schemes and the current state of employment has created a ripe environment for hackers. Covid has created labor shortages, and an overworked/over-stressed workforce, both of which can result in decreased employee awareness, making employees more susceptible to phishing schemes. As a result cyber criminals have been launching more phishing attacks, targeting companies off hours when they’re most vulnerable, and increasing their recruitment of inside actors/employees for assistance with carrying out attacks. With work at home arrangements becoming the norm, many employees are also now accessing systems remotely which is also poses a security risk, particularly for companies not utilizing dual factor authentication.
- COUNTERING BACKUPS: Ransomware gangs are also increasing their intimidation tactics in order to maximize their efficacy. They understand an organization’s backups can deter ransom payments, so they are now applying even more payment pressure to circumvent those backups. In addition to threatening to sell or publish the stolen data, they are now threatening to: contact the victims’ clients or vendors, entirely wipe affected PCs (rendering them useless), and/or launch denial of service attacks if ransoms aren’t received.
- RANSOMWARE AS A SERVICE: The rise of Ransomware as a service is also contributing to the increase in attacks. RAAS is a platform akin to an ebay on the darkweb where less sophisticated hackers can lease or purchase malicious code to launch their own attacks, effectively reducing the barrier to entry. It has been reported that the Colonial Pipeline attack originated from a single stolen user credential, which can be purchased online for as little as $1.
- LAUNCHING SUPPLY CHAIN ATTACKS: The attacks against Solar Winds and Kaseya have demonstrated that hackers are increasing their ROI by targeting tech & software providers – this effectively allows them to infect hundreds or thousands of systems by infiltrating the software providers’ clients via corrupted software updates.
- TARGETING SYSTEMS & INFRASTRUCTURE: Instead of solely targeting protected info (such as credit cards or medical records), malicious actors are now expanding to target infrastructure and industrial control systems. This not only provides a broader range of targets (companies that don’t maintain protected information), but may also provide easier entry by penetrating systems that may not be as protected, such as legacy ICS systems. The most notable ransomware attacks in the past 2 years also highlight this shift. The attacks against Colonial Pipeline, JBS, Kronos and agricultural cooperative New Cooperative, which resulted in food production shortages, spikes in gas prices, and delayed payroll for thousands of employees have demonstrated, for the first time, the devastating effects of attacks on infrastructure, and the ripple effect they can have on the US supply chain.
Changes in techniques such as these, help explain the proliferation of ransomware attacks over the past 2 years, but where are we headed? An increase in ransomware was already anticipated however attacks launched in response to the Ukraine conflict could have a doubling effect on the number of attacks US companies will face in 2022. The ransomware group Conti gang, recently issued a statement calling for attacks against US infrastructure in retaliation for the sanctions imposed against Russia – a concern echoed by President Biden’s recently issued warning. US companies can also expect an increase in state sponsored attacks, as many experts speculate Russia may attempt to utilize ransomware payments (and crypto currency in general) to circumvent US imposed sanctions. Companies providing US infrastructure right now are primary targets for retaliatory attacks. This week the FBI advised hackers were caught scanning the networks of 5 US energy firms. These attacks could result in utility interruptions, supply chain interruptions, food/product shortages and price inflation. The victims of these attacks may also encounter considerable insurance coverage hurdles as some claims will ultimately be declined as insurers cite their policies’ war exclusions as a barrier to coverage.
Companies can also expect an even harder cyber insurance market. Premiums have already doubled anywhere from 20% - 50% for smaller and mid market companies (doubling for larger organizations), and rates will only increase further. Most insurers will also continue to heavily sub-limit their cyber extortion insuring agreements, with many already having reduced their overall capacity by half. Some carriers are taking an even more aggressive approach by applying coinsurance clauses. Lastly, companies can also expect a more challenging underwriting process with lengthier supplemental applications, requiring “best-of” practices in order to obtain favorable terms. Organizations looking to secure high cyber extortion limits and those operating in higher risk sectors should begin implementing advanced cyber security controls, policies and procedures. Policyholders should also expect more layered towers, as more insurers are going to be required in order to achieve desired limits. As we discuss in Part 3 and 4 of our guide (links above), organizations should also be performing careful assessments of their policies’ war exclusion and cyber extortion insuring agreements.
In an effort to mitigate the damages caused by these attacks, regulators are taking a multi-faceted approach. Strategic efforts so far have been primarily carried out by the DOT via OFAC sanctions against virtual currency exchanges facilitating ransomware payments, and aggressive criminal pursuit of foreign actors by the DOJ. The next phase of breach notification has also arrived. In the past 2 years lawmakers have introduced at least 3 separate bills aimed at mandatory cyber-incident reporting; the “Ransomware Disclosure Act”, the “Cyber Incident Reporting Act”, and the “Cyber Incident Notification act”. As opposed to current breach notification laws that only pertain to breaches affecting protected info, these acts all aim to require that companies report to the federal government, any significant cyber incidents and any made ransomware payments. In March of 2022, Congress passed the first of such acts: The Cyber Incident Reporting Act of 2022 which will require all critical infrastructure companies to report significant cyber incidents within 72 hours and report any ransom payments within 24 hours. While this particular act only mandates disclosures for companies providing critical infrastructure, broader acts may soon follow affecting a wider range of companies. Public companies are also encountering added regulatory pressure. On March 9 2022, the SEC also proposed new rules for listed companies. Among the proposed changes, public companies would be required to disclose their cyber security policies and procedures and any “materiel cyber incidents” within 4 days of being affected.
While regulators argue greater transparency around cyber security/governance and incident reporting will protect investors and provide greater insight into the attacks, allowing for better protection against future attacks, some companies believe these acts may inadvertently result in undue strain while potentially inflicting reputational damage. It could also subject companies to more follow on lawsuits and derivative actions (which are already on the rise). Colonial Pipeline Co, Scripps Health, CaptureRX, Eleketa Inc, and Candler Hospital Systems are just 5 recent examples. Each of the companies were hit with multiple class action suits alleging inadequate security/disclosures, following ransomware attacks that inflicted considerable downtime, resulting in 3rd party financial damages and/or the exposure of protected data. These lawsuits underscore the critical role (well structured) D&O insurance plays as it relates to cyber incidents.