Ransomware Demands Increase Significantly

With publications and cyber security professionals still discussing the fallout, it feels like the media-grabbing WannaCry attack just happened yesterday. That fallout dialogue included considerable forecasting of worries and predictions about how such breaches might adapt and escalate. Among the many predictions were industry-coordinated attacks (as surveyed by AIG), smarter ransomware and increasing demands - a long-held belief of cyber security experts. With its $500 demand, the recent WannaCry attack luckily did not fulfill that prophecy; however, in what feels like a complete overnight shift, two attacks in the last week are making that long-standing fear feel more like it may be becoming a reality.

The most recent cyber extortion iteration, SamSam, is currently demanding $35k per demand, which is roughly a quarter of the entire ~$120k sum received by the authors of WannaCry. That's a huge leap. In fact, with SamSam acting as a more sophisticated, better-hidden malware targeting the healthcare sector, this attack actually confirms three forecast security concerns: growing ransom demands, industry-coordinated attacks and more intelligent code. At $35k per demand, the total damages sustained by those affected could easily surpass $500k when factoring in lost income, reputational damage, customer loss and asset restoration. When cyber extortion attacks such as these target heavily regulated sectors, the attacks can snowball into regulatory investigations and fines as well. In this case, those affected are also likely to encounter additional damages in the form of follow-up HIPAA investigations, fines and costs associated with corrective measures. The HHS/OCR recently warned companies and institutions about future ransomware attacks and the importance of maintaining adequate controls, adding that ransomware attacks are considered "security incidents" under HIPAA. The added cherry on the cake? Payers may find themselves added to a list of "soft targets" for future hackers to re-exploit, which could mean even more demands and greater damages. Such an attack could be catastrophic for smaller companies and extremely damaging to mid-sized companies - particularly those with lax cyber security controls and those without sufficient cyber insurance.

The fact that this SamSam attack is targeting the healthcare sector is likely a key contributing factor behind the large demands - in addition to valuable PHI and critical infrastructure, healthcare organizations also have considerable assets. It will nonetheless be interesting to see how many companies actually pay. Meeting such high demands may be indicative of internal control failures and may promote further growth of extortion rewards. And if this attack isn't convincing enough, it comes just days after a record-shattering extortion payout. After having its servers infected (and websites shut down), South Korean web provider Nayana received a demand in the millions, which was later negotiated down to $1 million in order to free its servers. It appears the attack exploited vulnerabilities in out-of-date software. While Nayana had been performing regular backups, all backups were also reportedly encrypted by the hackers. These two attacks send a clear message about where cyber extortionists are headed: maximization of ROI through ballooning demands and more effective and creative attacks.

This serves as a strong reminder that companies should perform a careful review of their cyber policy's cyber extortion insuring agreement and check their limits and sub-limits for adequacy. Additionally, heavily regulated companies such as healthcare institutions, financial firms and public companies should also review the regulatory defense insuring agreement to ensure proper coverage is in place for any resulting regulatory investigations, proceedings and associated fines.
