Unfortunately for business leaders, ransomware is an ever-growing security issue. Jan van Vliet, VP EMEA, Digital Guardian, considers whether an intended solution to cybercrime has inadvertently contributed to a large part of the ransomware problem.
Ransomware has been an ever-present threat to businesses of all shapes and sizes for almost two decades. While it was originally conceived as a means to extort money from individuals, it wasn’t long before cybercriminals realised it was just as effective – and far more profitable – to use against organisations as well. Within just a few years, ransomware like Reveton, CryptoLocker and, more recently, WannaCry was being used to bring businesses around the world to their knees, with victims ranging from corporate entities and local governments to universities and medical centres. In short, no one was safe.
As awareness of the threat grew, many organisations upped their cybersecurity game significantly, and it wasn’t long before additional investment in both technology and employee security training started to translate into a noticeable fall in ransomware attack volumes globally. For a while, it even seemed like ransomware was heading for the rubbish heap. However, a recent resurgence has propelled ransomware right back to the top of the cyberthreat list. The question is, what’s behind it?
As unlikely as it may sound, there’s a growing body of evidence to suggest that the rise of the cybersecurity insurance industry may well have played a key role in ransomware’s renaissance. In this article, we’ll look at some of this evidence and evaluate whether something designed to be part of the solution to cybercrime has unintentionally become a large part of the problem.
Cybersecurity insurance – an unlikely villain?
Most cybercriminal operations are highly organised and extremely ambitious in their scope. Rather than simply encrypting victims’ data and demanding money for its return like they used to, many have quickly learned that threatening to release it publicly is a great way to expedite a desired response. That’s because in the age of the Internet, public exposure poses far greater risks to many victims, including potentially fatal reputational damage, as well as significant regulatory fines in some cases. For this reason, it’s no surprise that cybersecurity insurance has exploded in recent years, as organisations scramble to protect themselves as best they can against such a potent threat.
However, this rise in cybersecurity insurance has quickly created unexpected problems, primarily because so many victims are now finding it far quicker and easier to simply pay the ransom through their insurance rather than trying to deal with the fallout themselves. The more victims use insurers to pay ransoms this way, the more criminals are encouraged to keep carrying out attacks. It’s created a vicious cycle that’s proving to be both profitable and rewarding for hackers, while motivating more and more organisations to invest in insurance policies to cover themselves.
What’s more, many ransomware victims are paying off cybercriminals with the full agreement – and even encouragement – of their insurers, for whom paying the ransom is by far the cheapest option when compared to footing the bill for extensive data recovery. To put this into context, below are two recent examples of ransomware attacks that were handled very differently by the victims, leading to starkly contrasting outcomes.
In 2019, Lake City in Florida fell victim to a ransomware attack that crippled its government systems. Rather than pursuing data recovery options, it chose to pay the ransom of around £350,000 via its insurance policy. The government itself was only liable for the £7,500 policy excess, with insurance firm Beazley paying the balance under the terms of the policy. It was later discovered that the decision to pay was made on Beazley’s own recommendation, after analysis suggested the work needed to recover the stolen data from backups would likely have run into millions of dollars.
The pragmatism of such a decision is difficult to dispute in the face of the evidence. Not only was a significant amount of money saved in the long run, it allowed the government to get back to work much faster than would otherwise have been possible. Unfortunately, it also meant the perpetrators got away with both the crime itself and almost half a million dollars in ill-gotten gains.
By contrast, when the city of Atlanta fell victim to a SamSam ransomware attack in 2018, it refused to pay the £42,000 ransom demand and instead chose to recover the data at its own expense. While this decision left the criminals empty-handed, it’s estimated that the total cost to the city was an eye-watering £6.8 million.
Criminals are getting bolder
As more and more organisations look to their insurance in the event of an attack, cybercriminals are also starting to demand ever-increasing payments. In the last 12 months alone, the average ransomware payment has risen sixfold to £27,000. What’s more, it appears that criminals are actively targeting organisations known to have cyber-insurance policies in place. The inevitable result is that insurance providers are steadily raising the cost of their premiums to cover the growth in claims – bringing us back to that vicious cycle again.
Ultimately, prevention is better than cure and businesses need to start treating cybersecurity insurance as a line of last resort instead of a strategy in its own right. Instead, they should focus on investing in security technology and training that will prevent them from falling victim in the first place. Until that starts happening again, ransomware’s renaissance looks set to continue for some time to come.