In a new report, cyber insurer Allianz Global Corporate & Specialty (AGCS) analyzes the latest risk developments around ransomware and outlines how companies can strengthen their defenses with good cyber hygiene and IT security practices.
During the Covid-19 crisis another outbreak has happened in cyber space: a digital pandemic driven by ransomware. Malware attacks that encrypt company data and systems and demand a ransom payment for release are surging globally.
The increasing frequency and severity of ransomware incidents is driven by several factors: the growing number of different attack patterns such as ‘double’ and ‘triple’ extortion campaigns; a criminal business model around ‘ransomware as a service’ and cryptocurrencies; the recent skyrocketing of ransom demands; and the rise of supply chain attacks.
Five areas of focus
In the report, AGCS identifies five trends in the ransomware space, although these are constantly evolving and can quickly change in the ‘cat and mouse’ race between cyber criminals and companies:
- The development of ‘ransomware as a service’ has made it easier for criminals to carry out attacks. Run like a commercial business, hacker groups such as REvil and Darkside sell or rent their hacking tools to others. They also provide a range of support services. As a result, many more malicious threat actors are operating.
- From single to double to triple extortion. ‘Double extortion’ tactics are on the rise. Criminals combine the initial encryption of data or systems, or increasingly even their back-ups, with a secondary form of extortion, such as the threat to release sensitive or personal data. In such a scenario, affected companies have to manage the possibility of both a major business interruption and a data breach event, which can significantly increase the final cost of the incident. ‘Triple extortion’ incidents can combine DDoS attacks, file encryption and data theft – and don’t just target one company, but potentially also its customers and business partners. A notable case was a psychotherapy clinic in Finland – a ransom was demanded from the hospital. At the same time, smaller sums were also demanded from patients in return for not disclosing their personal information.
- Supply chain attacks are the next big thing: there are two main types – those that target software/IT service providers and use them to spread the malware (for example, the Kaseya or SolarWinds attacks), and those that target physical supply chains or critical infrastructure, such as the one that impacted Colonial Pipeline. Service providers are likely to become prime targets as they often supply hundreds or thousands of businesses with software solutions and therefore offer criminals the chance of a higher payout.
- Ransom dynamics: Ransom demands have rocketed over the past 18 months. According to Palo Alto Networks, the average extortion demand in the US was $5.3mn in the first half of 2021, a 518% increase on the 2020 average; the highest demand was $50mn, up from $30mn the previous year. The average amount paid to hackers is around 10 times lower than the average demand, but this general upward trend is alarming.
- To pay or not to pay: Ransom payment is a controversial topic. Law enforcement agencies typically advise against paying extortion demands to not further incentivize attacks. Even when a company decides to pay a ransom, the damage may have already been done. Restoring systems and enabling the recovery of the business is a huge undertaking, even when a company has the decryption key.
Main drivers of losses
Business interruption and restoration costs are the biggest drivers behind cyber losses such as ransomware attacks, according to AGCS claims analysis. They account for over 50% of the value of close to 3,000 insurance industry cyber claims worth around €750mn ($885mn) it has been involved in over six years.
The average total cost of recovery and downtime – on average 23 days – from a ransomware attack more than doubled over the past year, increasing from $761,106 to $1.85mn in 2021.
The surge in ransomware attacks in recent years has triggered a major shift in the cyber insurance market. Cyber insurance rates have been rising, according to broker Marsh, while capacity has tightened. Underwriters are placing increasing scrutiny on the cyber security controls employed by companies.
“Three out of four companies do not meet AGCS’ requirements for cyber security. Companies need to invest in cyber security. Losses can be avoided if organizations follow best practices. A house with an open door is much more likely to be burgled than a locked house,” explains Marek Stanislawski, Global Cyber Underwriting Lead at AGCS.
Best practices
#1 Ransomware identification
- Are anti‑ransomware toolsets deployed throughout the organization?
- What proactive measures are in place for identification of ransomware threats?
- Are policies, procedures, access control methods and communication channels updated frequently to address ransomware threats?
- Are in‑house capabilities or external arrangements in place to identify ransomware strains?
#2 Business continuity planning/incident response plan
- Are ransomware‑specific incident response processes in place?
- Have there been any previous ransomware incidents? If so, what lessons have been learned?
- Are pre‑agreed IT forensic firm or anti‑ransomware service provider arrangements in place?
Anti‑phishing exercises and user awareness training
- Is regular user training and awareness conducted on information security, phishing, phone scams and impersonation calls and social engineering attacks?
- Are social engineering or phishing simulation exercises conducted on an ongoing basis?
#3 Backups
- Are regular backups performed, including frequent backups for critical systems to minimize the impact of the disruption? Are offline back‑ups maintained as well?
- Are backups encrypted? Are backups replicated and stored at multiple offsite locations?
- Are processes in place for successful restoration and recovery of key assets within the Recovery Time Objective (RTO)?
- Are backups periodically retrieved and compared to the original data to ensure backup integrity?
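The last question above (retrieve a backup and compare it to the original) is a concrete check that can be scripted. The following is an added example, not code from the AGCS report: it hashes every file under the original tree and under a restored copy with SHA-256 and reports what is missing, modified or unexpected. It assumes plain directory trees on local disk; the sample files, the corrupted record and the missing file are constructed in a temporary directory to show what a failed restore test looks like.

```python
"""Verify a restored backup against the original data by hashing both trees.

Added example (not from the AGCS report). Assumes plain directory trees on
local disk; the demo data below is constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def tree_manifest(root):
    """Map each relative file path under root to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                # stream in 64 KiB chunks so large backup files do not load into memory
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare_manifests(original, restored):
    """Return files missing from the restore, files whose content changed, and extras."""
    return {
        "missing": sorted(set(original) - set(restored)),
        "modified": sorted(p for p in original.keys() & restored.keys()
                           if original[p] != restored[p]),
        "extra": sorted(set(restored) - set(original)),
    }


def restore_is_clean(report):
    """A restore test passes only when every category of discrepancy is empty."""
    return not any(report.values())


def demo():
    """Constructed scenario: one file corrupted during restore and one never restored."""
    with tempfile.TemporaryDirectory() as tmp:
        orig = Path(tmp, "original")
        rest = Path(tmp, "restored")
        files = {
            "db/customers.csv": b"id,name\n1,A\n",
            "docs/readme.txt": b"hello\n",
            "config/app.ini": b"[app]\nkey=value\n",
        }
        for rel, data in files.items():
            for base in (orig, rest):
                target = base / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # constructed faults in the restored copy
        (rest / "db/customers.csv").write_bytes(b"id,name\n1,B\n")  # silently altered
        (rest / "config/app.ini").unlink()                            # never restored
        return compare_manifests(tree_manifest(orig), tree_manifest(rest))


if __name__ == "__main__":
    report = demo()
    print("restore clean:", restore_is_clean(report))
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
```

In practice the manifest of the original would be produced at backup time and stored with the backup (ideally signed), so a periodic restore test only needs `tree_manifest` on the restored copy plus `compare_manifests` against the stored manifest; an empty report is the evidence that the RTO exercise actually recovered the data it claims to.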
#4 Endpoints
- Are endpoint protection (EPP) products and endpoint detection and response (EDR) solutions utilized across the organization on mobile devices, tablets, laptops, desktops etc.?
- Are Local Administrator Password Solutions (LAPS) implemented on endpoints?
#5 Email, web, office documents security
- Is Sender Policy Framework strictly enforced?
- Are email gateways configured to look for potentially malicious links and programs?
- Is web content filtering enforced, including restricting access to social media platforms?
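"Strictly enforced" SPF means, in practice, that the domain's record ends in `-all` (reject unlisted senders) rather than `~all`, `?all` or `+all`, and that it stays within the 10-DNS-lookup limit of RFC 7208, beyond which receivers treat the record as a permanent error and stop enforcing it. The following is an added example, not code from the AGCS report: an offline auditor for SPF TXT records that flags those weaknesses. The two sample records are constructed; no DNS queries are made.

```python
"""Audit an SPF TXT record for strict enforcement (offline, no DNS queries).

Added example (not from the AGCS report). The checks follow RFC 7208: the
qualifier on the 'all' mechanism and the limit of 10 DNS-querying terms.
Sample records are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Terms that each cost one DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


@dataclass
class SpfAudit:
    record: str
    all_qualifier: Optional[str] = None   # "+", "-", "~", "?" or None if no 'all' term
    lookups: int = 0
    findings: List[str] = field(default_factory=list)

    @property
    def strict(self) -> bool:
        return not self.findings


def audit_spf(record: str) -> SpfAudit:
    """Parse one SPF record and collect findings that weaken enforcement."""
    audit = SpfAudit(record=record)
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        audit.findings.append("not an SPF record (missing v=spf1)")
        return audit
    for term in terms[1:]:
        if "=" in term:
            # modifier (redirect=, exp=); only redirect counts as a lookup
            if term.split("=", 1)[0].lower() == "redirect":
                audit.lookups += 1
            continue
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            audit.all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            audit.lookups += 1
        if name == "ptr":
            audit.findings.append("ptr mechanism is deprecated and unreliable")
    if audit.all_qualifier is None:
        audit.findings.append("no 'all' term: unlisted senders are not rejected")
    elif audit.all_qualifier in "+?":
        audit.findings.append(f"'{audit.all_qualifier}all' permits any sender")
    elif audit.all_qualifier == "~":
        audit.findings.append("'~all' only soft-fails; use '-all' to reject")
    if audit.lookups > MAX_LOOKUPS:
        audit.findings.append(
            f"{audit.lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}; "
            "receivers return permerror and stop enforcing the record")
    return audit


# Constructed sample records: a permissive one and its strict counterpart.
WEAK_RECORD = "v=spf1 include:_spf.example.net a mx ~all"
STRICT_RECORD = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"

if __name__ == "__main__":
    for rec in (WEAK_RECORD, STRICT_RECORD):
        result = audit_spf(rec)
        print(rec, "-> strict" if result.strict else f"-> {result.findings}")
```

SPF alone only authenticates the envelope sender; pairing it with DKIM and a DMARC policy of `p=reject` is what lets the receiving gateway act on the result, so an audit of the mail gateway should cover all three.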
#6 Segmentation
- Are physical and logical segregations maintained within the network, including the cloud environment?
- Are micro segmentation and zero trust frameworks in place to reduce the overall attack surface?
Monitoring, patching and vulnerability management policies
- Are automated scans run to detect vulnerabilities? Are third party penetration tests performed on a regular basis?
- Does the organization ensure appropriate access policies, enforcement of multi‑factor authentication for critical data access, remote network connections and for privileged user access?
- Is continuous monitoring in place for detecting unusual account behavior, new domain accounts and any account privilege escalations (administrator level), new service additions, and unusual chains of commands being run within a short time period?
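The monitoring question above names four behaviours; each maps to a well-known Windows event and a simple rule. The following is an added example, not code from the AGCS report, showing those rules over constructed JSON-lines events. It assumes records with `ts`, `id`, `host`, `user` and `detail` fields and uses the standard event IDs 4720 (account created), 4728/4732 (member added to a security-enabled group), 7045 (service installed) and 4688 (process created); the 60-second/5-process burst threshold and the admin group names are assumptions a team would tune.

```python
"""Rule-based detection for the account and host behaviours in the AGCS checklist.

Added example (not from the AGCS report). Input is constructed JSON lines with
fields ts, id, host, user, detail. Event IDs: 4720 account created,
4728/4732 member added to security-enabled group, 7045 service installed,
4688 process created. Thresholds and group names are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
BURST_WINDOW = timedelta(seconds=60)   # "short time period" (assumed)
BURST_COUNT = 5                        # processes per user/host in that window (assumed)

# Constructed sample: routine activity, then a new account that is promoted,
# installs a service on a file server and runs a burst of commands.
SAMPLE_LOG = """\
{"ts": "2021-10-05T09:00:01", "id": 4688, "host": "WS01", "user": "alice", "detail": "image=outlook.exe"}
{"ts": "2021-10-05T09:00:05", "id": 4688, "host": "WS01", "user": "alice", "detail": "image=excel.exe"}
{"ts": "2021-10-05T09:05:00", "id": 4720, "host": "DC01", "user": "svc-backup", "detail": "target=support2"}
{"ts": "2021-10-05T09:05:30", "id": 4728, "host": "DC01", "user": "svc-backup", "detail": "member=support2;group=Domain Admins"}
{"ts": "2021-10-05T09:06:00", "id": 7045, "host": "FS01", "user": "support2", "detail": "service=UpdaterSvc"}
{"ts": "2021-10-05T09:06:10", "id": 4688, "host": "FS01", "user": "support2", "detail": "image=whoami.exe"}
{"ts": "2021-10-05T09:06:12", "id": 4688, "host": "FS01", "user": "support2", "detail": "image=net.exe"}
{"ts": "2021-10-05T09:06:15", "id": 4688, "host": "FS01", "user": "support2", "detail": "image=nltest.exe"}
{"ts": "2021-10-05T09:06:20", "id": 4688, "host": "FS01", "user": "support2", "detail": "image=ipconfig.exe"}
{"ts": "2021-10-05T09:06:25", "id": 4688, "host": "FS01", "user": "support2", "detail": "image=systeminfo.exe"}
"""


def parse_kv(detail):
    """'member=x;group=y' -> {'member': 'x', 'group': 'y'}"""
    return dict(part.split("=", 1) for part in detail.split(";") if "=" in part)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (rule, host, user, detail) tuples in the order the rules fire."""
    alerts = []
    recent_procs = defaultdict(list)   # (host, user) -> timestamps inside the window
    for e in events:
        eid, host, user, detail = e["id"], e["host"], e["user"], e["detail"]
        if eid == 4720:
            alerts.append(("new_account", host, user, detail))
        elif eid in (4728, 4732):
            if parse_kv(detail).get("group") in ADMIN_GROUPS:
                alerts.append(("privilege_escalation", host, user, detail))
        elif eid == 7045:
            alerts.append(("new_service", host, user, detail))
        elif eid == 4688:
            window = recent_procs[(host, user)]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > BURST_WINDOW:
                window.pop(0)              # slide the window forward
            if len(window) == BURST_COUNT:  # fire once when the threshold is crossed
                alerts.append(("command_burst", host, user,
                               f"{BURST_COUNT} processes within {BURST_WINDOW.seconds}s"))
    return alerts


def run_sample():
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Correlating the four alerts by user (`support2` is created, promoted, then active on a different host within two minutes) is what turns individually noisy signals into a high-confidence incident; a SIEM rule that groups alerts by the `member` of the 4728 event is the natural next step.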
#7 Mergers and acquisitions
- What due diligence and risk management activities are performed prior to M&A?
- Are regular security audits conducted on newly‑integrated entities to ensure evaluation of security controls?