Preparing for Ransomware Risks

Leeann Nicolo | December 7, 2020

The ransomware business model is arguably the most significant innovation in cybercrime in recent history, and the sophistication and variety of schemes are still evolving.

Coalition’s newly released H1 2020 Cyber Insurance Claims Report examined cyber claims across 25,000 organizations. It found that the average ransom demand amongst policyholders increased 100% from 2019 through the first quarter of 2020 and increased another 47% from Q1 to Q2 2020 during the beginning of the pandemic. 

Ransomware incidents also tend to be about 2.5 times more severe than other reported cyber insurance claims. These attacks often cause significant interruptions to ongoing business activities, and the process of recovering and restoring business operations, even when system backups are readily available, can be complex, expensive and lengthy. Organizations without backups, or whose backups were encrypted along with everything else, face an even longer road to recovery.

Perhaps most shocking right now is the dramatic increase in the severity of these attacks. The ransom demands are higher, and the complexity and cost of remediation are growing. Businesses should keep the following in mind:

1. Ransomware does not discriminate.

The most important thing to know is that every company with an internet presence, regardless of size, is at risk. Nearly every industry has seen an increase in ransomware attacks. Organizations that are particularly vulnerable often manage sensitive data, enable internet-exposed remote access tools (e.g., Remote Desktop Protocol), and use third-party IT providers. 

According to the Coalition report, the top five industries for ransomware claims were: consumer discretionary such as retail, hospitality and food (28%), followed by professional services such as law firms (16%), health care (12%), financial services (9%) and information technology (8%).

2. Remote working increases ransomware risk.

Data from the report also showed a significant increase in the number and severity of ransomware attacks since the onset of the COVID-19 pandemic. The changes organizations implemented to facilitate remote work have given cybercriminals new opportunities to launch unprecedented campaigns, exploiting mass uncertainty and fear.

Much of the risk is found in the use of Remote Desktop Protocol (RDP), a common service on Microsoft Windows networks that provides remote access to desktops. RDP is not the only way ransomware operators gain access, but it is extremely popular. Coalition found that disabling RDP, along with implementing multi-factor authentication, eliminates 80% of ransomware events.

The underlying problem is how RDP is exposed and authenticated. RDP carries the session between the client (the one viewing the desktop) and the server (the system being accessed), and it is most commonly secured by nothing more than a username and password, the same credentials a user types to log in to any Windows desktop, so an internet-facing RDP service is only as strong as those credentials. The protocol itself has also repeatedly been a problem, with a history of vulnerabilities that have allowed attackers to bypass the need for a username or password entirely.
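Because an exposed RDP service is only as strong as its passwords, the first thing a defender wants is to know when someone is guessing them. The following is an added example, not code from Coalition or from this article: it parses a handful of constructed Windows Security log records (the real events are 4625 for a failed logon and 4624 for a successful one, with logon type 10 marking a Remote Desktop session; the line format, the usernames and the RFC 5737 documentation IP addresses here are all made up for the example) and raises an alert when one source address fails repeatedly within a short window, and a higher-severity alert if that same address then logs in successfully.

```python
"""Flag password guessing against RDP from Windows Security logon events.

Added example: the line format below is a constructed, simplified rendering
of Windows Security events, not the native EVTX or XML layout. Field
meanings follow the real event IDs: 4625 = failed logon, 4624 = successful
logon, LogonType 10 = RemoteInteractive (RDP).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not real telemetry). 203.0.113.45 guesses several
# accounts and then gets in as jsmith; 198.51.100.7 is a user who mistyped once.
SAMPLE_EVENTS = """\
2020-12-07T02:14:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2020-12-07T02:14:03Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2020-12-07T02:14:04Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2020-12-07T02:14:06Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2020-12-07T02:14:09Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.45
2020-12-07T02:14:12Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.45
2020-12-07T02:15:30Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.45
2020-12-07T08:02:11Z EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=127.0.0.1
2020-12-07T09:00:00Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2020-12-07T09:10:00Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Turn the constructed log text into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(d["event_id"]),
            "logon_type": int(d["logon_type"]),
            "user": d["user"].lower(),
            "ip": d["ip"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for sources with >= threshold RDP failures inside window.

    A later successful RDP logon from an already-flagged source produces a
    second, higher-severity alert: that is the pattern of a guessed password.
    """
    failures = defaultdict(deque)  # source IP -> deque of (timestamp, user)
    flagged = {}                   # source IP -> time it was first flagged
    alerts = []
    for e in events:
        if e["logon_type"] != 10:  # only Remote Desktop sessions matter here
            continue
        ip = e["ip"]
        if e["event_id"] == 4625:
            q = failures[ip]
            q.append((e["ts"], e["user"]))
            while q and e["ts"] - q[0][0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = e["ts"]
                alerts.append({
                    "rule": "rdp_bruteforce", "severity": "medium", "ip": ip,
                    "failures": len(q), "users": sorted({u for _, u in q}),
                    "ts": e["ts"],
                })
        elif e["event_id"] == 4624 and ip in flagged:
            alerts.append({
                "rule": "rdp_bruteforce_success", "severity": "high", "ip": ip,
                "user": e["user"], "ts": e["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The threshold and window are deliberately conservative so the rule fires on the sample without being tuned to it; in production the same logic would run over events pulled from the security log or a SIEM, and the "success after failures" alert is the one worth paging on, since it is the point at which an attacker has a foothold rather than merely a target.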

With no immediate end in sight to remote working, companies should consider alternatives to safely collaborate and connect.

3. The ransomware industry continues to innovate.

As with any lucrative business, innovation is needed for growth, and Ransomware-as-a-Service (RaaS) has been gaining traction since 2016. With its profit-sharing model, any amateur can sign up for a free or inexpensive platform that provides access to ransomware, a user-friendly dashboard to monitor victims, and customizable features.

This market continues to expand, introducing more severe strains of ransomware to its customers. Traditionally, criminals would hold an organization’s data hostage by encrypting and disabling access to business-critical systems and data until the organization paid a ransom. Newer strains of ransomware, including DoppelPaymer and Maze, steal an organization’s data prior to encrypting it, and then threaten to publicly expose the stolen data if a ransom is not paid.

While the data exfiltration component of the attack increases the complexity, the additional leverage gained by the criminal actor allows them to demand much higher ransoms. The average ransom demand for Maze ransomware, for example, is six times the overall average demand. 

4. The risk of cyber as a peril is real.

Unfortunately, 2020 will also be remembered in the cybersecurity world as the year that ransomware could have resulted in the loss of life. After a ransomware attack at Düsseldorf University Hospital in Germany, a patient was directed to another hospital and died. Later investigation determined that the delay likely did not cause the patient’s death.

Cyber risk is a peril that goes beyond the digital world and can result in bodily injury or property damage. Computers run everything from vital health care equipment to critical facilities operations. Interrupting these computers has consequences. It is imperative that every industry view ransomware as a peril.

5. Response time is critical.

Security breaches will happen, but with ransomware, the breach is not the most significant point of failure. The inability to recover without paying an enormous ransom can be even more devastating. Timing is important, as some ransomware variants increase the ransom demand if the attackers are not contacted shortly after the infection.

Speedy incident response can help “put out the fire” and stop the spread of ransomware. Incident response teams should test encrypted files against current tool repositories to see if decryption is possible without payment and facilitate attacker communication if necessary.

6. Have a sound backup strategy.

Malicious actors can cause all sorts of trouble, which is why a proper backup strategy adds a layer of security that ensures a company keeps access to its most valuable data. Businesses should regularly back up systems and information, and store backups in an “offsite” location that is not connected to the company’s main business network. This makes it far more difficult for a malicious actor to delete or encrypt the company’s backups.
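An offsite copy only helps if you can tell, before you need it, that it is still intact. The following is an added example, not code from Coalition or from this article: it records a SHA-256 manifest of the live data at backup time, then checks a backup copy against that manifest and reports files that are missing, altered (as they would be after being encrypted) or unexpected (such as a dropped note). The directory names, file contents and the simulated tampering in `demo()` are all constructed for the example; the point is that the manifest must be kept apart from the backup itself, in the same offline location the paragraph recommends, or an attacker who reaches the backup can rewrite both.

```python
"""Verify an offsite backup set against a hash manifest taken at backup time.

Added example. The manifest is a plain dict of relative path -> SHA-256 and
should be stored offline, alongside (but separate from) the backup media.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_backup(backup_root, manifest):
    """Compare a backup copy with the manifest recorded when it was taken."""
    backup_root = Path(backup_root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in sorted(manifest.items()):
        p = backup_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    present = {p.relative_to(backup_root).as_posix()
               for p in backup_root.rglob("*") if p.is_file()}
    result["unexpected"] = sorted(present - set(manifest))
    # A backup is only usable if nothing is missing or altered.
    result["intact"] = not (result["missing"] or result["modified"])
    return result


def demo():
    """Build a tiny live dataset, back it up, then simulate the backup being hit."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "report.txt").write_bytes(b"Q3 figures (constructed)\n")
        (live / "db.sqlite").write_bytes(b"\x00" * 1024)
        backup = Path(tmp) / "offsite"
        shutil.copytree(live, backup)
        manifest = build_manifest(live)          # keep this copy offline

        before = verify_backup(backup, manifest)  # freshly taken: should be intact

        # Simulated tampering (constructed): one file overwritten with random
        # bytes the way an encryptor would leave it, one deleted, one note added.
        (backup / "docs" / "report.txt").write_bytes(os.urandom(64))
        (backup / "db.sqlite").unlink()
        (backup / "HOW_TO_RESTORE.txt").write_text("constructed note\n")

        after = verify_backup(backup, manifest)
        return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, report in demo().items():
        print(stage, report)
```

Run this check on a schedule from a host that can read the backup media but not write to it; a backup that fails the check is one you would have discovered only on the day you needed it.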

7. Insurance is available to transfer risk.

No cybersecurity plan is 100% effective, but the right kind of cyber insurance can help. Businesses should assess how their cyber insurance policy will stand up in these pandemic times, as employees are now working remotely and companies face a steep increase in ransomware. It is important to understand what a policy covers and to take stock of the insurer’s ability to mitigate and manage risk before, during and after a cyber event. Businesses should know how their insurer will approach ransomware and its track record for managing an effective response.

In October, the U.S. Treasury Department released an advisory detailing sanctions for paying or facilitating ransomware payments. While the advisory does not change any existing laws or sanctions, it reinforces existing law, and businesses must be confident that their insurer will comply. Failure to do so may result in substantial fines and penalties. Businesses should also check with their agents and insurers for ransomware best practices and keep the dialogue open about ransomware risk.

Leeann Nicolo is incident response lead at Coalition.