In February, Hollywood Presbyterian Medical Center was crippled by a cyberattack that encrypted patient and laboratory records and took all network and computer-related functions, including CT scans, lab work, pharmaceutical activity and patient records, offline for more than a week. Hospital president and CEO Allen Stefanek declared an internal emergency as staff manually logged registrations and records on paper and used fax machines to communicate. Despite the assistance of local police and security experts, the hospital ultimately realized the quickest and most efficient way to restore systems and administrative functionality was to pay the hackers’ demanded ransom of 40 bitcoins, worth around $17,000.
By the end of March, at least four other hospitals had also been the victims of ransomware, although it is unknown whether they ultimately paid ransoms. The FBI is investigating the cases.
Unlike other kinds of cyberattacks, ransomware attacks are not about data exfiltration; they are about freezing access, holding businesses functionally hostage. When this kind of malware infects a system, it encrypts important files and documents and demands a ransom, typically in the form of digital currency like bitcoin, in exchange for a decryption key. The encryption can be crippling and circumventing it very difficult, so the FBI surprisingly advises businesses that they may be better off paying the ransom, especially if the company’s system backup has also been infected.
While experts anecdotally cited ransom demands in the financial and professional services industries reaching well into the hundreds of thousands of dollars, most attacks thus far have been smaller, asking for a single bitcoin (about $400). The ease of launching these attacks and their efficacy add up, though. Researchers at Intel Security report that one ransomware campaign alone netted $325 million last year, and security firm Bromium has seen a 600% increase in the number of ransomware “families” since 2013, in which time ransomware has become one of the most common attack trends. Indeed, in a survey the firm conducted at information security industry conference RSA, 49% of respondents said they or someone they knew had experienced a ransomware infection.
In addition to its growing frequency, the actual means of attack have also improved significantly, as hackers get better at social engineering and develop better malware. In 2014, Trend Micro found that 80% of attacks used standard malware and 20% used crypto malware, which is far more impactful as it encrypts critical files and folders as opposed to installing simpler lockscreens. Now, the firm’s research shows a full reversal, with more than 80% of attacks using this more effective ransomware.
“If it wasn’t profitable, you wouldn’t be seeing this level of sophistication,” said Ed Cabrera, Trend Micro’s vice president of cybersecurity strategy, and former chief information security officer for the U.S. Secret Service. “That tells me it’s here to stay and it’s only going to get worse.”
The success of this threat vector has not only led to the development of more and better ransomware, but also to the development of ransomware as a service, with hackers selling the malware so even unskilled cyberattackers can launch these attacks through basic social engineering campaigns. This is part of a “criminal supply chain,” Cabrera said, and it is poised to continue rapidly expanding.
“It’s being incredibly incentivized—it’s paying off. Just like any criminal enterprise, if it doesn’t pay, nobody’s going to be doing it, and these have developed into mini criminal businesses,” he explained. “As ransomware matures, so does the development of crime as a service and ransomware as a service. These solutions start to gain traction because now these criminal businesses realize there are different opportunities here and they create the ability for non-sophisticated actors to become extremely sophisticated and make a profit.”
That also means the targets will be unpredictable and from a broad range of sectors. Hospitals, schools and police departments make soft targets for ransomware attacks as they often lack the cybersecurity sophistication of, say, a bank, and the acute pressure of a service outage translates into an even greater need to restore systems quickly. But all entities that perform services or rely on internet systems to do business are vulnerable, whether that be e-commerce, financial services, government or professional services firms. For example, Yellow Cab of Los Angeles lost access to its primary phone lines in a ransomware attack recently, forcing calls to be rerouted to a backup dispatch center, increasing the possibility that more customers could be lost to competing services like Uber or Lyft.
“It’s almost like a three-pronged litmus test: Do they have the money, are they mature from a cybersecurity perspective, and do they have critical data that they need? If you meet all these, you’d make a great target,” Cabrera said. “That’s why we’re seeing law firms and all other kinds of entities being targeted. We’re in a knowledge-based economy, and if your business is all about having knowledge or providing a service and you’re not able to provide that service because of some kind of crypto ransomware attack, then you make a prime candidate.”
Cabrera believes the recent spate of publicized attacks speaks to the growing ubiquity of the threat. “I think the story is what we’re not seeing,” Cabrera said. “Right now, we have all these data breach notification laws, none of which have a requirement to notify when you’re being attacked for ransomware—they’re to notify the consumer if their data has been stolen. A lot of the attacks and a lot of the payment, the general public is not seeing.”
According to Tim Francis, enterprise lead for cyber insurance at Travelers, ransomware also represents a notable change in how extortion schemes are conducted, and many businesses have not fully recognized or prepared for the shift.
“It’s a false assumption to think, well, I won’t be targeted because I’m not a big company or I’m in an innocuous industry,” he explained. “The bad guys could care less. They’re not targeting you. It’s not personal—this is business. And if you happen to be the unfortunate company with an employee who clicked on a link, they’re just as happy to encrypt your data and try to extort some money out of you as they are the next guy down the street. If they have it their way, they’ll do both.”
Small and mid-sized businesses are also particularly vulnerable as they often do not have the necessary backup systems or IT resources readily available. “They’re more likely to be susceptible and it’s harder for them to extricate themselves when an event takes place,” Francis said.
Cabrera believes the threat illustrates the need to focus on resilience. “If you’re very mature from the side of your disaster recovery plans and you’re constantly backing up all your data, you’re in a better position to withstand some kind of attack,” he explained.
Insuring Against the Risk
Insurance is a critical element of preparing for ransomware attacks. The forensic and information security experts available through cyber insurance policies are an important resource in examining the extent of damage and attempting to minimize downtime, for example, and some of the costs of paying a ransom and losses from business interruption may well be recoverable.
Losses from these attacks could fall under a few different lines of coverage, depending on how they play out and where policyholders want to file claims. “It’s almost up to the customer or the agent which option is best for that particular customer. If anything, they now have more options,” Francis said. “More often than not, we are seeing agents making sure that a customer who wants coverage for cyber extortion gets that coverage through a cyber policy.”
As these cases involve extortion, some kidnap, ransom and extortion policies would also respond. In the event of concrete losses due to system shutdown, some business interruption policies may kick in as well, as could business interruption provisions within a cyber policy, if buyers elected to obtain that coverage. However, while there is available coverage for business interruption stemming from a cyber event and even specific coverage for cyber extortion, not all cyber insurance policies include these automatically. Rather, buyers and brokers alike should review the range of options in the cyber market and stay abreast of emerging threats.
“We have seen an increase in claims, but we haven’t seen as many claims as I suspect are actually taking place,” Francis said. “That tells me that there’s still a large group of companies out there that probably ought to be purchasing insurance that just aren’t, or perhaps have purchased insurance thinking they purchased it for a traditional data breach and may not realize that the coverage is even available.”