
Insurers See Ransomware Claims More Than Double

Ransomware attacks are on the rise, with one insurance company seeing the number of customer claims more than double in 2019. The spike in attacks was most evident in healthcare, professional services, and financial services.

The number of ransomware attack notifications against customers of London-based insurance company [Beazley Group](https://www.beazley.com) more than doubled in 2019 compared to 2018, Beazley Breach Response (BBR) Services, the insurer’s in-house breach response team, said in its [Beazley Breach Briefing](https://www.beazley.com/news/2020/beazley_breach_briefing_2020.html). The increase is also dramatic: There were 775 incidents in 2019, a 131 percent increase from 2018, a 20 percent increase in 2018 compared to 2017, and a 9 percent increase in 2017 compared to 2016.

“Until four years ago reports from our policyholders of ransomware attacks were infrequent,” said the Beazley Breach Briefing. Back then, a ransomware attack typically did not also include data exfiltration, where the files were copied to a remote server. That is increasingly no longer the case. “Today, however, not only has the frequency of ransomware attacks increased substantially, but the added threat of a data breach makes them potentially much more damaging,” the report said.

More Ransomware

The figures from Beazley Breach Response Services are useful for understanding the magnitude of the ransomware problem. Many ransomware victims don’t publicly disclose they’ve been impacted by a ransomware attack, and even fewer notify law enforcement. This reticence makes it difficult to get an accurate picture of whether these attacks are becoming more common or not. Even in cases where the victims report the ransomware attack to the public, they often decline to divulge the amount of ransom asked for, or paid.

There is no doubt ransomware attacks are on the rise. Trend Micro reported a 10 percent increase in ransomware detections in 2019 in its Annual Threat Report 2019, and said that the healthcare sector was the most targeted industry, with more than 700 providers impacted. The figures were even higher from Kaspersky, which reported a 60 percent increase in ransomware attacks in 2019 compared to 2018. Ransomware targeted 174 municipalities and 3,000 of their sub-organizations in 2019, Kaspersky said.

Government organizations were the “intended victims of nearly two-thirds of all ransomware attacks,” Barracuda said back in August.

Insights from insurers like Beazley that see ransomware infections that may not otherwise be reported help illustrate the situation. According to the Beazley Breach Briefing, the healthcare sector was hardest hit in 2019, accounting for 35 percent of attack reports. These included direct attacks against hospitals, health systems, and other covered entities, as well as attacks on IT vendors providing services to hundreds of dental and nursing home facilities. Financial companies were second most impacted, at 16 percent, followed by educational institutions at 12 percent, and professional services organizations at 9 percent, said the Beazley Breach Briefing.

The report included ransomware incidents where the customer wasn’t the actual target, but had its operations disrupted because its IT provider or other third-party entity was infected. These attacks had a wider impact, because they affected many of the provider’s customers, not just a single victim. About 17 percent of attacks in the Beazley Breach Briefing involved these third-party organizations.

"The targets of these attacks were not coincidental; criminals calculate the odds of receiving a ransom payment from an attacked MSP whose entire customer base and business could dissipate due to an attack," the Beazley Breach Briefing said.

Ransomware attacks against large and well-known organizations are more likely to be reported and talked about. But about three-fifths of the victims, or 62 percent, in Beazley’s data were small and medium-sized businesses. These organizations are frequently undercounted because they are small enough to not have to disclose the attacks.

Products and services with a large market share are likely ransomware targets. These include communication devices, smart TVs, and cloud-based security and monitoring tools, “as they have a very large attack surface,” the Briefing said.

Attackers’ Entry Points

One reason there are more attacks is that there are more ransomware strains than there used to be. The availability of ransomware strains such as Ryuk and Sodinokibi means it is easier for attackers to get started on their campaigns. Another reason is that employees are falling for phishing scams and organizations are still struggling to secure remote desktop protocol (RDP) properly. RDP allows employees to remotely access their corporate workstations and servers. However, many RDP systems can be found by scanning for IP addresses, and are generally unprotected. Many organizations don’t bother assigning a password to RDP, or use a weak and/or compromised password, “giving a brute-force attack a high probability of success.” RDP is not always updated in a timely manner, and there are many recently discovered vulnerabilities which would allow someone to have unauthenticated access to the target computer.

Once in the network, the attacker can move around to infect additional systems and potentially steal information.

While protections such as email filters, multi-factor authentication, strong password policies to prevent recycled passwords, and employee training to recognize and report suspicious messages can help thwart phishing, “few of these solutions are broadly implemented,” Beazley Breach Response Services wrote. Similarly, requiring a virtual private network and using IP whitelisting to restrict who can connect via RDP can help mitigate the risks of someone unauthorized getting on the network.

More and more attackers are using ransomware alongside other types of malware to steal and exfiltrate sensitive information. Criminals are also combining ransomware with other attack techniques, such as breaching the network with the TrickBot banking Trojan and then encrypting the files with ransomware, said Katherine Keefe, Beazley’s head of breach response services.

“This two-pronged attack leaves organizations not only with the debilitating impact of its critical systems and data being encrypted, but with the added risk of data being accessed or stolen,” Keefe said.

Other recommendations include updating PowerShell to the latest framework and disabling PowerShell where not needed, automated patching of the operating system and web browsers, web filtering, and limiting administrative rights to only IT staff and not regular users.

Myth-Busting

The insurance industry is in the early stages of assessing risk and figuring out how to write policies for ransomware attacks. The insurer may assist with the forensic investigation, developing a course of action, and negotiating the ransom. The entire point of the insurance policy is to help the company resume normal operations as quickly as possible, said Stephen Boyer, CTO of security ratings company BitSight.

“As soon as possible” is the key phrase. There is a false assumption that paying the ransom immediately restores data and business operations. Paying the ransom only helps with getting the data back, the Briefing said, citing Bill Siegel, CEO of Coveware, a security company which helps victims negotiate with attack groups. According to Siegel, the organization still has to clean the affected systems and remediate the vulnerability which allowed the machine to get infected and the infection to spread through the network.

“The process of remediating and ensuring the network is safe to use often takes much longer than the actual decryption of data,” the Briefing said. “In Coveware’s experience, restoring from backups is always faster than ransom payment as a means to recover even though it may seem like a time-consuming process.”

Paying the ransom isn’t always faster, and while it can be cheaper than restoring from backups, the difference is not that large. Consider the city of Atlanta, which wound up spending at least $2.6 million to restore its systems rather than paying the $52,000 ransom. However, the ransom isn’t the only cost of recovery. The organization still has other expenses, such as paying for the work performed by forensics investigators, costs associated with crisis communications, and overtime for its security and IT staff who cleaned the infection and repaired the vulnerabilities. Organizations that choose to pay the ransom are relying on their insurance providers to help cover the costs.

There is a perception that insurance providers don’t pay out security claims, but that is false, said Stephen Boyer, CEO of security ratings company Bitsight. Most insurers cover the costs of cyberattacks for policyholders, especially in cases of BEC scams and ransomware, Boyer said.

It didn’t help matters when various insurance companies declined Merck’s claims relating to costs incurred by NotPetya, classifying the malware as “an act of war.” Within insurance circles, the decision to deny the claims was a controversial one, with some insurers believing that the “act of war” exclusion was used inappropriately, Boyer said.

The Beazley Briefing had a sobering conclusion: “ransomware is not going away any time soon.” The attacks are “far too successful and profitable for cyber criminals to shift course.”