Held to Ransom

The two large-scale, high-profile global cyber attacks — WannaCry and NotPetya — have recently put ransomware in the spotlight.

But this cyber crime tactic has been affecting businesses of all kinds for more than a decade and it seems no one is immune to it. Victims are as far flung as municipalities in the United States to banks in the Middle East and universities in Canada, and ransomware’s prevalence is only increasing.

Graeme Newman, Chief Innovation Officer, CFC Underwriting

For those less familiar with the term, ransomware refers to when computer systems are infected with a malicious software program that searches for data files and encrypts them so they are inaccessible without the decryption key. System owners are then asked to pay for the decryption key and threatened with losing their data unless payments are made.

It is a form of crime that is showing a significant uptick. In the first quarter of 2016, for example, ransomware accounted for 12.9% of claims received by CFC Underwriting, while it was the root cause of 20.5% of claims in the same quarter of 2017.

The advent of ransomware is part of a natural evolution of computer crime. In the early days of computers, viruses were mostly just an inconvenience, posing no real threat to business continuity or balance sheets.

However, as businesses began using technology to manage more and more of their operations and as data increasingly became one of their most valuable assets, it is only natural that criminals would try and monetize these attacks.

From the perspective of hackers, the attacks are fairly easy to implement, come with few risks and have the potential to reap significant rewards if done right.

TACTICS AND AIMS

Not all ransomware is created equal, however. In fact, as similar as the WannaCry and NotPetya attacks looked on the outside, each had a very different purpose and outcome.

The WannaCry attack this past May was a more typical example of the scattergun approach that many ransomware variants take. It just happened to identify a very common security gap in unpatched versions of Microsoft Windows and was unusually fast-spreading.

The aim was clearly to accrue a substantial sum of money from the US$300 ransom demands, but its actual success was minimal. A security researcher in the United Kingdom stumbled upon the kill switch, which dramatically slowed the attack shortly after it began.

Although enhanced versions of this particular strain of ransomware have cropped up since, it is believed the hackers only pocketed around US$125,000, meaning that only 1% of victims paid the ransom.

June’s so-called NotPetya outbreak displays a different motivation. The attack originated from an update to a software package primarily used by Ukrainian companies and some multi-national corporations. It was designed to spread only within systems initially infected, instead of spreading globally across many computer systems like WannaCry.

In addition, the mechanisms whereby victims could pay the ransom quickly disintegrated, leaving those affected with trashed systems and no way to recover data without an uncorrupted back-up. All of this suggests that any ransomware component present in this virus was actually just a smokescreen, and that this was, in fact, a highly targeted attack designed to destroy systems rather than make money.

NotPetya affected a wide range of companies around the globe from logistics company Maersk to advertising giant WPP. Still, 80% of the victims were organizations operating in Ukraine, leading some to believe a nation-state actor was behind the attack and that this might have been a trial.

This is a scary prospect, indeed. It would only need a combination of WannaCry’s wide reach and NotPetya’s destructive force to cost businesses — and their cyber insurers — billions of dollars.

COSTS ADD UP

Contrary to how the crime is described, the vast majority of that money is not going towards a ransom. In fact, the extortion demand — around US$300 on average and what the WannaCry attackers requested — generally represents the smallest cost to businesses when an incident like this occurs. Whether or not a victim pays the attackers, it is the aftermath of an incident that costs businesses money.

After an attack, it is not uncommon to need to bring in IT specialists to rectify and restore systems, forensic investigators to analyze how it occurred and where vulnerabilities lie, and even public relations specialists to publicly manage the issue. That does not even take into account probably the biggest expense a business will see following an event like this — business interruption. It is said that time equals money, and oftentimes just getting into a position where things can operate normally again takes weeks, meaning significant lost revenue.

All of these costs add up and before long, even a small event could lead to a daunting, sometimes bankrupting total.

Because of the way that ransomware infects systems, as a company grows, so usually does the cost. Maersk reports it estimates a business interruption loss of US$450 million while the loss experienced by British consumer goods company Reckitt has been estimated to be around US$100 million.

Logistics company FedEx, which was also hit by the NotPetya attack, has reported it will be looking at a significant material loss. This is as a result of remediation costs and decreased shipping volumes on the company’s express service, and partly because it did not have cyber insurance in place that would cover this kind of event.

Some systems are not recoverable, but it is too early to quantify total damages.

The good news is that all of these are insurable losses under a typical cyber insurance policy. And not only can it cover these costs, but a good policy will incorporate access to specialist providers who can help a business manage the incident when trouble first strikes. Many insurers have panels of specialists in place that can help firms through each stage of incident response.

What cyber insurance will not cover are improvements to systems to prevent similar future attacks. After all, patching systems sometimes involves upgrading them, so deciding who is responsible for what can be hazy and if expectations are not met on either side, a real source of frustration.

As well as obtaining a policy, clients need to be responsible for maintaining a reasonable level of cyber security and making improvements if certain strategies fail. Equally, many insurers need to be clearer about what kinds of things a policy is meant to cover, and what it is not.

WHAT TO EXPECT NEXT

Costs of ransomware attacks are likely to climb as the world experiences more and more so-called targeted extortion attacks. This is a more personalized form of ransomware, whereby fewer people are targeted, but for larger sums of money.

Ransom demands here are higher, running closer to US$10,000 to US$20,000 on average, but some can climb to US$100,000 if the attackers are confident the victim has no choice but to pay. Recent ransomware events are likely to galvanize hackers after seeing a series of large organizations affected.

Along with larger companies, hackers will, no doubt, increasingly target firms that rely heavily on technology or hold a lot of data, including financial services, education, healthcare and, worryingly, critical infrastructure.

Just last year, the University of Calgary reported that ransomware had encrypted the email server used by its faculty and staff. Nervous that some individuals could lose their life’s work if the information stored was destroyed, the university opted to pay the $20,000 extortion demand.

With more to lose, these organizations are more likely to pay up and will, presumably, be the most attractive victims for hackers going forward.

Recent events have demonstrated that ransomware and other forms of cyber crime are now part of the new reality. Cyber criminals will continue to find ways to circumvent end-point protection solutions to make money and wreak havoc.

For the reasons, businesses, must know that they have solid security software in place to protect as much as it can, but should the worst happen, a cyber insurance policy is vital for businesses to respond to and deal with this kind of modern-day crime.

-Graeme Newman, Chief Innovation Officer, CFC Underwriting

Looking for more? The following recent ransomware news may also be of interest.

Many global Internet users unprepared for dealing with ransomware attack, study finds

WannaCry ransomware attack “arguably the first-ever cyber-catastrophe”: RMS cyber expert

Ransomware attacks quadrupled in 2016, projected to double again in 2017, Beazley

Canadian companies likely to pay ransomware demands