Cyber criminals are adapting their methods by using ransomware in targeted extortions, often with more severe and costly results than indiscriminate attacks.
Targeted extortion is when cyber criminals set their sights on a particular, vulnerable organization and look to extort money out of them, explained James Burns, cyber product leader at CFC Underwriting.
“And because they have a better understanding of their victims, these cyber criminals are also raising their ransom demands accordingly, with many requesting amounts in excess of $50,000,” Burns told Canadian Underwriter Monday. “In short, while levels are remaining fairly steady, we believe many of these attacks are now more severe than they were previously.”
Burns was responding to a question about how the ransomware threat has changed over the past few years.
On Friday, CFC Underwriting released its 2018 cyber claims data. The specialist insurer reported that ransomware was the primary driver for claims in Canada, representing 32% of all cyber claims notified in 2018. This is a 9% jump from 2017, when it accounted for 23%.
CFC doesn’t usually share its total claims volume, but more than 10% of global claims came from Canada.
“Over the last few years – and through the 2017 WannaCry and NotPetya attacks – we’ve seen ransomware establish itself as a common form of cyber attack, and levels are now staying fairly steady globally,” Burns said. “The biggest shift we’re seeing in terms of this category of claims is a move towards targeted extortion as IT security systems get better at blocking indiscriminate ransomware attacks.”
Non-malicious data breaches were the second-largest source of cyber claims for CFC, accounting for 24% of claims notified in 2018, while malicious data breaches accounted for 20% of claims. A non-malicious data breach is an accidental disclosure of sensitive information, such as a lost laptop or a mistakenly leaked file. Malicious data breaches refer to malicious actors hacking into systems or using phishing scams to access sensitive information.
CFC also expects that notifications of data breaches are likely to increase once new regulations, like the Canada-wide mandatory data breach notification law that came into effect in November 2018, have had a chance to settle.
The federal Digital Privacy Act requires organizations to disclose data breaches if they pose a “real risk of significant harm.” The act was passed into law in 2015 and amends sections of the Personal Information Protection and Electronic Documents Act (PIPEDA).