June 4, 2021 by Adam Malik
Clients are still indeed paying ransomware demands, despite a report to the contrary, because the threat of having sensitive data exposed is very much a concern, according to a pair of cyber insurance experts.
Their comments come following a report earlier this year that claimed a sharp drop in the number of victims deciding to give in to cybercriminal demands. Coveware’s Q4 2020 study showed that commercial clients are increasingly opting not to hand over cash in a ransomware attack. The average ransomware payment dropped by more than one-third in that time period. The study signalled that, perhaps, ransomware — a thorn in the side of insurance companies due to high volumes of claims — was trending downwards.
This followed a spike in cyberattacks, primarily ransomware, due to the work-from-home environment many businesses implemented in the wake of the spread of COVID-19. Now, the report said, victims were increasingly weighing the trade-offs and deciding not to pay.
But not so fast.
But a pair of cyber experts interviewed by Canadian Underwriter say they don’t see the same trend from their point of view.
“The trend for cases that we handle continues to be an increase in frequency and increased severity. We don’t see a downtick in that,” reported Matt Cullina, Sontiq’s head of global insurance business.
“The Coveware report was really the first time I’ve been exposed to an analysis of that kind of a trend,” said Tim Zeilman, vice president of global products — cyber at HSB. “As far as I’m aware, I don’t think we’ve seen that sort of thing in our own business.”
That said, both recognized Coveware as being a respected source in the field. It just may be a finding that Coveware itself is seeing, instead of something that is industry-wide.
“Ransomware is still the top event type that we’re seeing — this is going on two years now and that hasn’t dissipated at all,” Zeilman told Canadian Underwriter. “For the most part, we haven’t seen the trend that was outlined in that report where there’s a significant number of insureds or companies saying no and not paying the ransom. In the overwhelming majority of the cases we handle, the insured business is looking to have that ransomware paid.”
Cullina agreed. He said the threat of having sensitive data exposed — which is a relatively new tactic — has clients concerned.
However, it wouldn’t surprise Zeilman if more commercial clients chose to not pay a ransomware demand.
“To me, frankly, it also makes sense. It’s fairly logical that something like this would happen,” he said in an interview. “The fundamentals of the extortion business model, whether it’s ransomware or any other kind of extortion, involves the fact that the victim always has an option — they’ve always got a Plan B. They can always not pay the ransom and just deal with the consequences. And because of that, there’s kind of a natural balance that a criminal has to strike.”
Usually, there are only two reasons why a company won’t pay a ransomware demand: they messed up the response, or they have strong backups.
“It’s either they kind of flummoxed their response — maybe they didn’t submit it to their insurance company right away and tried to figure things out on their own. They just bungled the response and time ran out on the demand,” Cullina said. “Or their organization was so buttoned up from a backup data standpoint that they could just go to a backup file that was offline, and replicate their environment and be back in business in no time.”
Even if the latter is an option, “that business interruption is usually an overwhelming factor that businesses want to get that ransomware paid,” he added.
Feature image by iStock.com/tommy