Multiple factors are driving ransomware, including a growing number of attack patterns such as double and triple extortion, criminal business models taking advantage of ransomware, cryptocurrencies and a wave of supply chain attacks.
During the COVID-19 crisis, another outbreak took place in the cyber space: a digital pandemic driven by ransomware. In a new report, cyber insurer Allianz Global Corporate & Specialty (AGCS) has analyzed the latest risk developments around ransomware to put the scale of the crisis into scope.
The increasing frequency and severity of ransomware incidents are driven by several factors, the Allianz report finds:
- Growing number of different attack patterns such as double and triple extortion campaigns
- Criminal business model around ‘ransomware as a service’ and cryptocurrencies
- Recent skyrocketing of ransom demands
- Rise of supply chain attacks
“The number of ransomware attacks may even increase before the situation gets better,” said Scott Sayce, global head of cyber at AGCS. “Not all attacks are targeted. Criminals also adopt a scattergun approach to exploit those businesses that aren’t addressing or understanding the vulnerabilities they may have. As insurers we must continue to work with our clients to help businesses understand the need to strengthen their controls. At the same time, in today’s rapidly evolving cyber insurance market, providing emergency response services, as well as financial compensation, is now the standard.”
Government and private data indicate that ransomware and other attacks have surged, and these cyber risk trends are mirrored in AGCS’ claims experience. AGCS was involved in more than 1,000 cyber claims overall in 2020, up from about 80 in 2016, the company said. Specifically, the number of ransomware claims (90) rose by 50 percent compared to 2019 (60). Losses resulting from external cyber incidents such as ransomware or distributed denial of service (DDoS) attacks account for most of the value of all cyber claims analyzed by AGCS over the past six years.
Five Ransomware Trends
In the report, AGCS identifies five trends in the ransomware space, although the company points out that cyber criminals are clever and highly adaptable, which means conditions are constantly evolving.
- Ransomware as a service: Run like a commercial business, hacker groups such as REvil and Darkside sell or rent their hacking tools to others. They also provide a range of support services. As a result, many more malicious threat actors are operating.
- From single to double to triple extortion: Criminals combine the initial encryption of data or systems, or increasingly even their backups, with a secondary form of extortion, such as the threat to release sensitive or personal data. In such a scenario, affected companies have to manage the possibility of both a major business interruption and a data breach event, which can significantly increase the final cost of the incident. “Triple extortion” incidents can combine DDoS attacks, file encryption and data theft — and don’t just target one company but potentially customers and business partners.
- Supply chain attacks the next big thing: There are two main types: those that target software/IT services providers and use them to spread the malware (for example, the Kaseya or SolarWinds attacks), and those that target physical supply chains or critical infrastructure, such as the one that impacted Colonial Pipeline. Service providers are likely to become prime targets as they often supply hundreds or thousands of businesses with software solutions and therefore offer criminals the chance of a higher payout.
- Ransom dynamics: Ransom demands have rocketed over the past 18 months, which could make these attacks more enticing.
- To pay or not to pay: Ransom payment is a controversial topic. Law enforcement agencies typically advise against paying extortion demands to avoid incentivizing attacks. Even when a company decides to pay a ransom, the damage may have already been done. Restoring systems and enabling the recovery of the business is a huge undertaking, even when a company has the decryption key.
Business Interruption and Recovery Cost Main Drivers of Losses
Business interruption and restoration costs are the biggest drivers behind cyber losses such as ransomware attacks, according to AGCS claims analysis. They account for over 50 percent of the value of close to 3,000 insurance industry cyber claims worth around $885 million the company has been involved in over six years.
The average total cost of recovery and downtime from a ransomware attack, with downtime averaging 23 days, more than doubled over the past year, increasing from $761,106 to $1.9 million in 2021.
The surge in ransomware attacks in recent years has triggered a major shift in the cyber insurance market. Cyber insurance rates have been rising, according to broker Marsh, while capacity has tightened. Underwriters are placing increasing scrutiny on the cyber security controls employed by companies.