Ransomware Payments: Is Cyber Insurance With Proper Controls the Best Solution?

essidsolutions

Ransomware attacks have reached epidemic levels. One reason is the ease with which ransomware gangs can make a lot of money because many organizations choose to pay ransom or extortion demands. A movement in Washington wants to ban ransom payments, but this may not be the best approach. Instead, the root causes of ransomware payments need to be identified and treated.

Ransomware attacks are usually launched by cybercriminals using a RaaS (ransomware as a service) provider. The use of RaaS makes quickly launching and managing one or more ransomware attacks easy and lucrative. James Rundle et al., writing for The Wall Street Journal, report that RaaS providers take a percentage of any ransoms paid. This business model results in some providers making about $200,000 a month.

Although ransomware attacks against large businesses or government agencies usually make the news, most attacks target small- and medium-sized businesses. The Coveware Quarterly Ransomware Report describes the number of attacks per business revenue, as shown in Figure 1.

Figure 1: Revenue vs Ransomware Targets (from Coveware)

The Coveware report also shows that over 70% of targeted businesses have 1,000 or fewer employees, with a median of about 168 employees. However, these numbers will likely change in 2021.

Figure 2 shows a significant increase in attacks against larger businesses. This is likely due to lucrative, successful attacks against targets like Colonial Pipeline.

Figure 2: Ransomware Attacks vs. Company Size

Cybercriminals understand the ability of a target to pay. Matt Durrin, a technical forensic investigation lead, told The Wall Street Journal that “often the hackers have explored profit-and-loss statements, bank accounts and sometimes cyber insurance policies on a victim’s network to tailor their initial offer in a range they know is affordable.” This means that many ransomware attacks might be advanced persistent threats that begin before the actual encryption of information.


The True Cost of a Ransomware Attack

The cost of recovering from a ransomware attack far exceeds the ransom paid. Depending on the nature of the attack, costs can be both short- and long-term.

The cost of a ransomware attack includes loss of business and related extortion demands. For example, GB&A, a cyber insurance broker, claims that one claimant paid a $20,000 ransom but experienced business losses of about $700,000. Sophos' The State of Ransomware 2021 asserts that while the average ransom paid is $170,404, the average total cost is $1.85 million. According to Sophos, the costs (including the paid ransom) include downtime, people time, device cost, network cost, and lost opportunities.

Cyber insurance will pay for all costs associated with a ransomware attack if the policy includes them. However, coverage might also depend on whether the victim organization had reasonable and appropriate security for its information assets. GB&A provides the following samples of how this type of exclusion might read.

“Failure to ensure that the computer system is reasonably protected by security practices and systems maintenance procedures that are equal or greater to those disclosed in the proposal.”

“Failure to continuously implement the procedures and risk controls identified in the insured’s application.”

The cost of cyber insurance is reasonable. Table 1 shows some actual annual premiums based on coverage. The low cost of insurance is an incentive for organizations not to spend more on information security. Why should they when they can recover expenses related to ransomware attacks?

Table 1: Cyber Insurance Premiums (from Christine Marciano)


Case for Paying the Ransom

If an organization has full coverage ransomware insurance, paying the ransom quickly minimizes all collateral business costs, including possible long-term loss of business. For smaller companies with less financial ability to recover from long-term business loss, transferring cryptocurrency to get back to business looks very attractive.

Businesses without insurance will also want to return to full business functionality immediately. This is because a ransomware attack takes on the characteristics of a catastrophic event from which a business might not recover. This is particularly true for small- and medium-sized businesses.

A key takeaway is that the collateral costs increase substantially for each day the ransom is not paid.

The Case for Not Paying the Ransom

The most commonly argued downside of paying the ransom, for the victim and for other businesses, is the incentive it gives ransomware gangs. If they know payment is commonly made, attacks will continue and increase. However, paying also has an increasingly common direct impact on the victim organization itself.

Coveware warns that just because a ransom is paid does not mean complete recovery is assured. This begins with attacks that include threats to release stolen information.

  • There is no guarantee that the stolen data is deleted after the gang receives the ransom payment. Netwalker and Mespinoza posted the victim's stolen data after they had paid for it not to be leaked. Conti showed fake files to prove it had deleted stolen information.
  • Several parties may have access to the stolen data, and one or more of them might retain a copy even if the attacker is paid.
  • The data may be posted by mistake. Maze/Sekhmet/Egregor accidentally or intentionally posted stolen data on a leak site even before the victim knew it was stolen.
  • The gang may return to the victim later with demands associated with the stolen data. For example, Sodinokibi returned to victims weeks after the initial attack with threats to release stolen data.

In cases where there is no stolen data, system recovery is still not guaranteed. Sophos' The State of Ransomware 2021 report claims that the chances of a victim organization getting access to all encrypted data are not good.

“On average, organizations that paid the ransom got back just 65% of the encrypted files, leaving over one-third of their data inaccessible. In addition, 29% of respondents reported that 50% or less of their files were restored, and only 8% got all their data back.”

Key takeaways:

  • Once data is stolen, victims should not pay a ransom unless a clear risk-benefit analysis supports it.
  • Paying the ransom does not ensure full system recovery.


Cyber Insurance: To Pay or Not to Pay

There are those in the U.S. government who want to pass legislation to ban ransomware payments. In addition, at least one cyber insurance provider, AXA, has stopped covering ransom payments in France, although it will continue to pay for collateral losses.

Paying a ransom should be a decision made by the victim organization's management. Furthermore, the decision should be based on risk: the total expected loss of paying vs. not paying. Yes, paying a ransom does encourage attacks, but banning ransom payments does not address the root cause of the ransomware epidemic.
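To make the expected-loss comparison concrete, here is an added Python model (not from the article or from Sophos, Coveware or GB&A) that puts the two options side by side using the Sophos figures the article cites, the average ransom and the 65% of files that paying victims got back. The daily outage cost, rebuild time, backup coverage, data valuation and insured share are constructed assumptions a real decision would replace with the organization's own numbers; the `controls_maintained` flag models the security-practice exclusion quoted earlier, under which the insurer pays nothing.

```python
from dataclasses import dataclass

# Figures the article cites from Sophos' The State of Ransomware 2021.
SOPHOS_AVG_RANSOM = 170_404.0
SOPHOS_FILES_RECOVERED_IF_PAID = 0.65  # average share of files restored after paying


@dataclass
class RansomDecision:
    ransom: float                   # ransom demanded (USD)
    daily_outage_cost: float        # collateral business loss per day of downtime
    days_down_if_paid: float        # downtime when the gang's decryptor is used
    days_down_if_rebuilt: float     # downtime rebuilding from backups or from scratch
    recovered_if_paid: float        # expected fraction of data back after paying
    recovered_from_backup: float    # fraction of data restorable without paying
    data_value: float               # cost of losing all of the data permanently
    insured_share: float = 0.0      # share of ransom + outage cost the policy covers
    controls_maintained: bool = True  # False: the security-practice exclusion applies

    def covered_share(self) -> float:
        """Insurer's share of ransom and outage costs; nothing if the exclusion bites."""
        return self.insured_share if self.controls_maintained else 0.0

    def expected_loss_if_paid(self) -> float:
        recoverable = self.ransom + self.daily_outage_cost * self.days_down_if_paid
        lost_data = (1.0 - self.recovered_if_paid) * self.data_value
        return recoverable * (1.0 - self.covered_share()) + lost_data

    def expected_loss_if_refused(self) -> float:
        recoverable = self.daily_outage_cost * self.days_down_if_rebuilt
        lost_data = (1.0 - self.recovered_from_backup) * self.data_value
        return recoverable * (1.0 - self.covered_share()) + lost_data

    def recommend(self) -> str:
        pay, refuse = self.expected_loss_if_paid(), self.expected_loss_if_refused()
        return "pay" if pay < refuse else "refuse"


def worked_example(controls_maintained: bool = True) -> RansomDecision:
    """Constructed scenario: mid-sized firm with a tested but incomplete backup."""
    return RansomDecision(
        ransom=SOPHOS_AVG_RANSOM,
        daily_outage_cost=60_000.0,   # assumption
        days_down_if_paid=5,          # assumption
        days_down_if_rebuilt=14,      # assumption
        recovered_if_paid=SOPHOS_FILES_RECOVERED_IF_PAID,
        recovered_from_backup=0.90,   # assumption
        data_value=1_000_000.0,       # assumption
        insured_share=0.80,           # assumption: policy covers 80% of those costs
        controls_maintained=controls_maintained,
    )
```

With the policy intact the usable backup makes refusing cheaper; once the exclusion voids coverage, the same firm's numbers favour paying, which is exactly the incentive the article describes.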

Ransomware gangs protected behind the borders of The Big Four sources of cyber attacks (China, Russia, Iran, and North Korea) will continue attacks whether or not ransom payments are banned. If ransomware becomes less profitable, they will switch to something else. Until we can deal with the cybercriminal enterprise, we should not punish victims for the government’s failure to deal with the transnational threats.

As I wrote in a previous article, potential victim organizations and agencies can mitigate ransomware risk. Implementing proper controls and procedures is feasible for larger organizations, but most ransomware targets are small- and medium-sized businesses. Cyber insurance may be more affordable for them. Basic risk management principles would indicate that purchasing cyber insurance is a good move if transferring risk is less costly than other controls. However, cyber insurance carriers have conditions.

The Obama administration released a document titled Cyber-Insurance Metrics and Impact on Cyber-Security. It includes the following things an insurance carrier might consider when looking at a potential client.

  1. General risk exposure of the organization's industry and business activities
  2. General risk exposure of the size of the company
  3. Loss history
  4. Years in business
  5. Financial condition
  6. Extent of use of outsourced network security services
  7. Dependency on third-party networks
  8. In-depth analysis of network security according to standards such as ISO 27001

The cyber insurance impact paper also asserts that cyber insurance carriers are better placed than legislators to manage what gets paid and how much paying will cost the carrier and the policyholders in payouts and premiums.

Insurance companies and organizations should work together to agree on what are reasonable and appropriate security controls. What is reasonable and appropriate is based on the resources available to the policyholder and the probability of a ransomware attack. If the policyholder fails to implement and maintain the agreed-upon controls, a successful attack will be followed by financial consequences.

Are Ransom Payments Becoming a Worrying Trend?

Here is an expert take from Natalie Page, Cyber Threat Intelligence Analyst at Talion, who discusses whether the payment of huge ransoms by large-scale enterprises is becoming a worrying trend, whether the decision to pay a ransom to restore operations is a logical one, and the steps an organization should take to prevent debilitating ransomware attacks.

Do you agree a working relationship with the cyber insurance provider is the best way to handle ransomware response? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!