Do Ransomware Attackers Single Out Cyber Insurance Holders?Security Experts Express Skepticism That Criminals Would Bother
Do ransomware-wielding criminals specifically target organizations that hold cyber insurance policies?
See Also: Defining and Refining Next-Gen AML
Many ransomware attacks are "spray and pray," with criminals unleashing crypto-locking malware installers, often via spam or phishing campaigns, to opportunistically infect as many organizations as possible, regardless of their size or industry, security experts say.
"These guys go after the low-hanging fruit because it's cheap and the conversion rate is high. And whether or not those victims end up having insurance is just a roll of the dice."
Some ransomware-wielding criminals, however, choose to target specific organizations in pursuit of a payday. In March, for example, aluminum giant Norsk Hydro was hit by crypto-locking ransomware called LockerGoga, which researchers say is used in one-off attacks by attackers who purposefully hack into the targeted organization, often via poorly secured remote desktop protocol settings (see: Hydro Hit by LockerGoga Ransomware via Active Directory).
But some attackers could be going further. A ProPublica report published last week suggests that some hackers are actively selecting targets that they know carry cyber insurance on the basis that they'll be more likely to pay ransom demands.
To back up that assertion, the report cites Fabian Wosar, CTO of Emsisoft, a cybersecurity vendor based in New Zealand that has released free decryption tools for various strains of ransomware and assisted many victims. Wosar tells ProPublica that after one small insurer highlighted some of its cyber policyholders on its website, three got attacked.
Another, unnamed cybersecurity executive told the publication that the FBI had told him that "hackers are specifically extorting American companies that they know have cyber insurance."
Attackers could potentially gather such knowledge by studying insurance companies' sites to find the names of some organizations they insure. In addition, U.S. Securities and Exchange Commission cybersecurity guidance recommends that public companies tell shareholders - via their public, quarterly filings - whether they carry cyber insurance.
"My suspicion is that, in some cases, bad actors are specifically targeting entities that are known to be insured," Wosar tells me. "This would make sense as insured entities are probably statistically more likely to pay ransom demands. Like other businesses, criminal enterprises adopt strategies that have been proven to work - and attacking insured, public entities has certainly been proven to work."
He adds: "Of course, this is simply speculation based on the very limited of information that's publicly available. It could also be the case that the attacks are completely random and non-targeted."
Cybercrime: Time is Money
Several security experts, however, express skepticism that enterprising attackers are actively working to select cyber policyholders for infection over other potential targets.
"I don't think it's the way that this market works - and we very much view it as a market," says Bill Siegel, CEO, Coveware, a Connecticut-based ransomware incident response firm. "These guys go after the low-hanging fruit because it's cheap and the conversion rate is high. And whether or not those victims end up having insurance is just a roll of the dice."
By conversion, Siegel is referring to sales parlance, which looks at converting prospective customers into paying customers. Ransomware-wielding gangs take the same approach, except that they're criminally attempting to psychologically compel victims into paying. "Ransomware is a financial crime," he says.
"In my experience, criminals are mostly opportunistic. Weakly secured RDP will always get you hacked in no time - insurance or not," says John Fokker, head of cyber investigations for McAfee Advanced Threat Research. Prior to joining McAfee, he worked at the Dutch national police National High Tech Crime Unit, which investigates advanced forms of cybercrime (see: The Art of the Steal: Why Criminals Love Cyber Extortion).
His colleague, Raj Samani, chief scientist at McAfee, also is skeptical: "To be honest, I find it remarkable that ransomware developers/affiliates would go through the case studies of insurance customers and target them specifically."
Samani further notes that the attacks cited in the ProPublica report might merely be coincidental. "I would love to get more data from an insurance provider to validate - if true then this is a really staggering trend."
I reached out to some insurance companies and underwriters to see if they've found a correlation between an organization carrying cyber insurance and being at greater risk of becoming a victim of crypto-locking malware. I will update this blog post with any feedback I receive.
Pay: Less Now or More Later
The question of whether cyber insurance policyholders are more likely to be targeted - and potentially also to pay ransoms - obscures another issue: Organizations should have the defenses in place they require to repel such attacks, as well as to quickly wipe and restore systems should an attack succeed.
"It is about resilience and improving your security posture," McAfee's Fokker tells me. "This costs money and often much more than the ransom, unfortunately."
Meanwhile, crypto-locking attacks are mounting. Research from McAfee released last month found that in the first three months of 2019, ransomware attacks increased by 118 percent from the prior quarter.
Without a doubt, that's because ransomware continues to be lucrative. Earlier this year, ransomware-as-a-service operation GandCrab announced its retirement. Security firm Trend Micro estimates that the gang's operators generated more than $2 billion before signing off. In the meantime, newer offerings have moved to pick up the business (see: Ransomware: As GandCrab Retires, Sodinokibi Rises).
Cyber Claims Received by AIG in EMEA (2018)
With these types of market economies at play, insurers expect more organizations to fall victim to online extortion attempts. "We anticipate an increase in claims on a global level," says Mark Camillo, AIG's head of cyber in EMEA, in a July blog post.
"Targeted incidents, such as the attack at Norsk Hydro, could become more of a concern in 2019," he says. "The rapid spread of malware or an attack of a critical service provider by state-sponsored actors could cause widespread business interruption losses and impact a wide range of industries, potentially also causing significant physical damage."
Of course, AIG might be trying to sell you a cyber insurance policy, and some organizations are continuing to take out such policies to provide a safety net.
From a strictly cybersecurity operations perspective, experts say the smart money gets spent on protection, instead of having to shell out later to rebuild systems after an attack - whether or not a victim also pays for the promise of a decryptor, which remains a dicey proposition (see: Baltimore Ransomware Attack Costing City $18 Million).
In other words, however ransomware-wielding attackers try to infect victims, the financial reality remains clear: Pay now or pay later.