Increased Public Scrutiny Seems To Reduce Pace of Ransomware Attacks

November 29, 2021

While the level of ransomware attack activity has fluctuated through 2021 as public scrutiny of ransomware attacks has increased, the level of that particular cyber threat remains elevated, according to a new report from Aon.

In its third-quarter 2021 Cyber Insights for Insurers report (Cyber Practice Group, Aon Reinsurance Solutions, November 2021), Aon notes that after a fairly continuous increase in ransomware attacks in 2019 and 2020, the pace of attacks has risen and fallen several times during 2021.

"The main driver of this volatility seems to be unwanted attention being put on ransomware actors, with the largest drops in activity immediately following the SolarWinds Orion attack (December 2020) and the Colonial Pipeline attack (May 2021)," the Aon report says. That shows that when cyber attacks attract too much attention, cyber criminals will be deterred from committing additional attacks, at least temporarily, the report suggests.

The report notes, for example, that following the Colonial Pipeline attack, the threat actor behind the ransomware-as-a-service (RaaS) used in the attack indicated it was shutting down. Within months, however, a new RaaS emerged that had many of the characteristics of that used in the Colonial Pipeline attack, indicating that the group of cyber criminals had returned to business. In November, however, the group behind that latest version indicated it was shutting that RaaS down as well, citing "pressure from authorities," according to the Aon report.

Other ransomware variants remain threats around the world, however, including in North America, Western Europe, and the United Kingdom, Aon says.

For insurers, the current ransomware threat landscape presents a mixed outlook, according to Aon. "While reported ransomware attacks in the first three quarters of 2021 are down from their peak in Q4 2020, they remain higher than all prior quarters," the report says. "The events of this year demonstrated how quickly attacks can fall, but also how quickly they can escalate. This underscores the significant volatility potential of cyber insurance."

Cyber-insurance rates have increased dramatically, up 70 percent year on year through the first 6 months of 2021, according to Aon research.

The US government has increased its efforts to combat ransomware and bring ransomware attackers to justice, the Aon report says. The report cites a mid-October summit the Biden administration held, bringing together leaders from 30 countries to develop strategies to address the ransomware threat. Among other things, the group discussed hardening infrastructure and disrupting cyber criminals' use of cryptocurrency to receive ransom payments.

The group was particularly focused on bringing ransomware attackers to justice, Aon says, noting that the US Department of Justice brought charges in November against the Russian and Ukrainian individuals responsible for ransomware attacks against US entities, in addition to seizing $6.1 million in ransom paid to a Russian national.

"Threat actors have largely operated with impunity, shielded by government regimes that choose to look the other way when it serves their agendas," the Aon report says. "In this environment, bringing cyber criminals to justice is extremely difficult. Given the global scope of the problem, international cooperation between the US and its allies is necessary enough. That said, any meaningful progress in this area will help deter threat actors from their attacks."

The shutdown of the RaaS used in the Colonial Pipeline attack and others mentioned previously provides evidence that applying geopolitical pressure can help disrupt ransomware attacks, the report says, demonstrating one way governments can help create a more favorable environment for cyber security and cyber insurance.

The Aon report notes that beyond the software used in the actual attacks, another important element of the ransomware ecosystem is third-party access brokers specializing in gaining and maintaining access to the networks of potential ransomware victims. The brokers sell that access to ransomware actors and their affiliates on underground marketplaces.

In July, ransomware actors sought access to US companies with revenues of more than $100 million, the Aon report says, with almost half of those potential ransomware attackers refusing to purchase access to companies in health care and education.

Of those purchasing access through access brokers, the average price paid was $56,250, Aon reports, with the United States the most frequently requested target country, followed closely by Canada, Australia, and EU-member countries.

Aon suggests that access brokers might be the point in the ransomware attack ecosystem offering the best opportunity to identify and disrupt attacks before they occur. "Understanding the marketplaces, their targets, and the preferences of ransomware actors and affiliates can provide valuable intelligence to proactively identify trends during the underwriting process, as well as to mitigate portfolio risk on an ongoing basis," the Aon report says.

On another cyber-security front, a recent exploitation of a password management system highlights another potential cyber-catastrophe exposure, Aon says.

In September, the FBI, the Cybersecurity and Infrastructure Security Agency, and the Coast Guard Cyber Command issued a joint advisory warning that threat actors were exploiting a flaw in password management software that allowed remote code execution on unpatched servers, Aon says. Some 370 US companies were targeted, with at least 9 organizations compromised, the report says.

"The threat actors' motivation appeared to be espionage and exfiltration of sensitive documents, rather than ransomware or outright disruption," the Aon report says. "Targeted sectors included critical infrastructure, defense contractors, and academic institutions."

A patch for the vulnerability in the password management software had been released several weeks before the advisory was issued, and Aon suggests that the episode is a reminder that rapid patching is essential for critical vulnerabilities.

"While some events with aggregation potential come with no warning, this one was preventable for organizations that are responsive," the Aon report says.
