Latest Attacks Underscore Rapid Growth of the Ransomware Threat

With the recent shutdown of the Colonial Pipeline by a ransomware attack, the growing threat of this particular cyber-risk exposure is drawing even more attention.

In its 2021 Cyber Security Risk Report, Aon suggests that ransomware attacks "exploded" in 2020, with cyber insurers reporting a 336 percent increase in ransomware claims from the start of 2019 through 2020.

Two days after the Colonial Pipeline attack, the City of Tulsa, Oklahoma, became the latest municipality to fall victim to a ransomware attack, leading the city to shut down systems and websites as experts sought to determine the full extent of the attack.

As captive insurance companies play a growing role in their parents' response to cyber threats, it's important to monitor developments on the ransomware front.

Ransomware attacks can see cyber criminals encrypting or stealing data or blocking access to systems, demanding that the victim pay a ransom—typically in cryptocurrency—in order to regain access.

As with other sorts of cyber threats, the criminals behind ransomware attacks have grown increasingly sophisticated. Having seen that victims are willing to pay to regain access to systems and data, they've become bolder, selecting larger, more lucrative targets; demanding greater ransoms; and employing more sophisticated and invasive techniques.

The COVID-19 pandemic, which forced many organizations to move to remote working or serve customers and clients in a digital environment, has created new cyber-security vulnerabilities, providing criminals with new opportunities for various types of cyber attacks, including ransomware.

According to Aon, business costs associated with ransomware are expected to reach $20 billion in 2021. "Ransomware is no longer confined to the simple model of 'pay to decrypt,' and data may be extorted, breached, or even erased," the Aon report says. "Business interruption is highly likely."

Seven in ten ransomware attacks involved threats to leak data, with some attackers threatening to auction that data, Aon reports. There were also cases of data destruction, in which servers or clusters of data were permanently erased.

Aon cites several examples of ransomware attacks over the past year, as follows: In July 2020, a multinational technology company experienced a worldwide outage as the result of an attack. Ultimately, the company paid a $10 million ransom. Also in July, a business travel management company saw 30,000 computers shut down and confidential files stolen. That company paid a $4.5 million ransom. And in December, a worldwide money management company saw ransomware criminals copy and encrypt five gigabytes of data. The victim paid a $2.3 million ransom.

The risk will likely be exacerbated as privately operating cyber criminals get support from nation states who find that criminals' ransomware activities align with their state interests, Aon says.

Ransomware is certainly getting the attention of insurers. In a recent article, AXA XL notes that the ransomware trend has resulted in larger claims, including not just the price of the ransom but the costs of investigations, data recovery, business interruption, and legal expenses.

In its 2021 Allianz Risk Barometer, insurer Allianz offered a similar perspective on ransomware's impact. "Already high in frequency, ransomware incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands," the insurer says.

And, in its report, Aon says, "Underwriters, who saw their cyber insurance portfolios running at a loss predominantly due to ransomware, recognized the critical need to better evaluate and put a higher price on cyber insurance."

Aon notes that many insurers cited ransomware as having a major impact on their cyber-insurance loss ratios, with 62 percent calling access control a critical topic.

Governments are seeking to address the ransomware threat. The US Department of Justice has reportedly launched a ransomware task force that will work with major technology firms and law enforcement agencies in Europe and the United Kingdom to address ransomware as a national security threat ("Big Tech and Government Agencies Collaborate To Put an End to Ransomware Payments," by Scott Ikeda, May 11, 2021, CPO Magazine).

Days before the Colonial Pipeline attack, a public-private partnership delivered an 81-page action plan for combating ransomware to the White House.

The report, Combating Ransomware: A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force, was developed by the Institute for Security and Technology (IST).

"Ransomware is not just financial extortion; it is a crime that transcends business, government, academic, and geographic boundaries," the report says. "It has disproportionately impacted the healthcare industry during the COVID pandemic, and has shut down schools, hospitals, police stations, city governments, and US military facilities."

The report outlines 48 actions government and industry leaders can undertake to disrupt the ransomware business model and mitigate the impact of attacks, both in the immediate and the longer terms.

In 2020, nearly 2,400 US-based governments, healthcare facilities, and schools were victims of ransomware attacks, the IST report says. On average, a ransomware attack results in 21 days of downtime, and it takes 287 days on average for the victim to realize a full recovery. Ransomware victims paid $350 million in ransom in 2020, a 311 percent increase from 2019, the report says, with an average payment of $312,493, a 171 percent increase from the prior year.

The report includes five priority recommendations, as follows.

• Coordinated international diplomatic and law enforcement efforts prioritizing ransomware through a resourced strategy
• The United States leading by example by executing a sustained, aggressive, whole-of-government, intelligence-driven anti-ransomware campaign
• Governments establishing Cyber Response and Recovery Funds to support ransomware response and other cyber-security activities, requiring that organizations report ransomware payments and consider alternatives before making payments
• An internationally coordinated effort to develop a clear, accessible, and broadly adopted framework to help organizations prepare for and respond to ransomware attacks
• Closer regulation of the cryptocurrency sector that enables ransomware crime

Ultimately, faced with the ransomware threat, Aon concludes, "It is critical to demonstrate concrete risk mitigation actions, or organizations might be subject to sky-high cyber premiums."

Organizations should take steps to reduce their exposures and minimize the impact of data theft, Aon says. And they should employ qualified cyber-security professionals to help identify vulnerabilities, establish business continuity plans, and assist with the response to any breaches.