Ransomware Remains a Major Concern, Even as Attack Frequency Dips

September 01, 2021

Ransomware attacks have grabbed the headlines this year and become a top concern for businesses and insurers. Interestingly, though, data from the first two quarters of 2021 suggest the frequency of ransomware attacks is declining. Making too much of that trend would be a mistake, however, according to a recent report from Aon.

The August 2021 report, Cyber Insights for Insurers Q2 Review, from the Cyber Practice Group at Aon Reinsurance Solutions, notes that despite the apparent downturn in the number of ransomware attacks so far this year, the second quarter of 2021 saw several severe and very visible attacks.

"The second quarter of 2021 may have been one of the most consequential for victims of ransomware," the report says. "Although the data indicates ransomware trending downward, it is likely short-lived, as Q3 began with approximately 1,500 victims of the Kaseya mass ransomware attack."

The Kaseya attack, announced by the software provider in early July, affected a number of the company's managed service provider (MSP) customers, as well as those MSPs' clients, generally small and midsized businesses. By some estimates, the attack affected 1,500 businesses.

The second quarter, of course, was notable for the widely publicized Colonial Pipeline ransomware attack. The Aon report notes that in that attack, a former employee's compromised password was used to gain initial access to the network, according to company officials. In addition, Aon notes Colonial was not using multifactor authentication.

The Colonial attack "laid bare the dire need for companies to shore up their defenses by practicing basic cyber-hygiene," the Aon report says.

The criminals behind the Colonial attack were acting on purely financial motives, according to Aon, rather than a desire to interfere with the flow of gasoline on the US East Coast.

The attackers apparently employed Ransomware as a Service (RaaS), described in a CrowdStrike "Cybersecurity 101" post as a business model in which criminals lease ransomware technology in the same way a legitimate business might lease a Software as a Service (SaaS) product. The existence of RaaS allows criminals with little technical knowledge to stage ransomware attacks with relative ease.

"Aon assesses that RaaS criminals are targeting companies based on signatures, not by name recognition or industry classification," the Aon report says. "Ransomware gangs are looking for the lowest-hanging fruit, conducting minimal due diligence on their targets, motivated solely by financial gain."

Earlier this year, in its 2021 Cyber Security Risk Report, Aon suggested that ransomware attacks "exploded" in 2020, with cyber insurers reporting a 336 percent increase in ransomware claims from the start of 2019 through 2020.

In the 2021 Cyber Security Risk Report, Aon said business costs associated with ransomware are expected to reach $20 billion in 2021. "Ransomware is no longer confined to the simple model of 'pay to decrypt,' and data may be extorted, breached, or even erased," the report said. "Business interruption is highly likely."

Regarding the apparent drop in ransomware attacks this year, Aon's new Cyber Insights for Insurers report suggests a connection between well-publicized cyber attacks and attack frequency—for a time. The decline in the number of attacks is likely a function of attackers tending to "go dark" in January, May, and June, following major attacks, Aon says.

"The ransomware patterns this year suggest an inverse relationship between ransomware frequency and severity—or at least, between frequency and notoriety," the Aon report says. "Most ransomware attacks are financially motivated, and a high-profile attack in the headlines may cause threat actors to sink below the radar—for a time. After the January drop, attack levels began rising again and by April exceeded their December 2020 levels."

The rise in ransomware attacks has led governments worldwide to make defending against the threat a priority, according to Aon, and they're recognizing it as a national security issue.

Aon notes that in the United States, the White House announced the creation of a ransomware task force shortly after the Kaseya attack. The task force is charged with disrupting ransomware purveyors, offering rewards to bring gang members to justice, and developing partnerships with other governments and public sector entities.

The US government also launched a new website intended to help organizations defend against the rise in ransomware attacks by providing a central location for ransomware resources and alerts.

A statement from the US Cybersecurity and Infrastructure Security Agency (CISA) said that StopRansomware.gov is a whole-of-government approach to help organizations better understand the ransomware threat, mitigate their risks, and, in the event of an attack, know what steps to take.

The StopRansomware.gov website is an interagency resource that provides guidance on ransomware protection, detection, and response on a single website. The site includes ransomware alerts, reports, and resources from CISA, the Federal Bureau of Investigation, and other federal partners.

Separately, some US lawmakers are pushing for a requirement that ransom payments be disclosed to the government, according to the Aon report. Others have suggested that paying the ransoms should be banned.

"While it is unlikely that paying ransoms will be prohibited by US law, it is apparent that Congress and US security and law enforcement services continue to grapple with the best way to thwart and disrupt ransomware actors," the Aon report says.

"Whether governments can cooperate enough to turn the tide—particularly with governments known for tolerating cyber-criminal syndicates within their borders—is another question," the Aon report says.
