The ransomware “pandemic” could well get worse before it gets better, fuelled by the fact that three in four companies are failing to meet Allianz Global Corporate & Specialty (AGCS) cybersecurity standards, warns a new report by the insurer.
The report says four in five ransomware losses could have been avoided with better risk management and says supply-chain ransomware attacks are set to be the next big problem for corporates.
AGCS says a “digital pandemic driven by ransomware” has occurred during the Covid-19 crisis, with a “surge” in attacks globally.
The report flags figures from Accenture that show global cyber intrusion activity jumped 125% in the first half of this year compared to the same period in 2020. It highlights FBI figures that reveal a 62% increase in US ransomware incidents during the same period, following an increase of 20% in the previous 12 months.
And AGCS adds that these trends are mirrored by its own experience, where the number of ransomware claims rose 50% last year to 90.
In a further warning for risk managers, AGCS’s global head of cyber Scott Sayce says the “number of ransomware attacks may even increase before the situation gets better”.
The report says the increased frequency and severity of ransomware incidents are driven by several factors. These include a growing number of different attack patterns such as double- and triple-extortion campaigns, a criminal business model around ‘ransomware as a service’, the recent skyrocketing of ransom demands and the rise of supply-chain attacks, it explains.
The surge in ransomware attacks has seen the cyber market harden significantly, with underwriters heavily scrutinising cybersecurity. In concerning news for business, AGCS says that three out of four companies do not meet its requirements for cybersecurity.
Furthermore, its report says that about 80% of ransomware incident losses could have been avoided if organisations had followed cybersecurity best practices.
“Companies need to invest in cybersecurity. Losses can be avoided if organisations follow best practices. A house with an open door is much more likely to be burgled than a locked house,” says Marek Stanislawski, global cyber underwriting lead at AGCS.
Rishi Baviskar, global cyber experts leader at AGCS Risk Consulting, adds: “If companies adhere to best practice recommendations, there is a good chance that they will not become ransomware victims. Numerous security gaps can be closed, often with simple measures.”
Regular patching, multifactor authentication, information security and awareness training, and incident response planning are essential to avoiding ransomware attacks, says Baviskar.
The report goes on to warn that supply-chain attacks are the next big ransomware exposure.
It says there are two main types of such attacks: those that target software/IT services providers and use them to spread the malware, and those that target physical supply chains or critical infrastructure, such as the attack that impacted Colonial Pipeline.
Service providers are likely to become prime targets as they often supply hundreds or thousands of businesses with software solutions and therefore offer criminals the chance of a higher payout, says AGCS.
The report also explains that ransom demands have rocketed during the past 18 months. According to Palo Alto Networks, the average extortion demand in the US was $5.3m in the first half of 2021, a 518% increase on the 2020 average. The highest demand was $50m, up from $30m the previous year.
But business interruption and recovery costs are the biggest cause of loss in ransomware attacks, according to AGCS claims analysis.
AGCS says this accounts for more than 50% of cyber claims – worth about €750m, or $885m – that it has been involved in during the last six years. The figures also show that the average cost of recovery and downtime from a ransomware attack more than doubled during the past year, increasing from just above $760,000 to $1.85m in 2021.
AGCS has published a checklist with recommendations for effective cyber risk management:
- Are anti‑ransomware toolsets deployed throughout the organisation?
- What proactive measures are in place for identification of ransomware threats?
- Are policies, procedures, access control methods and communication channels updated frequently to address ransomware threats?
- Are in‑house capabilities or external arrangements in place to identify ransomware strains?
Business continuity planning/incident response plan
- Are ransomware‑specific incident response processes in place?
- Have there been any previous ransomware incidents? If so, what lessons have been learned?
- Are pre‑agreed IT forensic firm or anti‑ransomware service provider arrangements in place?
Anti‑phishing exercises and user-awareness training
- Is regular user training and awareness conducted on information security, phishing, phone scams and impersonation calls, and social engineering attacks?
- Are social engineering or phishing-simulation exercises conducted on an ongoing basis?
- Are regular backups performed, including frequent backups for critical systems to minimise the impact of the disruption? Are offline backups maintained as well?
- Are backups encrypted? Are backups replicated and stored at multiple offsite locations?
- Are processes in place for successful restoration and recovery of key assets within the recovery time objective?
- Are backups periodically retrieved and compared to the original data to ensure backup integrity?
- Are endpoint protection products and endpoint detection and response solutions utilised across the organisation on mobile devices, tablets, laptops, desktops etc?
- Are local administrator password solutions implemented on endpoints?
Email, web, office documents security
- Is sender policy framework strictly enforced?
- Are email gateways configured to look for potentially malicious links and programmes?
- Is web content filtering enforced, including restricting access to social media platforms?
- Are physical and logical segregations maintained within the network, including the cloud environment?
- Are micro-segmentation and zero-trust frameworks in place to reduce the overall attack surface?
Monitoring, patching and vulnerability management policies
- Are automated scans run to detect vulnerabilities? Are third-party penetration tests performed on a regular basis?
- Does the organisation enforce appropriate access policies, including multifactor authentication for critical data access, remote network connections and privileged user access?
- Is continuous monitoring in place for detecting unusual account behaviour, new domain accounts and any account privilege escalations (administrator level), new service additions, and unusual chains of commands being run during a short time period?
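To make the continuous-monitoring question above concrete, here is an added example (written for this page; it is not AGCS's or the report's own tooling) that runs three of the listed checks over a handful of constructed log lines: creation of a new domain account, a user being added to an administrator group, and an unusual burst of commands from one account within a short window. The log format is a simplified, constructed CSV-style one (timestamp, actor, event ID, key=value details); the event IDs 4720, 4728, 4732 and 4688 are loosely modelled on Windows Security log IDs for account creation, group-membership changes and process creation, and the admin-group names, window and threshold are assumptions chosen for illustration.

```python
"""Illustrative detection logic for the monitoring checklist item.

Added example, not the report's code. Log format and thresholds are
constructed for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed admin groups whose membership changes are worth an alert.
ADMIN_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
# Assumed "short time period" and how many process starts count as a burst.
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 5

# Constructed sample log: timestamp,actor,event_id,key=value;key=value
SAMPLE_LOG = """\
2021-10-05T09:00:01Z,alice,4688,process=outlook.exe
2021-10-05T09:00:05Z,alice,4688,process=winword.exe
2021-10-05T09:12:00Z,bob,4720,account=svc-backup2
2021-10-05T09:12:03Z,bob,4728,group=Domain Admins;member=svc-backup2
2021-10-05T09:12:10Z,svc-backup2,4688,process=cmd.exe
2021-10-05T09:12:11Z,svc-backup2,4688,process=whoami.exe
2021-10-05T09:12:12Z,svc-backup2,4688,process=net.exe
2021-10-05T09:12:13Z,svc-backup2,4688,process=powershell.exe
2021-10-05T09:12:14Z,svc-backup2,4688,process=vssadmin.exe
2021-10-05T09:30:00Z,carol,4728,group=Marketing;member=dave
"""


def parse_line(line):
    """Parse one constructed log line into a dict of fields."""
    ts, actor, event_id, detail = line.split(",", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "actor": actor,
        "event": int(event_id),
        **fields,
    }


def detect(log_text):
    """Return a list of (alert_kind, actor, detail) tuples for the log."""
    alerts = []
    recent = defaultdict(deque)  # actor -> timestamps of recent process starts
    burst_reported = set()       # report each actor's burst only once

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)

        if ev["event"] == 4720:
            # New domain account created.
            alerts.append(("new_account", ev["actor"], ev["account"]))

        elif ev["event"] in (4728, 4732) and ev.get("group") in ADMIN_GROUPS:
            # Privilege escalation: member added to an administrator group.
            alerts.append(("privilege_escalation", ev["actor"],
                           f'{ev["member"]} -> {ev["group"]}'))

        elif ev["event"] == 4688:
            # Sliding window of process starts per actor; alert on a burst.
            window = recent[ev["actor"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_THRESHOLD and ev["actor"] not in burst_reported:
                burst_reported.add(ev["actor"])
                secs = int(BURST_WINDOW.total_seconds())
                alerts.append(("command_burst", ev["actor"],
                               f"{len(window)} processes in {secs}s"))
    return alerts


if __name__ == "__main__":
    for kind, actor, detail in detect(SAMPLE_LOG):
        print(f"{kind:22} actor={actor:12} {detail}")
```

Run against the constructed log, the example raises three alerts (the new account, its addition to Domain Admins, and the five process starts in under a minute) and correctly ignores both alice's ordinary activity and carol's change to a non-admin group. In a real deployment the same three checks would be fed from the central log collector rather than an inline string, and the window and threshold would be tuned to the organisation's baseline.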
Mergers and acquisitions (M&A)
- What due diligence and risk management activities are performed prior to M&A?
- Are regular security audits conducted on newly‑integrated entities to ensure evaluation of security controls?