Persistent ransomware threat requires holistic solution
Ransomware continues to present a major challenge for businesses, but there are new and innovative ways to understand and quantify this important risk, say Andreas Schmitt, global cyber underwriting manager at Zurich Insurance Company, and Vivien Bilquez, principal cyber risk engineer at Zurich Resilience Services.
Despite the efforts of government agencies and cybersecurity professionals, ransomware attacks continue to hit the headlines on a regular basis. In the first quarter of 2023, 838 organisations fell victim to ransomware attacks and were named on dark-web data-leak sites, according to the Reliaquest Quarterly Cyber Threat Report (April 2023). According to the report, this sets the record for most ransomware victims in a quarter since the start of double extortion.
The threat posed by ransomware attacks is not about to subside any time soon. In fact, it is likely to remain a key driver for cyber risk for many years to come. Cybercriminals continue to reap large financial gains from ransomware for relatively little risk. They are well organised and resourced, and constantly refining their business model and techniques, finding more effective ways to infiltrate systems and extort money from their victims.
Number 1 cyber threat
Ransomware remains the biggest cyber threat and the single largest driver of cyber insurance claims. Following a spike in ransomware claims between 2019 and 2021, frequency began to stabilise in 2022 but has since started to rise again this year. According to cybersecurity firm Black Kite, the first quarter of 2023 saw a resurgence in the number ransomware attacks, in part due to an increase in supply chain attacks and as cybercriminals exploit vulnerabilities in third-party vendors.
While frequency stabilised in 2022, the severity of ransomware attacks continued to rise, driven by the cost of business interruption, IT forensics, and to a lesser degree, extortion payments. On average, a ransomware attack in 2022 took 237 days to identify and 89 days to contain – 49 days longer than the average data breach, according to IBM. The average cost of a ransomware attack, excluding the ransom, hit $4.54m in 2022, according to IBM’s Cost of a Data Breach Report.
New levels of extortion
Ransomware-as-a-service (RaaS) has turned ransomware into big business. RaaS groups provide affiliated criminals with all the technical advice and tools they need, supported by a host of ransomware attack services, including customer service hotlines, leak-websites, extortion negotiation and payment services.
Recent years have seen the ransomware model evolve, as criminals find new ways to threaten and extort money. Where cybercriminals would once just encrypt data and demand a ransom, there are now four levels of extortion. In addition to encryption, attackers now typically steal data – known as double extortion – and threaten to release it unless a ransom is paid. If an organisation refuses to pay, they may also be threatened with a distributed denial-of-access-attack, or stolen data might be used to harass and threaten the victim’s customers and business partners.
Exploiting supply chain vulnerabilities
Cybercriminals are also turning their attention to third-party service providers and supply chains, which enable criminals to hit multiple targets in one attack. According to IBM, around a fifth of breaches in 2022 were the result of a supply chain compromise.
In March, a ransomware group claimed to have stolen data from 130 organisations after launching a mass ransomware attack using a flaw in the GoAnywhere MFT secure file transfer tool. It is this type of supply chain attack that has led to an increased number of impacted companies in 2023. Other notable supply chain attacks include the 2020 SolarWinds and 2021 Kaseya attacks.
Supply chain cyberattacks are an important topic for businesses, as they are only as secure as the weakest link in their supply chains. While many companies have improved their own cybersecurity in recent years, they need to also consider third parties. Insurers such as Zurich are able to help companies assess and monitor the security and resilience of suppliers and business partners.
Continual risk assessment
Understanding the threat of ransomware has never been more important. The tactics and methods of cybercriminals continually evolve, and what might have been considered strong cybersecurity a year ago may no longer be adequate – some hackers, for example, are starting to find ways to bypass multi-factor authentication.
Basic cybersecurity hygiene measures remain essential to help prevent ransomware attacks, but it is imperative that companies continually assess, monitor and test their cybersecurity and resilience. Time is also key – the faster a company identifies a problem and responds, the better the chances of blocking the infection and limiting damage.
Paying a ransom is not the answer. In many cases, criminals will prioritise companies that have shown a willingness to pay ransom demands in the past. It is also possible to contain a ransomware attack without paying an extortion demand, through robust cyber business continuity planning and close collaboration with stakeholders, including security agencies and insurers.
Holistic approach
Ransomware also requires a holistic response, with risk prevention and mitigation, incident response, and risk transfer, all working together. Cybersecurity is not a tool but a process. This is governance, risk assessment and management.
To that end, Zurich is providing customers with a growing range of risk management tools and services, including risk assessment, penetration testing, crisis management and response combined with insurance offerings. Companies can now more easily quantify their exposure to ransomware, which helps gain the support of top management and the cybersecurity team, and prioritise investments in cybersecurity and resilience.
As part of Zurich’s aim to help companies build and maintain their cyber resilience, the Group is in the process of strengthening its cyber offering, expanding risk assessment, risk engineering services and cyber insurance solutions, working with specialist third-party providers, and adding skills and talent. For example, Zurich is working with Swiss university ETH to identify and prioritise the top security controls for companies to reduce their risks and improve their cyber resilience. The model will also enable underwriters to focus on the most effective controls, reducing the burden on customers.
Solving the ransomware problem
Ransomware will continue to evolve, as must our response to the threat. Artificial intelligence, for example, will enable criminals to automate attacks at scale, increasing the attack surface and expand their capacity to extort. But cybercriminals will not have everything their way. AI will also help companies detect potential threats and block intrusions before they can infect a system.
Moves to regulate cryptocurrency, which is used to make ransomware payments, could make life more difficult for cyber criminals. Likewise, requirements to report ransomware events to authorities could also help: The EU’s NIS 2 Directive will introduce obligatory reporting of attacks by critical infrastructure companies, for example.
In the meantime, there is much we can do to better understand the risks and quantify the impact, taking steps to bolster cybersecurity and resilience, and make life harder for the cyber criminals.
Contributed by Andreas Schmitt, global cyber underwriting manager at Zurich Insurance Company, and Vivien Bilquez, principal cyber risk engineer at Zurich Resilience Services
