Ransomware surges on supply chain attacks

Ransomware attacks surged in the second quarter on the back of supply chain and extortion attacks. Following a reduction in 2022, this year has seen a resurgence of cyber ransomware attacks. According to NCC Group’s July 2023 cyber threat intelligence report, the company saw more than 500 attacks last month, an increase of 153% compared to a year ago. Analysis from GuidePoint Security found a 38% increase in public ransomware victims in Q2 compared to Q1 2023, and a 100% increase from Q2 2022. Having extorted at least $449.1m in the first six months of this year, ransomware attackers are on track for their second-biggest year ever as they target large, deep-pocketed organisations, according to ChainAnalysis. At this rate, ransomware attackers will extort $898.6m in 2023, trailing only 2021’s $939.9m. Not only has the number of attacks increased, ransomware gangs are changing tactics. This year has seen several large supply chain attacks, including the MOVEit hack, the biggest cyberattack of the year so far. The Clop ransomware gang used an exploit in transfer file management program MOVEit to steal sensitive data from the US software firm’s customers, which included British Airways, Shell, Siemens, and insurance broker Aon and insurer MS Amlin. According to Emsisoft, more than 1,000 organisations and 65 million people may have been affected by the MOVEit attack as of 31 August. With the average cost of a data breach at $165 per record, the cost of the MOVEit attacks could reach $6.5bn, Emsisoft estimated. Cybercriminals are targeting IT supply chains like MOVEit in order to hit multiple companies with one attack, while gaining additional leverage by stealing sensitive data from customers. Hackers are compromising IT service providers, cybersecurity firms and outsourcing companies, exploiting vulnerabilities and inserting malware into software and updates. Software supply chain security has long been a threat in the cybersecurity industry. However, there have been great efforts in recent years to combat these attacks through new security tools and a renewed focus on software supply chain scrutiny, said Josh Knapp, principal, cyber risk modelling at cyber risk analytics firm CyberCube. “As technology stacks get larger and larger, it is harder to track all of the software you or your third parties rely upon. Of primary concern are software installations with privileged access across a network or with the ability to move laterally across or between networks,” he said. Going forward, companies should routinely map and track their software supply chains, add any dependencies to their vulnerability management programmes, and require vendors and third parties to disclose their exposures, advised Knapp. “Assessing the business need for any software or external connection, proper network segmentation, employing least privilege, and proper monitoring and detection technology are also key to mitigating any possible vulnerabilities or attacks. Working internally and with third-party vendors to properly manage this risk can allow companies to prevent or mitigate internal supply chain attacks and patch before attacks from external supply chain vulnerabilities occur,” he said. In addition to targeting supply chains, ransomware gangs have also turned to data theft as improved cybersecurity and backup strategies have made traditional encryption-based attacks less attractive. This change in tactics alters the consequences of a ransomware attack, as data theft increases the risk of third-party liability claims and regulatory investigations, along with reputational damage. “We are seeing organised threat actors focus on more intentional data breach extortion as a means of additional revenue generation, in addition to traditional encryption-based ransomware. As defences have adapted, attackers are experimenting with shifting tactics,” said Knapp. “It’s been a fairly consistent theme in cyber insurance over the past few years that claims costs continue to rise. From 2020 to 2022, the industry responded in ways to mitigate claim frequency, but much of a claim’s severity depends on a threat actor’s choice of payload,” he said. The rise in ransomware attacks coincides with the softening of the cyber insurance market after a period of sharp increases in 2021 and the first half of 2022. Insurers responded to increased frequency and severity of ransomware attacks with tighter underwriting criteria, cyber risk management requirements and increased pricing. But with a reduction in ransomware attacks in 2022 and a return to profitability, cyber insurance pricing has been under pressure. “2022 marked a significant return to industry profitability following several years of drastic rate increases in addition to disciplined underwriting action. Barring a major cyber-cat event, we expect 2023 to be similarly good. Where rates are softening, insurance buyers are getting a little back after several tough renewals,” said Knapp. However, there is always the potential for a catastrophic event to occur, and a large-scale software supply chain attack could fall into this category, warned Knapp. “If such an event happened and generated widespread financial losses, it could certainly trigger a market correction. The risk of such an event is there all the time, though, and the risk alone does not turn the market. But you have to account for it. That’s why we pay so much attention to cyber cat modelling,” he said. “It’s important for insurers to allocate an appropriate provision for the potential losses a cyber cat event could generate over and above the trends that are influencing everyday claims, such as the prevalence of double extortion attacks,” he added. Supply chain risk presents insurers with a particular accumulation risk, as a single attack can trigger multiple claims from many customers globally, or concentrated in a sector or geography. Some sectors are dependent on a small number of providers for IT, software and outsources services. As with any risk, supply chain risks should be managed, both at the company and insurance level through the appropriate questions, analytics, and data, said Knapp. Like any emerging risk, this means asking the right questions, gathering the right data, and using an analytical and expert-driven approach to avoid risk, he said. “Supply chain attacks and vulnerabilities have always represented potential points of cyber risk aggregation like any widespread cyberattack such as ransomware events or data breaches, explained Knapp. “However, supply chain attacks and vulnerabilities are not new or emerging and have long been known to be primarily committed by advanced nation-state actors whose goals are often espionage. Less capable actors often focus on more quantity-over-quality attacks, like ransomware as a service, where monetisation is easier, he said. CyberCube offers products that allow users to track the reliance of companies on single points of failure while detailed reviews of an insured’s supply chains could allow insurers to avoid aggregation of risk related to common supply chain software dependencies like MOVEit, Knapp said.

Ransomware surges on supply chain attacks

Want to read this article?

Read Next

IASB meets in China to discuss climate reporting

‘Pressure rising’ on developing Asian aging risk: ADB

European business confidence in China plummets

Starr Insurance opens new operation in Korea

International SOS warns of ‘burnout epidemic’

IASB meets in China to discuss climate reporting

‘Pressure rising’ on developing Asian aging risk: ADB

European business confidence in China plummets

Starr Insurance opens new operation in Korea

International SOS warns of ‘burnout epidemic’

Want to read this article?

Read Next

IASB meets in China to discuss climate reporting

‘Pressure rising’ on developing Asian aging risk: ADB

European business confidence in China plummets

Starr Insurance opens new operation in Korea

International SOS warns of ‘burnout epidemic’

Related Articles