Jan van Vliet, VP and GM EMEA at Digital Guardian, discusses the business of ransomware over the coming year and beyond.
Ransomware has been a prominent mainstay of the cyber threat landscape since the mid-2000s, used to target everything from individual users and SMBs through to global enterprises.
In the last few years its popularity was seemingly on the wane as the world began taking cyber security more seriously and criminals turned to new, more advanced forms of attack such as crypto-jacking. But just as ransomware’s day in the sun appeared to be over, a recent resurgence has seen it shoot right back to the top of the cybercrime list.
The resurgence of ransomware
In 2019, there were an estimated 184 million ransomware attacks, with some of the most high-profile attacks targeting government municipalities in the US, such as Lake City in Florida and Baltimore, Maryland.
While much of this resurgence can be attributed to the arrival of new ransomware mutations (Dharma, GandCrab and Ryuk were some of the most active ransomware families earlier this year), another factor seems to be playing a major role as well: the growth of cyber insurance.
At first glance, it seems strange to suggest that better, more comprehensive cyber insurance could actually lead to a growth in ransomware attacks, but a closer look at the evidence would certainly seem to suggest just that.
Why? Because in many cases, paying the ransom is much cheaper than trying to recover the lost data through other means, often to the tune of millions of pounds. The more ransomware victims use insurers to pay ransoms, the more criminals are encouraged to carry out ransomware attacks.
Cyber insurance is big business
The global market for cyber insurance is expected to grow from about £4.5bn in premiums paid at the moment to £11bn by 2022, according to RBC Capital Markets. Cyber insurance policies are also proving to be much more profitable for insurers than many other insurance areas.
According to a report by London-based professional services firm Aon, the loss ratio for U.S. cyber policies was about 35% in 2018, meaning insurers paid out roughly 35 cents in claims for every dollar collected in premiums. That compares to around 62% across property and casualty insurance, making it a growth area that many insurance firms are actively pursuing.
Of course, the resurgent threat of ransomware has also bolstered other areas of the security industry such as data recovery and secure cloud backup. However, in many cases, even if ransomware victims have such backups in place, they still choose to pay off the attacker through insurance.
This is because the time taken to recover from a full cloud backup (which can be up to a month or more) still costs more in terms of lost revenue than simply paying the ransom. Equally for insurers, paying the ransom is cheaper than footing the bill for recovering the data themselves.
To put this into context, earlier this year the municipal government of Lake City in Florida paid a ransom of roughly £350,000 via its cyber insurance policy. The government itself was only liable for the £7,500 policy excess, with insurance firm Beazley paying the balance of the ransom.
As it turned out, this decision was made on Beazley’s recommendation, because the cost of prolonged recovery from data backups would have almost certainly run into millions of dollars. While the attack and its ultimate resolution made national headlines in the US, not only did it save both the municipal government and its insurer a significant sum of money, it also allowed the government to get back to work much faster.
Conversely, the municipal government in Baltimore was also hit by a ransomware attack earlier this year, but didn’t have any cyber insurance at the time. Rather than pay the £57,000 ransom demand, the government chose to try and recover the data itself, which has cost over £4 million to date…
A vicious cycle
When the figures are broken down in such a manner, it’s easy to see why so many ransomware victims and insurers choose to pay the ransom demands, but it would be foolish to think that such actions don’t have consequences.
Not only has it given rise to the aforementioned resurgence in ransomware attacks, it has also emboldened attackers, who are asking for ever-larger ransoms in return for the data they have stolen/locked. A recent estimate suggests that the average ransom payment currently stands at around £27,000, representing a sixfold increase over the last 12 months alone. Naturally, criminals are looking for the biggest payday they can get, and the willingness of victims and insurers to pay these ever-growing sums is creating a vicious cycle.
Ultimately, it’s the insurance companies who will pay the price over the long term. However, until businesses invest in better security systems of their own and/or faster, more reliable data recovery technology becomes available, this current trend looks set to continue for some time to come.