There are several factors driving the surge in ransomware incidents, according to AGCS. One is the emergence of ransomware-as-a-service (RaaS) whereby criminal groups such as REvil and Darkside sell or rent their hacking tools to other bad actors on the dark web. This ready-made ransomware is often sold for a relatively cheap price, and it comes with support services from the hacker groups, making this type of malware more accessible to malicious threat actors.
Read next: Insurers with high credit ratings have better cyber security
“The marketplace of the bad actors is continuously evolving and maturing,” said Thomas Kang (pictured), head of cyber, technology and media for North America at AGCS. “It is not only maturing, but there’s also an ecosystem that has been built online, which really lowers the cost of entry and removes a barrier to entry to RaaS.
“One number I find striking is that, for US$40 per month subscription service, even folks with very little cyber security background or IT background can leverage the ecosystem to perpetuate attacks. I think that ecosystem model, that commercial marketplace model [for ransomware] has been working for the bad actors, and it’s been working increasingly well. And unless something changes materially, we will continue to see some challenges in this space.”
A second contributing factor behind the increasing frequency and severity of ransomware claims, according to AGCS, is the evolution of extortion tactics. Hackers have moved from single, to double, to triple extortion, making it harder and harder for businesses to shake off an attack unscathed. These days, it’s not just about encrypting the data, Kang noted. It’s about encrypting the data, extracting and compromising it, and then using it as additional leverage for extortion negotiation.
“Obviously, the first attack is to infect the systems, infect the network with ransomware and then encrypt, so that there’s no access or lack of access into the systems. That’s the first layer [single extortion],” Kang told Insurance Business. “The second layer is really related to the compromise of data so that there’s now exfiltration. Traditionally, you always had consumer data, sensitive information that was compromised, and that would be a data breach. But now there’s encryption, and then on top of that a data breach – either because it’s sensitive personal information or because it’s corporate confidential information.
“That really has two consequences for insurance carriers. One is that now there’s an incident response [required] from a traditional data breach, and related costs associated with that. The second impact is that bad actors are now able to use that sensitive information to increase leverage on their side and to drive up the cost of the ransom. That’s the double extortion. And I think those two mechanisms are almost standard operating procedure at this point. Any time there is a ransomware event, you always have to check whether any information has been compromised.”
Read more: Marsh McLennan launches Cyber Risk Analytics Centre
The third layer is “when things get a bit more interesting,” according to Kang. Triple extortion incidents typically include distributed denial-of-service (DDoS) attacks whereby, if victims refuse to negotiate with hackers and pay a ransom, the bad actors will launch a separate DDoS attack which will cause business interruption by disrupting the corporate network by overwhelming it with a flood of Internet traffic.
“Even if a victim has been able to restore from backups and/or their confidential information has not been compromised so they don’t negotiate with the bad actor, some hackers are then initiating separate DDoS attacks. So now you have a denial-of-service attack on top of the ransomware event and a potential data breach,” Kang commented. “This creates a significant challenge for companies to recover. They’re dealing with one emergency situation, and now they have another layered on top of that, and that oftentimes drives the insured or the company back to the negotiating table.
“The other interesting variation on this is bad actors have also called senior leadership within victim organisations directly, and engaged in direct negotiations […] and oftentimes, they actually record the conversations that they’re having with the executives at these victim organisations, and now they use that recording as another potential lever.
“So, that’s the triple extortion threat, and the third aspect of it has been relatively new. But also, there are some variations to how they layer the attacks in order to drive folks back to the table and to increase the incidence. At the end of the day, they’re really looking at different ways to create leverage so that they can get the best financial outcome for themselves.”