They’re back: the return of ransomware attacks
After low levels of cyber losses for a couple of years, ransomware is a growing risk again for cyber re/insurers and their customers.
According to an expert panel at Intelligent Insurer’s Cyber Risk and Insurance Innovation USA 2023 event held in Chicago in May, frequency and, say some, severity, are increasing as attackers alter tactics and technology to target businesses.
The panel brought together a range of experts, including three from Bermuda re/insurers: Catherine Rudow, Everest Re’s head of cyber reinsurance, who moderated the discussion; Marissa Olsen, Aspen Insurance’s global head of cyber liability claims; and Pete Smith, Axis Capital’s head of middle market strategy for cyber & technology.
They were joined by Thomas Bennett, team leader for cyber threat analysis at London-based CFC Underwriting.
The calm before the storm
Starting the discussion, Rudow asked for an explanation for the reduction in ransomware claims frequency in 2022.
According to Bennett, the most obvious cause was the war in Ukraine. Russia’s invasion caused significant disruption to some of the most prolific ransomware groups, such as Russia-based Conti, which splintered due to internal political disagreements as a result.
“That disruption and having to reform groups definitely impacted their ability to carry out ransomware attacks at the same kind of frequency,” he explained. Other impacts of the war include the loss of some of those involved.
“Some involved in ransomware attacks and the cybercrimes that support them were killed in Ukraine,” he explained. For example, Raccoon Stealer, a malware as a service responsible for many infections in 2021, became less of a threat in 2022 after its original administrator was killed.
Among the mainly young men involved in cyber attacks, some left Russia to avoid being conscripted into the Russian military.
That relief has proved short-lived, however, Rudow noted, with attacks once again increasing in 2023. Groups have recovered, and new alliances have formed.
“We have seen a dramatic increase throughout the industry in the last six to eight months,” said Olsen. “Previously, we saw one or two ransomware matters come in a month; now we’re seeing one or two per week.”
It is not simply that the threat has returned, Olsen added. There has been a dramatic change in tactics and strategies.
New tactics, greater dangers
In part, this reflects the efforts and progress insurers and their clients have made in recent years. As Smith noted, the industry has long been realistic about the risk and the futility of hoping to achieve complete security.
“I don’t think we were ever trying to prevent its happening,” he explained. “It was more the response to ransomware with posture and the ability to recover.”
Consequently, organisations are now more likely to have effective backups and are more resilient.
“The general posture out there is much better than it used to be, and quick hits are no longer viable,” said Smith.
Olson agreed, saying: “There’s been a lot of education in ensuring companies have good viable backups. That’s something that a few years ago was an exception, not a rule.”
However, attackers have also adapted, Bennett said, moving away from the traditional model of encrypting insureds’ data and demanding a ransom to unlock it.
“More and more, ransomware groups are not even attempting to encrypt data. They’re just stealing it and threatening to publish that data if they’re not paid.”
According to Olsen, there’s a trend towards higher demands and, perhaps more crucially, a more uncompromising attitude from the criminals in negotiations regarding ransom demands.
“They’re pushing negotiations along faster, making more threats and not discounting anywhere near the 50, 60 or 70 percent discounts they did in the past. We’re not seeing anything close to that,” she explained. “In the one I have just been working on, we ended up getting a 15 or 20 percent discount, and they were not going to go down further.”
Rudow summed up: “We’re seeing ransomware threat actors becoming more aggressive and finding new ways to extort our insureds.”
A resilient product
Things may get worse in the short term. As Bennett outlined, malicious actors are, as ever, using evolving technology to circumvent defences. He described how the artificial intelligence software ChatGPT is being used to dynamically generate website content to lure victims into social engineering scams.
“The arms race is currently in the favour of the attacker,” he said.
However, there are causes for optimism. As Smith pointed out, despite the resurgence, claims frequency is still “multiples below” the levels seen before 2020. In the mid-market, at least, he said he hadn’t seen an increase in severity. The improvements in insureds’ security and backups have had an impact, he maintained.
“The education we’ve provided has made clients and buyers more resilient and more prepared, if it were to happen, to respond, instead of saying ‘let’s just pay’.”
This should give the industry confidence for the future. Smith agreed that the advantage is probably with the attackers, but that was true in previous years as well.
“We as a group came together to figure out what was most important to those attackers and tried to find a counter to it, and that will happen again,” he said.
“There is always going to be a next threat and a doomsday scenario, but what I’ve found is through the 20 or 25 years this product has been around, it’s been a resilient product alongside resilient clients.”