Criminals are increasingly viewing ransomware attacks as a lucrative income source and applying more sophisticated techniques, driving up costs for businesses and often giving them no choice other than paying the demanded ransom sum.
Ransomware is a computer virus that prevents users from accessing their system or files. Messages sent by the perpetrators demand a payment in order to unlock the frozen accounts.
In the first quarter of 2019, the number of ransomware attacks jumped (opens a new window)105% compared to the same period a year ago, according to specialty insurer Beazley. At the same time, the average ransom demanded from its clients and/or paid increased 93% year on year to an average of $225,000.
“Insurers try to avoid paying ransom as they don’t want to fund illegal organisations, but often they have no choice as their priority is to protect their clients from the impact of the attack,” says Brett Warburton-Smith, Partner at Lockton. “Insurers work with extortion specialists and law enforcement entities but at the same time they need to remediate the impact on their clients’ business as quickly and efficiently as possible,” he explains.
Insurers try to avoid paying ransom as they don’t want to fund illegal organisations, but often they have no choice as their priority is to protect their clients from the impact of the attack.”
A ransomware attack that cuts a company’s access to its data records can, in some cases, endanger the viability of the business. A decision on the payment of a ransom should not be taken easily but could be the only option if the company would otherwise not be able to continue operating. Victims of ransomware attacks should get professional advice before paying ransom also because they could potentially be held liable for financing a terrorist organisation.
Ransomware-as-a-service (RaaS) attacks which use “off-the-shelf” software viruses remain commonplace and tend to hit unsuspecting small businesses, Beazley notes. But a growing number of attackers are shifting focus, targeting larger organisations and demanding higher ransom payments. Sophisticated attack groups associated with Ryuk and Bitpaymer ransomware variants are targeting larger organisations through phishing emails and tricking users into deploying banking trojans which are designed to gain access to confidential information stored or processed through online banking systems. Data encrypted with more sophisticated tools is sometimes not recoverable without the decryptor.
In the first quarter of 2019, victims who paid ransom for a decryptor recovered 93% of the encrypted data, according to IT security firm Coveware. Bitcoin is by far the preferred cryptocurrency in ransomware. While the data might be lost without paying a ransom for the decryptor, the more expensive element of a ransomware attack is often the total cost of downtime which can be measured in lost productivity.
Ransomware attacks caused an average downtime (opens a new window) of 7.3 days in the first quarter of 2019, up from 6.2 days in the previous quarter, according Coveware. The increased downtime is driven by a surge in the use of ransomware that is difficult to decrypt as well as a higher frequency of cases where the backup systems were wiped or encrypted as part of the attack.
Norwegian aluminium maker Norsk Hydro lost more than $40 million (opens a new window) in the week that followed a March 19, 2019 cyber-attack that paralyzed parts of its operations.
The majority of the cost of the attack stemmed from lost margins and volumes in its unit manufacturing extruded aluminium profiles. Norsk Hydro had to halt some of its production and switch other units to manual operation after hackers blocked its systems with ransomware. More than three months after the attack the company was still in recovery mode. Norsk Hydro refused to pay ransom but had cyber insurance in place.
Cyber insurance policies can cover the cost of ransomware attacks including recovery cost such as forensic reviews, assistance in rebuilding servers and workstations, a potential ransom payment, as well as downtime cost.
“Criminal organisations focusing on ransomware attacks are becoming more sophisticated,” says Lucy Scott, Account Executive/Broker Global Cyber and Technology at Lockton. “They are doing a lot of reconnaissance in advance to understand the financial power of potential targets and also the value of the information they are likely to get hold of,” Scott adds.
In addition to all the costs and distress a ransomware attack may cause to a company, the regulator may issue a fine if personal data has been breached. Such fines have gone up significantly since the introduction of the general data protection regulation (GDPR) framework.
British Airways, for example, is facing a £183 million GDPR fine (opens a new window) following a cyber-attack against its website which compromised personal data of approximately 500,000 customers.
However, if an organisations has applied “appropriate” measures to secure personal data against unauthorised or unlawful processing and its accidental loss, destruction or damage, they are unlikely to face a significant GDPR fine.
In order to avoid an attack causing disruption and distress as well as potentially high expenses, companies need to have an effective prevention plan in place. This should include installed and up-to-date antivirus software, security awareness training for all the staff, regular data backups which are kept separate from the main computer system, the regular application of patches and a restriction of administrative rights on endpoints. Companies should also do regular so-called penetration tests that simulate a hacker attack to test the security software and processes in place.
For further information, please contact the Lockton cyber and technology team:
Brett Warburton-Smith, Partner
Direct Tel: +44 (0)20 7933 2242 | E-mail: brett.warburton-smith@uk.lockton.com (opens a new window)
Lucy Scott, Global Cyber & Technology Broker
Direct Tel: +44 (0)20 7933 2382 | E-mail: lucy.scott@uk.lockton.com (opens a new window)
Peter Erceg, SVP, Global Cyber & Technology
Direct Tel: + 44 (0)20 7933 2608 | E-mail: peter.erceg@uk.lockton.com (opens a new window)