The world is getting better at paying off ransomware gangs. Ransomware gangs are getting better at everything else.
A vicious cycle is fueling ransomware, one of the world’s worst cybercrimes, in which criminals break into companies’ computer networks, encrypt their data, and demand payment for the key to unlock it. Companies paralyzed by the attacks paid hackers an average of $312,493 in 2020, triple the average of the year before. The criminals are reinvesting their profits in increasingly efficient operations, making for even bigger and bolder attacks.
The cybersecurity industry, meanwhile, has no easy answers.
“I don’t see a light at the end of the tunnel,” said Josh Motta, CEO of the cyberinsurance firm Coalition, which helps companies hit by ransomware. Coalition and other cyber insurance firms also cover data theft, breaches, and social engineering attacks.
“We haven’t done a great job,” said Jon DiMaggio, a veteran cybersecurity researcher at the company Analyst1. DiMaggio said that while the industry is struggling to address ransomware, its practitioners are thriving.
Last year ransomware attacks grew 435%, according to Deep Instinct, a New York City startup that uses artificial intelligence to fight the attacks. The gangs took down the networks of 560 healthcare facilities, 1,681 schools and colleges, and more than 1,300 companies, according to Emsisoft, a New Zealand cybersecurity company that helps ransomware victims get back their data.
Ransomware could cost companies $20 billion this year. But the fact is, no one really knows the cost, because so many victims cave to their attackers’ demands, and pay them off rather than reporting the crime. New research from Kaspersky finds that 56% of ransomware victims pay the ransom.
The criminals tightened the screws on victims over the past two years by posting their stolen data if they did not pay. That extortion tactic, which exposed classified data and even military weapons plans, put more pressure on companies to pay.
Cybersecurity insurance, a booming market expected to grow from $7.8 billion in 2020 to $20.4 billion in 2025, has sped up relief for the victims of ransomware by helping companies get back up and running. However, those insurers, too, have been criticized for contributing to the problem — the recovery services they offer will often hinge on paying off the ransomware attacker on a client’s behalf, again adding to the cybercriminals’ considerable coffers.
Indeed, the FBI urges companies not to pay up, and the UK’s former top cybersecurity official, Ciaran Martin, went much further than that: he accused cybersecurity companies of “funding organized crime” because they facilitate payments to ransomware gangs.
Governments are also having little success addressing the crime, however. In the US, law enforcement is struggling to address ransomware in part because many of the criminal gangs are in Russia, where the government protects them from extradition to stand trial for cybercrimes.
Ransomware is one of cybersecurity’s most difficult challenges for companies of all sizes, in large part because what can be the remedy for a single victim makes the problem worse for everyone.
Cyberinsurance helps victims, but critics say it just adds to the problem
Many customers look to cybersecurity insurance as important protection from criminal hackers. Ransomware is the largest category of claims — 41% of cyberinsurance payments across North America stemmed from ransomware attacks in the first half of 2020, according to Coalition.
Motta, Coalition’s CEO, said his firm works with companies to shore up their security, respond to attacks, and make payment a last resort. He suggests that routinely paying a ransom demand, which can reach as high as $30 million as we saw in one 2020 attack, would be a very poor business model.
“I can tell you definitively that insurance companies are losing money on ransomware. We are very much incentivized to fight it in every possible way,” Motta said.
As for the ethics of paying off a ransomware gang, Motta says it “can be an existential decision” for a company that determines whether they survive. “It’s absolutely unrealistic for anyone, whether they are at a government agency or not, to say that you shouldn’t ever pay.”
At the same time, ransomware hackers sometimes target insured victims. Researchers with Cisco’s Talos Intelligence Group conducted a rare interview with a ransomware hacker earlier this year. The hacker, a Russian man in his mid-30s named Aleks, said if the victim has a cyber-insurance plan, ransom payment is “all but guaranteed.”
Kaspersky security researcher Ivan Kwiatkowski summed up the pluses and minuses of ransomware insurance this way: “Cutting the flow of money, no matter how, is the only way to affect the ransomware ecosystem. On the other hand, insurance companies are well-positioned to enforce security best practices of their clients and may play an important role.”
Cybercriminals are reinvesting the profits in their own operations
Whether the payments come via insurers or from the companies themselves, they are funding advancements for the gangs. “They’re investing in the development of automation tools,” DiMaggio said, using machine learning to find and exploit holes in organizations’ defenses. It used to take gangs weeks to seize organizations’ data and demand a ransom, the analyst said. Now it can be done in hours.
DiMaggio said the gangs are also adding distributed denial of service (DDoS) attacks to their repertoire, flooding victims’ websites with terabits of traffic per second to knock their systems offline. The web traffic management company Akamai has tracked some of the largest DDoS attacks in history over the past several months. In one extortion campaign, victims’ websites were hit with traffic floods equivalent to 56,250 copies of “War and Peace” per second, said Akamai VP of Global Security Operations Roger Barranco.
The gangs are also adding press pages to the websites where they threaten to expose victims’ data, giving interviews to journalists, and promoting their operations. “They’re almost like a brand,” said DiMaggio.
Some cybersecurity companies are fighting back in new ways. Last week Deep Instinct introduced “a ransomware warranty” that pays up to $3 million per company for a single breach. “The criminals’ techniques have evolved, and our responses to them must, too,” said Guy Caspi, CEO of Deep Instinct.
DiMaggio applauded Deep Instinct’s novel approach, and also believes that AI may bring solutions to preventing the gangs from locking up companies’ data.
Motta, the insurer, said addressing ransomware is more than a cybersecurity problem. It’s also an international relations issue, due to Russia’s protection of the gangs. “This is transnational organized crime. It’s going to take more than just law enforcement. It’s going to take a significant amount of diplomacy.”
Originally published at https://www.businessinsider.com/ransomware-cybersecurity-insurance-coalition-deep-instinct-vicious-cycle-2021-4 on .