The first ransomware attack took place in 1989 and was made possible by the floppy disk. However, it wasn’t until cryptocurrencies and “untraceable” payments emerged in the 2010s that its prevalence as an attack method exploded.
The growth of cryptocurrencies is just one of many major trends that have influenced the ransomware landscape. Elsewhere, for example, international relations have played a role. Abusers and victims rarely live in the same country. The fight against criminals therefore requires cross-border collaboration between law enforcement agencies. The United States and Russia began working together to combat Russian-based gangs before the war in Ukraine ended that cooperation.
But one of the biggest influences on the state of ransomware in the relatively short period since it first appeared just over a decade ago has been cyber insurance. While this may not always benefit victims, years of policy changes and updated coverage requirements have allowed organizations to become much more resilient in the long term.
Managing Director of Databarracks.
If ransomware is a new phenomenon, so is cyber insurance
I remember talking to an insurance company a little over ten years ago. They had just started offering cyber insurance policies, but at this point they had yet to receive any claims.
But as the number of ransomware attacks increased, organizations rushed to put cyber policies in place to protect themselves. Ransomware attack methods and ransom demands were very different from today. In the early 2010s, the most common ransomware ventures were low-cost mass attacks, like CryptoLocker. The ransom demanded by the attackers was only a few hundred dollars.
As attacks have become more frequent, there have been significant changes in the way criminals operate. “Ransomware as a Service” emerged as a product offering would-be cybercriminals, without the skills to develop malware themselves, the opportunity to purchase a ready-made kit. Attacks have also become more targeted, focusing on industries with weaker cyber defenses, such as manufacturing, government and healthcare, where the impact of downtime would be much greater.
Pay, collect or fail
Historically, ransomware victims were faced with a choice: pay the ransom, often hundreds of thousands or millions of pounds, usually by claiming on their cyber insurance policy, or attempt to recover themselves.
Without being able to rely on recovery methods such as backups, some companies had no choice but to pay the criminals. In other cases, victims have had to weigh the cost of the ransom against the cost of their own recovery, which can quickly escalate. There are direct costs, such as cybercrime experts, IT consultancy and the likely overtime for your own teams. Then there are the business impacts to consider, such as lost revenue, fines from regulators, and the long-term cost of damage to your reputation.
The majority of organizations chose to pay the ransom and then entered a vicious cycle of more attacks and more payments.
While this is bad news for all parties, the pain has been felt acutely by cyber insurers who suddenly discovered that their fast-selling product was coming back to bite them and exposing them to massive losses.
The biggest problem for businesses was that they weren’t addressing the root cause of the attacks. Instead of taking steps to improve their defenses and put processes in place to facilitate recovery, they found themselves vulnerable and in a position where they had no choice but to pay a ransom.
Insurers reacted in the two ways one would expect in this situation: they increased the price of the product and raised their requirements for obtaining coverage.
When you take out home insurance, for example, you answer questions about the security of your home and its various entrances. But when it comes to obtaining cyber coverage, businesses today have much more to consider.
Previously shallow cyber insurance questionnaires now assess companies in each of the following areas:
- Segregation of production and backup data
- Backup encryption
- Disaster recovery testing deadline
- Annual budget for IT and cybersecurity
- Whether the business has ever suffered a ransomware attack
- How quickly critical updates are deployed and whether software is used beyond its end of life
The main difference is that insurers are more careful to assess whether or not the business seeking coverage is secure and capable of responding to a cyberattack. For them, the best customers are those who are unlikely to make a claim. If a claim does become necessary, the customer has the ability to respond and get back online quickly, thereby limiting their costs and leading to a lower payout.
Importantly, insurance companies have also started discouraging payments wherever possible.
These changes have had a significant impact on the situation. Organizations have improved both their preventive security measures and their response capacity. Suddenly, companies sought to implement immutable backups and separation of operations and began performing frequent disaster recovery testing.
The resulting change is already visible in all companies. More and more organizations have cyber insurance, but fewer are filing claims. Instead, businesses are recovering.
The here and now
Taking each attack in isolation, paying a ransom may seem like a more attractive option. Paying can mean less downtime, less reputational damage (assuming it’s kept secret), and a lower overall cost to the business.
But ultimately, paying will only lead to more attacks. The ransomware problem cannot be solved in isolation; it requires a collaborative effort to remove the incentives that make attacks profitable.
Although outright payment bans are frequently mentioned by regulators, they have almost always been abandoned. The only successful ban prevented payments to known terrorist organizations. The difficulty lies in establishing a rule that is effective but does not result in crushing costs, bankruptcy and job losses for businesses. Instead, cyber insurers began to influence the market by discouraging organizations from paying and encouraging them to improve their response.
Cyber insurance has succeeded where regulation has largely failed. This is undoubtedly the most important positive factor in improving ransomware response and overall enterprise cyber resilience.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.