The impact of the cyber insurance industry in resilience against ransomware


The first ransomware attack took place in 1989 and was made possible by the floppy disk. It wasn’t until cryptocurrencies and ‘untraceable’ payments came along in the 2010s, however, that its prevalence as an attack method exploded.

The growth of cryptocurrency is just one of several major trends that has influenced the ransomware landscape. Elsewhere for example, international relations has played a part. Attackers and victims quite rarely live in the same country, so dealing with the criminals requires cross-border law enforcement collaboration. The US and Russia began working together to address gangs based in Russia before the Ukraine war put an end to that cooperation.

But one of the biggest influences on the state of ransomware in the relatively short period since it really arrived just over ten years ago has been cyber insurance. Though not always to the benefit of victims, years of policy changes and updated requirements for cover have seen it make organizations much more resilient in the long run.

James Watts

Managing Director of Databarracks.

If ransomware is a new phenomenon, so too is cyber insurance

I remember speaking to an insurance company just over ten years ago. They’d just started offering cyber insurance policies but at that point, they were yet to receive a claim.

But as the number of ransomware attacks rocketed, organizations eagerly took out cyber policies to protect themselves. Ransomware attack methods and the ransoms demanded were very different then from how they are today. In the early 2010s the most common ransomware businesses faced were low-cost, mass-market attacks like CryptoLocker, and the ransom demanded by the attackers was just a few hundred dollars.

As attacks became more common, there were significant changes in how criminals operated. ‘Ransomware as a Service’ emerged as a product, offering would-be cyber criminals, without the skills to develop malware themselves, the chance to buy an off-the-shelf kit. Attacks also became more targeted – focusing on industries with weaker cyber defenses such as manufacturing, government and healthcare, where the impact of downtime would be much higher.

Pay up, recover or fail

Historically, victims of ransomware faced a choice: pay the ransom, often hundreds of thousands or millions of pounds, usually by claiming on their cyber insurance policy, or attempt to recover themselves.

Without being able to rely on recovery methods such as backups, some businesses had no option but to pay criminals. In other instances, victims had to weigh the cost of the ransom against the cost of their own recovery, which can quickly become expensive. For example, there are the direct costs like cyber forensic experts, IT consultancies and the likely cost of overtime for your own teams. Then there are business impacts to consider such as lost income, fines from regulators and the long-term costs that come with damage to your reputation.

The majority of organizations chose to pay the ransom and subsequently fed into the vicious cycle of more attacks and more payouts.

While this was bad news for all parties, the pain was felt most acutely by the cyber insurers, who suddenly found that their fast-selling product was coming back to bite them and exposing them to massive losses.

The biggest problem for businesses was the fact that they weren’t addressing the root cause of attacks. Instead of taking steps to improve their defenses and put processes in place to aid recovery, they found themselves vulnerable and in a position where they had little choice but to pay a ransom.

Insurers responded in the two ways that you’d most expect in this situation: they increased the price of the product and raised their requirements to obtain cover.

When you take out home insurance for example, you answer questions about the security of your home and its various entrance points. But when it comes to obtaining cyber cover, businesses today have far more to account for.

Cyber insurance questionnaires, once of no great depth, now assess businesses in each of the following areas:

  • Segregation of production and backup data
  • Encryption of backups
  • Last date of disaster recovery testing
  • Annual budget for IT and cyber security
  • Whether a business has previously suffered a ransomware attack
  • How quickly critical updates are deployed, and whether any software is used beyond end of life

The key difference is that insurers are taking greater care to assess whether or not the company applying for cover is secure and able to respond to a cyber-attack. For them, the best customers are those who are unlikely to make a claim. In the event that they do need to claim, the customer has the capability to respond and bring themselves back online quickly, limiting their costs and leading to a smaller payout.

Crucially, insurance companies also began discouraging payments wherever possible.

These changes had a significant impact on the state of play. Organizations improved both their preventative security measures and their ability to respond. Suddenly, businesses sought to implement immutable backups and segregation of operations and began carrying out frequent DR testing.

The resulting shift is already visible across businesses. More organizations than ever have cyber insurance but fewer are making claims. Instead, businesses are recovering themselves.

The here and now

Taking each attack in isolation, paying a ransom can seem a more attractive option. Paying can mean less downtime, less reputational damage (assuming it is kept under wraps) and a lower overall cost to the business.

Ultimately however, paying will only lead to more attacks. The ransomware problem can’t be improved in isolation, but instead requires a collaborative effort to address the benefits for attackers.

While outright bans on payment are frequently discussed by regulators, they have almost always been abandoned. The only successful ban has prevented payments to known terrorist organisations. The difficulty lies in setting a rule that is effective but doesn’t lead to businesses incurring crippling costs, failing and causing job losses. Cyber insurers originally began influencing the market by discouraging organizations from paying out, and instead encouraging them to improve their response.

Cyber insurance has succeeded where regulation has mostly failed. It has undoubtedly been the most significant positive factor in improving ransomware response and the overall cyber resilience of businesses.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
