Across the cyber security industry, ransomware is a hot topic. As frequency, severity, and loss continue to rise, professionals from across the industry are looking for solutions. At the 2020 NetDiligence Summer Summit on July 1, 2020, Moderator Richard Goldberg (Lewis Brisbois) led a team of thought leaders in a dynamic panel entitled “The Evolution of Ransomware Claims.” Chief among topics were current trends, issues related to MSPs, and how enhanced risk assessment/management can mitigate threats and lower costs.
Two trends in recent months – threat actors showing increased sophistication and increased sloppiness – might seem contradictory, but Ben Auton (SpearTip) and Bill Siegel (Coveware) explained how they are two sides of the same coin. Auton described the results of greater sophistication: as developers put more care into their code and show more patience once they have accessed a system, they are able to gather more information and reach more endpoints before making a demand. Siegel added that this additional effort leads to an expectation of a greater payoff – an economic proposition that works as clearly in crime as in any other enterprise. Furthermore, new ransomware strains are being developed to evade detection and to attack the very security controls designed to stop them. All of these factors increase disruption, drive up cost, and make companies more likely to pay.
The other side of the coin is the commoditization of ransomware, which has allowed code developers to become entrepreneurs. Ransomware as a service on the dark web means that less competent threat actors can simply buy into the enterprise. Armed with “junky” kits and less technical expertise, these actors may do more harm, supplying faulty decryption tools or wreaking damage while trying to break into well-defended systems. Furthermore, as entrepreneurial threat actors grow their own businesses, they are plagued by management issues that can complicate negotiation and recovery.
Matthew Webb (Hiscox) further developed the picture of threat actors as business developers – these are individuals highly attuned to their own branding and image. It would seem that there is a ransomware for every need, from free code used by thousands of affiliates to exclusive packages available only to a select few and aimed at high-profile, high-profit victims.
Kimberly Horn (Beazley) noted that a subtle shift in data exfiltration is also underway. Though PHI/PII is still a target, threat actors have begun to understand the value of other data. Marketing, product development, internal communications, and other sensitive material are not covered by mandated reporting; however, these are certainly secrets that companies do not want to see published, making them excellent hostages in a ransom negotiation. If insurance information is accessed, a company enters negotiation in a particularly weakened state. Demands may far outstrip a reasonable payment if the threat actor believes that the policy limit should go directly into their pocket.
One industry that faces particular challenges in this environment is managed service providers. All consequences of an attack on an MSP – from data breach to business interruption – ripple downstream, creating first- and third-party loss. Horn states that MSPs tend to be both underinsured – carrying insufficient lines and limits – and undereducated – failing to understand that their own policies may give no coverage to their clients. Auton adds that MSPs typically incentivize accessibility over security and that negotiation is particularly complex when there are so many stakeholders.
Underwriting in this environment is clearly a challenge, but Webb sees data collection as the answer. Understanding each industry, the frequency and severity of attacks, common risk factors, and geolocation is a start. But he also stresses that close examination of a company’s risk posture is a practice with an additional benefit. As companies are increasingly asked to investigate their risks, their ability to detect and protect, and their plans for response and recovery, they are engaging in the same practices that will ultimately give them the information they need to improve their risk posture and mitigate future losses.