Ransomware remains one of the top concerns in the cybersecurity world. Like cyber risk as a whole, the threat of ransomware is constantly evolving. Only a couple of years ago, ransomware was more of an automated attack. Bad actors peppered as many people as possible with phishing scams in order to get a high click rate and make a quick buck via frequent low-dollar ransoms.
The malware mainly used in ransomware attacks two years ago wasn’t really designed to do anything more than lock down the system. It wasn’t capturing data while it was in the system, meaning the attacks didn’t often lead to data breaches, explained Kimberly Horn, global claims team leader, cyber & tech claims at Beazley.
“We always carry out a data breach investigation once a company is back up and running after a ransomware attack. Typically, we weren’t seeing companies actually have to notify because no personally identifiable information was being impacted,” Horn told Insurance Business. “Those attacks were largely hitting the small business space, at least that’s where the majority of claims on our book came from.
“Fast forward two years to today and now what we’re seeing in terms of ransomware is more targeted attacks, and the bad actors are going after middle market companies. In these cases, the ransomware is more of a parting gift. They’ve already been in the system for some time, using sophisticated banking trojans to do a reconnaissance of the company in order to figure out what the company’s worth, what data they might be able to steal and profit from, and whether they have any system back-ups.”
Banking trojans have been around for a very long time. They were initially designed to capture people’s log-in keystrokes and to steal banking credentials. Now these trojans are being used to infiltrate systems, fish around, and ultimately cause data breaches. These more targeted attacks on middle market companies come hand in hand with much higher ransom demands. The more malicious strains of ransomware also lock down system back-ups, and once bad actors know they’ve done this, they can be more brazen with their ransom demands because they know the companies have no alternative.
“A year and a half ago, the maximum amount we paid was about US$7,500, but in many cases, we weren’t paying the ransom because we had the back-ups available to restore the data,” commented Horn. “Now we’re seeing ransomware demands regularly in the seven figures, more like US$1 million, US$2 million, and a few weeks ago we saw one for almost US$4 million.
“There are still some opportunities, as not every insured has their systems locked down. Hopefully they have their networks segmented in a way that those back-ups are not able to be linked to the main server. However, the bad actors are now finding the main servers and locking those down, and, as a result, we’re seeing ransom demands go way up. They’re getting smarter and much more sophisticated, and companies are really scrambling to find people who can service them through these breaches.”