Cyber insurance for organizations is becoming increasingly more beneficial where $10,000 deductibles are a bargain when compared to the hundreds of thousands of dollars requested by ransomware creators. While these insurance policies are devised to aid an affected organization back to regular business operations, they’ve also been directly fueling the creators of the ransomware.
Ransomware, when exploited in an environment will crawl through your workstation and network shares to identify specific file types (documents, backups, images) to encrypt. Once encrypted, an organization only has two options to recover the encrypted data. One involves restoring from a backup, which would first require that the organization has a backup, and the second would involve paying the ransom. While the ransomware cost can vary from a few thousand dollars to upwards of a couple of hundred thousand, the organizations now have insurance companies making decisions on how to get the organization back to normal operations while incurring the least cost.
If the cost of the ransomware is less than the cost to recover, insurance companies may be advising organizations that they will pay the ransom. While this may seem counterintuitive, insurers are aware that the cost resulting from business interruption, on top of recovering data, is simply a much greater cost than the cost of simply paying the ransom. Ransomware creators have caught wind of this trend and have accordingly increased the ransom values. From Q1 2019 to Q2 2019, the ransom has increased 184%. The ransomware creators know that the cost to recover and the cost of the ransom will always exceed the deductible from insurers.
Case Study: Lake City, Florida
As cases for large ransomware payouts are on the rise, some organizations are beginning to hold their IT staff responsible for these unfortunate attacks that could have been prevented. In Florida the director of information technology for Lake City was dismissed after the city of was hit last month, impacting almost the entire infrastructure including many systems, emails, and telephones.
On account of the infection locking down so many sensitive servers, the city council approved paying $460,000 USD in bitcoin to the attacker in order to obtain decryption keys to unlock municipal systems. Fortunately, Lake City had enough insight to have purchased cyber insurance just for these types of scenarios. Most of the payment was covered by insurance except the deductible. The news station that release the story quoted the city manager as saying it will take the municipality another two weeks to recover all the data that was encrypted by the malware. Similar high payout cases have been occurring across North America but it has not been disclosed if insurance coverage was involved. Recently victimized were the Florida municipalities of Key Biscayne and Riveria City. Riveria City’s Insurer, Beazley, paid the equivalent of US$600,000 in bitcoin ransom.
Ransomware and cyber insurance are relatively new territories for insurers, and they may be unaware of the consequences of fueling these attackers. With greater financial support, ransomware can continue to become more sophisticated and costlier as the creators will continue to increase ransoms until payouts are no longer feasible. While the ability to detect a new strain will heavily depend on your anti-virus, there are ways to limit your exposure and lower your overall risk. Many cyber experts claim that there is no reason to pay ransoms if an organization has a data recovery plan that ensures backup data is held independently of main systems and can’t be corrupted, but this type of implementation requires hardening security policies and must be maintained regularly.
To protect yourself from ransomware, we recommend the following tasks are completed:
Enable two-factor authentication for email and any services that connect into the network (e.g., VPN).
Conduct a permissions audit on your file shares. If ransomware strikes, limiting the reach of the malware can save thousands.
Check your backups regularly and conduct a table top exercise that mirrors what would occur if ransomware was to strike.
Review your anti-virus vendor. More often than not, ransomware will get past some of the top vendors in the industry.
Ensure regular employee awareness training for phishing emails. Think twice before clicking. Not only does this apply to messages sent by unfamiliar people but also to senders who you believe are your acquaintances. E.g. delivery service, an e-commerce resource, a law enforcement agency, or a banking institution.
Fine-tune anti-spam filters. Most ransomware variants are known to be spreading via eye-catching emails that contain contagious attachments. It’s a great idea to configure your webmail server to block dubious attachments with extensions like .exe, .vbs, or scr.
Consider disabling vssaexe, which administers the Volume Shadow Copy Service. While this can be used to restore previous versions of arbitrary files, malware can also use it to wipe out shadow volume snapshots. If the admin service is disabled, IT managers can still use VSS to restore the encrypted files after an attack.
At Packetlabs, we specialize in simulating an attacker and preparing your organization before they reach you. We offer a ransomware simulation service to assist organizations in determining their susceptibility to ransomware. The service involves simulating a successful ransomware attack and determining what data could be impacted. In doing so, organizations determine areas where security controls are lacking and the inevitable resulting cost if attacked. Our services act as a preventative measure that will not only protect or clients against an attack, but also reduce the risk of fueling an already growing epidemic.