The first ransomware attack took place in 1989 and was made possible by the floppy disk. However, it wasn’t until cryptocurrencies and “untraceable” payments emerged in the 2010s that its prevalence as an attack method skyrocketed.
The growth of cryptocurrencies is just one of several major trends that have influenced the ransomware landscape. Elsewhere, for example, international relations have played a role. Attackers and victims rarely live in the same country, so dealing with criminals requires cross-border collaboration of law enforcement. The United States and Russia began working together to address Russia-based gangs before the Ukraine war ended that cooperation.
But one of the biggest influences on the state of ransomware in the relatively short period since it became a mainstream threat, just over ten years ago, has been cyber insurance. Although it does not always benefit individual victims, years of policy changes and updated coverage requirements have made organizations much more resilient in the long term.
General Director of Databarracks.
If ransomware is a new phenomenon, so is cyber insurance
I remember speaking with an insurance company a little over ten years ago. They had just started offering cyber insurance policies, but at that time they had not yet received a claim.
But as the number of ransomware attacks skyrocketed, organizations eagerly adopted cyber policies to protect themselves. Ransomware attack methods and ransoms demanded were very different from today. In the early 2010s, the most common ransomware companies faced were low-cost, mass-market attacks such as CryptoLocker. The ransom demanded by the attackers was just a few hundred dollars.
As attacks became more common, there were significant changes in the way criminals operated. ‘Ransomware as a Service’ emerged as a product that offered potential cybercriminals, without the skills to develop malware themselves, the opportunity to purchase a commercially available kit. Attacks also became more targeted, focusing on industries with weaker cyber defenses, such as manufacturing, government and healthcare, where the impact of downtime would be much greater.
Pay, recover or fail
Historically, ransomware victims were faced with a choice: pay the ransom, often hundreds of thousands or millions of pounds, usually by claiming on their cyber insurance policy, or attempt to recover on their own.
Unable to rely on recovery methods such as backups, some companies had no choice but to pay criminals. In other cases, victims had to weigh the cost of the ransom against the cost of their own recovery, which can quickly become expensive. For example, there are direct costs such as cyber forensic experts, IT consultancies and the likely cost of overtime for your own teams. Then you have to consider the business impacts, such as lost revenue, fines from regulators, and the long-term costs of reputational damage.
Most organizations chose to pay the ransom, thereby fueling a vicious cycle of more attacks and more payments.
While this was bad news for all parties, the pain was felt most acutely by cyber insurers, who suddenly found their fast-selling product backfiring and exposing them to massive losses.
The biggest problem for companies was the fact that they were not addressing the root cause of the attacks. Instead of taking steps to improve their defenses and implement processes to aid recovery, they found themselves vulnerable and in a position where they had no choice but to pay a ransom.
Insurers responded in the two ways that would most be expected in this situation: they increased the price of the product and raised their requirements to obtain coverage.
When you take out home insurance, for example, you answer questions about the security of your home and its different entry points. But when it comes to obtaining cyber coverage, businesses today have much more to consider.
Previously not very in-depth, cyber insurance questionnaires now evaluate companies in each of the following areas:
- Segregation of production and backup data
- Backup encryption
- Date of the last disaster recovery test
- Annual budget for IT and cybersecurity
- Whether the company has previously suffered a ransomware attack
- How quickly critical updates are deployed, and whether any software is used beyond its end of life
The key difference is that insurers are taking more care to evaluate whether the company requesting coverage is secure and capable of responding to a cyberattack. For them, the best customers are those who are unlikely to file any claims. Should such a customer need to file a claim, they have the ability to respond and recover quickly, limiting their costs and resulting in a lower payout.
Crucially, insurance companies also began to discourage payments whenever possible.
These changes had a significant impact on the situation. Organizations improved both their preventive security measures and their response capacity. Suddenly, companies looked to implement immutable backups and segregation of operations and began conducting frequent disaster recovery testing.
The resulting change is already visible across the industry. More organizations than ever have cyber insurance, but fewer are filing claims. Instead, businesses are recovering on their own.
The here and now
Considering each attack in isolation, paying a ransom may seem like a more attractive option. Paying up can mean less downtime, less reputational damage (assuming it’s kept secret), and a lower overall cost to the company.
However, paying ultimately leads only to more attacks. The ransomware problem cannot be solved by any one organization in isolation; it requires a collaborative effort to remove the incentives for attackers.
While outright payment bans are frequently discussed by regulators, they have almost always been abandoned. The only successful ban has been on payments to known terrorist organizations. The difficulty lies in establishing a standard that is effective but does not lead companies to incur crippling costs, fail and cause job losses. Cyber insurers, by contrast, began influencing the market by discouraging organizations from paying and instead encouraging them to improve their response.
Cyber insurance has succeeded where regulation has largely failed. Without a doubt, it has been the most important positive factor in improving the response to ransomware and the overall cyber resilience of companies.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we feature the best and brightest minds in today’s tech industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.