Ransomware is evolving from a relatively low-dollar extortion racket into a more sophisticated, more expensive, and more prevalent major criminal activity. Hardly a day goes by anymore without ransomware or cyber extortion making the news. A seeming turning point in the severity of this crime was the mid-February 2016 cyber extortion of a large Los Angeles hospital chain, where a reported ransom of $3 million was originally demanded. Although the ransom ultimately paid was 40 bitcoins (about $17,000, a far cry from $3 million), its payment nevertheless represents a substantial and noteworthy increase from the hundred-dollar ransoms that were previously commonplace. Among those taking note are insurers providing cyber coverage, who often will include ransomware coverage in their policies. Since this manner of cybercrime is going to be with us for the foreseeable future, insurers and their insureds are best served by proactively managing, and thereby perhaps eliminating, the harm that may result from a ransomware attack.
What is ransomware?
In a nutshell, ransomware is a type of malware (a computer virus) that prevents users from accessing files and data on their computer, and threatens permanent encryption or deletion of that data if a sum of money—a ransom—is not paid. For individuals and businesses that do not back up their essential data, the only real option is to pay the ransom.
The goal of the hackers is not to destroy or permanently encrypt the data, but to secure fast payment of the ransom. That is the ransomware business model – quick cash. Historically, the amount of ransom demanded by the perpetrators has been relatively low in order to make its payment the logical choice for the victim; pay a nuisance sum and have access to one’s data restored quickly. In the early ransomware incidents of several years ago, the ransom was often as low as $100. According to the recent Crypto-Ransomware Survey of IT Experts performed by Researchscape International, the median amount of ransoms paid more recently is approximately $250, with one quarter of the ransoms paid amounting to $551 or more. Despite these still relatively modest ransom amounts, future demands will certainly seek even larger amounts of money, if for no other reason than simply because the hackers can get it. Indeed, the $17,000 ransom payment made in the Los Angeles hospital case demonstrates a significantly steeper price that companies are willing to pay for the return of access to their data.
While ransomware is not a new concept, it has become considerably more prevalent in recent years, and will endure as a serious and escalating threat for the foreseeable future. In the Crypto-Ransomware Survey, one-third of IT experts were “extremely” or “very” concerned about ransomware attacks and 61 percent were “moderately” or “slightly” concerned. Only 6 percent of IT experts were not at all concerned about ransomware. Moreover, of the IT experts concerned about ransomware attacks, 59 percent expect the number of ransomware attacks to increase in 2016. In 2016, McAfee Labs, one of the world’s leading sources for threat research and cybersecurity, released a Threat Predictions forecast that predicted ransomware will remain a “major and rapidly growing threat in 2016.” Indeed, data from the FBI Internet Crime Complaint Center (IC3) shows that ransomware with cyber extortion is one of the most serious cyber threats infecting devices around the globe.
CryptoLocker is thought to be the first ransomware spread via email through social engineering techniques, and it has infected tens of thousands—if not hundreds of thousands—of computers since its release in September 2013. A seemingly innocuous email message appears on the user’s computer, appearing to have been sent by a legitimate company. However, when the recipient attempts to open a file attachment embedded in the email, CryptoLocker causes a Trojan bot to encrypt certain types of files on the recipient’s hard drive or networked drives. The malware then displays a message offering to decrypt the data if a ransom is paid online by a stated deadline. Typically, payment in bitcoin or a pre-paid cash voucher is required. Once the ransom is paid, the data is decrypted and access restored.
CryptoLocker also demonstrates the creativity and resourcefulness cybercriminals will employ to capture the maximum amount of dollars from their crimes. Shortly after CryptoLocker launched, the crooks behind it discovered that some victims were having trouble completing the online ransom payments. In response, the enterprising CryptoLocker hackers created a customer service website to help victims pay their ransom – a criminal help desk! The hackers did not want to leave a single ransom dollar on the table.
What are the insurance implications of ransomware?
With the increased prevalence of cybersecurity breaches and hacking attacks, more and more companies look to the insurance marketplace to manage their cyber and data breach risks. Given the recent increase in demand, many insurance companies have jumped into the marketplace and offer cyber insurance or data breach policies. A number of these policies provide coverage for the insured’s ransom payments following such extortions. As more and more insurance companies write coverage for cyber extortion, what is going to happen? How will that change the ransomware landscape? Will the increasing availability of cyber extortion coverage increase the prevalence of ransomware attacks and, as well, the dollar amounts of those ransom demands? These questions will only be answered precisely in due course. However, we do know that as victims continue to pay the hackers for the return of their data and files, the cycle will not stop. Indeed, on June 8, 2016, the University of Calgary paid $16,000 (U.S.) ($20,000 CDN) as ransom in order to restore data following a ransomware attack.
The availability of ransomware insurance does not mark the first time insurance has been made available to cover ransom payments. Nearly a century ago, coverage for kidnapping ransoms came into existence. Kidnappings for ransom share many parallels with ransomware attacks. Both are accomplished to obtain ransom, and in many instances that ransom is paid. The earliest kidnap insurance policies are believed to date back to the 1930s, after the abduction of the 20-month-old son of the trans-Atlantic aviator Charles Lindbergh. The kidnap insurance market further increased in the 1960s and 1970s after a series of well-publicized kidnappings, and, in more recent times, the market again expanded after 2001 following the terrorist attack on 9/11. Indeed, the Guardian reported that at least seven percent of Fortune 500 companies in 2014 took out kidnap and ransom insurance. While the exact figures are unknown, it is estimated that more than $1 billion has been paid out in ransom to release kidnapped executives. Not surprisingly, the vast majority of ransom payments go unreported.
With kidnap insurance, it is a very debatable point whether the existence of such coverage and the resulting payments has led to more kidnapping and ransom demands. However, in the ransomware context, we contend the increased prevalence of cyber extortion coverage will very much, and necessarily, lead to even more cyber extortion events and an increase in the dollar amounts of such demands. The barriers to entry into the cyber extortion arena are substantially lower than those for human kidnapping; cyber extortion can be done from a basement half a world away from the victim, and involves only keystrokes rather than physical confrontations or inherent danger. There is little, if any, reason for the cyber criminals to stop attacking distant computers, or to stop increasing their ransom demands, when those attacks are successful. The profits made by initial entrants to cyber extortion will drive additional hackers to the business model. If the insurance market, or the extorted businesses themselves, continue to pay these increasingly larger sums for the release of data, the cyber criminals will continue to push their ransom demands higher and higher.
This is not at all to suggest that ransomware coverage should not be available to insureds. As with kidnap insurance, there are a variety of ways insurance companies can mitigate cyber risk. For example, secrecy is usually a paramount term in kidnap and ransom policies. The fewer people who know a ransom might be insured and paid quickly by an insurance company, the better. This makes sense. Criminals will prefer victims whom they know to be insured, so knowledge as to coverage must be limited.
Perhaps more important, however, is an insured’s focus on prevention and planning for a potential incident. With kidnap and ransom insurance, carriers typically educate their clients on prevention and the importance of having procedures and a pre-established kidnap crisis management team in place. Similarly, cyber insurance carriers ought to consider requiring their insureds to have proper backup systems and cyber security training for all employees before they issue insurance policies covering cyber extortion.
Companies can minimize or eliminate the need to pay a ransom by making sure they have robust and efficient backup procedures and data restoration plans. With a solid backup system in place, a company need not pay any ransom to the hackers—the company’s data may be encrypted by hackers, but that same data is then recoverable from the company’s own backup systems. Companies must also minimize cyber extortion risk by training their employees about the risks of ransomware. Ransomware enters a computer system when a user accidentally and unknowingly clicks on a file or attachment that contains a ransomware virus. Through training, employees can be taught to avoid suspicious-looking websites and emails, and to not click on accompanying attachments.
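A backup only removes the need to pay if it is verified and its restore path has actually been exercised before an incident. The following script is an added example, not code from the article or its authors: it records a SHA-256 manifest of a working directory, copies the tree to a separate backup location and checks the copy against the manifest, then runs a restore drill in which some working files are damaged (simulated here by overwriting one with random bytes and deleting another; no encryption is involved) and only the files whose hashes no longer match are restored from the backup. All paths, file names and contents are constructed for the drill; in a real deployment the backup location would be offline or write-once storage that a compromised workstation cannot reach.

```python
"""Backup manifest, verification and restore drill (added example, constructed data)."""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src: Path, dst: Path) -> dict[str, str]:
    """Copy src to dst and return the manifest taken at backup time.

    The copy is re-hashed and compared to the source manifest before it is
    trusted; an unverified backup is not a backup.
    """
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)
    manifest = build_manifest(src)
    if build_manifest(dst) != manifest:
        raise RuntimeError("backup verification failed")
    return manifest


def find_damaged(root: Path, manifest: dict[str, str]) -> list[str]:
    """Relative paths that are missing or whose hash differs from the manifest."""
    damaged = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file() or sha256_file(p) != digest:
            damaged.append(rel)
    return damaged


def restore(root: Path, backup: Path, manifest: dict[str, str]) -> list[str]:
    """Restore only damaged files, checking each backup copy against the manifest first."""
    restored = []
    for rel in find_damaged(root, manifest):
        src = backup / rel
        if not src.is_file() or sha256_file(src) != manifest[rel]:
            raise RuntimeError(f"backup copy of {rel} is itself missing or damaged")
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)
        restored.append(rel)
    return restored


def restore_drill() -> dict:
    """Run the whole drill on constructed files in a temp directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp) / "work"            # hypothetical working directory
        backup = Path(tmp) / "offline_backup"  # stands in for offline/write-once storage
        (work / "finance").mkdir(parents=True)
        (work / "finance" / "ledger.csv").write_text("date,amount\n2016-02-15,17000\n")
        (work / "notes.txt").write_text("incident runbook draft\n")

        manifest = make_backup(work, backup)

        # Simulated damage to the working copy: one file overwritten with random
        # bytes, one file deleted. This is constructed for the drill only.
        (work / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        (work / "notes.txt").unlink()

        damaged = find_damaged(work, manifest)
        restored = restore(work, backup, manifest)
        return {
            "damaged": sorted(damaged),
            "restored": sorted(restored),
            "clean_after_restore": find_damaged(work, manifest) == [],
        }


if __name__ == "__main__":
    print(restore_drill())
```

The drill exercises both halves of a restoration plan: detection of which files no longer match a known-good manifest, and a restore that refuses to copy a backup file that has itself drifted from the manifest. Running it on a schedule against real backup media is what turns "we have backups" into evidence that the ransom need not be paid.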
Unfortunately, the end of ransomware is not near. Even as companies employ more resources to prepare for a ransomware attack, ransomware is not going away any time soon. It is simply too profitable at the moment. The hackers will become more sophisticated and their technology will continue to evolve. Accordingly, businesses and the insurance market must work together to explore new approaches to address these risks and work toward eliminating, or at least substantially reducing, the need to put these ransom dollars in hackers’ pockets.
Thomas Caswell’s insurance coverage litigation practice is focused on first party property, liability, cyber coverage, construction defect claims, bad faith, time element and boiler & machinery claims. He has made substantial recoveries for his clients following their losses arising out of fires, explosions and mechanical failures in refineries, power plants, foundries, hotels and large manufacturing facilities. His email address is firstname.lastname@example.org
Rory Zamansky’s practice focuses on complex litigation and dispute resolution. He has extensive experience defending financial services firms in challenging, high stakes lawsuits involving multi-million dollar claims of negligence, breach of contract, breach of fiduciary duty, and violations of state and federal statutes. He also has substantial experience in the areas of commercial contract and business disputes, insurance, reinsurance, employment matters and class actions. His email address is email@example.com