Survey Suggests Ransomware Broadening Perceptions of Cyber Risks

By Jim Sams | October 4, 2019

Corporate risk managers are increasingly focusing on protecting their enterprises from business interruption after a series of ransomware attacks on government agencies highlighted the peril of losing access to their computer networks, according to a survey released by Zurich Insurance and Advisen on Thursday.

“In the past, the most attractive targets were organizations with large databases of personally identifiable information that could be stolen and monetized on the Dark Web,” stated Michelle Chia, head of Professional Liability and Cyber for Zurich North America. “While that risk is still with us, criminals are expanding their target lists to include organizations that historically have not had large stores of salable data. The goal is to immediately cash in by taking control of a network until a ransom is paid.”

A separate report released this week by cybersecurity firm FireEye detailed the latest tactics of ransomware hackers: Using compromised websites to transmit fake internet browser updates that actually download malware. FireEye said hackers used the updates to open a backdoor into computer networks, where they could gain credentialing information to lock down all files until a ransom is paid.

FireEye first reported on the “FakeUpdates” scam in April. The company said since then, hackers have developed more sophisticated means of entry and have been able to move laterally within systems, sometimes within 15 minutes after infection. In some cases, the ransomware hackers made multi-million dollar ransom demands, FireEye said.

“Over the past few years, we have seen ransomware graduate from a nuisance malware to one being used to extort victim networks out of significant sums of money,” the Silicon Valley-based firm said. “Furthermore, threat actors are now coupling ransomware with multiple toolkits or other malware families to gain stronger footholds into an environment.”

McAfee, the Internet security firm, reported in August that the number of ransomware attacks in the first quarter of 2019 increased by 118% compared to the prior-year quarter. While spear-phishing tactics were still being used, an increasing number of attacks are made through exposed remote access points and through virtual network computing, the report says.

Ransomware attacks have been making headlines for about the past 18 months. Most recently, coverage focused on ransomware attacks against the pension fund for Oklahoma state troopers and more than 20 Texas municipalities and several Louisiana school districts.

In the wake of that attack, the FBI on Wednesday issued a public service announcement warning that ransomware attacks are becoming increasingly sophisticated.

“Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly,” the FBI said. The bureau advised businesses not to pay ransom because payment does not guarantee that data will be recovered.

The ransom paid is only part of the potential loss of a cyber attack. The FireEye report said hackers often threatened to delete all files in a network within one week if the demanded ransom was not paid. If an enterprise took that long to respond, the impact on revenue could be devastating.

The survey of 350 risk professionals and insurance buyers showed that business interruption cost is a greater concern than the actual extortion. Respondents were asked to choose from a list of 11 possible outcomes of cyber events. Of those, 95 percent named data breach as the number one risk, cyber-related business interruption was cited by 94.5 percent and cyber extortion/ransom was cited 89 percent of respondents.

Risk managers also believe that they are protected. According to the Zurich/Advisen survey, 95% of respondents said they expect the cost of business interruption to be covered under their cyber policies. And 75% expected contingent business interruption — such as a hack that shuts down a crucial vendor — to be covered, according the survey.

Zurich said in a press release that the survey results show how customer expectations are changing. In their infancy, cyber-related claims typically involve costs incurred in resconstruction of data, user notifications and mitigation for affected individuals after a breach, the carrier said.

The survey also shows that there is some uncertainty as to whether business interruption costs will be covered. While 95% of respondents said they expect such costs to be covered by insurance, only 78% said that they believe it is covered by their cyberpolicy and 9% said the costs will be borne by another policy, while 5% said they would be interested in buying such coverage. Another 9% of the risk professionals said they don’t know if they have coverage.

“The survey results show insurance buyers see both a potential gap in limits of coverage as well as overlaps of coverage – 36 percent believe they have cyber-related property damage/bodily injury coverage under another policy,” Advisen said in a report explaining the survey results. “This reflects the belief that some coverage for cyber as a cause of loss can be found under traditional policies.”

Zurich said it will discuss key findings of the report during the Advisen Cyber Risk Insights Conference in New York City on Oct. 24.

Was this article valuable?

Here are more articles you may enjoy.