After suffering a ransomware attack, a team of business leaders felt confident they didn’t need to give in to the attackers’ demands for payment.
Though their files were encrypted by the ransomware gang, they had strong backups. They’d contacted their cyber insurer, which put them in touch with legal counsel and a forensic specialist. These experts helped them get in touch with the FBI, which had a decryption key for this particular ransomware gang. All seemed to be going smoothly until they entered the key and found a number of files in their virtual machines were still locked.
“It turned out that another ransomware gang had also encrypted its system,” said Danielle Roth, head of cyber and tech claims for AXA XL.
So the company had to pivot. It needed to get its machines back up and running. The ransom negotiator reached out to the second group of threat actors, who directed the team to keep negotiating with the first group. The insured eventually got its files back after paying the first group of attackers, who then had the second group release their decryption key.
This case was unique — it’s not often companies are attacked by two ransomware gangs at the same time. But it is an example of how attackers are getting more creative in their efforts to encrypt files and extort payments from businesses.
Tactics like double extortion, sensitive data leaks and personalized attacks are placing companies at risk, even as many adopt critical security defenses.
After massive increases in 2021, the number of ransomware attacks and the size of ransoms declined slightly in 2022, according to Roth. These decreases can be attributed to companies adopting security measures like multifactor authentication, reliable backups and increased activity from law enforcement.
“Law enforcement is much more active,” Roth said. “Threat actors are very aware that if they aim too high, they’re really putting themselves at risk.”
A decrease between 2021 and 2022 doesn’t mean cyberattacks are going away, however. Roth noted that the number of attacks was once again increasing in the first quarter of 2023 as hackers tried out new strategies to get hold of company data and force payments.
“It’s not necessarily that the demands are higher, but threat actors are a lot more focused now,” Roth said.
That’s where tactics like double extortion come in. With double extortion, a cybercriminal might ask for a ransom before they provide a decryption key while also threatening to leak sensitive data if they don’t get paid. This tactic targets companies with strong backups, which may not need to regain their encrypted files, and puts additional pressure on senior leadership by threatening a business’s reputation.
“If it’s a health care facility, they might go after videos or private medical records or pictures, which could be very distressing to someone if they’re released,” Roth said.
“It’s actually pretty upsetting that the threat actors are going after employees and people’s health information in that way.”
Double extortion attacks have flourished in part because some business leaders might be operating under a misconception about how much data attackers could potentially leak during a ransomware event. “Years ago, I think, there was a misperception that ransomware attacks were not breaches before information began to be exfiltrated,” Roth said.
“People would not engage counsel; they would engage a forensics vendor, and once they were able to use their system again, that was it. They thought they were done.”
In addition to using double extortion tactics and threatening to leak sensitive data, threat actors are launching more targeted attacks on companies.
“They’re very focused on what they’re accessing and using that to apply pressure to the organization,” Roth said.
Cybercriminals might spend hours researching companies, determining how they can impersonate senior leadership personnel in phishing attacks in an attempt to get other employees to provide the login credentials needed to access the system. In more sophisticated attacks, they’ll contact employees using the company’s domain name, so that “it looks like it’s coming from inside the building,” Roth explained.
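The impersonation described above, a message that presents itself as coming from inside the company, is exactly the case that sender-authentication alignment (the check behind DMARC) is meant to catch: a message whose From header claims the company’s own domain must also carry an SPF or DKIM pass for that same domain, or a mail gateway should treat it as suspect. The following is an added example, not code from the article or from AXA XL, showing that check in Python over constructed mail headers. It assumes a hypothetical insured domain (`example-insured.com`), assumes the organization’s own inbound gateway writes the `Authentication-Results` header, and approximates DMARC’s relaxed alignment by comparing the last two labels of each domain (real DMARC consults the public suffix list).

```python
import re
from dataclasses import dataclass

# Hypothetical insured's own domain (assumption for this example).
INTERNAL_DOMAIN = "example-insured.com"


@dataclass
class Verdict:
    from_domain: str   # domain claimed in the From header
    spf: str           # SPF result reported by the gateway, e.g. "pass"
    spf_domain: str    # domain SPF was evaluated for (smtp.mailfrom)
    dkim: str          # DKIM result reported by the gateway
    dkim_domain: str   # DKIM signing domain (header.d)
    suspicious: bool   # True when the From domain is ours but nothing aligned passed
    reason: str


def _header(raw: str, name: str) -> str:
    """Return the value of the first header called `name` (case-insensitive), or ''."""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*)$", raw, re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip() if m else ""


def _org_domain(domain: str) -> str:
    """Relaxed-alignment approximation: keep the last two DNS labels.
    Real DMARC uses the public suffix list; this simplification is an assumption."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def _parse_auth_results(ar: str):
    """Pull spf/dkim results and the domains they were evaluated for out of
    an Authentication-Results header written by our own gateway."""
    spf = re.search(r"\bspf=(\w+)", ar)
    spf_dom = re.search(r"smtp\.mailfrom=(?:[^@\s;]*@)?([A-Za-z0-9.-]+)", ar)
    dkim = re.search(r"\bdkim=(\w+)", ar)
    dkim_dom = re.search(r"header\.d=([A-Za-z0-9.-]+)", ar)
    return (
        spf.group(1).lower() if spf else "none",
        spf_dom.group(1).lower() if spf_dom else "",
        dkim.group(1).lower() if dkim else "none",
        dkim_dom.group(1).lower() if dkim_dom else "",
    )


def check_message(raw: str) -> Verdict:
    """Flag a message that claims our domain in From without an aligned SPF or DKIM pass."""
    m = re.search(r"@([A-Za-z0-9.-]+)", _header(raw, "From"))
    from_dom = m.group(1).lower() if m else ""
    spf, spf_dom, dkim, dkim_dom = _parse_auth_results(_header(raw, "Authentication-Results"))

    if _org_domain(from_dom) != _org_domain(INTERNAL_DOMAIN):
        # External senders are out of scope for this check (lookalike domains need their own rule).
        return Verdict(from_dom, spf, spf_dom, dkim, dkim_dom, False,
                       "external sender; does not claim the internal domain")

    spf_aligned = spf == "pass" and _org_domain(spf_dom) == _org_domain(from_dom)
    dkim_aligned = dkim == "pass" and _org_domain(dkim_dom) == _org_domain(from_dom)
    if spf_aligned or dkim_aligned:
        return Verdict(from_dom, spf, spf_dom, dkim, dkim_dom, False,
                       "claims internal domain and has an aligned SPF or DKIM pass")
    return Verdict(from_dom, spf, spf_dom, dkim, dkim_dom, True,
                   "claims internal domain but no aligned SPF/DKIM pass")


# Constructed sample messages (not real mail). Only the headers matter here.
GENUINE = (
    "From: CEO <ceo@example-insured.com>\n"
    "To: finance@example-insured.com\n"
    "Authentication-Results: mx.example-insured.com; spf=pass smtp.mailfrom=example-insured.com;"
    " dkim=pass header.d=example-insured.com\n"
    "Subject: Q3 figures\n"
)
# Spoofed: From claims our domain, but SPF passed for an unrelated bulk sender and DKIM is absent.
SPOOFED = (
    "From: CEO <ceo@example-insured.com>\n"
    "To: finance@example-insured.com\n"
    "Authentication-Results: mx.example-insured.com; spf=pass smtp.mailfrom=bulk-sender.example.net;"
    " dkim=none\n"
    "Subject: Urgent wire transfer\n"
)
EXTERNAL = (
    "From: Vendor <billing@partner.example.org>\n"
    "To: finance@example-insured.com\n"
    "Authentication-Results: mx.example-insured.com; spf=pass smtp.mailfrom=partner.example.org;"
    " dkim=pass header.d=partner.example.org\n"
    "Subject: Invoice\n"
)


def triage(messages) -> list:
    """Return the subjects of messages that fail the alignment check."""
    return [_header(raw, "Subject") for raw in messages if check_message(raw).suspicious]


if __name__ == "__main__":
    for raw in (GENUINE, SPOOFED, EXTERNAL):
        v = check_message(raw)
        print(f"{_header(raw, 'Subject')!r}: suspicious={v.suspicious} ({v.reason})")
```

The check deliberately treats "SPF passed" as insufficient on its own: a message can pass SPF for whatever envelope domain the attacker controls while the visible From still names the insured. Only a pass whose evaluated domain aligns with the From domain counts, which is the distinction DMARC adds on top of SPF and DKIM. Lookalike domains (one character off from the real one) are a separate problem and need a separate rule.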
Data leaks, too, are engineered to prey on a company’s weak points. Bad actors might threaten to leak sensitive information belonging to the employee they’re targeting in an attack. They might also contact customers (or patients, in the case of a health care system), threatening to release their data so the clients will urge the business to pay the ransom.
“People might put pressure on the company, if it’s their employer or if they’re a patient, to pay the ransom, so their information is not out there in that way,” Roth said.
If cybercriminals have proven one thing in recent years, it’s that they will continue to evolve their tactics for breaking into companies’ systems, exfiltrating their data and demanding payment. Insureds need to partner with carriers whose claims teams are prepared to help them address these ever-evolving risks.
“Everybody can always improve, and everybody should keep their eye on the ball and stay focused on this,” Roth said.
Insureds should make sure they are regularly conducting cybersecurity training — including phishing exercises with their employees, as well as tabletop exercises at least once per year — to ensure they know what to do in the event of a cyberattack. AXA XL partners with a number of vendors that offer cybersecurity consulting services on topics selected by the insured in order to help them improve their defenses.
“It could be employee training, some phishing exercises — all of that. It really just offers tips and tricks, so insureds know what to look out for, because I think awareness is really important,” Roth said.
If an attack occurs, AXA XL’s 24/7 breach hotline is there to provide support for insureds. The phone line is monitored all day, every day, by the insurer’s cyber incident response team. The team can advise insureds on what actions they need to take immediately, connect them with breach counsel, forensic teams and other support vendors, and generally provide whatever support is needed to limit the extent of the attack.
“Our insureds are able to really quickly get in front of somebody and talk about what’s going on,” Roth said.
“It can be very difficult for companies to understand what they need to do in that high-pressure situation. They can call us in one centralized location and get recommendations for law firms and forensic vendors and PR companies and all of that. We’ve already vetted them and prenegotiated the rates. It takes out hours and hours of legwork that they would otherwise have to undertake.”
The rapid response provided by AXA XL’s hotline can make a major difference for insureds who have suffered a breach. Roth recalls a recent situation where an insured called federal law enforcement, who confirmed the company was experiencing an active cyberattack on a Friday evening.
Immediately after receiving the call, the claims handler left her workout class and contacted legal counsel and a forensic team. The team was able to assemble within half an hour of the breach being detected and take action to prevent the intrusion from escalating into a ransomware attack, thus sparing the company many of the major losses associated with ransomware claims.
“They’re not having any downtime. They don’t have that reputational risk. They’re not exposed to third-party claims in the same way. They’re not paying a ransom and undergoing that risk,” Roth said. “That was a real success story.”
To learn more, visit: https://axaxl.com/insurance/product-families/cyber.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with AXA XL. The editorial staff of Risk & Insurance had no role in its preparation.