Allianz Global Corporate & Specialty (AGCS) recently released a report, Ransomware trends: Risks and Resilience, that looks at the growing role of ransomware, recent and anticipated trends, and efforts to combat it.

Looking at the numbers, it is hard to argue that ransomware isn’t a growing problem.

The report cites a 125% growth in cyber intrusions globally in the first half of 2021 compared to 2020, and a 62% increase in ransomware attacks in the US, following a 20% increase in 2020.

Ransomware claims in the first half of 2021 have already matched the total for 2020.

The value of individual ransom demands has increased 518% from 2020, to an average of $5.3mn in the first half of 2021. Actual payments were considerably less, averaging $570,000, but still an increase of 82% from 2020. Global costs to business are estimated at $20bn in 2021 and are forecast to grow to $265bn by 2031.

The cost of recovery and downtime from a ransomware attack has also grown, more than doubling, from $761,106 in 2020 to $1.85mn in 2021.

Still, Thomas Kang, Head of Cyber, Tech and Media, North America at AGCS, sees room for optimism.

“A key takeaway from our perspective is that there is a path forward and there’s been significant progress made, looking across both the insurance carriers and the insurance industry, but also with the insured companies who, over the last couple of years have helped stem the tide of some of these events,” said Kang.

“And I think we’ll see that in the data over the next couple of years.”

A Number of Factors Contribute to the Rise in Ransomware

Thomas Kang
Head of Cyber, Tech and Media for AGCS

For the time being, however, the problem is growing, due to a number of causes, including the maturation of ransomware as a sector.

“There’s an ecosystem, a supply chain within the ransomware gangs, where there are actors that are responsible for getting the initial foothold, there are groups that are responsible for escalating the privileges, and then there’s the actual ransomware gangs that are deploying the ransomware and facilitating the payments and the collection of ransom payments,” Kang said.

“That has been maturing over time, but now we’re at a place where there are subscription services. It depends on the service, but for $40 a month, bad actors that do not have the sophistication can engage the service and be able to deploy ransomware.”

A related development is the growth of “Ransomware as a Service” (RaaS) operations. Like “Software as a Service” (SaaS) operations, organizations with names like REvil and Darkside have sprung up, offering to sell or rent sophisticated tools to less sophisticated gangs who use them to perpetrate the actual extortion.

The targeting and utilization of supply chains is also exacerbating the situation, as ultimate targets, such as the Colonial Pipeline, and as unwitting participants.

As the report points out, “Earlier this year, REvil infiltrated the systems of software provider Kaseya, injecting ransomware into an update sent out to the firm’s managed service provider (MSP) clients, who then unwittingly exposed their own customers.”

The European Union Agency for Cybersecurity (ENISA13) projects that supply chain attacks will quadruple by the end of 2021 compared to last year

The growth of cryptocurrencies is another element.

“Cryptocurrencies are a key factor in the rise of ransomware—it’s what makes it straightforward,” Kang said in the report. “They are the weak link that enables criminals to bypass traditional institutions and hide behind the anonymity built into the technology.”

Bitcoin reportedly accounts for approximately 98% of ransomware payments.

Double and Triple Extortion Schemes

Another trend is the growth of double or triple extortion schemes. Basic ransomware schemes gain access to a company’s computers, encrypt the data, and charge a ransom for the decryption key.

Double extortion schemes combine that with a data breach, but threatening to release encrypted data, either for added leverage to get the victim to pay the ransom, or sometimes adding a secondary ransom demand.

Triple extortion schemes add yet another layer, which can take a number of forms, such as a Distributed Denial of Service (DDOS) attacks, or demanding a ransom not just from the company whose customer data has been accessed, but from the customers themselves, as well.

“We recently had an insured company that was in a very good position in terms of recovery and restoration, but their client data had been compromised and they ended up paying the ransom,” said Kang.

“I’m confident, but for this double-, triple-layered attack, the client would have been in a very strong position to recover and to not pay the ransom.”

From an insurance perspective, it is noteworthy that such schemes can involve multiple lines of coverage.

“It has the potential to impact every coverage available under a cyber insurance policy,” said Kang.

“Ransomware would hit our extortion coverage through the ransom demand. And then if there’s an impact to operations as a result of the ransomware attack, that could trigger business interruption coverage. And then if there are double and triple extortion, where there’s information compromised, then it would also trigger our incident response coverage. And then if there are regulatory investigations and/or consumer or client litigation, it could also trigger third-party coverage.”

Victims of ransomware attacks face the difficult dilemma of whether or not to pay the ransom. Law enforcement agencies generally advise against paying, since it is thought to perpetuate the problem.

Further, as the reports says, “In many cases, by the time the ransom is paid, the damage is already done, and most organizations will have already suffered loss of income and incurred the expense of restoring files and systems.”

Some insureds may feel that they are adequately prepared to rectify the situation on their own.

“There are situations where insureds have very good backup and restoration capabilities,” said Kang.

“They’re pretty confident that they’re going to be able to recover with minimal downtime, so they may just not engage with the bad actors.”

But, as mentioned above, that is precisely when the double or triple extortion schemes can tip the scales in favor of paying.

Cyber Insurance Rates on the Upswing

With ransomware risks growing on so many fronts, it’s not surprising that cyber insurance rates have, too, reportedly increasing “by over 50% in the second quarter of 2021 alone.”

Capacity has tightened, as well, and underwriters are taking a harder look at companies’ cyber security efforts.

Insurers like Allianz are codifying their criteria, with specific measures companies must meet to be eligible for coverage. AGCS is working with its customers to help them meet these criteria, but presently only one in four do. The report estimates that 80% of losses from ransomware attacks could have been avoided if best practices were followed.

Insurers are also partnering with other organizations, to bolster their response. AGCS has partnered with Google, a relationship that brings multiple benefits.

“We’re doing that because we want to be solution-oriented for our clients, especially during a challenging market phase, but it also allows us to get additional data … There is accelerated migration into the cloud these days, and by partnering with a company like Google, we’re able to get significant visibility into the security of the Google Cloud Platform. And with clients’ consent, we also gain visibility into the security of our insureds in the cloud environment, which we haven’t had before,” Kang said.

“By focusing on these partnerships, we’re able to get more data. We’re able to get a little smarter about the cybersecurity, especially where there’s overlap between the insured and the supplier. it allows us to deliver meaningful solutions into the marketplace while getting smarter which is a winning proposition for everyone involved.”

The report concludes with an extensive checklist of cyber hygiene and other best practices, and points out that 80% of losses from ransomware attacks could be avoided by following them. The report also states that “robust business continuity and incidence response planning can significantly limit the impact of an incident, should attackers still find a way through.”

The good news is that many companies are moving in the right direction.

“The numbers and the trends are increasing, but I am very optimistic with all the remediations that we’ve done in the insurance portfolio,” said Kang.

“We’ve also seen a lot of insureds make significant investments in their security. So, we’re very optimistic that the results will show up in the data over the next couple of years.” &