Frequent readers of my blog will know that I adore the cinematic masterpieces produced by Christopher Nolan. While I am not alone in thinking that Inception should have won the Oscar for Best Picture, its ability to lend itself to real and cyber world scenarios continues to pay dividends. In the scene showing Robert Fisher’s supposed kidnapping, in which he meets his captors for the first time, he explains that he is insured against kidnapping for up to $10 million and that retrieving the ransom should be a straightforward process. Unfortunately for Fisher, his captors are interested in something other than money. Ransomware authors, on the other hand, are out for precisely that—ransom—which raises the question about who benefits from cybersecurity insurance: victims or their attackers.
Real-world kidnapping insurance (often referred to as kidnap and ransom, or K&R, insurance) insures individuals in the event of kidnapping, extortion, wrongful death, or hijacking. Cybersecurity insurance similarly covers losses for insured organizations in the event of a loss due to a cyberattack, administrator incompetence, fat finger error, or some other covered conditions.
The way I see it, the upward trend in the use of cybersecurity insurance is setting the stage for a resurgence in ransomware attacks. Ransomware is a type of malware that encrypts a computer’s critical files until the attacker receives a ransom (typically paid in the crypto-currency Bitcoin) in exchange for a decryption key. In the past, ransomware attacks had a more destructive tone rather than extortion. Many ransomware victims from the developing world could not afford the ransom payment or did not care enough about their data to recover it. In the cases of the high-profile ransomware attacks of WannaCry, NotPetya, and BadRabbit, there was no evidence that any decryption mechanism existed and there were no reported cases of any users recovering their data after the ransom was paid. Due to these factors, victims no longer were paying the ransom and the popularity of ransomware began to decline in favor of cryptojacking, which allowed for the immediate monetization of a vulnerable or compromised machine. With the decline in cryptocurrency prices and a steep drop-off in profitability, cryptojacking is now falling out of favor with ransomware making a resurgence.
In the wake of high-profile ransomware attacks against the UK NHS, Danish Shipper Maersk, the U.S. city of Atlanta, food conglomerate Mondelez, and—just last month—aluminum producer Norsk Hydro, many organizations are opting to buy cybersecurity insurance with specific coverage for ransomware to protect against losses. Attackers have taken notice of this trend and are using it as an opportunity to cash in on these policies. The top law enforcement bureau in the U.S. has advised ransomware victims not to pay the ransom because it encourages further attacks against other targets.
However, insurance companies tend to be more interested in minimizing losses and policy payouts than teaching attackers a lesson. Performing a simple calculation, they will typically determine that paying the ransom will be more cost-effective than allowing an organization to recover from a ransomware attack, often requiring the halting of all operations and restoring from backups (if such backups exist). The first teams the insurance carriers may call in after a ransomware attack are not cyber-incident responders, but crisis negotiators to open a dialog with the attackers, negotiate a ransom amount, and require proof that decryption is possible.
While there have been exhaustive discussions at cyber conferences on whether the carrying of cyber insurance increases the likelihood of a ransomware attack, it is difficult to find a direct correlation between the two. Similarly, the link between the popularity of K&R insurance did not necessarily drive up kidnappings or successful hostage retrieval. There are just too many outside factors that influence attackers' actions to be able to tie their motives to a single variable. However, as cybersecurity insurance becomes more popular and almost mandatory for most organizations, it would present a new and potentially lucrative market for ransomware attackers.
Organizations looking to proactively protect themselves against ransomware attacks can do so through the use of a cloud sandbox in combination with an inline cloud security proxy, which provides several benefits over traditional on-prem security controls. Cloud sandbox solutions can be deployed inline, which allows the proxy to hold a file for analysis (quarantine) before a user is allowed to download it. If the file is determined to be malicious, the sandbox and proxy block the user from downloading the file, effectively preventing a patient-0 infection and the start of a ransomware attack campaign. Combining the cloud sandbox with SSL inspection at scale and providing the same protection on and off the corporate network significantly enhance your detection and prevention capabilities. The world's largest security cloud sees about 83% of all traffic passing through to be encrypted with SSL or TLS, and saw a rise last year of about 400 percent in the number of threats using encrypted channels.
If ransomware makes a significant resurgence, I will not be surprised. The cybersecurity insurance trend should act as a wake-up call for the entire industry to implement reasonable and adequate security controls to prevent ransomware attacks from occurring in the first place.
To read about some of the new delivery schemes and evasion tactics malware authors are using, read yesterday's blog, The evolution of phishing kits, from ThreatLabZ.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Christopher Louie, CISSP, is a sales engineer at Zscaler