Beware the ransomware pandemic

A report by cyber insurer Allianz Global Corporate & Specialty highlights the surge in ransomware incidents, which could be prevented if companies strengthen their cyber security and controls.

During the COVID-19 crisis another outbreak has happened in cyber space: a digital pandemic driven by ransomware. Malware attacks that encrypt company data and systems and demand a ransom payment for release are surging globally.

The increasing frequency and severity of ransomware incidents is driven by several factors: the growing number of different attack patterns such as ‘double’ and ‘triple’ extortion campaigns; a criminal business model around ‘ransomware as a service’ and cryptocurrencies; the recent skyrocketing of ransom demands; and the rise of supply chain attacks. In a new report, cyber insurer Allianz Global Corporate & Specialty (AGCS) analyses the latest risk developments around ransomware and outlines how companies can strengthen their defences with good cyber hygiene and IT security practices. “The number of ransomware attacks may even increase before the situation gets better,” says Scott Sayce, Global Head of Cyber at AGCS. “Businesses need to strengthen their controls. At the same time, in today’s rapidly evolving cyber insurance market, providing emergency response services, as well as financial compensation, is now the standard.”

Cyber intrusion activity globally jumped 125 percent in the first half of 2021 compared to the previous year, according to IT services and consulting firm Accenture, with ransomware and extortion operations one of the major contributors behind this increase. According to the FBI, there was a 62 percent increase in ransomware incidents in the US during the same period, which followed an increase of 20 percent for the full year of 2020. These cyber risk trends are mirrored in AGCS’ own claims experience. AGCS was involved in over a thousand cyber claims overall in 2020, up from around 80 in 2016, and the number of ransomware claims (90) rose by 50 percent compared to 2019 (60). In general, losses resulting from external cyber incidents, such as ransomware or distributed denial of service (DDoS) attacks, account for most of the value of all cyber claims analysed by AGCS over the past six years.

Increasing reliance on digitalisation, the surge in remote working during COVID-19 and IT budget constraints are just some of the reasons why IT vulnerabilities have intensified, offering countless access points for criminals to exploit. The wider adoption of cryptocurrencies, such as Bitcoin, which enable anonymous payments, is another key factor in the rise of ransomware incidents.

Five trends in the ransomware space

‘Ransomware as a service’. The development of this service has made it easier for criminals to carry out attacks. Run like a commercial business, hacker groups sell or rent their hacking tools to others. They also provide a range of support services.

From single to double to triple extortion. ‘Double extortion’ tactics are on the rise. Criminals combine the initial encryption of data or systems, or increasingly even their back-ups, with a secondary form of extortion, such as the threat to release sensitive or personal data. In such a scenario, affected companies have to manage the possibility of both a major business interruption and a data breach event, which can significantly increase the final cost of the incident. ‘Triple extortion’ incidents can combine DDoS attacks, file encryption and data theft – and don’t just target one company, but potentially also its customers and business partners.

Supply chain attacks. There are two main types – those that target software/IT service providers and use them to spread the malware, or those that target physical supply chains or critical infrastructure. Service providers are likely to become prime targets as they often supply hundreds or thousands of businesses with software solutions and therefore offer criminals the chance of a higher pay-out.

Ransom dynamics. Ransom demands have rocketed over the past 18 months. According to Palo Alto Networks, the average extortion demand in the US was $5.3 million in the first half of 2021, a 518 percent increase on the 2020 average.

Business losses
Business interruption and restoration costs are the biggest losses due to cyber attacks, according to AGCS’s claims analysis. They account for over 50 percent of the value of close to 3,000 insurance industry cyber claims worth around $885 million it has been involved in over six years.

The average total cost of recovery and downtime – on average 23 days – from a ransomware attack more than doubled over the past year, increasing from $761,106 to $1.85 million in 2021. This surge has triggered a major shift in the cyber insurance market. Cyber insurance rates have been rising, while capacity has tightened. “Companies need to invest in cyber security. Losses can be avoided if organisations follow best practices,” explains Marek Stanislawski, Global Cyber Underwriting Lead at AGCS.

To pay or not to pay
Ransom payment is a controversial topic. Law enforcement agencies typically advise against paying extortion demands to avoid further incentivising attacks. Even when a company decides to pay a ransom, the damage may have already been done. Restoring systems and enabling the recovery of the business is a huge undertaking, even when a company has the decryption key.

IT security best practices
“In around 80 percent of ransomware incidents, losses could have been avoided if the organisation had followed best practices. Regular patching, multi-factor authentication as well as information security and awareness training and incident response planning are essential to avoiding ransomware attacks. Numerous security gaps can be closed, often with simple measures,” says Rishi Baviskar, Global Cyber Experts Leader at AGCS Risk Consulting.

In the event of an attack, cyber insurance coverage has evolved to provide emergency incident response services that typically include access to a professional crisis manager, IT forensic support and legal advisory. Further offerings include IT security training for employees and assistance with the development of a cyber crisis management plan.