Does it make sense that companies pay ransomware criminals?
Global insurance company AXA announced in May that it would stop purchasing cyber insurance coverage in France that reimburses customers for payments made to ransomware criminals. Cyber insurance policies have long covered these ransom costs, and it is widely expected that other insurance companies will follow suit.
While this is important news for businesses as they evaluate their policies and their overall risk, it is equally important to the world of cyber bad actors. The insurer's intention may be to reduce the incentive to carry out ransomware attacks by reducing the chance that a ransom is paid, but the outcome will likely be more complicated.
“With insurance companies not providing ransom cover, attacks are expected to increase and, needing more targets, ransomware gangs are likely to become more indiscriminate…. This can potentially put small businesses at higher risk than before.”
When bad actors see that businesses no longer have the backing of insurance coverage, they are likely to work out economically how much a business would be willing to pay without that backing. Since this could lead to a reduction in the ransom amount, it follows that there would likely be an increase in the frequency of these attacks as the global network of savvy cybercriminals continues to evolve its tactics.
Ransomware hackers have often targeted large institutions such as hospital systems, government agencies, and Fortune 500 companies, which are more likely to have the backing of an insurance policy to cover the ransom demand.
Indeed, a representative of the ransomware gang REvil claims that insurance is “one of the tastiest bites.” In fact, REvil is trying to “hack insurers first – to get their customers and work in a targeted fashion from there. And after you go through the list, then hit the insurer itself,” according to an article in The Record, a publication specializing in cybersecurity.
Ransomware has become one of the biggest operational threats to the public and private sectors today. The Institute for Security and Technology Ransomware Task Force reports that businesses are down an average of 21 days due to ransomware attacks, and that it takes an average of 287 days for a business to fully recover from an attack. In 2020, nearly 2,400 US-based governments, healthcare facilities, and schools were affected by ransomware.
With AXA and potentially other insurers no longer covering ransom payments under their cyber insurance policies, the strategic calculation for attackers and victims will change. From an economic standpoint, businesses must make decisions on the assumption that their data may not be restored and that insurance may not cover their losses. So, if companies pay the ransom, they incur the full cost of the payment itself without any assurance that their systems and data will be fully restored. Such an approach has the potential to limit damage to reputation.
Alternatively, if companies refuse to pay the ransom, they risk losing business, although insurance may cover that loss. AXA’s decision simplifies the calculation both for the company and for the bad actor: is the loss of activity, even when insured, more expensive than the payment?
With insurance companies covering the costs of ransomware attacks, companies have an incentive to purchase this protection and, in the event of a hack, pay the ransom. It is also widely believed that ransomware attackers restore data when the ransom is paid, because if they don’t restore the data, companies would not pay for it. However, this is not necessarily the case.
According to a recent survey by cybersecurity firm Sophos, “On average, organizations that paid the ransom only recovered 65% of the encrypted files, leaving more than a third of their data inaccessible. 29% of those surveyed said that 50% or less of their files were restored, and only 8% recovered all of their data.”
If insurance companies no longer pay the ransom, businesses will have some interesting decisions to make. First, should they make the payment? There is a high probability that they will recover more than half of their data, but they would also have to pay for it out of pocket, because the insurer would no longer cover it.
Then there is the question of whether their insurer would make them whole. Would their insurance cover the costs of business interruption, recovery and remediation? Would paying the ransom out of pocket cause the insurer to refuse reimbursement? The answers to these questions will have a major impact on the decision whether or not to pay a ransom.
Attackers are also very attentive to these kinds of questions. With companies unable to afford large ransoms in the absence of an insurer providing the funds, one would expect bad actors to reduce the amount of the ransom demand.
However, bad actors will want to earn at least as much money as before, so they are likely to increase the number of attacks. This move would allow the bad actor to price the ransom just below the total cost of the insurance policy. Additionally, with insurance companies not offering ransom coverage, attacks are expected to increase and, needing more targets, ransomware gangs will likely become more indiscriminate. Finding out which companies have coverage would no longer be worth it. This can put small businesses at higher risk than before.
With the proliferation of ransomware, which has been rampant for some time, and the inability to transfer risk through insurance, companies are going to have to change the way they manage their cyber risk, especially through the way they use their controls.
Companies will likely invest more in their cybersecurity controls. The challenge of mitigating risk is not a lack of strategies, but rather determining the appropriate level of risk each business is willing to accept and which controls present the best business case for mitigating the risk.
To answer these questions accurately, the risk must be analyzed in a way that allows companies to examine the appropriate controls and mitigation techniques. Companies need to understand the business impact of their risk decisions to test and implement mitigation strategies for business cases to increase the likelihood of protecting a company’s assets.
The most effective way to quantify cyber risk and understand the consequences of a risk mitigation or risk transfer strategy is to structure the analysis so that the consequences of, and tradeoffs between, each decision are visible. Causal models are a proven way to account for company and attacker decisions, as well as to detail the impact of their individual decisions and, more importantly, their combined decisions.
In this simple ransomware example in Figure 1, the causal model can account for the different decisions made by the attacker, the insurer, and the target company. Senior management can see how paying the ransom would impact the total cost of the breach whether or not the company receives their data from the attacker and makes a claim under their cyber insurance policy.
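The decision structure described above can be worked through in code. The following is an added example, not part of the original article or its Figure 1: a small expected-cost model in which the company's choice (pay or refuse), the attacker's behaviour (restore data or not) and the insurer's policy (ransom covered or not) are combined into a net cost per branch. All dollar amounts, the restore probability, the deductible and the downtime figures are constructed assumptions for illustration; the 21-day outage is taken from the task force average quoted earlier, the rest are invented.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Inputs for one ransomware decision. All values are constructed assumptions."""
    ransom: float                  # amount demanded by the attacker
    p_restore: float               # probability usable data comes back after paying
    rebuild_cost: float            # cost to rebuild from backups/scratch if data never returns
    days_down_if_restored: float   # outage if the attacker's decryptor works
    days_down_if_rebuilt: float    # outage if the company must rebuild
    daily_interruption_cost: float # lost revenue and recovery labour per day of outage
    insurer_covers_ransom: bool    # pre-AXA style policy: ransom reimbursed
    insurer_covers_interruption: bool
    deductible: float              # retained by the insured before any payout


def branch_cost(s: Scenario, pay: bool, restored: bool) -> float:
    """Net cost to the company for one concrete outcome (one leaf of the causal model)."""
    ransom_paid = s.ransom if pay else 0.0
    # Data only comes back if the company paid AND the attacker honoured the deal.
    data_back = pay and restored
    days_down = s.days_down_if_restored if data_back else s.days_down_if_rebuilt
    interruption = days_down * s.daily_interruption_cost
    rebuild = 0.0 if data_back else s.rebuild_cost
    gross = ransom_paid + interruption + rebuild

    # Insurer reimburses only the heads of loss the policy covers, less the deductible.
    reimbursable = 0.0
    if s.insurer_covers_ransom:
        reimbursable += ransom_paid
    if s.insurer_covers_interruption:
        reimbursable += interruption
    payout = max(0.0, reimbursable - s.deductible)
    return gross - payout


def expected_cost(s: Scenario, pay: bool) -> float:
    """Expected net cost of a decision, averaging over the attacker's restore/no-restore choice."""
    if not pay:
        return branch_cost(s, pay=False, restored=False)
    return (s.p_restore * branch_cost(s, pay=True, restored=True)
            + (1.0 - s.p_restore) * branch_cost(s, pay=True, restored=False))


def decide(s: Scenario) -> tuple[str, float, float]:
    """Return the cheaper option and both expected costs, so the tradeoff is visible."""
    cost_pay = expected_cost(s, pay=True)
    cost_refuse = expected_cost(s, pay=False)
    return ("pay" if cost_pay < cost_refuse else "refuse"), cost_pay, cost_refuse


# Constructed baseline: a mid-sized company facing a $200k demand.
_BASE = dict(ransom=200_000, p_restore=0.6, rebuild_cost=300_000,
             days_down_if_restored=5, days_down_if_rebuilt=21,
             daily_interruption_cost=10_000, insurer_covers_interruption=True,
             deductible=25_000)

# Same company under the two insurance regimes the article contrasts.
WITH_RANSOM_COVER = Scenario(insurer_covers_ransom=True, **_BASE)
WITHOUT_RANSOM_COVER = Scenario(insurer_covers_ransom=False, **_BASE)

if __name__ == "__main__":
    for label, s in (("ransom covered", WITH_RANSOM_COVER),
                     ("ransom not covered", WITHOUT_RANSOM_COVER)):
        choice, c_pay, c_refuse = decide(s)
        print(f"{label}: pay={c_pay:,.0f} refuse={c_refuse:,.0f} -> {choice}")
```

With these constructed inputs the model reproduces the article's point: while the ransom is insured, paying is the cheaper expected outcome, because the insurer absorbs most of the payment; once ransom cover is withdrawn, the same company is better off refusing and rebuilding. Changing `p_restore` or the deductible shifts the break-even, which is exactly the sensitivity senior management would want to see before choosing between controls, ransom payment and risk transfer.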
With this kind of modeling available, companies can make more informed risk decisions based on their appetite for cyber risk, cybersecurity controls, and risk transfer options.