In crosshairs of ransomware crooks, cybersecurity insurers struggle

In the past few weeks, ransomware criminals claimed as trophies at least three North American insurance brokerages that offer policies to help others survive the very network-paralysing, data-pilfering extortion attacks they themselves apparently suffered.

Cybercriminals who hack into corporate and government networks to steal sensitive data for extortion routinely try to learn how much cyber insurance coverage the victims have. Knowing what victims can afford to pay can give them an edge in ransom negotiations. The cyber insurance industry, too, is a prime target for crooks seeking its customers’ identities and scope of coverage.

Before ransomware evolved into a full-scale global epidemic plaguing businesses, hospitals, schools and local governments, cyber insurance was a profitable niche industry. It was accused of fueling the criminal feeding frenzy by routinely recommending that victims pay up, but kept many from going bankrupt.

Now, the sector isn’t just in the criminals’ crosshairs. It’s teetering on the edge of profitability, upended by a more than 400 per cent rise last year in ransomware cases and skyrocketing extortion demands. As a percentage of premia collected, cyber insurance payouts now top 70 per cent, the break-even point.

Fabian Wosar, chief technical officer of Emsisoft, a cybersecurity firm specialising in ransomware, said the prevailing attitude among insurers is no longer: Pay the criminals. It's likely to be cheaper for all involved. “The ransomware groups got way too greedy too quickly. So the cost-benefit equation the insurers initially used to figure out whether or not they should pay a ransom — it's just not there anymore,” he said.

It’s not clear how the single biggest ransomware attack on record, which began on Friday, will impact insurers. But it can't be good. Pressure is building on the industry to stop reimbursing for ransoms.

In May, the major cyber insurer AXA decided to do so with all new policies in France. But it is so far apparently alone in the industry, and governments are not moving to outlaw reimbursement.

AXA is among major insurers that have suffered ransomware attacks, with operations in Thailand hard-hit. Chicago-based CNA Financial, the seventh--ranked US cybersecurity underwriter last year, saw its network crippled in March. Less than a week earlier, cybersecurity firm Recorded Future published an interview with a member of the Russian-speaking ransomware gang, REvil, that is skilled in pre-attack intelligence-gathering and happens to be behind the current attack. He suggested it actively targets insurers for data on their clients.

CNA would not confirm a Bloomberg report that it paid a $40 million ransom, which would be the highest reported ransom on record. Nor would it say what or how much data was stolen. It said only that systems where most policyholder data was stored “were not impacted.”

Hackers want $70-mn ransom to restore data

The hackers suspected to be behind a mass ransomware attack that affected hundreds of companies worldwide late on Sunday demanded $70 million to restore the data, according to a posting on a dark web site. The demand was posted on a site typically used by the REvil cybercrime gang, a Russia-linked group that is counted among the cybercriminal world's most prolific extortionists. The gang has an affiliate structure, occasionally making it difficult to determine who speaks on the hackers’ behalf, but Allan Liska of cybersecurity firm Recorded Future said the message “almost certainly” came from REvil’s core leadership. The group has not responded to an attempt by Reuters to reach it for comment.