Brace Yourselves, Ransomware is Resurging
Fischer: I'm insured against kidnapping for up to 10 million. This should be very simple.
Cobb: Shut up! It won't be.
Frequent readers of my blog will know that I adore the cinematic masterpieces produced by Christopher Nolan. While I am not alone in thinking that Inception should have won Best Picture at the Academy Awards, its ability to lend itself to real and cyber world scenarios continues to pay dividends. In the scene showing Robert Fisher’s supposed kidnapping where he meets his captors for the first time, he explains that he is insured against kidnapping for up to $10 million and that retrieving the ransom should be a straightforward process. Unlucky for Fisher is that his captors are interested in something other than money. Luckily for most organizations out there, most ransomware authors are out for precisely that: that ransom.
Real-world kidnapping insurance; often referred to as kidnap and ransom (K&R) insurance; insures individuals in the event of kidnapping, extortion, wrongful death, or hijacking. K&R policies are typically taken out for high-risk individuals, possibly traveling to high-risk areas in the world and protect the insured against losses due to kidnapping and other unfortunate situations covered by the policy. Cybersecurity insurance similarly covers losses for insured organizations in the event of a loss due to a cyber attack, administrator incompetence, fat finger error, or some other covered conditions in a specific policy.
A new trend in cybersecurity insurance is setting the stage for a resurgence in ransomware attacks. Ransomware is a type of malware that encrypts a computer’s critical files until the attacker receives a ransom (typically paid in the crypto-currency Bitcoin) in exchange for a decryption key. In the past, Ransomware attacks had a more destructive tone rather than extortion. Many ransomware victims from the developing world just could not afford the ransom payment or did not care enough about their data to recover it. In the cases of the high-profile ransomware attacks of WannaCry, NotPetya, and BadRabbit, there was no evidence that any decryption mechanism existed and no reported cases of any users recovering their data after the ransom was paid. Because of these factors, victims were not paying the ransom and the popularity of ransomware began to decline in favor of cryptojacking, which allowed for the immediate monetization of a vulnerable and compromised machine. With the decline in cryptocurrency prices and a steep drop-off in profitability, cryptojacking is now falling out of favor with ransomware making a resurgence.
In the wake of high profile ransomware attacks against the UK NHS, Danish Shipper Maersk, the city of Atlanta, Georgia (US state, not the country), food conglomerate Mondelez, and just last month, aluminum producer Norsk Hydro, many organizations are opting to buy cybersecurity insurance, with specific coverage for ransomware to protect against losses. Attackers have taken notice of this stance and are using it as an opportunity to cash in using these policies. The US’s top law enforcement bureau has advised ransomware victims not to pay the ransom, because that will encourage further attacks against other targets; the same reasoning of why the US has taken the stance to not negotiate with terrorists.
However, insurance companies are often interested in minimizing losses and policy payouts and not “doing the right thing.” Performing a simple calculation, insurance companies have usually determined that paying the ransom will be more cost-effective than allowing an organization to recover from a ransomware attack, often requiring the halting of all operations and restoring from backups, if they even exist. The first teams the insurance carriers may call in after a ransomware attack are not cyber-incident responders, but crisis negotiators to open a dialog with the attackers, negotiate a ransom amount, and require proof that decryption is actually possible.
While there has been thorough discussion at cyber conferences on whether the carrying of cyber insurance increases the likelihood of a ransomware attack, it is difficult to find a direct correlation between the two. Similarly, the link between the popularity of K&R insurance did not necessarily drive up the volume of kidnappings or successful hostage retrieval. There are just too many outside factors that influence how these attackers act to be able to tie their motives to a single variable. However, as cybersecurity insurance becomes more popular and almost mandatory for most organizations, it would be a new and comfortable market for ransomware attacks.
Organizations looking to proactively protect themselves against ransomware attacks can do so through the use of a cloud sandbox in combination with an inline cloud security proxy, give several benefits over traditional on-premise security controls. Cloud sandbox solutions can be deployed inline which allow the proxy to hold a file for analysis (quarantine) before a user is allowed to download it. If the file is determined to be malicious, the sandbox and proxy block the user from downloading the file, effectively preventing a patient-0 infection and the start of a ransomware attack campaign. Combining the cloud sandbox with SSL inspection at scale and the same protection on the corporate network, as well as off-network, significantly enhances both its detection and prevention capabilities. The world's largest security cloud sees about 83% of all traffic passing through to be encrypted with SSL or TLS encryption and saw approximately 400% rise in the number of threats using encrypted channels.
If ransomware makes a surprising resurgence, I will not be the first one to say “I told you so.” This trend should act as a wake-up call for the entire industry to implement reasonable and adequate security controls not to allow the attack to occur in the first place.