Ransomware Attacks: Impacts to Businesses and Insurance Claims

Many companies often do not think of the depth of their cyber policy until it's too late. Some businesses may be covered to a certain degree for basic business interruption and data loss through their insurer, but rarely is it a fully underwritten, comprehensive cyber policy. And, depending on the depth of the firm's attack, finding the extent of damage or loss to their equipment and systems is imperative.

We have become so used to hearing about new ransomware cases in the news, and over the last few months, it has become even more common to hear about these types of attacks on organizations all over the world. Something that was previously considered to be isolated cases, is now turning into a headache for companies who are seeing their reputations and bottom lines affected by these threats. But what exactly is ransomware?

What is ransomware, and why is it here to stay?

Ransomware is software designed to block access to a computer system until a sum of money is paid. The extent to which computer systems are blocked during and after ransomware attacks can vary, from a simple screen lock, all the way to complete encryption of all files. Ransomware attacks against companies continue to be more targeted, and the frequency of such attacks is likely to increase. For that reason, it is imperative that businesses and their insurers understand this growing risk.

Ransomware is here to stay, despite the rise in the more innocuous cryptominers, which hijacks a system's resources to generate bitcoins for the unscrupulous. Organizations are often insured under an umbrella policy. They are rarely protected with a specific cyber policy and are therefore often surprised when insurers don't send that cheque because ongoing monitoring and upgrading are perceived as betterment. Firms are all too often reactive rather than proactive.

The apparent good news is that ransomware has decreased overall, according to Kaspersky's KSN report. However, anecdotal experience from the Envista book of business shows that ransomware is just becoming more targeted, and the frequency of corporate claims are likely to increase and become more frequent due to the abandonment of "spray and pray" tactics. The hidden cost to organizations is reputational damage, downtime, lost businesses, and this does not include paying the ransom amount.

Prevention: How to weaken ransomware

Ransomware is not nearly as successful if a few key things happen within an incident:

1. If the encryption key is known, if it can be cracked, or if it's made public.
2. If it can be easily detected by an anti-virus or malware solution.
3. Security patches are up-to-date.
4. If it cannot be spread laterally to other computers.
5. The item is prevented from communicating to website URLs that control the operation.

Ransomware investigation

The first stage of the investigation is to gain a high-level understanding of the infrastructure. Asking questions early helps a digital examiner get to the bottom of what happened much quicker. Questions that can assist include uncovering what sort of network technology and topology is being used, what type of network and physical security is in place, how is the security monitored, and moreover, how many workstations are on the network.

When the necessary information is answered, a competent examiner can attempt to find out if an attacker was present in the system and when, how the attacker (or attackers) accessed the system, and what data was obtained. They can also find out what information the attacker exfiltrated and by what means.

In addition to the ransomware attack, if it is found that Personally Identifiable Information (PII), Protected Health Information (PHI), or Intellectual Property (IP) was taken from the compromised system(s), then an organization must proceed with caution. Regulatory, legal action may be required as well as compliance expert reporting. Retention of information for further analysis and testimony may be required to show no new or continuing breach is present on the system.

Cybersecurity contingency planning

For most organizations, the financial ransom that may be demanded could be considerably less than the hours lost to the business. Preparedness by companies creates less of an opportunity for system hackers, whereas, lack of preparedness provides the opposite and thus encourages future attacks.

Contingency planning, vetting security firms that can aid before and after an attack, staff training, and discussing options for obtaining an additional, more specific cyber policy can all soften the impact, or even stop altogether, the specter of ransomware that looms over global businesses.

Working with a company such as Envista to provide expert forensic consulting and training to corporations, insurers, and legal professionals can help professionals become more familiar with the changing risk environment. For more on this topic, please read our article in the February issue of eForensics magazine, Ransomware attacks in insurance claims.