Ransomware Claims Trending Downward, Insurance Firm Says
“Ransomware attacks are down from recent peaks, as costs and frequency of claims trend downward,” is the headline introduction to a new Risk Insights Index. This would appear to be welcome news to an embattled industry.
The claim is made by the Corvus cyber insurance firm based on a rather dramatic reduction in ransomware insurance claims in the last quarter of 2021. “Based on Corvus’s claims data, after all of the dire headlines throughout 2021 the end of the year presented signs of improvement: In Q4, the rate of ransomware claims reached just half of the peak seen in Q1 2021 — decreasing from 0.6% to 0.3%.”
The idea that this is a downward ‘trend’ is given further weight by an early look at results from Q1, 2022. Corvus observed a 30% reduction in ransomware claims frequency from Q4 2021 to Q1 2022 (through March 15), highlighting the fractured ransomware threat ecosystem during a time of war. The full effect of the Russia/Ukraine war on the ransomware ecosystem, however, will only be understood through the lens of history in the future.
All that can be said for now is that ransomware claims experienced by Corvus were lower in Q4 2021 than in the previous quarters of 2021. This is a good and positive sign. “This decrease in cost and severity can be partially attributed to underwriting entities requiring stronger backups for insurance coverage, which is helping to drive the broader trend toward more sophisticated and resilient approaches to mitigating ransomware risk.”
Overstressing the importance of backup alone in ransomware mitigation carries its own risks. Better backup has been a major and successful response to ransomware for several years. But it is considered a primary driver for the criminal move to ‘double extortion’ in ransomware. Backup alone offers no defense against the exposure of sensitive data and subsequent blackmail. This is an altogether more complex area for insurance to cover.
The primary costs involved in sensitive data exposure are reputational damage and potential regulatory fines. These are difficult to quantify and consequently difficult to insure. SecurityWeek asked Corvus if it requires any data protection requirements in the same way as it requires data backup.
“Underwriters regularly ask questions about the redundancy of sensitive or business critical data and how that data is protected,” replied Lauren Winchester, VP of risk and response at Corvus Insurance. “A cyber underwriter will want to know how many copies of that data a company keeps and in what form, whether that data is encrypted at rest, and whether credentials that can access and/or alter that data are protected with multi factor authentication (to name a few controls).”
We know empirically, however, that while good data hygiene can reduce the risk of compromise, it cannot eliminate it. The question then becomes one of whether insurance can cover the costs of sensitive data loss.
Winchester is optimistic. “Cyber insurance really has its genesis in covering the costs of investigating and responding to a possible compromise of personally identifiable information (PII) or protected health information (PHI),” she told SecurityWeek. “Cyber policies also often contain coverages for regulatory fines and harm to reputation.”
In short, insurance companies have a history of covering customers for loss of data and reputational damage. But ransomware data extortion is different than the insurance genesis of a few years ago. The extortion can be ongoing. The criminals can keep coming back asking for more money because they still have the data – and how the insurance companies respond to this has yet to be settled.
Nevertheless, it cannot be denied that cyber insurance is an important tool for ransomware cyber risk management, nor that Q4 2021 was a good month for Corvus. But whether ransomware is really trending down (with the implication that cyber insurance is winning the battle against ransomware) remains questionable.
Avast supports the Corvus view that ransomware was down in Q4 2021, but for different reasons. Jakub Kroustek, Malware Research Director, commented, “The havoc ransomware caused in the first three quarters of 2021 triggered a coordinated cooperation of nations, government agencies, and security vendors to hunt down ransomware authors and operators, and we believe all of this resulted in a significant decrease in ransomware attacks in Q4/2021. The ransomware risk ratio decreased by an impressive 28% compared to Q3/2021. We hope to see a continuation of this trend in Q1/2022, but we are also prepared for the opposite.”
He added, “This doesn’t mean the decline is permanent, instead it indicates that ransomware authors and operators are increasingly switching to targeted attacks on bigger organizations and institutions rather than high-volume, spray and pray techniques of the past.”
ESET sees the opposite: “a decline in the activity of the gangs engaged in big-game hunting.” Igor Kabina, senior detection engineer at ESET, told SecurityWeek, “We can also expect the emergence of new players who will try to take the vacated place after the actors that closed shop or were arrested. The reason is simple – and ransomware and extortion businesses are far too lucrative to abandon.”
ESET’s view is confirmed by CISA. In February 2022 it issued a ransomware alert that stated, “In the first half of 2021, cybersecurity authorities in the United States and Australia observed ransomware threat actors targeting ‘big game’ organizations – i.e., perceived high-value organizations and/or those that provide critical services – in several high-profile incidents. These victims included Colonial Pipeline Company, JBS Foods, and Kaseya Limited. However, ransomware groups suffered disruptions from U.S. authorities in mid-2021. Subsequently, the FBI observed some ransomware threat actors redirecting ransomware efforts away from ‘big-game’ and toward mid-sized victims to reduce scrutiny.”
The Corvus analysis of its own telemetry indicates a reduction in the number of ransomware claims in Q4 2021. This is a good thing, and demonstrates a success for the Corvus business. This success, however, should not be taken as indicative of a downward trend in ransomware. More likely it is a blip while criminals do what they always do – adapt to changing circumstances.