Ransomware and Cyber Extortion Are on the Rise
– What Can Be Done?
By Thomas B. Caswell and Rory D. Zamansky of Zelle LLP | www.claimsjournal.com/June 27, 2016
Ransomware is
evolving from a relatively low-dollar extortion racket, into a more
sophisticated, more expensive, and more prevalent major criminal activity.
Hardly a day goes by anymore without ransomware or cyber extortion making the
news. A seeming turning point in the severity of this crime was the
mid-February 2016, cyber extortion of a large Los Angeles hospital chain where
a reported ransom of $3 million was originally demanded. Although the ransom
ultimately paid was 40 bitcoins (about $17,000, a far cry from $3 million), its
payment nevertheless represents a substantial and noteworthy increase from the
hundred dollar ransoms that were previously commonplace. Among those taking
note are insurers providing cyber coverage, who often will include ransomware
coverage in their policies. Since this manner of cybercrime is going to be with
us for the foreseeable future, insurers and their insureds are best served by
proactively managing, and thereby perhaps eliminating, the harm that may result
from a ransomware attack.
What is
ransomware?
In a nutshell, ransomware is a type of malware (a computer
virus) that prevents users from accessing files and data on their computer, and
threatens permanent encryption or deletion of that data if a sum of money—a
ransom—is not paid. For individuals and businesses that do not back up their
essential data, the only real option is to pay the ransom.
The goal of the hackers is not to destroy or permanently
encrypt the data, but to secure fast payment of the ransom. That is the
ransomware business model – quick cash. Historically, the amount of ransom
demanded by the perpetrators has been relatively low in order to make its
payment the logical choice for the victim; pay a nuisance sum and have access
to one’s data restored quickly. In the early ransomware incidents of several
years ago, the ransom was often as low as $100. According to the recent
Crypto-Ransomware Survey of IT Experts performed by Researchscape
International, the median amount of ransoms paid more recently is approximately
$250, with one quarter of the ransoms paid amounting to $551 or more. Despite
these still relatively modest ransom amounts, future demands will certainly
seek even larger amounts of money, if for no other reason than simply because
the hackers can get it. Indeed, the $17,000 ransom payment made in the Los
Angeles hospital case demonstrates a significantly steeper price that companies
are willing to pay for the return of access to their data.
While ransomware is not a new
concept, it has become considerably more prevalent in recent years, and will
endure as a serious and escalating threat for the foreseeable future. In the
Crypto-Ransomware Survey, one-third of IT experts were “extremely” or “very” concerned
about ransomware attacks and 61 percent were “moderately” or “slightly”
concerned. Only 6 percent of IT experts were not at all concerned about
ransomware. Moreover, of the IT experts concerned about ransomware attacks, 59
percent expect the number of ransomware attacks to increase in 2016. In 2016,
McAfee Labs, one of the world’s leading sources for threat research and cybersecurity,
released a Threat Predictions forecast that predicted ransomware will remain a
“major and rapidly growing threat in 2016.” Indeed, data from the FBI Internet
Crime Complaint Center (IC3) shows that ransomware with cyber extortion is one
of the most serious cyber threats infecting devices around the globe.
CryptoLocker is thought to be the first ransomware spread via email through social engineering techniques, and it has infected tens of thousands—if not hundreds of thousands—of computers since its release in September 2013. A seemingly innocuous email message appears on the user’s computer, appearing to have been sent by a legitimate company. However, when the recipient attempts to open a file attachment embedded in the email, CryptoLocker causes a Trojan bot to encrypt certain types of files on the recipient’s hard drive or networked drives. The malware then displays a message offering to decrypt the data if a ransom is paid online by a stated deadline. Typically, payment in bitcoin or a pre-paid cash voucher is required. Once the ransom is paid, the data is decrypted and access restored.
CryptoLocker is thought to be the first ransomware spread via email through social engineering techniques, and it has infected tens of thousands—if not hundreds of thousands—of computers since its release in September 2013. A seemingly innocuous email message appears on the user’s computer, appearing to have been sent by a legitimate company. However, when the recipient attempts to open a file attachment embedded in the email, CryptoLocker causes a Trojan bot to encrypt certain types of files on the recipient’s hard drive or networked drives. The malware then displays a message offering to decrypt the data if a ransom is paid online by a stated deadline. Typically, payment in bitcoin or a pre-paid cash voucher is required. Once the ransom is paid, the data is decrypted and access restored.
CryptoLocker also demonstrates the creativity and
resourcefulness cybercriminals will employ to capture the maximum amount of
dollars from their crimes. Shortly after CryptoLocker launched, the crooks
behind it discovered that some victims were having trouble completing the
online ransom payments. In response, the enterprising CryptoLocker hackers
created a customer service website to help victims pay their ransom – a
criminal help desk! The hackers did not want to leave a single ransom dollar on
the table.
What are the
insurance implications of ransomware?
With the increased prevalence of cybersecurity breaches and
hacking attacks, more and more companies look to the insurance marketplace to
manage their cyber and data breach risks. Given the recent increase in demand,
many insurance companies have jumped into the marketplace and offer cyber
insurance or data breach policies. A number of these policies provide coverage
for the insured’s ransom payments following such extortions. As more and more
insurance companies write coverage for cyber extortion, what is going to
happen? How will that change the ransomware landscape? Will the increasing
availability of cyber extortion coverage increase the prevalence of ransomware
attacks and, as well, the dollar amounts of those ransom demands? These
questions will only be answered precisely in due course. However, we do know
that as victims continue to pay the hackers for the return of their data and
files, the cycle will not stop. Indeed, on June 8, 2016, the University of
Calgary paid $16,000 (U.S.) ($20,000 CDN), as ransom in order to restore data
following a ransomware attack.
The availability of ransomware
insurance does not mark the first time insurance has been made available to
cover ransom payments. Nearing a century ago, coverage for kidnapping ransoms
came into existence. Kidnappings for ransom share many parallels to ransomware
attacks. Both are accomplished to obtain ransom, and in many instances that
ransom is paid. The earliest kidnap insurance policies are believed to date
back to the 1930s, after the abduction of the 20-month old son of the
trans-Atlantic aviator, Charles Lindbergh. The kidnap insurance market further
increased in the 1960s and 1970s after a series of well-publicized kidnappings,
and, in more recent times, the market again expanded after 2001 following the
terrorist attack on 9/11. Indeed, the Guardian reported
that at least seven percent of Fortune 500 companies in 2014 took out kidnap
and ransom insurance. While the exact figures are unknown, it is estimated that
more than $1 billion has been paid out in ransom to release kidnapped
executives. Not surprisingly, the vast majority of ransom payments go
unreported.
With kidnap insurance, it is a very debatable point whether
the existence of such coverage and the resulting payments has led to more
kidnapping and ransom demands. However, in the ransomware context, we contend
the increased prevalence of cyber extortion coverage will very much, and
necessarily, lead to even more cyber extortion events and an increase in the
dollar amounts of such demands. The barriers to entry into the cyber extortion
arena are substantially less than exist for human kidnapping; cyber extortion
can be done from a basement half a world away from the victim, and involves
only keystrokes rather than physical confrontations or inherent danger. There
is little, if any, reason for the cyber criminals to stop their attacks on
distant computers and increasing their ransom demands when those attacks are
successful. The profits made by initial entrants to cyber extortion will drive
additional hackers to the business model. If the insurance market, or the
extorted businesses themselves, continue to pay these increasingly larger sums
for the release of data, the cyber criminals will continue to push their ransom
demands higher and higher.
This is not at all to suggest that ransomware coverage
should not be available to insureds. As with kidnap insurance, there are a
variety of ways insurance companies can mitigate cyber risk. For example,
secrecy is usually a paramount term in kidnap and ransom policies. The fewer
people who know a ransom might be insured and paid quickly by an insurance
company, the better. This makes sense. Criminals will prefer victims who they
know are insured, so knowledge as to coverage must be limited.
Perhaps more importantly, however, is an insured’s focus on
prevention and planning for a potential incident. With kidnap and ransom
insurance, carriers typically educate their clients on prevention and the
importance of having procedures and a pre-established kidnap crisis management
team in place. Similarly, cyber insurance carriers ought to consider requiring
their insureds to have proper backup systems and cyber security training for
all employees before they issue insurance policies covering cyber extortion.
Companies can minimize or eliminate the need to pay a ransom
by making sure they have robust and efficient backup procedures and data
restoration plans. With a solid backup system in place, a company need not pay
any ransom to the hackers—the company’s data may be encrypted by hackers, but
that same data is then recoverable from the company’s own backup systems.
Companies must also minimize cyber extortion risk by training their employees
about the risks of ransomware. Ransomware enters a computer system when a user
accidentally and unknowingly clicks on a file or attachment that contains a
ransomware virus. Through training, employees can be taught to avoid suspicious
looking websites and emails, and to not click on accompanying attachments.
Unfortunately, the end of ransomware is not near. Even as
companies employ more resources to prepare for a ransomware attack, ransomware
is not going away any time soon. It is simply too profitable at the moment. The
hackers will become more sophisticated and their technology will continue to
evolve. Accordingly, businesses and the insurance market must work together to
explore new approaches to address these risks and work toward eliminating, or
at least substantially reducing, the need to put these ransom dollars in
hackers’ pockets.
Thomas Caswell’s insurance
coverage litigation practice is focused on first party property, liability,
cyber coverage, construction defect claims, bad faith, time element and boiler
& machinery claims. He has made substantial recoveries for his clients following
their losses arising out of fires, explosions and mechanical failures in
refineries, power plants, foundries, hotels and large manufacturing facilities.
His email address is tcaswell@zelle.com
============================================================ For a great satire on email, please see the following: https://www.youtube.com/watch?v=HTgYHHKs0Zwscoop_post=bcaa0440-2548-11e5-c1bd-90b11c3d2b20&__scoop_topic=2455618================================================================ Good Netiquette And A Green Internet To All!
Special Bulletin - My just released book,
"You're Hired. Super Charge our Email Skills in 60 Minutes! (And Get That Job...)
is now on sales at Amazon.com
Great Reasons for Purchasing Netiquette IQ
·
Get more
email opens. Improve 100% or more.
·
Receive
more responses, interviews, appointments, prospects and sales.
·
Be better
understood.
·
Eliminate
indecisin.
·
Avoid
being spammed 100% or more.
·
Have
recipient finish reading your email content.
·
Save time
by reducing questions.
·
Increase
your level of clarity.
·
Improve
you time management with your email.
·
Have
quick access to a wealth of relevant email information.
Enjoy
most of what you need for email in a single book.
=================================
**Important note** - contact our company for very powerful solutions for IPmanagement (IPv4 and IPv6, security, firewall and APT solutions:
www.tabularosa.net
==================================================
Another Special Announcement - Tune in to my radio interview, on Rider University's station, www.1077thebronc.com I discuss my recent book, above on "Your Career Is Calling", hosted by Wanda Ellett.
In addition to this blog, Netiquette IQ has a website with great assets which are being added to on a regular basis. I have authored the premiere book on Netiquette, “Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". My new book, “You’re Hired! Super Charge Your Email Skills in 60 Minutes. . . And Get That Job!” has just been published and will be followed by a trilogy of books on Netiquette for young people. You can view my profile, reviews of the book and content excerpts at:www.amazon.com/author/paulbabicki
In addition to this blog, I maintain a radio show on BlogtalkRadio and an online newsletter via paper.li.I have established Netiquette discussion groups with Linkedin and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts and I have been contributing to the blogs Everything Email and emailmonday . My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ and PSG of Mercer County, NJ.
I am the president of Tabula Rosa Systems,
a “best of breed” reseller of products for communications, email,
network management software, security products and professional
services. Also, I am the president of Netiquette IQ. We are currently developing an email IQ rating system, Netiquette IQ, which promotes the fundamentals outlined in my book.
Over the past twenty-five years, I have enjoyed a dynamic and successful career and have attained an extensive background in IT and electronic communications by selling and marketing within the information technology marketplace.Anyone who would like to review the book and have it posted on my blog or website, please contact me paul@netiquetteiq.com.
=============================================================