A third of companies hit with ransomware didn’t have to pay…Here’s how they did it

By Pete Nicoletti, Check Point Field CISO, Americas

One in ten victims of ransomware pay ransoms of over $1 million. With successful ransomware attacks still growing and demands going up year over year, how can companies dodge that expensive bullet?

Even if you have solid anti-ransomware security measures in place, do not assume that your company will never fall victim to an attack.

You need to prepare for worst-case scenarios. Ensure you have a “prevention” vs. detection strategy in place. Test your backups, and exercise your Incident Response Plan on a routine basis. Finally, consider insurance as a final backup option to your active prevention strategies and defenses.

An annual study on the state of ransomware reveals the growing relationship between organizations and cyber insurance, and the role insurance plays in minimizing the financial burden placed on ransomware victims.

The role of insurance in managing cyber risk

Eighty-three percent of mid-sized companies rely on cyber insurance to help mitigate the cost of a ransomware attack. However, is insurance worth it? The results might surprise you. In 98% of ransomware incidents where the organization had insurance, the insurance company paid some or all of the costs associated with the attack. In 40% of incidents, the entire ransom payment was covered. If you do the math, that means a third of all mid-sized companies didn’t have to pay – insurance covered all their ransomware-related costs.

Nonetheless, there are other costs beyond the initial extortion payment. There are outage costs, response and restoration expenses, monitoring costs, investigation costs, potential regulatory investigation and penalties, and potential consumer or shareholder class action lawsuits as well as impacts to reputation. Fortunately, insurance companies can cover some of these liabilities as well.

As ransom demands have increased and attacks have become more sophisticated and common, insurance companies are looking to reduce their ransomware risk and exposure, and avoid paying out on claims. As a result, insurers are placing higher demands on organizations to have strong security measures in place. Insurers are also requiring adherence to well-known compliance frameworks and making sure that detailed evidence of program maturity is verifiable. This has the unintended and beneficial consequence of forcing companies to strengthen their security postures if they want to qualify for insurance.

Ninety-four percent of companies with cyber security insurance mentioned that their experience of acquiring it has changed during the past year. Policies have become more complex, and fewer companies are offering insurance protection. These changes have incentivized companies to improve their overall security posture so they can have a better chance of acquiring insurance.

Creating a stronger case for cyber insurance, the leaks from the Conti ransomware group give further insight into how these criminal gangs operate. Conti did not apply the same formula for every victim when calculating how much to extort. The higher the annual revenue of the victim, the lower the percentage of revenue demanded; however, that percentage still represented a higher dollar amount. Thus, if you’re a larger organization with higher revenues, then it may be worth exploring cyber insurance: it could potentially save you millions in the event of a ransomware attack.

The state of ransomware in 2022

At this point, you’re probably considering insurance if you don’t have it.

However, it’s important to familiarize yourself with the current ransomware landscape to know what you’re getting into.

  • For organizations around the globe, Check Point Research discovered a 24% increase in ransomware attacks year-over-year. One in 53 organizations were impacted, versus one in 66 during 2021.
  • Ransomware attacks are becoming more costly. Eleven percent of organizations paid ransoms of $1 million or more, an increase of 4% since 2020. Overall, the average ransom paid by organizations increased nearly five-fold to $812,360.
  • The majority of victims are opting to pay the ransom. Sixty-three percent of organizations hit with ransomware paid the extortion, and 26% of organizations that used backups to restore their data also paid.
  • Organizations paid an average of $1.4 million to recover from a ransomware attack, and it took an average of one month to recover from the attack. Ninety percent of companies said the attack had disrupted their operations, with 86% of victims in the private sector saying they lost business or revenue due to the attack.

The risks of paying the ransom

Let’s say your organization was hit with ransomware, and you don’t have insurance.

Should you pay the ransom?

Here are several risks to consider.

First, there is no guarantee that the threat actors will give you the decryption key and release your data.

Second, paying the ransom can encourage more ransomware attacks, especially if the threat actors know that you will meet their demands.

Third, the attackers may be familiar with your business and systems, incentivizing them to attack again. In one case, a company that fell victim to a ransomware attack paid millions to decrypt their data but fell victim to the same hackers in just a couple weeks after failing to identify the root cause of the attack.

Fourth, you could face criminal liability. Always consult with your legal counsel before taking any actions. For example, according to the UK Terrorism Act of 2000, it is an offense for any person to pay a ransom if there is reasonable cause to suspect that the money will be used for the purposes of terrorism.

Fifth, the U.S. Congress recently signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) into law. This law brings increased visibility to the scope and severity of ransomware attacks and payments. CIRCIA imposes reporting requirements on “covered entities” in the event of a ransomware payment.  Covered entities are defined in the Presidential Policy Directive 21, referring to 16 critical infrastructure industries. If a covered entity makes a ransom payment after suffering a ransomware attack, the entity must report the payment to CISA in under 24 hours after the payment is made. Such knowledge allows CISA to inform the public of large scale cyber attacks in an effort to prevent potentially imminent cyber attacks. This law is consistent with the government’s views against paying the ransom because of concerns that it will further incentivize threat actors.

Conclusion

In conclusion, the ransomware landscape has changed in 2022, for better or for worse. With ransom payments and attacks on the rise, companies are advised to look into cyber security insurance as a last line of defense for the worst case scenario.

However, to prevent things from ever getting to that point, it would be wise to invest in ransomware prevention tools.

Do it now — or do it with your hair on fire, spending triple or more in unplanned expenses of the amount after a hack while suffering business downtime, loss of proprietary or customer information and a deathblow to your reputation.  It’s time to get your tools in place for prevention and eliminate the ransomware gangs and their illicit ecosystem.

For more cyber security insights from Pete Nicoletti, see CyberTalk.org’s past coverage. Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the CyberTalk.org newsletter.