Insured companies more likely to be ransomware victims, sometimes more than once

Companies with cyber insurance are more likely to get hit by ransomware, more likely to be attacked multiple times, and more likely to pay ransoms, according to a recent survey of IT decision makers.

Back in 2019, fewer than 20% of enterprises suffered repeat ransomware attacks, while during the pandemic, the percentage rose to around 30%. And it didn’t stop with the pandemic, with 38% of organizations surveyed in 2022 reporting two or more successful ransomware attacks, those that attackers were able to lock systems, encrypt data, or exfiltrate information to demand a ransom, according to Barracuda’s report conducted by Vanson Bourne.

Companies with cyber insurance get targeted more

Cyber insurance plays a significant role in the numbers as they get targeted more, Barracuda Networks CTO Fleming Shi tells CSO. The survey found that 77% of organizations with cyber insurance were hit at least once, compared to 65% of organizations without insurance. In addition, of the companies that had cyber insurance, 39% paid the ransom.

To make matters worse, the research found that insured companies were also 70% more likely to be hit multiple times. Repeat victims were also more likely to pay ransom, and less likely to use backup systems to help them recover.

Although the report doesn’t establish a direct connection between having cyber insurance and being hit by ransomware, Shi speculates that attackers might discover that a company has insurance because of social engineering, or they might be going after targets that are most likely to have critical data. “That allows them to have higher confidence in getting the payment,” he says.

That doesn’t mean that having cyber insurance is a bad thing. Insurance companies insist on cybersecurity controls before they provide coverage, says Shi. “Insurance can play a positive role if you utilize it in a way that helps you improve your security posture.”

Cyber insurance helps decrease the percentage of companies paying ransomware

According to a report released by Coveware earlier this year, the percentage of ransomware victims who pay the ransom has been declining, from 85% at the beginning of 2019 to 45% in the first quarter of 2023.

Part of the reason could be that even paying the ransom won’t get all the data back. According to Sophos’ 2022 ransomware report, organizations that paid ransoms only got on average 61% of their data back, and only 4% got all their data back.

Companies are investing in better security because of news reports and regulatory requirements — but also because their insurance companies demand it. “When we started mandating specific controls, we saw a tangible impact,” Jason Rebholz, CISO at Corvus Insurance, tells CSO. “Two years ago, we started mandating that organizations have to have secure and resilient backups. When we did that, we saw a 35% drop in ransoms paid.”

He admits that it’s hard for organizations to know what security tools to invest in given the wide variety of options out there and the rapid pace of change. But insurance companies have particular insight in this space because they get to see the details of cyber insurance claims, in addition to closely following industry developments. “There’s nobody who’s going to have more of a vested interest in your cyber security than your cyber insurance carrier,” Rebholz says.

And what matters is strong endpoint security, multi-factor authentication, and backups, he says. “We can see the difference. People who have better security controls have fewer claims and less severe claims. If you don’t have a secure email gateway in place, for example, you’re 2.5 times more likely to have a business email compromise.”

He doesn’t think that attackers are specifically targeting companies because they have insurance. “It’s one of the biggest myths out there. But there aren’t companies out there that are advertising that they have cyber insurance, and there are plenty of victims out there for hackers to go after.” Hackers typically rely on market valuation or other factors when choosing victims, Rebholz says.

Ransomware is just one of many threats that policies cover, Chris Hendricks, head of incident response at Coalition, tells CSO. He does not see a correlation between having cyber insurance and being a target to ransomware and he doesn’t think that companies get complacent when they buy insurance.

How insurers help organizations’ cyber hygiene

Coalition does what they call “active insurance”, Hendricks explains. “We work very hard to motivate them not to be complacent.”

For example, a property insurance company would need to know that a building has fire doors and sprinklers before they sell fire insurance. Coalition’s active monitoring means they can see, from the outside, if the company has fire doors. “We can say, hey, did you notice that your fire doors are closed? That’s a fire risk. Here’s how you open them,” says Hendricks.

This is particularly useful for smaller clients who might not have their own attack surface monitoring and vulnerability scanning tools in place, he says. Plus, there’s a reassessment of risky behaviors each time a policy is renewed, which reduces the frequency and severity of incidents, he adds.

The company also tracks the effectiveness of particular security controls. Multi-factor authentication, for example, reduces both ransomware and funds transfer fraud risk. “It’s not a silver bullet but it’s a huge positive benefit,” he says.

He recommends closing down remote desktop protocol, which allows employees to work from home more easily. “It’s used by unsophisticated attackers at scale. There are better ways to secure remote access — we recommend VPNs with multi-factor authentication.”

Endpoint protection is another tool he suggests. This used to be antivirus, but is now endpoint detection and response, he says. “Those who have quality EDR in place have a lower risk of significant issues. And a notch up from that would be to have that monitoring by someone like a managed security services provider so there’s eyes on it to do something in case something happens,” he says.

And then, of course, backups. “They never go out of style, and they truly do reduce the impact [of ransomware attacks],” he says.

But a good backup is about more than just having a copy of your file server in an Amazon S3 bucket. A backup should be able to restore your business operations and companies need to test the backups to be sure that they work. And yes, when companies apply for ransomware insurance, this is something they’re asked about, says Hendricks.

How the cyber insurance landscape changed in recent years

There might be some validity to the Barracuda survey results, according to Forrester analyst Alla Valente, attackers are probably wanting to work smarter, not harder. “If I was a hacker, I would probably direct my ransomware attacks to companies who can pay,” Valente tells CSO.

A company that doesn’t have cyber insurance in place might not be able to come up with ransom money. “But hackers are also targeting industries that don’t have any choice but to pay,” she says.

But as far as complacency goes, times have changed, she says. “Four years ago, I would have said companies that have cyber insurance are using it as a form of risk management. ‘We have insurance, so we don’t have to do as much,’” she says. “But then COVID happened and we saw not only a huge increase in ransomware attacks, but also a huge increase in claims that were filed against both standalone cyber insurance policies, and also as part of other business interruption policies. And that’s when the insurance companies started worrying.”

Insurance companies started having profitability issues and cyber insurance stopped being easy to get and relatively inexpensive. As a result, policies now have more exclusions and limitations.

“Insurance companies started doing risk management in their own underwriting,” she says. “If you don’t have the proper controls, proper technologies, and dedicated resources, then you’re a greater risk, and we’re not going to insure you, or not give you discounts, or charge you a lot more. And if companies have tools but they’re not being applied universally or consistently, well, policy claims have been rejected because a particular control or technology wasn’t in place at the time of the breach.”

An evolving attacker landscape

While insurance companies are demanding more from their customers, and enterprises are beefing up their defenses, the attackers aren’t standing still. According to the Coveware report, in response to declining ransom payment percentages, the attackers have shifted their tactics and are now targeting larger companies and demanding bigger ransoms.

The average ransom payment has grown from less than $50,000 in 2019 to over $400,000 at the end of 2022. In the first quarter of 2023, 45% of attacks had an initial demand of more than $1 million, an all-time high.

Another thing that has changed is the number of additional ransom demands. In the past, according to Coveware, re-extortion — when an attacker comes back and asks for more money after a ransom has been paid — was a tactic used by lower-end ransomware groups, attacking smaller companies. But, in 2022, some big-name ransomware-as-a-service groups that target larger companies have also embraced the re-extortion strategy.

Another technique that attackers have been using is stealing copies of the data before they encrypt it. This exfiltration tactic was present in over 80% of ransomware attacks in the first quarter of this year.

According to Coveware, enterprises are increasingly realizing that paying blackmailers for the promise that they won’t leak stolen data isn’t a particularly productive activity. By comparison, with decryption keys, they can immediately see if the key works and the business gets some value from the payment.

Attackers are also always looking at new tools, such as AI, to increase the effectiveness of their attacks. “There’s so much new technology that’s being developed, like ChatGPT and others,” says Forrester’s Valente. “They haven’t been used long enough for us to identify the risks and mitigate them.”

Enterprises are playing a game of whack-a-mole, she says. “While I’ve been focusing my attention over here, hackers have evolved. You do the best you can, but there’s a lot of risk out there.”