Be aware of Ransomware

Ransomware is a type of malicious software that infects a computer and restricts a user's access to certain data, systems and files until a ransom is paid. Ransomware can come in many forms. It also can re-appear, just when you thought the attack was over. Just like a virus or infection, ransomware can evolve and re-invent itself to counter cyber-defences and remediation.

Ransomware attacks target the most vulnerable part of a company's computer networks - the users. We are bombarded with spam emails. According to a recent study by IBM, spam emails loaded with ransomware increased 6,000 percent in 2016 compared with 2015, comprising almost 40 percent of all spam messages in 2016 [1]. Another report, from cyber security firm Symantec, cited 460,000 ransomware attempts in 2016, up 36% from 2015, with the average payment demand ballooning from $400 to $1,500, a 260% increase [2]. Ransomware attacks have certainly grown. The primary attack route for ransomware is an employee who has clicked on a file or a link that they should not have clicked. That employee may be reading their emails and come across what looks like a legitimate notification. Ransomware is sometimes embedded in seemingly legitimate downloads such as software updates or résumé files [3]. Fake Adobe Flash updates are a notorious Trojan horse for delivering ransomware because Flash is such a readily available add-on to most Internet browsers. Once inside a network, some ransomware can seed itself to additional computers or other devices via SMS messages or a user's contact list.

The invader encrypts the files so a victim company cannot access them. Then the hacker offers to sell the encryption key to the victim, typically payable in a difficult to trace online crypto-currency such as Bitcoin. The usual ransomware demand comes with a deadline — after which time, the ransomware attacker threatens that the key will be destroyed or will expire, rendering the kidnapped files forever inaccessible. In many cases the ransom note that hijacks the victim's screen is accompanied by a digital clock fatefully ticking down the minutes and seconds from 72 hours [4]. When the timer expires, the ransom demand usually goes up or even doubles - or the data is permanently locked and no longer recoverable. To make matters worse, seeking police help for a ransomware attack unfortunately remains a very limited option. The police authorities have become inundated with ransomware reports. They lack the resources to assist victims. The other problem is that most of the ransomware attackers are overseas. Just to obtain electronic evidence or interviewing a witness, let alone successful extradition and prosecution, are rarely possible. Finally, ransomware demands are often at monetary levels too small to warrant involvement by the Law.

Therefore, it should come as no surprise that a significant number of ransomware victims opt to pay the ransom. When padlocked files are business-critical (e.g. an important intellectual property formula); when encryption cannot be defeated (no matter how good the code-breaker) or when time is of the essence (e.g. when patient data is needed for life-saving surgery), paying the ransom can become the so called "best worst option". Sometimes from a cost-benefit perspective, payment can make the most sense.

Therefore, it should come as no surprise that a significant number of ransomware victims opt to pay the ransom. When padlocked files are business-critical (e.g. an important intellectual property formula); when encryption cannot be defeated (no matter how good the code-breaker) or when time is of the essence (e.g. when patient data is needed for life-saving surgery), paying the ransom can become the so called "best worst option". Sometimes from a cost-benefit perspective, payment can make the most sense.

Small to medium businesses are beginning to realise that the financial, operational and even reputational risks of a ransomware attack can be addressed by a comprehensive cyber insurance policy. In Australia, this cover is in its early stages. However, we do have access to a number of insurers offering varying solutions to this issue. Some insurers allow it to be added on to existing Management Liability or Professional Indemnity covers for a small sub-limit. A full comprehensive policy is also able to provide the additional liability exposures, such as a privacy breach, and Business Interruption losses, along with the expected costs to fix the issue from a suitable IT Consultant. Some insurers are providing an adjunct Risk Management Service alongside the cover, as prevention is often better than cure. If not preventable, they can at least step in immediately to deal with the matter on behalf of the client. In 2015, ransomware accounted for just over 10% of cyber insurance claims, but in 2016 that figure grew to 25% [5]. Ransomware typically falls under "first party" liabilities as cyber extortion and network interruption. Without a specific ransomware cyber insurance policy, professional indemnity and other insurance policies, have some limited application. However, it is difficult for us Brokers to deal with the ambiguities and disputes. For example, there are often terrorism exclusions. Is this a Terrorism Act? Or policies may have "acts of foreign enemies" or "government acts" exclusions that can limit reimbursement if the ransomware was distributed by cyber-attackers tied to a foreign government. With "Material Damage" policies, a victim company's data is not actually damaged but is rather "locked" - with Ransomeware. Just like other kinds of insurance, ransomware coverage by itself will rarely be enough to make a company whole after a cyber-attack, but it can provide critical financial resources. Also, your clients are likely to be impressed with a thoughtful and professional response. Having a Cyber Risk policy covering ransomware, can send a powerful message of strong business acumen, customer care and good corporate governance. Have you thought about and covered these risks with good Risk Management and Insurance?