The dark specter of ransomware continues to loom large. The stuff of nightmares for worn-out security teams and anxious boardrooms, it can easily feel like an insurmountable challenge; impossible odds always stacked against us. Yet, the truth is, ransomware’s reign of terror is weakening. Cracks are beginning to form in the iron grip of ransomware. There is light at the end of the tunnel. Three hammer blows have destabilized the longevity of ransomware; insurance demands, state sanctions and compulsory notifications. All of these are making it more and more difficult for malicious actors to extort ransoms and therefore diminishing the profitability for criminals in launching ransomware attacks.
Insuring against cybersecurity incidents has been a lucrative business for the insurance industry, and an increasing number of companies have built this kind of protection into their cyber strategy. In fact, recent data from the Howden Group reports that gross written premiums for cyber insurance have more than doubled since 2016.
However, as the ransomware pandemic continues, the sector has come under extreme pressure, with an ever-growing number of victims being squeezed for ever-increasing sums. Not only has the number of claims being made to insurance providers surged in recent years, but the value of each claim on average has also been skyrocketing as ransom demands increased by more than 500% between 2020 and 2021.
Under these mounting pressures, insurance companies have had to increase premiums and place restrictions around the kinds of cyber incidents that can be covered. Yet, even with these limitations, insurance companies face massive potential liabilities, so they are increasingly being selective about who they insure. With demand for insurance remaining high, insurers are able to pick and choose who they offer cover to, and businesses with the most robust cybersecurity are at the top of that list. It could be argued that this pressure from insurers is an even bigger catalyst for organizations taking their ransomware defenses seriously than the threat of ransomware itself, possibly because insurance procurement and compliance issues involve decision-makers from across the organization, not just IT and security.
When Paying Doesn’t Pay
Many legislative bodies, be they state governments or national, have already made it a crime to pay a ransom, and many more are considering similar laws. This has the potential to make the biggest impact on the success of the ransomware business model; if malicious actors can’t get paid, then there is no motivation for them to invest in developing attacks.
There is an added imperative to this kind of legislation when we consider how many publicly funded organizations, schools, hospitals, government departments, etc., have been the target of ransomware attacks. Any ransoms paid in these cases directly reduce budgets set aside for public services and instead put those funds in criminals’ hands.
Notifications Are Switched On
Some organizations, either with or without the help of insurance, have previously chosen to deal with the problem of ransomware simply with their budget. Quickly and quietly paying ransomware to try to restore systems as quickly as possible and cause minimal secondary loss through reputational damage. While this might make business sense in some cases, it ultimately continues to feed the ransomware plague as it funds threat actors to recruit bigger teams, develop more sophisticated attacks and devise more ways to circumvent defenses.
Essentially, ransomware thrives in the dark. As such, more and more legislators, at the national level and also industry bodies, are looking to tackle the pandemic by bringing the crimes into the light using compulsory notifications. Once an organization has been compelled to notify an authority that they have suffered an attack, the option of simply paying the ransom becomes less attractive. With the cat out of the bag, any hope of a quick, quiet conclusion to the attack has gone, so it starts to make more sense to try to fight it using backups and rebuilding weak systems.
Ransomware on the Ropes
Together, these three changes make ransomware look less appealing for malicious groups. Yet, even as we contemplate the beginning of the end of ransomware, we need to ask ourselves what next? Ransomware was just a symptom of bad cyber resiliency. If we don’t work to address that, then bringing down ransomware will be a hollow victory, leaving us vulnerable to the next big threat. Better resiliency now will help us see off ransomware and leave us in a much stronger position for whatever comes next.