Ransomware Attacks: The Current Virtual Hostage Situation

“CyberInsuranceInsights” is a Blog Series that shares ideas, advice, and experiences from the BlueVoyant Professional Services team. The blogs discuss the lessons learned from assisting clients navigate post-breach insurance claims and pre-breach preparation.

Scholars believe Helen of Troy may be the first case of kidnapping in our history of Western Civilization. Whether mythological or not, the storytelling and memorialization in the Iliad supports the theory that it was a plausible explanation for the Trojan War. As we trace the history of kidnapping, ransom payments and now ransomware attacks in our current society, the intent remains the same: taking someone or something of value in exchange for something of value to the attackers.

The first people kidnapped in the United States were two young boys from Philadelphia in 1874. The first computer ransomware attack took place in 1989 and targeted research from the healthcare industry. It was carried out through malware on floppy disks that infected the computer systems after the computer was powered on 90 times. In the story of Helen of Troy, the value was the victory of war. As it relates to people, data or intellectual property, the intended outcome is monetary gains, societal disruption and theft of trade secrets. Ancillary damage comes with it – war, grief, and amongst others, physical damage.

By definition, ransomware is a form of malwarethat encrypts a victim's files. It blocks access to data and may shut down computer systems which results in catastrophic consequences, including business interruption and damage to an organization’s reputation. Typically, the bad actor demands a ransom from the victim to restore access to the data upon payment. Users are shown instructions for how to pay a fee to obtain the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals oftentimes in bitcoin.

Any organization qualifies as an appealing target for a number of reasons. For example, a small family run business may not have adequate security measures established, but because they accept credit card payments, that information is still worth something on the dark web. Schools are ripe targets as they possess a wide variety of information about students, as well as intellectual property related to research and development projects.

Manufacturing, utility companies and the maritime industries are sectors now being recognized as newer targets – that when compromised - affect the physical safety of individuals globally. One common thread, in addition to being vulnerable, is that these companies are starting to adopt defensive mechanisms to respond to an incident, and even proactively, build incident mitigation plans.

A form of defense that is becoming increasingly popular is the purchase of cyber insurance. Generally speaking, cyber insurance is a risk transfer tool that provides monetary funds for costs associated with investigations including, the retention of experts, system restoration, and most relevant for this article, ransom payments. The decision to pay ransom is difficult with many stakeholders taking various positions. The positions vary from immediately paying the ransom demand in order to unlock the systems, to refusing to pay the ransom because it may fund terrorism if attribution reveals a foreign government may be responsible.

Additionally, an organization may turn to law enforcement or a private investigation firm to assist with data recovery. The availability of stand-alone cyber insurance is a significant factor. Similarly, any existence of kidnap and ransom insurance, which historically existed for the recovery of individual victims, may now include solutions to recover data. Equally important, and a direct comparison to the handling of traditional kidnapping cases, is the importance of an experienced negotiator to handle the discussions with the bad actor to ensure if payment is made, the bad actor holds up his end of the bargain. A negotiator may also be the right resource for access to bitcoin and it must be confirmed in advance that an insurance company willing to pay ransom is willing to pay in various forms of cryptocurrency.

Before tapping into an insurance policy, an insured organization must understand the process an insurance company requires before a ransom payment is made or under what set of circumstance would exclude a ransom payment from coverage. Some insurance policies will be reluctant to approve a payment if they deem the payment to signal availability of funds that may inspired bad actors to seek other insureds who are insured by the same insurance carrier, thereby tapping into multiple policy limits and diluting policy premiums. Insurance companies might also require prior approval before agreeing to pay. During the policy procurement process, it is prudent to ask these questions especially when comparing policies.

Cyber insurance companies have assisted many organizations recover successfully from ransomware attacks. Consider adding cyber insurance to your defense strategy. These policies are wrought with virtual versions of the same shields, spears and helmets the ancient Greeks donned to win their physical battles. As we are fighting a cyber war, we should embrace all the various weapons we have at our disposal.

This article was originally published by CHART Magazine.