Use the below code to add this video to your website.
Although reports indicate ransomware activity has been quieter than usual to start the year, experts say that likely won’t last for long.
“What we see is there's an evolution of [ransomware] changing and not just in the way that the tech is changing,” said Violet Sullivan, vice president of client engagement at Redpoint Cybersecurity, on this quarterly ransomware recap episode of The Insuring Cyber Podcast. “What I'm trying to get to is the strategy is changing. I think the question they ask is, ‘What hurts you the most?’ I think what hurts the most, what they're realizing, is introducing uncertainty.”
Uncertainty, Sullivan said, is exactly what this period of lower ransomware activity is inviting.
“There's just got to be something cooking,” she said. “There has to be something that we don't know that's going to come out like WannaCry. We haven't had anything that has hit us like NotPetya or WannaCry.”
Corvus Insurance reported ransomware attacks are down from recent peaks, according to the latest Corvus Risk Insights Index released last year. The report said that based on the company’s claims data, the average rate of ransomware claims at the end of the year reached just half of the peak seen at the beginning of the year even despite some larger scale attacks like the Microsoft Exchange Breach and Kaseya. Overall, Corvus found fewer ransoms are being paid compared to those being demanded as well. The report attributed the decline in part to cyber underwriters exercising more scrutiny.
“Over the last year-and-a-half or two years, we've seen an increase in really good security controls, like multifactor authentication, endpoint detection and response tools, and resilient backups, being mandated for a cyber insurance policy,” said Jason Rebholz, chief information security officer at Corvus, earlier in this episode. “The benefit there is that now we're starting to see not only a decrease in the number of these attacks that are getting reported, but also the impact of them.”
However, Jason said the true turning point in mitigating ransomware was likely the Colonial Pipeline attack of last year, in which cyber actors targeted computerized equipment that manages the American oil pipeline system originating in Houston, Texas, and carrying gasoline and jet fuel primarily to the Southeastern U.S.
“That really woke up the U.S. government about the impact that ransomware can have not only on an individual company, but an entire population,” he said. “We saw a much more unified and direct effort from the U.S. government to start applying pressure to these ransomware actors.”
Additionally, the Russia-Ukraine conflict may have contributed to a recent decline in ransomware activity as many ransomware actors themselves have been affected or even displaced by the war, Rebholz and Sullivan said.
“It was just this perfect storm of activity that was happening that we started seeing this decline in ransomware attacks and also just the overall severity of them,” Rebholz said.
Sullivan said insurers and other organizations can capitalize on a quieter period of ransomware by re-evaluating their cybersecurity protocols and ensuring they have updated plans in place.
“I think it's a better time to think about who you would be using in the event of an incident, practice it, and even think about higher-level employee awareness training,” she said.
However, she isn’t optimistic that ransomware criminals will lay low for very long.
“I guess I'm a little bit more pessimistic about why I think it's been quiet,” she said. “It's not because we have our defenses up, because I think when you hear from law enforcement and when you hear from technical communities, most people will still agree that the threat actors are way in front of us.”
Rebholz added that with larger scale ransomware attacks gaining more visibility, ransomware may once again shift back toward attacks on smaller organizations similar to its early days.
“I think we're going to see a bit of a shift there in terms of targeting from these massive companies to more of the mid-market - potentially the SMBs again - and just kind of see [criminals] try to fly under the radar there,” he said.
But with more knowledge, experience, and technical tools, will organizations and insurers ever be able to get ahead of ransomware? Sullivan isn’t sure.
“I honestly think it's going to be extremely challenging,” she said. “Let's just take it back to the human issue of there's always been crime. Crime has always happened, and this crime is extremely easy to anonymize. This crime is where the new generation is skilled at. We have digital natives that have never had life without a computer. That is the new world of criminals that can get money very easily if they have the technical expertise and understanding. There are entire groups, parts of the country, parts of the globe, that learn this stuff and treat it like a job. I've heard technical people saying it's going to be harder before it gets better.”
Rebholz agreed.
“We're still in the early innings of where this game is going to go, but I think we're starting to see a few of the opening plays that attackers are going to try,” he said. “And if they're successful, we could see a potential shift in some of these tactics.”
To find out what else Jason and Violet had to say, check out the rest of this episode and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.