HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Insurance Companies are Fueling the Ransomware Epidemic by Paying Ransoms

A recent ProPublica investigation has highlighted a growing problem that is fueling the current ransomware epidemic. Insurance companies are opting to pay ransom demands as it is the most cost-effective way of settling claims, even though paying ransoms encourages further attacks. A ransom demand may be high, but it is far cheaper to pay the ransom than cover the cost of rebuilding systems from scratch and restoring data from backups.

Paying the ransom demand is a win-win for the insurer and the breached entity. The insurer saves money and, since most insurance policies only require payment of a small deductible, the breached entity does too. The breached entity is also likely to regain access to its files and systems far more quickly, which saves time and money by reducing downtime. The hackers responsible for the attack are also happy, as their demand is met.

This has been clearly demonstrated in recent attacks where the breached entity has refused to pay up. In the ransomware attack on the city of Atlanta, the attackers issued a demand of $51,000 for the keys to decrypt files. The city refused and ended up paying around $8.5 million to resolve the attack. The city of Baltimore also refused to pay its $76,000 ransom and ended up paying $5.3 million (and counting).

There is naturally a downside to paying a ransom. Doing so gives the attackers the finances to conduct further attacks. When ransom payments of hundreds of thousands of dollars are paid, it sends a message to other cybercriminals that attacks can be extremely profitable. That just encourages others to jump on the ransomware bandwagon and start conducting their own attacks. It is for this reason that the advice of the FBI is never to pay a ransom.


The report also suggests that, in some cases at least, cybercriminals may be choosing to attack companies that have cyber insurance as there is a much higher probability that the ransom demand will be paid. The report cites Fabian Wosar, chief technology officer at New Zealand-based cybersecurity firm Emsisoft, who points out that one company offering cyber-insurance listed some of its clients on its website and three of those companies suffered ransomware attacks.

Information about companies that have cyber-insurance can also be found in SEC filings. The U.S. Securities and Exchange Commission recommends informing shareholders in quarterly filings that the company holds a cyber-insurance policy. That information could be used by ransomware gangs to find potential targets to attack. ProPublica reporters spoke to one company that was allegedly told by the FBI that U.S. companies are being targeted by hackers as there was a greater chance that the ransom demands would be paid by insurance companies.

Whether companies are being targeted specifically because they have a cyber-insurance policy is unclear, as there is little evidence to back up such claims. More and more companies are taking out insurance, and it may just be a coincidence that insured companies have been attacked.

Most ransomware attacks still succeed because vulnerabilities have not been identified and addressed and cybersecurity defenses are poor. What is needed is greater investment in cybersecurity solutions, policies, and procedures to make it harder for attacks to succeed in the first place.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.