To pay or not to pay? The ransomware dilemma

What a period this has been for high-profile so-called ‘ransomware’ attacks on both private and public enterprises. Axa, Toshiba, Colonial Pipeline and the Irish healthcare service have all been in the news these past 10 days as the targeted victims of some very sophisticated cyber-attacks.

Yet, with reports suggesting that in some instances the ransom demands have been met, this raises the question of whether it actually pays to become involved in cyber-crime, which is increasingly looking like a potentially very lucrative business.

But first, some background. Ransomware attacks typically involve the infection of computers with malicious software, often downloaded by clicking on seemingly innocuous links in emails or other website pop-ups. Users are left locked out of their systems, with the demand that a ransom be paid to restore computer functions.

French insurer Axa confirmed over the weekend that one of its Asian subsidiaries had been the subject of a ransomware attack. The group said the cyber-attack had targeted its Asia Assistance division, part of Axa Partners, impacting IT operations in Thailand, Malaysia, Hong Kong and the Philippines.

The targeting of Axa is especially ironic given that it is one of the major players in the emerging cyber insurance market, and comes only days after it announced that it would stop writing cyber insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.

The Axa attack followed the news last week that a unit of Toshiba Corporation had become the latest high-profile target of a ransomware attack by DarkSide, the group the FBI has blamed for the Colonial Pipeline attack.

Toshiba Tec Corporation, which makes point-of-sale systems and copiers, said only a minimal amount of work data had been lost.

Colonial Pipeline

Earlier in the week Colonial Pipeline was also the subject of a concerted ransomware attack.

The FBI has attributed the Colonial cyber-attack to DarkSide, a group believed to be based in Russia or Eastern Europe. Its ransomware targets computers that do not use keyboards in the languages of former Soviet republics, cyber experts said.

The pipeline shutdown has reduced fuel availability in the near term, pushing up prices and forcing refiners to cut production because they had no way to ship the gas. The pipeline operations have since been restored.

The incident is being regarded as one of the most disruptive digital ransom operations ever reported and has prompted calls from American lawmakers to tighten protections for critical US energy infrastructure against hackers.

Also on Friday, Ireland’s health service operator shut down all its IT systems to protect them from a “significant” ransomware attack, crippling diagnostic services, disrupting COVID-19 testing and forcing hospitals to cancel many appointments.

An international cyber-crime gang was behind the attack, Ireland’s minister responsible for e-government Ossian Smyth said, describing it as possibly the most significant cyber-crime attempt against the Irish state.

Risk accumulation

According to cyber risk analytics specialist CyberCube, the cyber-attack on a major US fuel pipeline is a wake-up call to insurers about the potential for cyber risk to accumulate around vital infrastructure or technology systems that affect large numbers of connected organisations.

The Colonial Pipeline, which was attacked last week causing petrol shortages across the eastern USA, is connected to 30 oil refineries and nearly 300 fuel distribution terminals throughout the United States. In addition, thousands of gas stations, consumers and hundreds of companies including mass-transit hubs such as airports, rely on Colonial to deliver fuel.

According to CyberCube, the Colonial attack demonstrates the vulnerability of so-called Single Points of Failure (SPoF) to cyber criminals. SPoFs are components or entire companies – physical or electronic – whose failure will shut down an entire system and affect many end-users.

William Altman, Cyber Security Consultant at CyberCube, said: “Colonial is a taste of what is to come. Both criminal ransomware operators and nation-state sponsored threat actors are increasingly turning their attention toward attacking SPoF. By going after SPoF criminal attackers will create maximum leverage to convince their victims to pay a ransom, and nation-state actors will use SPoF as a jump-off point into adjacent systems for conducting espionage and other information operations.”

“While we have yet to see a true accumulation catastrophe event in cybersecurity, the writing is on the wall. Recent attacks on SPoF like SolarWinds, Microsoft Exchange, and Colonial Pipeline indicate clearly the direction the industry is headed.”

“It should now be abundantly clear to the insurance industry that cyber-attacks with catastrophic scope – and the potential for catastrophic losses – are no longer just science-fiction. In 2021, it will be widely acknowledged that a rigorous and structured approach to cyber risk accumulation management is now a prerequisite and a necessity for all (re)insurers.”

Colonial discovered its IT systems had been hacked on 7 May. Prior to that date, CyberCube said it had already identified and flagged several high-risk signals for the Colonial Pipeline, including malware infections and the potential for a remote user to gain access to Colonial’s network through an open RDP port, which is one of the most common ransomware attack vectors.

Does crime pay?

What is especially worrying about the Colonial Pipeline attack, according to multiple media reports, is that it actually paid nearly $5 million to cyber-criminal gang DarkSide following the incident. CNN, the New York Times, Bloomberg and the Wall Street Journal all reported a ransom was paid, citing sources.

In response to this news, Lior Div, CEO of cybersecurity specialist Cybereason, was firm about the correct approach to take:

“Cybereason strongly recommends against paying ransom demands as our recent research shows that more than half the companies that pay a ransom are hit a second time. However, each ransomware attack is unique to the impacted organisation. The attack group, jeopardized data set, and potentially impacted third-party is somewhat unique to every situation. Organisations often deliberate long and hard before deciding to meet the ransom demands.”

As Div pointed out, a company’s lawyers and insurer will be involved in the decision to pay the ransom, and companies make decisions based on what they think is in the best interest of the company, its customers and shareholders.

However, with the ‘business’ of cyber-crime, and especially ransomware demands, now appearing to be a very lucrative one for the criminals concerned, one might be forgiven for thinking that a much more proactive risk management approach now needs to be taken by the corporate sector and its insurers. This is set to be a long and hard fight.