In late January 2020, court filings in the United Kingdom revealed that an unnamed Canadian insurance company had been victimized by a ransomware attack the previous October. Approximately a thousand of its desktop computers and 20 servers had been infected. The hackers, who infiltrated the company’s IT system and installed malware called BitPaymer, demanded a US$1.2-million ransom be paid in Bitcoin, the most prominent cryptocurrency, to unlock the hijacked files.
Fortunately for the insurance company, it had purchased cyber insurance coverage from a U.K.-based reinsurer, which negotiated a $950,000 payment to the hackers, although it took 10 days to resolve the matter. The reinsurer then initiated a lawsuit against the unknown attackers and Bitfinex, the cryptocurrency exchange that was holding most of the ransom payment in a digital wallet, to recover the money.
The U.K.’s High Court froze the 96 Bitcoins in question and ordered Bitfinex, which is based in Hong Kong but registered in the British Virgin Islands, to reveal the identity of the hackers. It is unknown at this time if Bitfinex complied.
The ruling had another significance: In English law, it solidified the status of cryptocurrencies and crypto assets as a form of property, which opens the door for proprietary injunctions.
Although a notable victory, the ongoing legal case hardly puts a dent in the seemingly endless onslaught of ransomware attacks around the world. The FBI, which has recently renewed a warning to businesses, governments and other institutions that ransomware attacks are on the rise, reported in 2017 that, “On average, more than 4,000 ransomware attacks have occurred daily since Jan. 1, 2016. This is a 300 per cent increase over the approximately 1,000 attacks per day seen in 2015.”
In October 2019, Cybercrime Magazine predicted a dire escalation in the problem. “Ransomware is expected to attack a business every 11 seconds by the end of 2021,” editor-in-chief Steve Morgan wrote. The magazine’s parent company, Cybersecurity Ventures, estimated that, “global ransomware damage costs will reach US$20 billion by 2021—57 times more than in 2015. This makes ransomware the fastest growing type of cybercrime.”
Considering the frequency of attempted incursions—and the cost not only of the ransom but, more critically, of the disruption to an entity’s ability to conduct business—many companies and institutions remain ill-prepared to defend themselves. Given the example of the Canadian company that had its ransomware loss covered by insurance, obtaining coverage might seem like a logical step. However, several issues need to be considered.
One is the cost of a policy, which is rising and typically has a large deductible; another is the irony that, by having coverage, an organization might be making itself a more attractive target. Fleming Shi, CTO and founding engineer of the American digital security firm Barracuda Networks, says that attackers are looking for targets who have insurance because they view them as easier to extort a payment from. He thinks insurance has contributed to a rise in the amount of money hackers are demanding, from an average of US$4,000 per attack in the U.S. in 2018 to approximately US$41,000 by the end of 2019.
Whatever decision an organization takes regarding insurance, it is imperative that it makes ransomware protection a top priority. That means preparing a risk profile, perhaps with the assistance of so-called “white-hat hackers” (security experts who will assess how easy or difficult it is for intruders to gain access to an organization’s system, either by trying to penetrate its defences or through tabletop exercises).
A dedicated cybersecurity team should be put in place that includes not just internal personnel but external experts as well. Hackers’ methods grow ever more sophisticated, and in-house experts are often too busy to keep up with the latest developments. Relying solely on the CIO, for example, to keep abreast of new offensive and defensive techniques may not be the best decision.
It might also be prudent to find out where to obtain Bitcoin, or some of the other several thousand cryptocurrencies (the top 10 control about 85 per cent of the market). If an attack is successful, and the victim decides to pay the ransom, time is of the essence. The longer the system is inaccessible, the greater the potential harm or damage.
But the most important form of defence, more than likely, is the least expensive and easiest to conduct: educating employees. Many hackers gain access to a company’s computer system through a simple phishing email. A survey by the German portal Statista identified spam and phishing emails as “the leading causes of ransomware infections.”
Ransomware attacks are likely to increase in the near future. Although no measure can guarantee protection against such harmful intrusions, organizations can mitigate or prevent potential losses by taking proactive steps. Preparing for a clandestine intrusion has become an unfortunate reality of today’s digital universe.