Published on the 12/09/2019 | Written by Heather Wright

The maths of extortion…

As ransomware attacks continue to rise and the number of high profile payouts increases, the role of insurance companies is coming under scrutiny with claims the providers are encouraging further attacks through applying simple maths and instructing companies to pay ransoms.

When it comes to ransomware, general consensus has always been to not pay the bad guys. But as the plague of attacks continues, a number of high-profile cases have seen organisations, including several US cities, do just that.

“It’s a perverted relationship.”

Earlier this year Riviera Beach paid US$600,000 and Lake City paid $462,000 in ransoms after being hit by attacks.

It’s not just a US phenomenon either. Delta Insurance, which provides cyber insurance in New Zealand, told iStart last year that about 80 percent of the claims it was seeing was for ransomware attacks, with most payouts for the cost of IT experts to restore systems. But they admit resolving the issue can sometimes mean paying the ransom, even though that’s something Delta doesn’t recommend except as a last resort.

Now a new investigation from ProPublica, a US site set up to ‘expose abuses of power and betrayals of public trust by government, business and other institutions’, is causing a storm of controversy with its claims that the insurance companies are fuelling the ransomware rise and helping create an extortion economy.

While there might be some logic in companies paying out ransoms to – hopefully – get their data back quickly rather than incurring the financial and time costs to retrieve it themselves, ProPublica says insurance companies are ‘both fuelling and benefiting from’ ransomware, accommodating attackers demands ‘even when alternatives such as saved backup files may be available’.

File recovery, notes ProPublica, can cost – and it’s not just the cost of the staff to retrieve data, with insurers keen to avoid having to reimburse victims for revenues lost as a result of lengthy service interruptions during recovery.

The report says as criminals demands are growing as insurance companies pay out six- and seven-figure ransom payments. It goes so far as to suggest that attackers are specifically targeting companies that have cyber insurance, citing one example where one small insurer highlighted the names of some of its cyber policy holders only to have three attacked by ransomware.

Fabian Wosar, CTO for antivirus provider Emsisoft, told ProPublica that cyber insurance is keeping ransomware alive.

“It’s a perverted relationship. [Insurers] will pay anything, as long as it is cheaper than the loss of revenue they have to cover otherwise.”

The Propublica investigation is, however, being disputed by some. Jonathan Schwartz, Marc Voses and James Paulino from law firm Goldberg Segalla, took to legal update, analysis and insights website Lexology, to dispute the report.

They say there is scant evidence to support the suggestion that the proliferation of cyber insurance is fanning the flames of cyberattacks, and argue that cyber insurance ‘merely offers insureds options in how to respond to a ransomware event’.

“The article’s claims fail to explain how insurers could possibly exert leverage over insureds in this example or to cite any empirical evidence that insurers are putting their interests above those of their insureds,” they say.

“While the ProPublica article suggests the cyber insurance industry may bear responsibility for the increasing frequency and severity of ransomware attacks, that hypothesis cannot survive scrutiny, especially when viewed against the backdrop and in the context of the role of insurance in ransomware negotiations.”

It’s clear the topic of ransomware is increasingly murky.

While the United States Conference of Mayors, which includes more than 225 mayors, recently pledged not to pay ransoms, some who haven’t paid out are facing steep bills.

Baltimore official are transferring US$6 million from a parks and public facilities fund to pay for the May ransomware attack on that city, with the city estimating the attack will cost at least US$18.2 million in delayed or lost revenue and direct costs to restore the systems.

Atlanta, meanwhile was expecting to pay US$9.5 million to clean up and recover from an attack. The (unpaid) ransom? US$51,000.

But despite the steep costs from not paying out, for the most part the official line on ransomware remains ‘don’t pay’ for a number of reasons, not least of all because payment doesn’t guarantee a safe return of data, and can lead to further attacks.

Joel DeCapua, FBI cyber crimes division supervisory special agent, said in a Symantec blog that as well as helping bolster the proliferation of ransomware attacks, with ransoms often being used to help the bad actors target others, paying out doesn’t always work for the organisation attacked.

“Organisations that pay a ransom think their problems are over. But a lot of times there’s a lot of nasty malware left on their systems that they don’t know about. You can pay, but there’s still malware on there, re-infecting the system or stealing information.”