Cyber insurance carriers are facing challenges in adapting to the changing landscape of ransomware attacks. In recent times, attackers have shifted their tactics from encryption to data theft and extortion threats. These threat actors are now pressuring victims to pay by threatening to leak highly sensitive data, such as stolen photos and videos, if the payment demands are not met. This change in tactics has been seen on a large scale, with ransomware groups exploiting zero-day vulnerabilities to access and steal confidential data, without encrypting it. One example is the Clop ransomware gang, which used a vulnerability in Progress Software’s MoveIt Transfer product to steal data from victim organizations.
This trend of data extortion over encryption was highlighted in Crowdstrike’s 2023 Global Threat Report, which showed that 71% of recorded attacks in 2022 were malware-free. Ransomware attacks, specifically, saw a 20% increase in threat actors using data theft and extortion without deploying ransomware. Despite the decline in encryption, ransomware attacks remain profitable. A recent study by cryptocurrency analytics firm Chainalysis revealed a sharp increase in ransomware payments in the first half of 2023, with the Clop group being the most profitable.
The increase in data-centric attacks has raised concerns for cyber insurance carriers. These companies are now re-evaluating their policy requirements and incident response processes to focus more on data security. However, this shift has also led to further challenges for insured organizations. Premium costs have increased, and coverage has been reduced. Insurers are now imposing stricter requirements, such as endpoint detection and response, on their clients. These changes are driven by the increased data breach element and the need for organizations to notify affected parties once data is exfiltrated, even if there is no network disruption.
To mitigate the risks associated with data extortion attacks, cyber insurance carriers and organizations are implementing various strategies. Partnering with cybersecurity vendors is one approach taken by companies like Cysurance, which has formed partnerships with Sophos and Kaseya. These partnerships provide discounted coverage for customers that implement the vendors’ security products. Implementing products that limit the risk of data extortion, establishing broader perimeter security postures, and implementing privileged access management are also crucial steps for organizations.
Another important aspect of adapting to the evolving ransomware landscape is comprehensive insurance language. Insurers are updating their policies to include the deletion of data as a type of recovery. This change reflects the growing concern among organizations that their stolen data may be leaked or misused. By including data deletion as part of the coverage, insurers are providing a means for organizations to mitigate the risks associated with data theft.
Overall, the shift from encryption to data theft and extortion threats in ransomware attacks has posed challenges for cyber insurance carriers. These companies are now re-evaluating their policies and processes to prioritize data security. Insured organizations are facing increased costs and reduced coverage as a result. Implementing comprehensive security measures and partnering with cybersecurity vendors are some of the strategies being adopted to mitigate the risks.