According to a recent report by cyber insurer Coalition, ransomware claims have seen a significant increase of 27% in the first half of 2023, resulting in debilitating losses for businesses. The report, titled “2023 Cyber Claims Report: Mid-year Update,” analyzed data from Coalition customers across the US, ranging from small businesses to larger enterprises. While funds transfer fraud and business email compromise remained prominent attack methods, the resurgence of ransomware claims after a long decline has raised concerns.
Coalition determined that ransomware attacks were the main driver behind a 12% increase in overall claims frequency during the first half of 2023. These attacks accounted for 19% of all reported claims to the cyber insurer, with the Royal and BlackCat/Alphv ransomware gangs causing the most trouble for policyholders. The severity of ransomware claims also reached a record high in the first half of 2023, with an average loss amount surpassing $365,000. This represents a significant spike of 61% within six months and a staggering 117% increase within one year.
Several factors contributed to this historic high in claims severity. Higher ransom demands, along with the resulting business disruption and service restoration costs, all played a role in the increased losses. The largest spike in ransomware activity was observed in May, although Coalition stated that their claims data did not indicate a significant connection to Russia’s invasion of Ukraine, as reports had suggested.
Data from TechTarget Editorial’s 2023 ransomware database revealed that there were 33 confirmed ransomware attacks in May, compared to 29 in April and 24 in March. Many of these attacks targeted municipalities and were attributed to the Royal operators. For instance, the City of Dallas disclosed that it suffered an attack in May, leading to prolonged disruptions. While the city government confirmed receiving a ransom demand, the exact amount remained undisclosed.
Coalition’s mid-year report also found a correlation between ransom demands and the increase in attack frequency. The average ransom demand for Coalition customers in the first half of 2023 was $1.62 million, representing a substantial increase of 47% over the previous six months and 74% over the past year. However, it is worth noting that most policyholders did not give in to these demands.
According to the report, 36% of Coalition policyholders decided to pay a ransom in the first half of 2023 when it was deemed reasonable and necessary. The insurance carrier also played a role in negotiating down initial ransom demands, achieving an average reduction of 44%. The decision to pay a ransom is typically made collaboratively between the carriers, claims handlers, clients, and lawyers, taking various factors into account. These factors include a business’s ability to meet payroll or provide services to clients, as well as the extent to which sensitive data is at risk.
One notable finding from the report was the increasing shift in the ransomware landscape, with threat actors embracing data theft and extortion threats over encryption of victims’ systems. While Coalition included such attacks in its report, it acknowledged that they represent a minority of incidents. Nevertheless, these attacks were categorized as ransomware due to the demands made to suppress data leaks or restore access to stolen data.
To address the growing threat of ransomware, Coalition strongly advised enterprises to maintain backups, implement timely patching protocols, and enforce multifactor authentication (MFA) on all critical accounts. The report also highlighted phishing as the leading attack vector for cyber insurance claims, emphasizing the importance of MFA in preventing such attacks. Coalition’s Chris Hendricks noted that the success of phishing attacks has been increasing, signaling the growing effectiveness of this technique.
Another social engineering tactic on the rise is vishing, a combination of voice and phishing attacks. The use of deepfake technology and AI to emulate voices and create more convincing scripts has given attackers an advantage in these attacks. Hendricks cited instances where threat actors impersonated victims and even used voice prompts to bypass MFA. While MFA may not always be sufficient to prevent such attacks, it is considered a necessary security measure, along with two-step verification and a defense-in-depth approach.
In summary, the report by Coalition highlights the alarming increase in ransomware claims and their impact on businesses during the first half of 2023. With higher ransom demands and the growing shift towards data theft and extortion, organizations need to be proactive in implementing security measures such as backups, patching, and MFA to mitigate the risk of falling victim to these attacks.