Responding to a Ransomware Attack

How the negotiator, government and cyber insurance impact the outcome

As hackers have grown more sophisticated over the last decade, ransomware has emerged as their preferred attack vector. Ransomware is one of the most efficient ways for them to extort massive amounts of money in a short period of time.

This trend has been recognized globally, demonstrating a profound increase in sophisticated ransomware incidents focused on targets in critical infrastructure organizations, according to the Cybersecurity & Infrastructure Security Agency in a joint cybersecurity advisory with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Australian Cyber Security Centre (ACSC), and the United Kingdom's National Cyber Security Centre (NCSC-UK).¹

Ransomware continues to ravage the bottom lines of the hacker's victims, as well as cyber insurance carriers. By threatening to publicize their victims' most sensitive data if their demands are not met, ransomware attacks often lead to victims paying six-to-seven figure extortion payments. Hackers may even reach out directly to individuals whose data is held hostage, such as the organization's key clients or employees.

But extortion payments represent just part of the financial losses. Downtime costs, which may include lost business and extra expenses, can dwarf the extortion payments.

The role of the ransomware negotiator

One of the most critical steps an organization can take to mitigate the financial and reputational harm that almost always follows a ransomware attack is to have a strategy in place before an attack occurs.

The first step is to assemble an internal incident response team, comprising cross-functional roles that span many departments, including risk management, IT, legal, operations, communications, compliance and the C-suite. This team should align with key external breach response vendors, often provided through a cyber insurance policy via a pre-approved panel. They can include breach coaches, IT forensics investigators, credit monitoring firms, call centers and the all-important ransomware negotiator.

Ransom negotiators may be employed by IT forensics investigation firms, but sometimes operate as independent vendors. They play key roles in ransomware response, including:

Collecting and analyzing cyber threat intelligence
Analyzing the blockchain of transactions associated with hackers' digital wallets
Reverse engineering and analyzing ransomware strains and exploitation tool kits
Documenting for Office of Foreign Assets Control (OFAC) compliance reports
Collaborating with law enforcement
Opening communication with a hacker
Negotiating reductions in ransom demands
Providing immediate access to cryptocurrency
Facilitating payment to hackers

Arete, a leading IT forensics investigation and ransomware negotiation firm, has investigated and negotiated over 2,500 ransomware attacks. It found that a wide variety of industry sectors have negotiated and paid ransoms, with payments ranging from $130,000 to $2,600,000.

For informational purposes only.

According to Arete, one of the hackers' most favored ransomware variants is Conti, for which the average demand has been $1,561,184. However, Arete has negotiated significant reductions with hackers using this variant, leading to an average payment of $412,586. Almost half of the Conti victims decided to pay, and average downtime for all victims was just under six days.

The role of government

The U.S. and international governments have increased their efforts to work with and provide insight to the private sector, particularly regarding the ransomware epidemic. In 2022, this includes enhanced threat intelligence-sharing and a priority of protecting critical infrastructure.

In 2021, the U.S. government provided guidance around U.S. Department of the Treasury's OFAC, specific to whether ransom payments can legally be made. The private sector may face severe penalties for non-compliance with government-mandated OFAC requirements and should closely watch enforcement efforts in 2022.

We expect law enforcement to become more proficient at helping victim organizations recover ransom payments to threat actors by employing a combination of cryptocurrency experts, computer scientists, blockchain analysts and crypto-tracers. We also expect law enforcement to adopt a more aggressive offensive strategy in disrupting ransomware-as-a-service (RaaS) affiliates.

Impacts to the 2022 Cyber Insurance marketplace

Cyber carriers are taking deliberate steps to combat increasing loss ratios attributed to ransomware attacks, and we're beginning to see evidence these efforts may be paying off. According to a recent Fitch report, cyber loss ratios were beginning to trend down.

Despite these positive signs, we expect the cyber market to remain challenging at least for the near term. Cyber underwriters are wary of the heightened risk environment, particularly related to the Ukraine-Russia conflict. Therefore, cyber insurance buyers will likely face four specific challenges for the remainder of 2022:

Rate increases. Cyber premiums continue to increase across the board. Industry sectors such as municipalities, higher education, technology and manufacturing face the highest premiums.
Coverage limitations. Many carriers have imposed sub-limits specific to ransomware claims that can reduce coverage to 50% or less of the policy limit. Coinsurance provisions may also require an insured to pay half of the loss amount up to the sublimit.
Capacity constriction. Carriers continue to limit their capacity. Most are offering maximum policy limits of $5 million, both at the primary and excess layer level.
Greater underwriting scrutiny. Almost all carriers are requiring more details around the insured's data security controls. Several now require ransomware supplemental applications consisting of dozens of detailed and complex questions to see how well an organization is managing the ransomware threat.