In recent months, Beazley Breach Response (BBR) Services has seen the number of reported ransomware incidents climb again. The varieties of ransomware and the differing technical abilities of the criminals make effective response especially challenging. Breach response services, such as forensics and legal counsel, are often necessary in ransomware attacks to determine the attack vector and level of access obtained by the attacker. If the attacker accessed or exfiltrated personally identifiable information or protected health information, notification to affected individuals may be required by law.
In September, our insureds were hit particularly hard, with notifications to Beazley of ransomware attacks more than doubling relative to August. It is unclear if this spike will continue, as up until September the overall number of ransomware incidents in 2018 had been holding steady with 2017 numbers. Healthcare is still the most targeted industry (37%). The next hardest-hit sector was professional services (11%). In Q3, financial institutions saw an 18 percentage point increase in ransomware attacks over the previous quarter.
Ryuk and BitPaymer have been associated with some of the highest ransom demands. Kivu Consulting has reported that the BitPaymer ransomware is appearing on systems that have also been infected with banking Trojans - malicious programs used to obtain confidential information of customers using online banking and payment systems. In July, the United States Computer Emergency Readiness Team (US-CERT) issued a warning about one banking Trojan in particular, Emotet, which is spread through phishing and possesses sophisticated capabilities to download other malware.
Successful decryption of ransomed data has also become more challenging. Winston Krone, global managing director of Kivu Consulting, describes "a sharp increase in 'bad' ransomware strains - where the malware carries out the encryption but has poor functionality, fatally corrupts substantial portions of the victim's data, fails to decrypt properly after payment of a ransom, or is favored by volatile, unskilled attackers who are unable to troubleshoot decryption issues."*
In the more sophisticated attacks, we have also seen ransom demands increase significantly, up to as high as $2.8 million. In these instances, criminals have either targeted the victim organization or, upon obtaining access, discovered that they had more leverage and therefore increased the ransom demand. They've also done reconnaissance on the victim's network and compromised backups before deploying the encrypting malware, which puts pressure on the organization to pay the ransom.
In the first nine months of 2018, 71% of ransomware incidents handled by BBR Services impacted small and medium-sized businesses. There are likely several explanations for the high percentage. First, larger companies often have more resources to put better controls in place to prevent ransomware from coming in or spreading throughout the network. Second, smaller companies are less likely to have properly segmented their backups, resulting in a higher likelihood that they will need to pay the ransom to get back up and running. Additionally, larger companies may have viewed the WannaCry and NotPetya worldwide attacks as wake-up calls and implemented better system patching protocols.
Increase of ransomware attacks in Q3
Causes of incidents, 2018
The top two causes of data breaches reported to BBR Services in Q3 2018 were hack or malware attacks (47%) and accidental disclosure (20%).
Breaches by industry
Business email compromise incidents continue to rise and have more than doubled in the first nine months of 2018 compared to the same period in 2017. The attacks continue to be broadly distributed across industry sectors, including healthcare, financial services, professional services and higher education.
Higher education incidents, 2018
Hack or malware incidents were up 7 percentage points from the same period in 2017 to 52% of the total number of incidents for higher education institutions. Social engineering incidents also increased 4 percentage points, while accidental disclosure numbers fell 9 percentage points. The increase in social engineering incidents is due to an increase in fraudulent wire instructions.
Financial services incidents, 2018
The number of hack or malware incidents reported to BBR Services in Q1-Q3 2018 increased 5 percentage points compared to 2017. However, accidental disclosure incidents decreased 6 percentage points.
Healthcare incidents, 2018
Accidental disclosure (32%) leads the causes of incidents in healthcare despite an 11 percentage point drop from the same time in 2017. Hack or malware reports increased from 20% to 30% in the course of a year.
Professional services incidents, 2018
Social engineering incidents (3%) have decreased 14 percentage points in 2018, while the number of hack or malware cases reported by professional services increased 7 percentage points.