by Dr. Alan Shark
Ransomware attacks are on the rise, affecting both private and public entities, and they appear to be reaching epidemic levels. The hackers are successful because they continue to exploit known and unknown vulnerabilities – despite the federal government’s call to not give in to ransomware demands. Not surprisingly, local governments are indeed paying, but they have a new partner – insurance companies.
Information on such attacks is difficult to come by since there are no federal or state laws requiring ransomware attack disclosure. Most experts agree that many ransomware attacks go unreported.
Just a few years ago, many in government believed ransomware was a menace that only happened to “others”, and besides, hackers were initially demanding relatively small ransom amounts of just a few hundred dollars. Most paid as they believed they had no other choice. Ransomware attacks initially targeted small local governments that were more likely to lack some basic safeguards. However, we would later learn large cities make excellent targets too.
Those choosing to pay the ransomware demands do so claiming it was a business decision, reasoning that it would be much cheaper to pay the bad guys than to bear the cost and enormous time it could take to restore systems from back-ups. Even small police and sheriff departments have become victims.
The US Department of Homeland Security and the Federal Bureau of Investigation have repeatedly recommended that no entity, commercial or government, should comply with ransomware demands. The three major reasons offered have been:
This past July, the U.S. Conference of Mayors passed a resolution calling on “cities not to pay ransom to hackers who have taken over government computer systems through cyberattacks.”
Because cyber criminals demand payment in the form of cryptocurrency, Bitcoin has become the payment method of choice since payments are essentially untraceable. Ransomware can cause havoc to a system in one or all of four ways: exploitation of a software vulnerability; employees opening malicious email attachments; employees visiting hyperlinks (phishing exploits) sent in spam emails; or employees simply landing on contaminated websites.
Things started to change in March 2018 when the City of Atlanta was hit with a ransomware attack. The attackers demanded approximately $51,000. The City decided not to pay and instead developed plans to rebuild its systems. To date the City has spent over $2.7 million to bring its systems back online. In May 2019 the City of Baltimore experienced a ransomware attack that literally shut down nearly all government operations and services. Like Atlanta, the City decided not to pay the attackers, who demanded a ransom of $76,000. To date the City believes it will spend upwards of $18 million.
Perhaps a further turning point occurred in June 2019 when Riviera Beach City became a ransomware attack victim. The City Council voted unanimously to pay the attackers $600,000 to decrypt their systems. What made this decision significant was that it was made in public and received national attention. It was the highest amount publicly reported to date. But there was another factor at play – the city council made its decision after conferring with its cyber insurance provider. And it is understandable why an insurance company would want to pay and minimize its losses based on what others had had to shell out in system restoration.
Had the Cities of Atlanta and Baltimore carried cyber insurance, much heartache and time and money spent on system restorations would have been avoided. While insurance companies have incentives that make them more apt to pay, cyber criminals have an incentive to honor their side of the bargain when their demands are met. After all, who would ever pay a ransomware demand if the hackers did not provide the means to restore systems and simply ran away with the money?!
Cyber insurance has been around for over 15 years and has covered many aspects of cyber-attacks as well as damage to systems due to malware. In the past 2 years, cyber insurance has gained more attention, which appears to be fueling the growing ransomware epidemic. Cyber insurance is offered by a handful of companies, and there are no fewer than 6 state-wide local government associations that offer cyber coverage. One problem with local government risk pools is that they often have limits to coverage or caps due to the relatively small risk pool reserves.
Unlike car insurance, cyber insurance is not easy to obtain, and it is not unusual to see a required questionnaire that asks dozens of questions. Annual premiums are based on what the insurance company believes are the inherent risks. I know of at least one public entity whose application was initially rejected. Insurance carriers want to make sure that a local government adheres to basic policies such as employee awareness programs, patch management policies, back-up policies and procedures, DR plans, and much more.
Insurance companies have become more actively involved by dictating terms and conditions, as they understandably view everything through a risk assessment prism. It should be noted that insurance companies have invested heavily in educating key employees and often require governments to adhere to leading practices.
As the ransomware epidemic grows, it is feared this will ultimately lead to higher and perhaps unaffordable premiums. This will most likely impact those most in need of coverage – namely smaller jurisdictions. Hackers will most certainly become further emboldened, demanding higher ransom amounts, and more attacks will certainly continue given the minimal risk of prosecution coupled with a growing success rate. The vicious cycle of attacks and payments will continue to grow. And having cyber insurance may make local government entities an even more attractive target if hackers learn who has insurance coverage and who does not.
So how does this cycle end? The long-range answer is to focus more attention and resources on ransomware avoidance and recovery. The risk of ransomware attacks can be dramatically reduced or even avoided. The solution lies in new software and hardware technologies as well as improved staff training and certifications.
Finally, there are workable back-up solutions that protect both data and operating systems so that recovery in the event of an attack can be accomplished in short order. Of course, the bigger question is who pays the cost? One can only hope that state and federal authorities would make this a high priority and provide the required support. Ultimately, working with industry, law enforcement and government, we need to find a way to make sure cyber-crime does not pay and is no longer the growth industry it has become.