adimas - Fotolia
Insurance giant Beazley saw a huge spike in ransomware attacks in 2019, reporting a 131% increase in client incidents, according to new research from the company.
The recently-published 2020 Beazley Breach Briefing, which drew data from 775 ransomware incidents reported to Beazley Breach Response (BBR) Services, disclosed an increase in attacks, severity, disruption and payment demands last year.
Unlike the increases in reported ransomware attacks in 2018 and 2017, which were 20% and 9% respectively, last year's reported incidents "skyrocketed," according to Beazley. In addition to the jump in overall attacks, ransom demands have also surged.
"The sums being demanded by cybercriminals have also expanded exponentially, with seven or eight figure demands not being unusual," BBR Services wrote in the report.
The uptick trend isn't specific to 2019. Ransom demands have been increasing over the course of several years, said Katherine Keefe, head of BBR Services.
"I think it's because the criminals have been successful and they've become emboldened by that success," Keefe said. "Cybercriminals also look at things like the size of the organization and how they advertise themselves on their own website. Generally speaking, the larger the organization, the higher the demand."
The report did not say how many clients opted to pay the ransom, as Beazley does not disclose such data.
Healthcare, MSPs attacked
Attacks against healthcare organizations accounted for much of 2019's incidents, leading all industries with the highest percentage of ransomware incidents at 29%, according to the report.
"It's a combination of a rich amount of data, vulnerable industry sector because of the critical data and some success on the part of the criminals that this crime -- and it is a crime -- that works and it's lucrative to criminals," Keefe said. "They are calculating about it. It is not a matter of luck. They purposefully attack an organization they think they can hold over a barrel and extract significant funds because of vulnerability and sensitivity of data."
In addition to healthcare organizations, cybercriminals also targeted third-party vendors such as managed service providers in 2019. "At least 17% of all ransomware incidents reported to Beazley originated from attacks on vendors," BBR services wrote in the briefing.
BBR Services tackled ransomware myths in the report as well, such as the idea that "paying the ransom is always faster than restoring from backups." That is not the case, Keefe said.
"I think the decision to pay or not to pay is an individualized one," "The decryption process post payments is not just a matter of turning a key and all the sudden the medical records are back online," Keefe said. "It's server-by-server, desktop-by desktop and it can be a prolonged period of time. Whether it's influenced by who the attack group is, their history and credentials in providing an accurate decryption code, the nature and complexity of the organization's own ecosystems, those factors all combine to form a picture of how involved the decryption process post paying a ransom could take."
Once an incident is reported and negotiation is required, Beazley works with incident response company Coveware to assist clients. Keefe said Coveware has historical data on various ransomware groups concerning aspects such as the success rates for decryption.
"They will communicate with the attackers to understand who they are, what their history with them has been and their inclination regarding negotiating a drop in the ransom demand," Keefe said. "[It's important] to understand the attackers' ability to provide the decryption code in a manner that is useful and workable for the attacked organization."
Coveware recently partnered with antimalware vendor Emsisoft for an initiative to give healthcare providers free ransomware response services during the coronavirus pandemic.
Though Coveware has not seen hospitals and healthcare organizations hit by ransomware attacks lately, they have seen an increase in a different industry.
"Schools are getting hammered by ransomware attacks," Bill Siegel, CEO of Coveware, said. "As schools have had to shift to remote operations, they are struggling to meet the pressure to keep student services up and keep security tight. It's a terrible predicament, but we encourage school IT security admins to take their time, and more importantly, for school administrators to grant them the time they need to configure their networks for secure remote access and learning. A few days off to properly configure is much better than a month of downtime because of a ransomware attack."
And surge in ransomware attacks is not expected to decline any time soon, according to BBR Services.
"Ransomware attacks in their current form are far too successful and profitable for cybercriminals to shift course," BBR Services wrote in the briefing. "While it is difficult to predict the next type of attack, we can speculate as to targets. Products and services with a large market share, as well as communication devices, smart TVs and cloud-based security and monitoring tools."