In a webinar discussing the state of the cyber insurance market in Q4 2024, Helen Nuttall, UK head of cyber incident management at Marsh Specialty, highlighted the two key claims trends shaping the cyber risk landscape today – ransomware and supply chain risk.
Focusing on ransomware, the headline is a bleak one – “it hasn’t gone away”. The NCSC’s latest annual report identified ransomware as the most pervasive cyber threat to UK organisations, and it continues to affect organisations of all shapes and sizes. In slightly more upbeat news, however, she noted that ransomware payment rates continue on a downward trend, falling from 80% of victims in 2019 to 32% in Q3 2024.
“So, while ransomware remains a real problem, the fact that many victims are choosing not to pay is testament to improved cyber security and resilience, and we're seeing fewer victims feeling obliged to pay the ransom for a number of reasons,” she said. “It could be that they have secure available backups, meaning that they don't need to pay for a decryption key. It could be that their cyber security measures actually caught the threat actor in the act, preventing encryption entirely.
“Or potentially that the reputational impact of being a ransomware victim is perceived as less severe than it used to be. We see these headlines on a daily basis nowadays. The other reason why ransom payments are decreasing is likely to be the increased law enforcement activity and heightened sanctions regimes globally. Law enforcement continues to try to disrupt and unmask these ransomware groups, adding their names to global sanctions lists and making it more difficult for these individuals to operate and monetise their activities.”
Changes to the legal landscape are also a crucial consideration. Australia has implemented a new mandatory reporting law aimed at ensuring organisations are transparent with law enforcement about ransoms being paid, which may also have a deterrent effect. On the flip side, Nuttall said, while the proportion of victims paying declines, the average ransom paid has continued to rise as threat actors seek to maximise the profitability of the attacks that do pay.
“We've seen some exceptionally high ransoms being reported this year, such as the $75 million ransom paid to the Dark Angels group, which was reported as the highest ever ransom paid at that time,” she said. “These sums make headlines, but they do tend to be the outliers. Average payments are significantly lower than that, and in Q3 2024, the average ransom payment was around $480,000.”
Extortion negotiations that involve ransomware experts are generally highly effective, Nuttall said. “We've seen average reductions of over 60% being achieved from the headline demand down to the final payment, which is why it's essential to bring in external expertise when considering payment of a ransom,” she said.
Identifying some of the measures threat actors now use to persuade organisations to pay, Nuttall noted that in previous ‘state of the market’ presentations Marsh has discussed a range of tactics, including encryption of data, denial of service, data exfiltration, and the naming and shaming of organisations on leak sites. Threat actors are increasingly combining all of these methods to increase pressure on their victims to pay, she said, but recent trends have seen them resort to even more desperate measures, including physical threats.
“We've seen at least two examples in the UK of executives receiving physical threats to cause injury or harm to them or their families during the course of a ransomware event,” she said. “Those threat actors have access to [victims’] home addresses and phone numbers as a result of the breach, and so these threats can cause real fear and anxiety for the individuals and their families and can't be underestimated.”
Continuing on the theme of threat actor tactics, she noted that lateral movement remained the most commonly observed tactic in Marsh’s cases, appearing in 84% of cases in Q3. This is primarily driven by the exploitation of exposed remote services such as RDP. Meanwhile, 76% of cases involved data exfiltration, so that remains a critical concern for organisations. “We see exfiltration of data either as a precursor to an encryption attack or sometimes as the sole objective.
“We see increasing numbers of data exfiltration events that don't involve encryption, and the threat actors just rely on the threat to name and shame organisations and publishing the data online to get their ransoms paid, rather than encrypting systems.”
The median number of employees at companies impacted by ransomware in Q3 was 258, Nuttall said, which spotlights how ransomware continues to be a major risk for small and medium-sized firms, and is not just an issue for big companies.
Sharing some proactive steps that organisations of any size can take to dramatically improve their response to incidents and minimise losses and claims, she highlighted five key areas to consider, each with preparation and practice at its core: