The evolution of extortion tactics in ransomware attacks

The evolution of extortion tactics in ransomware attacks | Insurance Business America

This article was produced in partnership with Tokio Marine HCC – Cyber & Professional Lines Group.

Bethan Moorcraft of Insurance Business sat down with Tamara Ashjian, Director of Claims, Tokio Marine HCC – Cyber & Professional Lines Group to discuss the evolution of extortion tactics in ransomware attacks.

Ransomware is rampant in the business world. Over the past year, ransomware attacks and related cyber insurance claims have surged in both frequency and severity. One factor driving this concerning trend is the evolution of extortion tactics.    

Sophisticated threat actors are increasingly deploying additional layers of extortion beyond the initial installation of malware and data encryption, making it harder for businesses and their cyber insurers to shake off attacks unscathed.   

“A year ago, a ransomware claim would come in, and when we would determine that the insured had secure data backups, we’d be happy because the threat actor did not encrypt that data. Our initial thinking would be: ‘We don’t have to pay a ransom because we can re-create everything from the backups,’” said Tamara Ashjian, Director of Claims, Tokio Marine HCC – Cyber & Professional Lines Group.

“But lo and behold, that’s becoming irrelevant now, because even if the [threat actors] are unable to encrypt the insured’s backups, they’re threatening to exfiltrate their data and post it on data leak websites if the demand is not paid. We’ve been so concentrated on the deployment of the ransomware that shuts everything down, but we started seeing this trend in the last six months where there is no encryption of data, but hackers have threatened to publish sensitive information.”

While ransomware attack victims can use the services of forensic investigators to monitor data leak sites and the dark web for illegally exposed data, this does not eliminate the double extortion threat. Hackers will typically show their victims a sample of the files they have exfiltrated, so the insureds know their data is in the wrong hands and they’ll have to negotiate if they want to remediate any potential damages.  

Ashjian commented: “Now ransomware events are more dangerous because the hackers are threatening to leak sensitive information to the public, and it’s more likely that the insured is faced with the difficult decision of paying the ransom demand or not, even when their data is not encrypted, since there is a possibility of having their clients’ and/or employees’ information out there. It’s a different way to attack, but we’re definitely seeing more of it.”

Traditionally, one of the first lines of defense against cyberattacks of any kind was to have secure data backups stored offsite and offline. While that may mitigate the encryption component of ransomware attacks in some circumstances, it does not always prevent such attacks, and it doesn’t protect against data exfiltration or resultant business interruption. One of the reasons businesses should buy cyber insurance is for financial security, Ashjian stressed, because even with the right backups, the most secure systems and the best endpoint monitoring, some hackers have become so sophisticated that they’re able to penetrate systems and cause irrevocable damage, such as bankruptcy.

Beyond data encryption and exfiltration (the first two methods performed during a ransomware attack), there is also a risk of hackers initiating distributed denial-of-service (DDoS) attacks, especially if victims refuse to negotiate and pay. These DDoS attacks, which disrupt the corporate network by overwhelming it with a flood of internet traffic, would cause additional business interruption to a business that’s already rallying to recover from the initial ransomware event.

“We’ve also seen harassment of C-suite executives, where the CEO [of the victim organization] has received calls from the threat actors, and suddenly, the incident becomes very personal and the insured panics even more,” Ashjian told Insurance Business. “Our stance has always been: ‘We’ve hired experts, let’s see what we can do. You don’t want to give in right away and pay the first demand you get.’ But that becomes very hard for insureds to comprehend when the CEO is getting calls or they’re being threatened.

“Sometimes it depends on who the insured’s clientele is. If they’re a business with celebrity clients, for example, then a data leak in that instance is going to be a lot more problematic than it would be for businesses with other types of clients. That makes our job more difficult, because you really want to negotiate the best deal in a situation, but sometimes, because of the circumstances and the high potential of impending litigation, there’s a lot of pressure from the insured to resolve the matter at any cost.”

One thing that Ashjian has noticed is that threat actors are using more sophisticated strategies to ensure their attacks generate as much financial gain as possible. In contrast to three or four years ago, when many hackers made random hits without really knowing their targets, they now know exactly who they’re attacking and what information they can threaten to leak.

“Another thing we’re noticing is, once they’re in the insured’s system, they’re immediately looking for insurance policies,” Ashjian added. “When our experts are negotiating with them, and they take the stance of: ‘Well, the insured can’t pay that,’ the threat actors come back and say: ‘Yes, they can, they have a $10 million policy.’ This is what we’re dealing with. It’s become very complex, and there’s something new every few weeks.”   

Tamara Ashjian is a Director in the Cyber & Professional Lines Group Claims Department at Tokio Marine HCC. Tamara oversees and manages the Claims team, which focuses on the handling of litigation and claims resulting from cyber and technology liability incidents.