Encryptionless Extortion Attacks and IT Supply Chain Risks
In the ever-changing world of cybercrime, the ransomware environment appears to be shifting again, with an increase in encryptionless extortion attacks. At the same time, recent events have highlighted the risks in the IT supply chain.
The shift away from encryption
Over the past year, observers have noted an increase in attacks that don’t use encryption, and a rise in the number of extortion groups operating this way. Rather than encrypting data — a tactic that has been a foundation of ransomware attacks — many cyber extortionists now threaten to release it publicly if no payment is made.
By not encrypting stolen data, threat actors eliminate the time, effort, and cost needed to develop and support software for both encryption and decryption. This kind of attack may also be less visible and less likely to attract law enforcement attention; by contrast, the Colonial Pipeline ransomware attack in 2021 drew a significant law enforcement response because it affected critical infrastructure.
Before this latest change of tactics, threat actors typically would both encrypt the data and threaten to release the exfiltrated copy publicly if a ransom was not paid. These “double extortion” ransomware attacks were the most common method employed by threat actors during the past year or two. By threatening to make data public, the attackers could increase the likelihood that a company would still agree to pay even if it had backed up all of the stolen data.
Before ransomware, threat actors’ main activity was to steal data and sell it. Many companies would learn about theft only after the FBI or another organization let them know their information was for sale on the dark web. The development of ransomware — and then ransomware as a service (RaaS) — allowed cybercriminals to encrypt and hold data and systems hostage, and demand payment in exchange for the keys to unlock it. For the criminals, extortion was a more efficient way to operate. For companies, it added the spectre of business interruption losses as well as the cost of meeting regulatory requirements, such as breach notifications and credit monitoring in the case of stolen personal data.
Whether the trend toward encryptionless extortion continues, and how it might impact cyber insurance and claims, remains to be seen.
Regardless of the type of cyber threat, companies will need to decide whether they will pay a ransom to obtain the decryption key, to stop the release of the stolen data, or both.
One complication that accompanies theft without encryption is that it can be more difficult for companies to decide whether to pay a ransom, and how much to pay if they do so. Organizations need to assess the possible damages resulting from a release or threatened release of data while also judging the threat actors’ “trustworthiness” — are they going to comply if a ransom is paid? Or are they going to retain data for a new extortion attempt?
Another complicating factor is that the loss or release of data could trigger regulatory inquiries and class action or other litigation/arbitration.
Potential privacy liability is a major driver of decisions, but it can be extremely difficult to put a value on when deciding if a ransom payment will be beneficial economically, or if it will, in fact, reduce future liability. Privacy liability claims significantly increased over the past few years, and the settlement values have also been increasing, making this a large unknown.
The decision can be more straightforward when criminals encrypt data and cause business interruption (BI) losses. For example, a company might be able to determine that BI losses are costing $1 million per day. If the cost to decrypt will be $X thousand, but will enable the business to be up and running in a few days, the math may point to a decision to pay the ransom. However, every situation is unique, and a decision to pay or not to pay a ransom can have consequences beyond the specific incident at hand.
If data is stolen but not encrypted, the scenario will be different. While there may not be damage in the form of BI losses, depending on the specific circumstances, regulations could require the company to send breach notifications anyway, and possibly pay for customer credit monitoring. This can also increase the likelihood of a lawsuit.
Other factors that may influence the decision to pay include whether the exfiltrated data is business sensitive, or possibly embarrassing.
In some instances, insurers may more deeply scrutinize ransom payments where there is no encryption, especially if breach notification laws are triggered. If ambivalence about paying ransoms increases, some observers wonder if data theft will go full circle, with more criminals simply selling stolen data on the dark web and avoiding working with their victims.
IT supply chain attacks
Several attacks this year against file-transfer service providers have reinforced the need for vigilance around cybersecurity controls, such as rigorous monitoring of the measures taken by vendors and suppliers.
File-transfer services are widely used among organizations of all sizes, and a breach or theft may involve the data of hundreds of thousands of their customers. Just one of the recent attacks has exposed the data of hundreds of organizations and tens of millions of individuals.
Understanding the risk can be further complicated if the attack succeeded by going through a vendor two or more layers down the IT supply chain, where that vendor, rather than the company itself, holds the account with the file-transfer service. At renewal, insurers now ask questions aimed at understanding the risks deeper in IT supply chains.
For insurers, these situations raise the issue of systemic risk, where thousands of their insureds can potentially be exposed by an attack on a single company. Some carriers have even discussed developing a type of “systemic event” exclusion, but such a limitation is extremely difficult to define and apply.
In the State of Cyber Resilience study issued by Marsh and Microsoft, survey respondents typically ranked ransomware at the top of the cyber risks facing their organizations. It’s critical to have an effective, updated incident response plan that addresses extortion. The plan should be discussed across the enterprise, including at the board level, and should address major issues, including the ransom payment decision and financial, reputational, and other factors.
As companies review their cyber controls, they should pay particular attention to those that have proven to be most effective broadly and/or within their industry.
And please reach out to your Marsh advisor with any questions regarding cyber risk concerns.