Just two years ago, ransomware was crippling organisations to the tune of millions of dollars. Today, risk management can cautiously celebrate, having reduced the severity and number of claims. But with a new wave of attacks likely around the corner, it’s not quite game over.

It was the year 2021. The year that ransomware exploded.

The Colonial Pipeline in the US paid a total of $4.4m to hackers who brought gasoline and oil supplies to a standstill across eastern parts of the US.

ransomware, system hacked

Weeks later, Ireland’s nationalised healthcare system came to a halt, after Russian-based criminal group Conti infiltrated IT systems and demanded $20m in payment, according to reports.

Soon after, New Zealand’s healthcare system suffered a ransomware attack, causing widespread disruption to patient care and international uproar to hold attackers to account.

An estimated $590m was paid in ransomware-related transactions in just the first half of the year.

And this is a figure likely to only include payments originating from the US, according to US agency FinCEN. It also doesn’t account for recovery costs – which could be anything from $761,106 to $1.85m, says Sophos’ State of Ransomware Report 2021.

The cyber insurance market also hardened that year, as demand for insurance grew and a low supply of capital led to higher premiums.

A CRO’s perspective

Carl Leeman, chief risk officer at Katoen Natie, outlines the vulnerabilities that ransomware will use to attack you, and how collaboration with your IT department could be crucial:

The top three ransomware risks are:

  • Non-segregated networks and admin accounts allowing ransomware to spread across the organisation
  • Awareness of employees on how to recognise potential dangerous links
  • No adequate XDR (extended detection and response) solution and monitoring to identify breaches in an efficient and timely manner

We should also keep our eye on how AI and ChatGPT progress.

We are yet to see any serious ransomware risks related to this, but the expectation is that AI and large language models will be able to generate malicious software a lot faster than it can be combatted.

Automation and randomisation will be a big challenge for all companies. And phishing remains the number one entry point.

With potential follow-up and getting files installed for backdoors, ransomware is not just losing your data, but it potentially being sold or made public.

Early detection is key as bad actors remain in the estate for a prolonged period to cause maximum harm. It is worth thinking about backup solutions, which can now offer immutable backups to ensure safety of data.

In addition, risk managers should work with their IT departments to ensure: segregation and isolation of network environments and accounts; that there are decent backups, monitoring and prevention software in place; and that employees are trained on security.

Maturing cyber defences

But now, fresh data suggests signs of promise: ransomware incidents declined globally from 21% in 2021 to 17% in 2022.

That’s according to the IBM X-Force Threat Intelligence Index 2023, which noted: “Deployment of backdoors was the top action on objective last year [2021], occurring in more than one in five reported incidents worldwide.

“Successful intervention by defenders likely prevented threat actors from fulfilling further objectives that may have included ransomware. Fewer cases of ransomware have been reported.”

It is this “successful intervention”, that has led to a drop in attacks across Europe – in particular in France – says Philippe Cotelle, vice-president at FERMA and head of cyber insurance management and insurance risk management at Airbus Defence & Space.

“Large multinational corporates, which suffered significant cyber-related and ransomware attacks in 2021, have improved their security and have raised their maturity with regards to cyber defence.”

“The ransomware landscape today is not as challenging as you may have read in the past,” he says. 

“Large multinational corporates, which suffered significant cyber-related and ransomware attacks in 2021, have improved their security and have raised their maturity with regards to cyber defence. They are much more robust and resilient to today’s attacks.

“We were able to see a reduction in the number and severity of claims, which, from our analysis, suggests that even if they had suffered an attack, they had been able to reduce the magnitude of any potential impact.”

And there are statistics to back this up. Cotelle, who is also a board member at the French risk management association AMRAE, led a study on cyber insurance coverage across France on behalf of the association.

Four years of claims data from 10 brokers across the country and 9,672 cyber insurance policies were analysed.

“Even if they had suffered an attack, they had been able to reduce the magnitude of any potential impact.”

The study found that among large corporations, there was a 20% reduction in the number of cyber-related claims (which includes ransomware) and 50% reduction in the amount paid, or in other words, a 50% decline in the severity of the claims.

Mid-sized companies also experienced significant reductions – the number of claims dropped by 30% and the amount of compensation declined by 70% in 2022.

Insurers in other parts of the world have also produced data that suggests a similar conclusion.

Insurer Beazley, headquartered in the UK, says its risk and resilience research data indicates that the threat of cyber risk to global business leaders peaked in 2021 at 34% but has since dropped significantly to 27%.

A temporary reprieve?

This ‘improvement’, however, may only be temporary, according to Sydonie Williams, Beazley’s focus group leader, cyber risks. “We noticed a big trend in ransomware attacks in 2019 and 2020, fuelled by COVID-19 and the ability to exploit vulnerabilities from the shift to work from home.

“Then, when Russia invaded Ukraine, there was a burst in the cyber crime industry bubble, as international hacking groups disbanded and joined the war effort. So, for businesses, there was a temporary reprieve from the frequency and severity of cyber crime, and attacks dropped.”

She adds: “Now, we’ve come to a stalemate for the war. Nationalism is being trumped by the need for money, as these hackers from both sides put aside their differences and are reforming.”

“We must remain cautious. But the fact of the matter is, prevention pays off” 

If Williams’ analysis proves true, we’re likely to see ransomware attacks pick up again in 2023–2024. Nonetheless, for Airbus Defence & Space’s Cotelle,  this doesn’t negate the idea that prevention is effective.

To him, the data doesn’t tell a story of cyber extortion. It tells a story about the successes of risk management.

“Our research demonstrates that prevention works. When stable risk management is effectively deployed across an enterprise, the ability to resist threats improves significantly,” he says.

And as for the ‘temporary reprieve’ and a potential hike in attacks over the coming years, the answer is to resist resting on one’s laurels: “We must remain cautious. But the fact of the matter is, prevention pays off,” Cotelle concludes.

How to mitigate cyber attacks

Philippe Cotelle, vice-president of FERMA, gives his three steps to success when building a successful cyber defence.

1) Develop a group-level risk management plan

This should be a top-down process, where boards and executives provide clear strategic guidance on the direction the company should take with respect to cyber protection, including the importance of deploying a cyber risk management plan, the associated activities and teams, an education and awareness framework, and budgets.

2) Do your prep work

This can be improved with scenario analysis and ‘tabletop exercises’, where departments are placed under pressure to see how they would react in the event of a cyber attack. Feedback from these exercises should inform internal procedures and policies.

3) Include crisis management planning

This should involve all key personnel on technical, business and corporate sides and be backed by crisis management teams.