For cyber insurance firm Coalition, there was some good news in the first half of the year, with the number of claims filed by companies attacked by ransomware groups declining slightly year-over-year.
However, that was offset by a sharp spike in the average loss suffered by the companies that were attacked.
In its latest mid-year 2024 Cyber Claims Report released this week, the insurance firm found the number of ransomware-related claims fell 10% (though they rose 34% in Canada), but the severity of the claims jumped 68%, with the average loss reaching $353,000.
That said, Rob Jones, Coalition’s head of claims, noted during a webinar about the report that a ransomware attack comes with a host of costs, from filing a claim, litigation, and regulatory issues to the reputational hit among customers, employees, and business partners. Jones added that “within the pay-or-no-pay decision, we support policyholders evaluating their options and making decisions based on the specifics of their situation and with the benefit of privilege, legal advice and support of their IR team.”
In the report, Coalition focused on three cyberthreats – business email compromise (BEC), funds transfer fraud (FTF), and ransomware. Ransomware accounted for 18% of event types among claims filed, behind both BEC at 32% and FTF – which is a financial fraud crime that involves a bad actor stealing money from a victim’s bank account – at 27%.
However, ransomware played an outsized role, with the increase in the average cost being the key driver behind an overall 14% increase in the severity of all claims, which rose to an average loss of $122,000.
The ransomware numbers followed what Coalition called a “volatile” 2023 and continued to track a seasonal trend.
There are “consistent drop-offs in the summer months and spikes during the winter holidays, which appears to be a conscious attempt by threat actors to go unnoticed within a system at times when businesses are typically slower to react,” Jones said. “We will soon see winter and holidays come, when these incidents do tend to increase.”
Ransom Demands Grow
According to Amy Cohagen, senior incident response analyst at Coalition, the average ransom demanded by threat groups was more than $1.3 million, with two groups in particular – Play and BlackSuit – driving up the number, with average ransom demands of $4.3 million and $2.5 million, respectively.
She also noted that the average ransom figure doesn’t include the other costs of an attack, including business downtime, remediation, forensic investigations, dealing with lawyers, and notifying customers of the incident.
A key reason for the discrepancy between the amount of ransom demanded and the average cost of a ransomware attack is that 60% of Coalition clients don’t pay the ransom, Cohagen said during the webinar.
“Some choose not to pay on principle,” she said. “Many simply don't want to fund a threat group or otherwise reward them for compromising their network. Another reason could be any out-of-pocket costs, depending on their policy. They may or may not have to contribute out of pocket to the ransom demand amount. Other times, we've seen instances where a [ransomware] group just doesn't have enough leverage on the policyholder to entice a payment.”
That leaves 40% of clients hit with ransomware paying the demand, either because some critical data set is inaccessible or because their business would be heavily impacted if the data were publicly leaked. She added that if a company does “decide to pay for whatever reason, it's important to understand that the initial ransom demand is not set in stone and it can be negotiated.”
Negotiating Works
According to Cohagen, Coalition’s incident response team includes people who can negotiate with the bad actors, and who have negotiated down payments for clients by an average of 57% of the original demand.
Combined, BEC, FTF, and ransomware accounted for almost three-quarters of all reported claims in the first half of the year, a trend that has been fairly consistent for more than three years, she said.
Cohagen and Jones both noted that the growing use of AI technologies by hackers is making it easier for them to produce phishing emails at scale and harder for defenders to detect them, which has been an ongoing worry of cybersecurity firms since OpenAI introduced ChatGPT almost two years ago. Typical indications of a phishing email – such as poor grammar or syntax and typos – are smoothed out, making the messages seem more legitimate.
“AI has the ability to rapidly scan and analyze large datasets such as social media profiles, public documents, online activities, and that can help actors identify valuable targets more quickly,” Cohagen said. “AI also has the capability to extract details from these large datasets, and that can include information about a company's hierarchy or personal details about employees, all of which can be leveraged to easily craft personalized phishing messages.”
This highlights the importance of investing in security awareness training for employees, she said.