Paul Martin and Colin Rooke give an update on ransomware.
Listen to the full podcast here, or read the transcript below.
Paul Martin:
Welcome to Risky Business Commercial Insurance with Butler Byers. This is business commentator Paul Martin, joining me as always, Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. Colin, end of the year, start of a new year. This is the time when we start to get data and we get analysis of trends and which way things are going when we get year-end figures. I’m assuming they’re starting to trickle in now as we get a little bit into 2024. One that was prevalent a couple of years ago and we really didn’t talk about much last year was cyber and the ransomware and all of that sort of stuff. But I gather it’s making a bit of a comeback. Is that a fair description?
Colin Rooke:
It is, yes. Very fair. So 2023 was the largest as far as successful ransomware payouts; 2023 was the largest ever recorded, after, yeah, it really did take a dip in 2022. You’ve got Russia in conflict with Ukraine, so when they’re focused on war, they’re less focused on, well, stealing your data or encrypting it or deep fakes, social engineering. And so there was a dip. And then I’m assuming, and yeah, I’m sort of blaming Russia, but I’m assuming that the war is getting quite costly. It’s lasting longer than they thought it would. So they’ve really ramped up the efforts. And it is very interesting that ransomware is back. Now, the type of ransomware has changed, but for the last 18 months or so, I mean almost actually closer to two and a half years, I’ve been saying it’s really gone away. We’re now in the era of AI and social engineering and deep fakes where they’ll spend months learning.
They’ll be in your system for months learning every keystroke so they can replicate you. Exactly. And then they strike. However, that’s proving to be a lot more costly. And so they say, let’s go back to old reliable, where we can go for the big game, the big fish, or at least the big dollars. It’s not necessarily only the big company, but just they’re saying to themselves, rather than death by a thousand cuts, we’ll just go back to large ransomware payouts. And so yeah, just big changes in the industry. So to give you some context, the grand total for successful reported ransomware payouts was exceeded in the fourth month of 2022, or sorry, 2023. So they beat the 2022 total four months into 2023. And then the average payout, or I guess successful payout, has gone up four times that of 2022. And so it’s more often and it’s larger dollars. And then I guess what I find very shocking as well is when it came to ransomware across the industry, so all industries all reported, 40% of extortion payments were successful, 40% of the time. If they had something you needed, you paid the freight, which is a pretty high success rate.
Paul Martin:
Those are staggering numbers. And to think that it had gone away, or at least we had the perception that it had gone away. In fact, all it was doing was evolving. And I guess, like any other business, the business of being a cyber pirate, you look at ways to get more efficient and lower your costs and increase your revenue. And they were able to start to figure it out: I don’t go for your whole envelope of data, I just start to get more selective and get the stuff that’s more sensitive.
Colin Rooke:
And it’s really important to understand that this is for profit. There’s colleges, there’s whole organizations that only exist for cyber crime, and these are not individuals playing pranks on companies in their basement. I mean, this is big business. And so they took a step back. And so the nature of ransomware has completely changed. So they are essentially moving away from data encryption. They’ve determined that on the cybersecurity side of things, that it’s proving to be more difficult to get in. They can do it, it just takes longer. So it might take a week to actually get ready to encrypt from the initial breach. And then it takes a lot of manpower to both encrypt the data and then actually, when the ransom is paid, it takes a lot of manpower to get that up and running. So they’re saying, we don’t like that because that’s a lot of overhead.
And so the more successful they are, the more overhead they have. And maybe they don’t like paying employee benefits, I don’t know. So what they’ve turned to is back to sensitive or restricted data. And so rather than say, we have just turned everything off, and if you want that back, you’ll pay the following, they said, too much work. They’re looking for sensitive data, restricted data, data that you don’t want out. And all they do is say, this is what we have. If you don’t pay the following by X, we’re going to release it. And so the challenge with that is, when you’re dealing with encryption, you’ve got some choices. You can say, I have backups. Yeah, we’ll be down for a week, but we prepped for this. We listened to Colin, and so we’ve got an incident response plan, and we’re pretty confident that we’ll be up and running right away and the impacts will be minimal. And the cyber crime experts know that. And so they say, okay, well, yep, we’re going to go back to those tidbits that you will pay to not have released. Or if we do, there may be litigation against you for losing it. And that seems to be the new angle.
Paul Martin:
It is just getting more sophisticated, isn’t it? I mean, this is the whole point, and you made a comment earlier that I’d like to explore: I gather, to a degree, this is state-sponsored stuff as well. Some of these, you talk about the war in Russia and Ukraine, that part of this is a mechanism for funding the military effort, isn’t it?
Colin Rooke:
Yeah, they say that.
Paul Martin:
I guess we don’t really know, but we can speculate on that.
Colin Rooke:
Yeah. Where if you look at where the crime is primarily centered, the activity and the investment in these publicly, or sorry, yeah, publicly funded schools, it certainly appears that there’s an investment made and it’s government involvement. Another interesting stat, and it’s funny that I have to completely change my tune on it from the last five or six years. So I used to say, and the data now reflects a totally different argument, that if you were a victim of ransomware, there was honour among thieves, I said it all the time, that typically you aren’t hit again. And the other funny thing about this business is that there’s a lot of competition. So there’s some research that shows now that 80% of organizations that do pay are victims again. And also for 29% of extortion victims, when that company does in fact pay, that data is still released nonetheless. I guess there’s less honour among thieves, and because of competition, there’s no real list that says this is off limits, we already got them once. They’ll come back because they know that someone else is going to anyway. So it’s particularly concerning.
Paul Martin:
Alright, we’ve got to take a little break, Colin, so just stand by. We’ll be back in a couple of minutes. You’re listening to Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. This is Risky Business. I’m Paul Martin back after this.
Paul Martin:
Welcome back to Risky Business Commercial Insurance with Butler Byers, Paul Martin here. And joining me is Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. Colin, I guess what we’re seeing is this evolution that we’ve been talking about in the way the cyber criminals and ransomware are being played out now. So even if you’re kind of up to speed as a business owner, you really have to refresh yourself on this, don’t you? Because this game is changing and the way the pirates are coming at you is changing and evolving as well. Are you seeing any other trends here? Are we able to see in data what direction this thing is moving into?
Colin Rooke:
Yeah, another, I guess, shocking overall trend. Then I’ll give some sort of industry trends on the nature of the crime and where it’s going. But so what’s happening? So there’s a new, I guess, big game target, and these are third-party vendors. And so rather than go after the mothership, they’ll go after a third-party supplier. And often that is an IT provider. And so a cautionary note is that when choosing a third-party vendor, someone to, if you’re outsourcing your IT, you really want to make sure, I guess you are feeling they have a handle on your cybersecurity. You want to see a detailed plan, you want to be completely up to speed, you want to know that they’re going, they’re lifelong learners, because again, I guess in the effort to be efficient, they’re saying, well, rather than go after one company, we can go after a company that services hundreds, maybe thousands of companies, and then we can extract sensitive data from it and all of them at the same time. And so I’ve talked about cloud providers, how they’re just a business as well, and that your data could still be lost, but there seems to be a trend saying, well, we’ll go after a third-party vendor that works with some of these large ones, and we’ll start there. And so really, further to that, just where is this going?
How is this threat going to evolve from 2024 into 2025? Well, it’s about 101 billion projected by the start of 2025 spent on service providers specific to cybersecurity. There is 3.5 million open cybersecurity positions worldwide. So that’s today’s stat, 3.5 million jobs. These are people saying, we need help with this, and come work for us, whether it’s a third party or not. But that’s a lot of open positions. Premium growth is expected to increase by 21%. Now, that’s not all increases, but those choosing to take out cyber liability policies, depending on the industry, we actually, we are seeing rates stabilize, some decrease, depending on who they are. So it’s not all just rate increases, but premium growth overall. And they’re anticipating by the end of 2025 that the total cyber, the annual cost of cyber crime globally, will be 10.5 trillion. Trillion’s a big number.
Paul Martin:
That’s a staggering number. It really is. And I mean, as someone who watches the evolution of the business community, I’m taken by just how much the IT and security industries are coming together and how they are changing. I think back three, four or five years ago, I might’ve known of one or two companies in the province, for example, or players that were kind of specialized in the cyber world, and now there’s way more of them and they’re far more sophisticated, but they’re also getting size. They’re getting the weight and scale and clout that they need to be able to take this on. So what this says to me is that the player on the negative side, the pirate, if I can use that term, they’re getting more sophisticated. They’re turning into heavyweights. And to compete with them, to actually protect yourself against them, you need to be a heavyweight on your side of the equation as well.
Colin Rooke:
And one of the best ways to actually get a handle on where you stack up is to purchase cyber liability insurance. And here’s why. Almost every single insurer now will do a third-party scan or an audit, or they will monitor your system remotely, included in the premium. And you think, well, there’s no free lunches. Why would they do that? Why would they monitor my system 24/7 and why would they invest? And there’s got to be hidden fees. No, because if you are paying a premium, let’s say it’s $20,000 for 5 million in cyber liability coverage, rest assured they don’t want to pay that 5 million. So if they can invest and if they can look for abnormalities, if they can help you avoid an incident, they’re going to. And so some of the best ways to get a handle on, do I have a breach that I don’t know about, is actually through the policy itself.
They’re very good at doing scans on the dark web to say, do I have customer data that’s leaked, or email addresses or websites or web addresses linked to the business they don’t know about? And so they’re actually, contrary to a lot of lines of coverage, they’re really putting in the effort, and one of the best ways to actually monitor activity is to have a policy, because the insurers are saying, this has to be profitable for us. I mean, we’ve got to offer the coverage, but we have to make money while we do it. And so it’s really a great way to mitigate risk.
Paul Martin:
All of this sounds quite daunting. And so if I’m a small business owner or a medium-sized business owner or someone in management who is responsible for this, saying, what do I do with this? This just starts to get to where I feel like I want to crawl in a hole and pull a blanket over myself.
Colin Rooke:
Yeah, I can see there’d be an urge to just cut the internet cord and go back to handwritten checks. It is pretty scary stuff, but there’s a lot you can do, but really, if you’re putting in the work, you can do a very good job of mitigation. It’s those that are saying, we don’t matter, there’s nothing that we have that someone wants, or that’s someone else’s problem, it’s big business’s problem. But I’m going to give one last shocking stat. So this is from the United States government, the National Security Agency, and so last year, 4,000 ransomware attacks per day in the US. And again, this is right from a government agency, publicly available information. I mean, that’s a scary thought. That is just in the United States, that’s not worldwide, and that’s growing.
Paul Martin:
Yeah, it really is. It’s growing. It’s scary. And if we leave people who are listening to this, if we leave them with one message, it’s, yeah, you can deal with it, but you have to deal with it, right? You can’t ignore it. You have to actually just take it head on, and people such as yourself and your organization, you can help walk them through this and explain it and give them some confidence that you can significantly improve what you’ve got right now. Just give us a call. Yeah, absolutely. You’ve been listening to Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. I’m Paul Martin. This is Risky Business. Thanks for joining us. Talk to you next time.