Last week, we provided our assessment of the 2024 election security threat landscape and offered free SentinelOne assistance to state and local governments on the front lines of democracy.
This week, we provide our assessment of financially-motivated cyber crime, including ransomware, and articulate a path forward for businesses.
Please subscribe to read future issues — and forward this newsletter to interested colleagues.
Contact us directly with any comments or questions: [email protected]
PinnacleOne ExecBrief | Financially-Motivated Threats
Last week, the 2023 Ransomware Task Force (RTF) released their updated Global Ransomware Incident Map. Their data showed a 73% increase in ransomware attacks from 2022 to 2023, highlighting what they see as a shift toward “big game hunting,” where cybercriminals target high-value organizations. The map, based on data from eCrime.ch, identifies 6,670 ransomware incidents, with notable increases in sectors such as healthcare, construction, financial services, and IT consulting. Major incidents, such as CL0P’s exploitation of the MOVEit vulnerability, contributed to this surge, affecting over 2,700 organizations.
Ransomware groups like CL0P and LockBit continued to dominate the landscape in 2023, with the Ransomware-as-a-Service (RaaS) model proving lucrative for cybercriminals. While CL0P’s activity surged due to large-scale exploits, LockBit maintained consistent operations, including the notable Royal Mail attack. Globally, ransomware incidents increased across regions, with significant spikes in Latin America and Southeast Asia. The healthcare sector saw a marked rise in attacks, reflecting its vulnerability.
These trends have continued through 2024, with the frequency of ransomware attacks declining from the 2023 summer peak but remaining at a very elevated level.
Much ink has been spilled on how governments can best deal with ransomware, criminal cyber actors, and cyber-enabled extortion. Recommendations range from “a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign” to more oversight of the ransomware insurance market. But many recommendations focus on what governments can do, not businesses.
Our recommendation to business is straightforward: form a pricing cartel, first among your industry, then – underwritten by your insurers – across industries. A good example of how this works is in the kidnapping and ransom insurance market.
Kidnapping and Ransom Insurance Inspo
The breadth of victims for cybercriminal groups is as big as the economy itself. Once a company is hit, incident response teams are called in to limit the damage and evict the bad guys, and negotiations begin. While SEC rules are increasing some transparency around attacks and payouts, thresholds for materiality, and thus disclosure, are evaluated and established on a per-company basis. This landscape creates an information asymmetry on the price of ransoms that favors the bad guys. This asymmetry is key to continuing the extortion of companies for higher-than-warranted prices. Victims do not have to allow the landscape to exist in its current form. Although the prices of kidnapping and ransoms increased through the 1970s, The Economist argues that payouts were ultimately brought down by coordination between K&R insurance providers. In 1975, Argentinian kidnappers extracted a $60m ransom for Jorge Born.
A Cheaper Option, Now
Only a handful of insurers underwrite ransomware coverage policies. Coordination between these insurers would reduce the current pricing information asymmetry that favors attackers. Setting soft price caps on payouts that gradually decrease overtime, requiring the use of insurance-cartel-approved negotiators—and deploying similarly-vetted cybersecurity incident response teams—would have an immediate and long-term impact on reducing the costs of ransoms.
Meanwhile, the price of cyber insurance spiked in 2021 and remains persistently elevated:
Unfortunately, some insurers that offer ransomware insurance do not require the use of approved negotiators with a proven track record of success, and some insurers recommend second or third tier incident response companies–both moves waste the victim’s money and disadvantage small to medium sized businesses that cannot afford top tier responders without better quality coverage.
An easy first move is to ask the right questions while shopping around insurance coverage: “Does this policy cover reputable incident response teams?” and “Will they cover good negotiators for our company?” Answers to these will help determine your short-term outcomes.
Once you’ve established a relationship with the insurer, price-fixing between your company and your competitors (preferably with your insurer’s buy-in and coordination) is key. As momentum builds, criminal groups will try to force defection from shared pricing caps to regain the upper-hand. It will be a struggle. But if industry and insurers share the same goal of saving money quickly on cyber crime, a pricing cartel is a good way to start.