Many ransomware attacks are “spray and pray,” with criminals unleashing crypto-locking malware installers, often via spam or phishing campaigns, to opportunistically infect as many organizations as possible, regardless of their size or industry, security experts say.
Some ransomware-wielding criminals, however, choose to target specific organizations in pursuit of a payday. In March, for example, aluminum giant Norsk Hydro was hit by crypto-locking ransomware called LockerGoga, which researchers say is used in one-off attacks by attackers who purposefully hack into the targeted organization, often via poorly secured remote desktop protocol settings (see: Hydro Hit by LockerGoga Ransomware via Active Directory).
But some attackers could be going further. A ProPublica report published last week suggests that some hackers are actively selecting targets that they know carry cyber insurance on the basis that they’ll be more likely to pay ransom demands.
To back up that assertion, the report cites Fabian Wosar, CTO of Emsisoft, a cybersecurity vendor based in New Zealand that has released free decryption tools for various strains of ransomware and assisted many victims. Wosar tells ProPublica that after one small insurer highlighted some of its cyber policyholders on its website, three got attacked.
Another, unnamed cybersecurity executive told the publication that the FBI had told him that “hackers are specifically extorting American companies that they know have cyber insurance.”
Attackers could potentially gather such knowledge by studying insurance companies’ sites to find the names of some organizations they insure. In addition, U.S. Securities and Exchange Commission cybersecurity guidance recommends that public companies tell shareholders – via their public, quarterly filings – whether they carry cyber insurance.
“My suspicion is that, in some cases, bad actors are specifically targeting entities that are known to be insured,” Wosar tells me. “This would make sense as insured entities are probably statistically more likely to pay ransom demands. Like other businesses, criminal enterprises adopt strategies that have been proven to work – and attacking insured, public entities has certainly been proven to work.”
He adds: “Of course, this is simply speculation based on the very limited information that’s publicly available. It could also be the case that the attacks are completely random and non-targeted.”
Cybercrime: Time is Money
Several security experts, however, express skepticism that enterprising attackers are actively working to select cyber policyholders for infection over other potential targets.
“I don’t think it’s the way that this market works – and we very much view it as a market,” says Bill Siegel, CEO of Coveware, a Connecticut-based ransomware incident response firm. “These guys go after the low-hanging fruit because it’s cheap and the conversion rate is high. And whether or not those victims end up having insurance is just a roll of the dice.”
By “conversion,” Siegel is borrowing sales parlance, in which the conversion rate measures how many prospective customers become paying customers. Ransomware-wielding gangs take the same approach, except that they’re criminally attempting to psychologically compel victims into paying. “Ransomware is a financial crime,” he says.
Date: September 10, 2019
Source: Bank Infosecurity