Experts suggest AXA’s plan to shun ransomware payouts will set a precedent (cyberscoop.com)
93 points by wglb on May 11, 2021 | hide | past | favorite | 102 comments



> A representative of the REvil ransomware gang said in a March interview that the group specifically targets victims known to have cyber-insurance, because they’re “one of the tastiest morsels” who can more easily afford to pay.

Wow.


Not surprising.

Having insurance just means you're a more attractive target now.


And if the interviews on infosec podcasts are any indication, insurance also means complacency on a management level because "we have insurance", and the insurers don't require you to actually make your security better.

So being cyber-insured:

- likely to have money to pay the ransom

- probably not really implementing strong security policies

- management more important than reality, so engineering buy-in is unlikely, which also means backups and redundancies are unlikely to be effective at the target

This makes you wonder who ends up paying for all of this (with time, energy, money, mental health).


I think there's a net benefit to both sides here. The insurers probably charge a lot, in part because the risk is so hard to estimate and changes constantly with changes as well as new CVEs. I doubt they're losing money. The insured company gets benefits in terms of opex instead of capex, but more importantly, gets the expertise of the insurer in dealing with the situation.

In that interview, the hacker also talks about liking working with insurance companies because they understand how this situation works. They don't try to negotiate down to 10%; there's an understood negotiation window. They know how to get the bitcoins and send them, and probably know how to do bookkeeping for all of that.

I think it's closer to ransom insurance. The insurance company paying the ransom is a benefit, but not the primary reason to pay them. You pay them because they know what to do in that situation, and paying for ransom insurance looks slightly less ridiculous than paying a retainer to a Hostage Rescue Team. Most of the ransoms for hacks I've seen seemed well within the ability of the victim to pay. It's more about the negotiator that comes along with it, the bookkeeping, ensuring you get proof, ensuring they actually follow through, etc, etc.


That's a perspective I probably heard before but completely forgot about. Nice summary!

I suppose having an efficient resolution to any 'problem' would be a net benefit for all parties involved, even if we would think all sorts of negative thoughts about it from a technical perspective. The same goes for botched negotiations or indeed people who don't even know how to deal with cryptocurrency.

It does make me wonder when thinking about hostage negotiations if that parallel insurance concept has different requirements on the company in question. Say you ship expensive employees to a facility in a country where they are likely to be captured for ransom, you'd expect some training for the employees to deal with 'being held hostage', or 'reducing the likelihood of being taken'. If that is the case, something similar would be sensible in the ransomware scenario, right?


> This makes you wonder who ends up paying for all of this (with time, energy, money, mental health).

The employees who are force-fed "security" crapware that some clueless CTO or other high level manager got sold at a golfing course (or got bribed to do such as Netskope did, see https://news.ycombinator.com/item?id=27047474), evaluated it on the specsheet as "fulfills the requirement of the insurance" and passed the can of turds down the line, for one.


> This makes you wonder who ends up paying for all of this (with time, energy, money, mental health).

With money? The cost gets passed on to the customers. In a few decades, the invisible hand of the market might push those customers to firms taking this issue seriously... But I think that to be quite unlikely.


> This makes you wonder who ends up paying for all of this (with time, energy, money, mental health).

> the insurers don't require you to actually make your security better

Dumb insurers it seems. Money going from dumb actor to smarter actors. This is capitalism.


I wonder if it would make sense that the insurance policy offers a bounty on the hackers after the ransom has been paid. It makes your clients less attractive to attack and might in the long term lower your underwriting costs.


And insurers themselves are good targets, as they give you a validation list of covered businesses to go after, as they're likely to pay out...


How would one go about finding out if a company has cyber insurance?


Phish the insurance company for a list of customers?


https://www.scmagazine.com/home/security-news/ransomware/pol...

By targeting the insurers themselves (their cyber isn't magically better....), and getting a customer list.


A modern manifestation of moral hazard lol


If an insurance pays off ransomware attackers then it seems like a viable target for insurance fraud.


"Millions for defense, but not a damned penny for tribute."

- Charles Cotesworth Pinckney when asked for tribute by the Barbary Pirates

Maybe we need to start treating ransomware attacks more like this. Spend money on hardening targets. Also pursue a policy of economic sanctions against countries that tolerate these types of activities in their borders. Maybe we need to make it possible to quarantine countries from the rest of the Internet who abuse the commons.


I don't see this being true as hackers targeting.

Cyber insurance is not generally public information.

Moreover, there are different flavors of cyber insurance. Some of which cover ransom pay and some do not.

Having knowledge of such a thing means only 1 thing: Someone in the hacker group has access to insider information. Only select people have access to such policies.

Call me a skeptic but I would assume 1 of 100 such hacks don't actually know the cyber coverage that the target has. The ratio of 1:100 may be larger if you expanded the question to hackers knowing which companies have cyber coverage... but not which flavor. I still think this is a limited number anyway.

AXA here is just taking the easy route out. A lot of unsuspecting customers (startups) will buy this and get surprised 10 years from now, because their CEO did not bother to read the fine print of a 30 page document.

Lots of lawsuits on the horizon.

Insurance is literally protecting yourself from long tail events. This is such a thing.


> Cyber insurance is not generally public information.

It might not be required to be, but it might still be disclosed anyway for various reasons in public market filings, on investor calls, employees talking in social media, and so forth.


I find it difficult to believe that CEOs and their advisors would not read insurance contracts. This may seem true, but any business with a corporate counsel and a team contemplating buying insurance is likely to take care to ensure that they contract for, and purchase, the product they intend to purchase.


Well, from the industry, re-insurance contracts aren't hard to read, but they are written in legal prose that's quite far from your average reader's day to day reading. Let's say that in 50 pages of boilerplate only twenty items mark the exact risks covered. That's why most firms use brokers to translate the T&C to PowerPoint. Obviously important contracts get read and negotiated by teams. And then ten years and a few renewals pass, people move on and suddenly you've got a coverage on a historic part of your portfolio that nobody groks. We're all human.


Note that this change in policy is probably ahead of a potential legislation by the government. Some industries do not like being regulated, and insurers are painfully aware of the impact of legislation. So this is more of a reaction than an initiative, but still kudos to them; it won't solve anything in the short term, but if it makes businesses invest more in clean security practices, why not.


>A spokesperson for AXA XL [...] said the announcement doesn’t apply [...] to ransomware-related incident cleanup costs.

So rather than paying the ransom, they'll hire a "ransomware cleanup" consultancy which cleans up the ransomware by paying the ransom (under the table and with plausible deniability, of course).


I read that certain ransomware distributors have been found to operate their own cleanup/“negotiation” service. Can’t be bothered to find a reference now, but this type of behavior is perfectly logical, and has been going on since forever in many traditional shady enterprises.


Do you have any proof of that (or even cases where that has happened before), or are you just making it up?


Proven Data and Monstercloud in the US were found to have been doing that.

https://features.propublica.org/ransomware/ransomware-attack...


Proof already was provided, but even without it, it's just common sense. If ransomware was implemented correctly (like using asymmetric cryptography for encryption), there's hardly anything you can do if you don't have backups.


I'm sure companies with backups could use qualified IT help if they suddenly need to restore all their computers from backups quickly. Even if the backups all work, there is a lot of effort to restore them.


What else could these companies realistically do? All I can think of is restore from backups or break the encryption. First sounds like a job for IT and second impossible unless it’s been done completely incompetently


Sure, some will probably do that but then they will have committed insurance fraud.


Not necessarily. A ransomware attack is just a subclass of your generic security breach, so the usual response & remediation activities apply. I would actually think covertly paying ransom costs being a highly unlikely activity.


This is the right course of action. Always think about how your actions incentivize future behaviour. The only right course of action is to halt the flow of revenue to the attackers in order to disincentivize future attacks.

This will not solve the problem of ransomware alone, but is a step in the right direction.


Put yourself in the shoes of business. Well, like the oil company now in USA.

Let's say you haven't learned the lesson of backup importance.

Your business has stopped. Your ONLY way to recover and restore revenue stream is to get the data. You are aware that paying ransom may or may NOT work.

Now, what do you do?

The suggestions (cut the attackers revenue stream) may sound very right, correct and whatnot. But think of the side that is held as hostage.


This is why you need government intervention. Just make it illegal to pay such ransoms. Now the easy option has disappeared. You likely go out of business, and the company which takes your place implements good security policies from the get go. Funding for hacker groups and newer attacks dries up. Sucks for you in particular, but the public overall is better for it.


Sure, just like when you have 5 sick people, each needing a different organ to survive. We need the government to select a healthy person, take his organs and save the other 5. Sucks for that person in particular, but the public overall is better for it.


It's more like banning the purchase of organs on the black market if you suffer organ failure.


Interesting argument, though forcefully selecting a donor does not increase organ failure rates for others, whereas paying ransom does increase risks of future attacks.


It does modify behavior though: I am more likely to engage in risky activities like heavy drinking and overeating if I know a replacement organ (like a liver) is readily available thanks to the wisdom of the government.


On its face, this sounds like an extreme behavioral reaction to having “replacement organs” available, but it actually tracks with my own anecdotal experience.

I was not comfortable skateboarding again until I had good insurance as I do now. I don't go crazy, but it is definitely a weight off my shoulders knowing that if I break a bone I'll be able to get help without wrecking my finances. On the other hand, my brother doesn't currently have insurance, and in the past he was super advanced at skateboarding. He is very hesitant to skate with me because of his fear of getting hurt. It's pretty wild to see that play out in my own life, and it has made me even more empathetic to the decisions other people make and the sorts of high-level factors that come into play there.


Now swing it the other way. Only harvest organs from those guilty of crimes. Would that make you less likely to commit crimes, knowing that your organs will be harvested?


Somewhat interesting that you use an argument against utilitarianism to argue against deontological ethics.


Government intervention is government intervention no matter the context: it seems a good idea at first but it always backfires.


To govern is to intervene, if a government doesn't intervene then what purpose does it have?


Except in this analogy we don't have a healthy person, but one that already was in a motorcycle accident.


> This is why you need government intervention. Just make it illegal to pay such ransoms.

This penalizes the victim. Legally this might be impossible for the same reasons the law is unable to stop you from paying a ransom in kidnapping.

I'm not convinced this would affect the problem even if outlawed. Companies would simply go the path of least resistance the same way they do with avoiding tax. There will always be loopholes for shell / shelf companies to hide activities. The ransomware gangs themselves already today encourage you to reach out from private emails and promise smoother negotiation if you do.


There are several laws already on the books which address this – various international sanctions (https://www.reuters.com/article/us-treasury-cyber/companies-...), anti-terrorism laws (can't pay ransom to a known terrorist group), anti-money laundering laws and more. There is nothing stopping the government from enacting more.


Businesses that don't look after their business are not victims, their unknowing customers are.


A cybersecurity company to which you pay an annual retainer will just pay the attackers instead.

Communication will be done by lawyers and subject to strong confidentiality protection, no one will ever know.

Basically, exactly how it happens with kidnappings today.


Attorney-client privilege does not extend to lawyers doing illegal things on your behalf. For example, you can't ask your lawyer to hire a hitman to off a guy, and any evidence related to such activity will not be protected by attorney-client privilege.


Please. There is a difference between saving a loved one, and hiring a hitman to kill one.

It's literally illegal to pay certain sanctioned organizations today for kidnappings - because they are designated terrorist orgs.

Who negotiates the ransom? Lawyers and security firms, been going on for a long long time.

Amusingly enough, this has even gone through courts in some places, you might wanna look up caselaw. They just decided to classify kidnappers as "criminals" for the ransom purposes, or some other such wordsmithing.

In the US these laws are simply ignored outright.

"The United States Code prohibits funding terrorist organizations, which includes the payment of ransom monies to terrorist organizations. However, the outlook in the United States on ransom payments being made to terrorist groups has softened. In June 2015, President Obama announced that private parties may negotiate with and pay ransoms to terrorist groups without fear of criminal prosecution, which has been the informal practice for years. In fact, nobody has ever been prosecuted for paying a ransom in the United States."

Just imagine your election prospects after jailing a mother who paid a ransom to save her child.

Imagine defending a claim that such law is constitutional, moral and just.


Businesses can't expect claims for theft insurance to be honored if they didn't take reasonable measures (install security cameras, alarms etc... and lock the valuables). How is this different?


Agree. Not arguing about not having insurance.

Just saying that paying the ransom may be the only way out of trouble.


> Now, what do you do?

You quit and go do something else. It's not like your life ends when a company ends.

In a less sarcastic tone: this is where your DRP and BCP get involved, and if you don't have those at that scale, then you were doomed from the start anyway and your existence as a company was on a short lifespan to begin with.


For other readers : DRP is "Disaster Recovery Plan" and BCP is "Business Continuity Plan".


To play the devil's advocate, in an ideal world, you go out of business and another business that actually followed security best practices takes over.

Over time, companies start taking security more seriously. When it affects the users, they can just ignore, business as usual. But now, they can't just go on with their days, so that's the real accountability in my opinion.


Did the business follow best security practices? Did it do its due diligence to harden against attacks?

Why should insurers pay, when businesses have no incentive to do this?


If you follow security best practices, you have append-only backups that you can use to restore the encrypted data and don't need insurance at all...


If the ransomware operators follow best practices, their C2 is in those backups too. The data's not encrypted, but without good IT, not for long.

Maybe go two weeks' back and you'll get a clean instance, but that's two weeks' data loss, I've seen (non-tech) institutions hit where an hour of data loss is worth paying a ransom for.
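The restore-point trade-off described in this exchange, as an added example that is not code from the thread: snapshots taken after the intruder's foothold may carry the implant, so the newest usable copy is older than the newest copy and the gap is the accepted data loss. All snapshot data, timestamps and the dwell-time margin are constructed.

```python
"""Pick the newest clean restore point after a ransomware incident.

Added example (not from the thread). A snapshot is usable only if it is
append-only/immutable (the attacker could not alter it), held offsite
(unreachable from the compromised network), scanned clean of indicators,
and older than the earliest evidence of intrusion minus a margin for
undetected dwell time. Everything below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    immutable: bool   # stored with object lock / WORM, cannot be rewritten
    offsite: bool     # not mounted or reachable from production hosts
    ioc_hits: int     # matches when the snapshot was scanned for known IOCs


def usable_snapshots(snapshots: List[Snapshot], first_seen: datetime,
                     dwell_days: int) -> List[Snapshot]:
    """Snapshots that survive the four checks named in the docstring."""
    cutoff = first_seen - timedelta(days=dwell_days)
    return [s for s in snapshots
            if s.immutable and s.offsite and s.ioc_hits == 0
            and s.taken_at < cutoff]


def pick_restore_point(snapshots: List[Snapshot], first_seen: datetime,
                       dwell_days: int = 3) -> Optional[Snapshot]:
    """Newest usable snapshot, or None when no copy can be trusted."""
    candidates = usable_snapshots(snapshots, first_seen, dwell_days)
    return max(candidates, key=lambda s: s.taken_at, default=None)


def data_loss_hours(snapshot: Snapshot, incident_time: datetime) -> float:
    """Hours of work lost when rolling back to this snapshot."""
    return (incident_time - snapshot.taken_at).total_seconds() / 3600


# Constructed timeline: encryption fired on May 10, the earliest log entry
# showing the intruder is from May 8 afternoon.
INCIDENT = datetime(2021, 5, 10, 9, 0)
FIRST_SEEN = datetime(2021, 5, 8, 14, 0)
SNAPSHOTS = [
    Snapshot(datetime(2021, 5, 10, 2, 0), True, True, 3),   # encrypted + implant
    Snapshot(datetime(2021, 5, 9, 2, 0), True, True, 1),    # implant present
    Snapshot(datetime(2021, 5, 7, 2, 0), True, True, 0),    # inside dwell margin
    Snapshot(datetime(2021, 5, 5, 2, 0), False, True, 0),   # mutable share
    Snapshot(datetime(2021, 5, 4, 2, 0), True, True, 0),    # newest clean copy
    Snapshot(datetime(2021, 5, 3, 2, 0), True, True, 0),
]

if __name__ == "__main__":
    chosen = pick_restore_point(SNAPSHOTS, FIRST_SEEN)
    print("restore from", chosen.taken_at,
          "losing %.0f hours of data" % data_loss_hours(chosen, INCIDENT))
```

With a zero dwell margin the May 7 snapshot would be chosen instead, which is exactly the gamble the comment above describes.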


Why is your data executable?



> https://en.wikipedia.org/wiki/Infrastructure_as_code

> "definition files"

Not executable. Text. Readable by humans. Inspectable by humans so you can root out rootkits. Not even the valuable data that cyber criminals go for anyway - they go for personal and financial data, not k8s config files.

> https://en.wikipedia.org/wiki/Virtual_machine

> https://en.wikipedia.org/wiki/Disk_image

Neither of those are relevant. You don't back up virtual machines or image disks - you take the aforementioned plain-text, audited config files and spin up a new instance from scratch.

> https://en.wikipedia.org/wiki/Shadow_IT

If those are actually shadow IT, they won't be in the backups anyway.

> https://en.wikipedia.org/wiki/Von_Neumann_architecture

This is irrelevant snark. If you back up a data file, it doesn't matter that it's stored in the memory of a Von Neumann architecture - it's only going to be used as a data file.

> Separation of code and executables is a nice idea that approximately 0% of organisations fully adhere to.

Citation needed. Also, you just said:

> If the ransomware operators follow best practices

...so are we considering the ideal case, or not?

> I'm really not sure that has a serious answer.

Being snide is bad by itself, but it's even worse when you're wrong on top of it.


> You don't back up virtual machines or image disks

> If those are actually shadow IT, they won't be in the backups anyway.

Okay whatever then. I really don't have the energy. I'm just depressed people might believe you.


> You are aware that paying ransom may or may NOT work.

The ransomware campaigns are pretty good on support. You will get a key for a sample of your data as a proof. You can sometimes pay progressively to get more trust. Getting your data back is just as important for the criminals as encrypting it in the first place - otherwise their business goes down.


Oh, good to know they provide support. I just remember some ransom (was it notpetya?) that had a broken "pay" thing or some invalid mail... anyway, you couldn't get the key.

And encryption your data doesn't help if you don't have backups.

Edit: Here is the story: https://www.theverge.com/2017/6/27/15881110/petya-notpetya-p...

So email provider blocked their email...


> And encryption your data doesn't help if you don't have backups.

Actually, it does. "We'll delete your data." is not the only ransomware threat - the other one that's not quite as big, but growing, is "We'll leak your data."

Backups prevent denial. Encryption prevents dissemination.


Have the government bail them out by buying them out, then collectivize the company.

If your company is too big to fail, maybe it shouldn't be controlled by profit-optimizing external shareholders and reckless directors. If it isn't too big to fail and can't get a loan the usual way to pay for the ransom (or better: data recovery), just let it go bankrupt like any other company making a costly mistake.


You can still pay the ransom, the insurer will just not reimburse it.


You can still have your assurance pay the cost of setting your revenue stream back up the hard way. As long as the money isn't going to the criminal groups.


The chance of actually getting the data back are not that good https://www.msspalert.com/cybersecurity-research/71-ransomwa...



The one company that I know personally that was hit by ransomware, and paid off the attackers, managed their own backups, which were encrypted as well. IMO, it's not just the importance of backups, but of having third party, redundant, off-site backups.


> IMO, it's not just the importance of backups, but of having third party, redundant, off-site backups.

If your backups do not already include the above, then it is not a viable backup strategy.


You can't trust a compromised system. It has to be purged and rebuilt from the ground up. I really miss the days of write-enable jumpers for BIOSes...


As others have pointed out.

For the business they do not care about the greater good, the greater good is not paying the ransom, for the business paying the ransom and then taking measures so it doesn't happen to them again personally is still likely to be the better option and that is the problem.


It's a mildly interesting game theoretic problem, where if you are attacked and you pay, that wins over not paying -- but if you are not attacked and others pay, that loses you money because now you need insurance. So the actual optimum is for nobody to pay, but good luck on that.


Rome was not built in a day :-)


It will incentivize others paying the ransom if the consequences are dire enough. Remember the after-ambush interrogation in the film Inglorious Basterds.


I don't think this will set any precedent. Unlike a standard kidnapping and ransom, where there is a huge amount at stake for the kidnapper - there is little consequence for ransomware authors and those who hold businesses hostage. They do it from the other side of the world, anonymously (assuming good opsec) and if someone doesn't pay up, they just move on.


Not this event alone, sure, but it is a step in the right direction. The attitude will need further adoption and it may drive pre-emptive actions against ransomware instead of the "do nothing and cash out on insurance" approach.


This hasn't really worked for real-life kidnap/ransom, which has probably been done since the dawn of civilisation. I don't see why it would change now.


Kidnap/ransom only really exists in countries with poor or corrupt governance.

It's a solved thing in the West for example, because the criminals know they will not get away with it. It's easier to get away with murder, because it doesn't create such social commotion, which in turn bring in the government focus.


I wish they were this well intended, or even that it’s actually what’s happening behind the scenes.

More often than not "don't negotiate with terrorists" [0] facades are just a message sent to the world, only enforced when the stakes are low enough and the 'terrorist' party has nothing actually valuable.

[0] https://en.wikipedia.org/wiki/Government_negotiation_with_te...


We place too much value on intention, when focus should be on the outcome


Could we make paying a ransom in these settings illegal? That would guarantee that ransomware was no longer economically tenable.


And what about breaches where they have not implemented MFA?


Can’t we just disallow email messages from anyone that is not either in the organisation or messaged by a user before? No more ransomware, or at least not as easily.


There are often classes of employees where external email is completely unnecessary. I know of one financial institution who has implemented this.

It wouldn't work well for many employees though. For example, try signing up for a legitimate service and guessing what email address the confirmation link will be sent from.


In a strict security environment, shouldn’t the employee request permission or, at the very least, give IT a heads up that they’re going to sign up for an external service? IT would vet the service and then apply the domains to the whitelist.

I know how bad it sucks to have to ask permission for every little thing, but if the alternative means risking ransomware attacks, then the case should be laid out transparently to everyone in the org so they understand why the rule is in place.
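The sender policy proposed in this sub-thread, written out as an added example that is not code from any commenter: internal senders, addresses the recipient has previously written to, and IT-vetted domains are accepted, everything else is quarantined for review rather than dropped, which is how the signup-confirmation objection above gets handled. The domains, addresses and the DMARC result field are constructed assumptions.

```python
"""Allowlist-style inbound mail policy (added example, not from the thread).

Accept when the sender is (a) inside the organisation and the message
passed DMARC (an unauthenticated internal-looking From is the classic
spoof), (b) an external address this recipient has mailed before, or
(c) in a domain IT has vetted. Anything else is quarantined, not dropped,
so a legitimate confirmation from an unknown service can be released by
the helpdesk. All names and sample traffic are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

ORG_DOMAIN = "example.org"                                 # assumed org domain
VETTED_DOMAINS = {"payroll-vendor.example", "ticketing.example"}  # assumed list


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


@dataclass
class MailPolicy:
    org_domain: str
    vetted_domains: Set[str]
    # recipient -> external addresses that recipient has written to before
    prior_contacts: Dict[str, Set[str]] = field(default_factory=dict)

    def record_outbound(self, sender: str, recipient: str) -> None:
        """Hook for the outbound path: remember external correspondents."""
        if _domain(recipient) != self.org_domain:
            self.prior_contacts.setdefault(sender.lower(), set()).add(recipient.lower())

    def decide(self, sender: str, recipient: str, dmarc_pass: bool) -> str:
        sender, recipient = sender.lower(), recipient.lower()
        if _domain(sender) == self.org_domain:
            # Internal From: header only counts if the message authenticated.
            return "accept" if dmarc_pass else "quarantine"
        if sender in self.prior_contacts.get(recipient, set()):
            return "accept"
        if _domain(sender) in self.vetted_domains:
            return "accept"
        return "quarantine"


def evaluate_sample() -> Dict[str, str]:
    """Run the policy over constructed traffic and return each decision."""
    policy = MailPolicy(ORG_DOMAIN, VETTED_DOMAINS)
    policy.record_outbound("alice@example.org", "bob@partner.example")
    return {
        "internal":       policy.decide("carol@example.org", "alice@example.org", True),
        "spoofed":        policy.decide("ceo@example.org", "alice@example.org", False),
        "prior_contact":  policy.decide("bob@partner.example", "alice@example.org", True),
        "no_prior":       policy.decide("bob@partner.example", "dave@example.org", True),
        "vetted":         policy.decide("noreply@ticketing.example", "dave@example.org", True),
        "signup_confirm": policy.decide("no-reply@newsaas.example", "dave@example.org", True),
    }


if __name__ == "__main__":
    for case, verdict in evaluate_sample().items():
        print(f"{case:15} -> {verdict}")
```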


Cutting off all communication with the outside world doesn't sound like a good way to run a company.


Call me cynical, but anytime an insurance company decides it's in everyone's 'best interest', and by everyone I mean the policy holders, I cannot help but translate to mean - 'It's costing us more money than we expected, so we don't want to cover this'


Well insurance companies account for this by raising premiums. In fact it sounds counterintuitive but something which happens often is more profitable for insurance companies because otherwise few people bother to take out policies for it.

In this specific case, I imagine the reason for the announcement wasn't moral or financial – the company likely decided it did not want the legal liability of potentially funding international terrorism.


Case in point: companies' unwillingness to buy pandemic insurance before Covid hit. Maybe lucky for insurers, and obviously they refused to sell after.


I have things to say on (French) AXA. Worst insurer I ever had the displeasure to deal with. I will spare you the multi-year history, but if you're an expat: AXA will pretend that once you move out, suddenly all 'modern' financial infrastructure has evaporated and only French cheques exist (not cashable anywhere in my next country, Netherlands) when refunding the fines and erroneously incurred 'costs'.

They'll string you along for _years_ correcting their own mistakes and then you're stuck with a bunch of useless cheques. I think half a dozen former colleagues and friends tried to help me out too, including someone's grandma, to no avail whatsoever.

Really, the worst.


I used to work for AXA Health insurance.

Up until about 2017(!), they were reimbursing people for treatment which was claimed back (as opposed to billed to the insurance company directly) by cheque exclusively, and there were rumours from the finance department that this was because lots of people never bothered to cash in their cheques because of the hassle compared to receiving a direct debit.


It's a large company: these things are not accidental (was home insurance btw). I know French law enforces cheques validity as legal tender, but it's a supremely asshole move to give them out to foreigners/people abroad. They did mail them abroad to me in the end! This is where someone's grandmother came in, but she couldn't cash them either, even with a letter authorising her. Out of all the countries I've lived in Europe, France is the only one where I ever saw cheques in actual usage!

In NL, cheques went out of fashion in the 80ies, and banks haven't had the infrastructure to process them for decades now.


You're completely right in thinking that. Insurance companies are only providing "insurance" from the perspective of the customers. They're actually just another investment vehicle and their managers (not so dissimilar to hedge and mutual funds) optimise for profits -- thus minimising risk. All the while being "risky" enough to allow for building some customer base (so cash inflow).


That's not cynical. That's just the lowbrow understanding of motivations. In that sense, any time you do something, you are only doing that because the utility to you is lowered. Sure, but that model provides no useful predictions about reality.

Everyone on the Internet always acts like this is some great revelation: "they're only stopping it because it doesn't provide enough utility to them"

Duh, that's what utility is. Honestly, it's so repetitive and each time it's presented as some insight when it's so trivial it provides no new value.


Not cynical at all. Insurance business is mostly predatory. If it doesn't make them money, they're not gonna cover it.

Regardless, in this specific instance I'm all for it. This will hopefully wake enterprises up so that they invest in good IT practices, which will have lasting effect on other parts of IT within firms.


This isn’t predatory at all. This is a company creating a risk pool that is cheaper for organizations that believe they can self-manage ransomware risks. The ethical behaviour of an insurance company is completely orthogonal to what risks they choose to cover.


Predatory in the same sense that most businesses are predatory. I.e exist to make a profit.


I think of insurance as the only pyramid scheme allowed by the governments across the world. The only legal pyramid scheme.


You already have so many MLM companies, why would you think that it is the only one? Also, insurance hedges risks. That's why you take it. A better way is a mutual (is that the English word?), but it is too much communism for America!


<not entirely serious> I think the best way to convince cybercriminals not to ransom companies would be to just drop a small tactical nuke on the site of the criminals if they are ever discovered... that may not stop ALL, but the risk for any aspiring new cybercriminal would go steep uphill. </not entirely serious>

I think the best way to stop this "business" would be to make it as costly as possible for the "bad boys"... the course of AXA may be hard on some of their customers, but in the end it may be better for the net-society as a whole.



