In this three-part blog series we tame the uncertainty of ransomware risk a la carte. For starters, we summon a playbook approach to reduce the conceptual uncertainty surrounding ransomware risk. We bookend this series by delving into the cyber insurance implications of these approaches to reducing ransomware risk.
Reducing Conceptual Uncertainty: A Playbook Approach
In the evolving battle between offense and defense, ransomware is the latest chapter in the red team (offense) and blue team (defense) playbooks that are used in the tradecraft of cybersecurity and risk management. Lacking collective truth about ransomware’s victimology, prevalence, payout rates, demand amounts, and other costs,1 risk managers and underwriters face challenges in coverage, risk selection, premium, and capital allocation. To be sure, there’s a growing body of descriptive and predictive statistics from cyber risk and security products as well as services vendors—each with varying and limited scope—resulting in unstable trend analyses and risk-transfer paralysis.
A more in-depth look at recent history provides no shortage of descriptive analyses and predictive assessments of ransomware frequency and severity. For example, in 2019:
The average ransomware payment increased 1,150% [Coveware]
The average downtime caused by ransomware attacks increased by a factor of 2.6 [Coveware]
The average cost of ransomware-caused downtime increased by more than 200% [Datto]
The number of ransomware incidents increased 37% between Q1 and Q2 [Beazley Breach Insights]
The number of ransomware claims increased by more than 2,000% from 2014 to 2019 and is anticipated to continue [Net Diligence 2020 Spotlight on Ransomware]
Despite a lack of convergence in statistical trends, companies and insurers can reduce uncertainty by invoking the playbooks that underpin attacker and defender interactions. These playbooks consider the strategic, tactical, and operational levels of the cat-and-mouse game that is cyber crime and cybersecurity. Although real-time specifics at the operational level continue to defy certainty, recognizing the tactical techniques and high-level strategies can go far in taming uncertainty.
Cyber crime strategy and tactics are foreseeable. Whether it is ransomware, data breach, or distributed denial-of-service (DDoS), the motive, means, and opportunity (MMO) script for cyber criminal developers and distributors has remained the same:
Motive (why):
The attackers’ objectives are to disrupt an organization and/or extract value for their own gain.
Means (how):
The core blueprint for how attackers accomplish their objectives often comprises reconnaissance, target selection, evasion, and system/data incapacitation or theft.2
Opportunity (when, where, what):
The resources, timing, and placement of attacks are a function of technology, process, and human vulnerabilities.
Using the Playbooks to Manage the Unknowns
Although these fundamentals are unchanged, technology has enabled their evolution and points to where trendlines are heading. Because attackers are rational economic, ideological, or geopolitical actors, they embrace technology to optimize the execution of their mission—just like their legitimate business counterparts and targets. Hallmarks of this evolution are automation, cryptocurrency, and a service-oriented business model.
Ransomware optimizes motive by focusing on higher, more likely returns at lower risk: Why would attackers resort to extracting value from selling access to resources, credit cards, or personal data in a volatile and saturated underground market? Or why would attackers settle for the exposure and limitations of committing identity fraud and money laundering when they can lock down a system or merely threaten to expose data, and then collect a quick and certain payout in bitcoins?
Ransomware optimizes the means by automating the steps involved in reconnaissance and attack, thus enabling more efficient ratios of cost-of-effort to reward.
Ransomware optimizes opportunity by adopting a specialization business process that turns ransomware attacks into a modular service-oriented ecosystem. Similar to the familiar XaaS (where X is platform, infrastructure, software, or data, among others), ransomware-as-a-service (RaaS) involves a supply chain of developers, aggregators, operators, and affiliates. They perform different roles with associated rewards in executing a ransomware attack: from setting up malware portal storefronts3 to selling plug-and-play malware kits, finding and deploying them on victim systems, and finally liquidating the bounty demand in cryptocurrency.
Why does shifting to a playbook mindset matter? The right frame of reference helps us manage the unknowns. It defines the vantage point through which we interpret risks. By framing ransomware risk according to the strategy and tactics of the red team, defenders and risk professionals can avoid blind spots that constrain the solutions for managing this type of risk. By putting a box around ransomware—reducing uncertainty at the strategic and tactical levels—at-risk companies and risk professionals can improve situational awareness, risk identification, and risk management.
Closing Remarks
Part II of the blog series drills down to offer a risk factor-based approach to help tame the empirical uncertainty surrounding ransomware. Stay tuned to learn more.
1 Costs include lost business income, restoration and recovery of data and systems, forensics, and litigation.
2 In security industry terminology, these are referred to as the TTPs (tactics, techniques, and practices).
3 Storefronts include bundle discounts, support service, and customer reviews.