Digital Piracy through Ransomware: A Change in Tides – Los Angeles Business Journal
Custom Content by the Los Angeles Business Journal
By Sean Renshaw
Tuesday, December 14, 2021
Years ago, digital pirates targeted healthcare and relatively vulnerable targets (e.g., educational, and not-for-profit organizations) but they have since moved on to a more diverse victim base. High-profile attacks have impacted critical industries during the first half of 2021, which has led to a significant change in how ransomware attacks are being handle by a variety of entities.
The NetDiligence Cyber Claims Study 2021 identified that ransomware attacks now account for 32% of attacks, leading all other vectors by a significant amount. These attacks have increased at an alarming pace, with an 85% increase in overall average attacks from 2018 through 2020. From a financial perspective, the average cost due to business interruptions has increased almost 300% during this period, and the cost to recover from an attack has increased over 400%.
The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a report which analyzed the ransomware trends for the period between January 2021 and June 2021. Based on this analysis, FinCEN identified 10 threat actor groups responsible for 73% of the ransomware attacks based on the analysis of cryptocurrency payments analyzed in the first half of 2021. In addition, FinCEN determined that these 10 organizations received $5.2 billion in ransom payments over the preceding two years.
While there is likely no relief from the current persistence of ransomware attacks, the digital pirates are increasing in the sights of those patrolling the digital high seas.
TURNING THE TIDES: ATTACKING THE ATTACKERS
As high-profile attacks have occurred, the U.S. government appears to be making a pronounced effort to target ransomware attackers, whether conducted by criminal organizations or nation-states. This growing emphasis has become a multi-disciplinary effort by the public and private sector, industry organizations and others, to target and disrupt these illicit organizations. Here are some recent examples of how the tide is being turned and the hunter is becoming the hunted:
• Reuters reported that on July 13, 2021 the REvil threat actor group leak site and payment portal unexpectedly went offline. On October 21, 2021 it was disclosed that the REvil group (responsible for the Colonial Pipeline and Kaseya ransomware attacks) was likely attacked and forced offline by the U.S. government and other like-minded countries
• On November 8, 2021, the U.S. Department of Justice announced the arrest of two foreign nationals and the seizure of assets worth approximately $6.1 million USD. These individuals were involved in Sodinokibi/REvil ransomware attacks including the Kaseya based attack in July 2021. Based on reports in CPO Magazine and ZDNet, Operation GoldDust (a multi-national law enforcement effort to combat cybercrime) has been targeting individuals allegedly involved in thousands of ransomware attacks around the world.
While this will not stop the attacks, it is a clear sign that governments around the world are taking a stand against these digital pirates.
STOPPING THE MONEY TRAIN
In August 2021 the Ransomware-as-a-Service (RaaS) model was publicly exposed when disgruntled affiliates of the Conti ransomware organization disclosed the inner workings of how the criminal organization is perpetrating these attacks. Based on our analysis, several key points came to light highlighting the effort attackers undertake to exploit their victims financially by knowing how much ransom they can demand:
Due to the cataclysmic growth of ransomware attacks, there is an effort underway by the government to take away some of the ill-gotten gains.
THE VICTIM IMPACT
Over the past year, there has been a significant effort by cyber insurance providers to gain an upper hand in relation to the reimbursement costs they are encountering as part of ransomware attacks.
• During May 2021 Insurance Journal reported that Axa S.A. (AXA) insurance would stop writing cyber insurance policies in France that reimburse customers for extortion payments made to ransomware attackers. While this action only applied to France in this announcement, it is becoming an emerging trend within the insurance industry.
• In an August 2021 article, Reuters reported that American International Group (AIG) insurance indicated that they were tightening the terms of their cyber insurance while increasing the premiums that insureds must pay for coverage.
• The most recent, and widest reaching, tightening in the cyber insurance market was reported by Reuters on November 19, 2021. In this latest salvo by the insurance industry, insurers and syndicates working in the Lloyd’s of London market are being charged substantially higher premium rates for cyber coverage. In addition, Lloyd’s is discouraging a significant number of insurance carriers from taking on cyber business in the coming year.
• Based on feedback from our clients, cyber insurance carriers are requiring them to complete robust cybersecurity assessments to gauge their security posture when applying for new covering or renewing existing coverage. In reviewing some of the recent requests, the level of cyber security requirements is becoming exponentially higher.
The outlook may be turbulent for companies that fall victim to a ransomware attack. There is an active effort to combat and neutralize organizations perpetrating these attacks; however, it will not keep others from stepping in to fill the void and continue launching attacks. While illicitly gained funds are being seized from the attackers, it is not filtering back to the impacted entities. In addition, cyber insurance coverage will continue to be more difficult to obtain and exponentially more expensive with much less coverage.
So where does that leave you?
DON’T BE A SOFT TARGET
-Deploy multifactor authentication.
-Secure remote connection access.
-Implement a regular update and patch program.
-Create network segmentation.
backup data.
Sean Renshaw leads the digital forensics and incident response (DFIR) practice and oversees global operations for cybercrime and data breach investigations, digital forensics and incident response services at RSM US LLP. For additional information about how RSM can help you prepare for these ongoing threats, please visit
For reprint and licensing requests for this article, CLICK HERE.