Examining systemic ransomware cyber risk

Sit up and take note: economic losses from a major systemic ransomware attack could exceed $15bn, according to data analytics specialist Verisk.

A single systemic ransomware event has the potential to trigger multiple claims from domino-like disruption that can generate widespread, aggregate losses across otherwise independent insureds. Economic loss from a major systemic ransomware attack—such as WannaCry and NotPetya—could exceed $15 billion, inflicting significant damage on the global economy and significant losses on (re)insurers’ portfolios where cyber risk is not well managed.

Emerging as a distinct and potentially costly peril in recent years, systemic ransomware has evolved from a cyber lineage nearly as old as the internet itself. The characteristics of the systemic ransomware now disrupting digital assets globally reflect both age-old tactics of cyber-attacks and newly developed technologies refined by the successes and failures of predecessor malware. State-of-the-art systemic ransomware attack models can fuse the rapid- and widespread-propagation capabilities of internet and network worms with the significant business disruption of ransomware.

In contrast to targeted ransomware aimed at a specific organisation or a single insured, systemic ransomware has the potential to impact more than one organization in an attack and generally does not rely on hands-on action by threat actors.

A self-propagating malware, systemic ransomware impacts multiple organisations either one at a time or in quick succession. By leveraging advanced, innovative worm-like techniques, systemic ransomware can rapidly extend its reach without requiring any attacker intervention. The powerful self-propagation techniques employed enable the ransomware to spread rapidly across networks and over the internet.

Unlike targeted commodity and opportunistic ransomware attacks, systemic ransomware events are unlikely to involve data exfiltration (when an individual’s or company’s data is copied, transferred, or retrieved from a computer or server without authorisation, a growing trend in targeted ransomware) because threat actors generally lack the resources or opportunities to navigate individual victims’ networks to locate business-critical data.

Digital disruption

Like all ransomware, systemic ransomware disrupts the digital assets of organizations (and sometimes individuals) by encrypting data and threatening to destroy that data and/or make it public in exchange for ransom or to cause damage through business interruption or reputational assault. Delivered via phishing emails or malicious content downloaded from compromised websites, as well as with more sophisticated methods of infection, systemic ransomware endeavors to exploit myriad digital vulnerabilities in people, processes, and technology to deploy and spread rapidly across networks. Ransom—cyber extortion—can be leveraged on threats to lock access to devices and files and can restrict the use of potentially business-critical systems.

Because of the large scale of systemic attacks, systemic ransomware events generally have lower ransom demands than targeted ransomware due to the difficulty of tailoring ransom demands to victims’ abilities to pay (as is customary with targeted variants) and because keeping ransom demands low increases the likelihood that infected organisations will choose to pay the ransom rather than try to recover data via other methods. Ransom payment demands also almost always specify cryptocurrency. Almost any organization can be impacted by systemic ransomware.

Campaign strategy

Threat actors today have a plethora of techniques at their disposal to support a systemic ransomware attack campaign strategy, based on the scale of the incursion, the distribution methods used, and the organizations affected. A number of vulnerabilities can be exploited—operating systems (e.g., Microsoft Windows), common software (e.g., Adobe), or even human frailties (e.g., susceptibility to phishing)—and the malware can zone in on a specific geopolitical region. What is infected, by which vector, and the attack’s desired outcome (e.g., a quick payout versus maximal business disruption) are all considerations for actors designing a campaign.

The innovative techniques—and broad, substantial financial and/or business interruption impacts—that so uniquely characterise systemic ransomware require a high level of skill and sophistication. Threat actors must effectively leverage advanced technologies, molding the malware to the attack’s intended scope and objectives. The heavy demand that systemic ransomware places on resources and proficiency increases the likelihood of the involvement of nation-state and sub-nationalist groups with these events, which in turn increases the likelihood of geo-political or intelligence-based motives to disrupt or destroy systems and data. As a result, systemic ransomware events often prioritize network downtime and system failure over financial gain.

WannaCry and NotPetya

Two catastrophic systemic ransomware events in 2017 reveal the grievous impacts of this self-propagating malware.

WannaCry, a global, nation state–driven attack, exploited a wormable vulnerability in Windows known as “EternalBlue.” The worm probed for appropriate vulnerable ports and, when successful, installed a back door for further exploitation and propagation. Although not all machines meeting the point of aggregation (PoA) constraint were affected, WannaCry’s unique mechanics enabled it to propagate beyond its initial device and spread its payload onto vulnerable systems on both internal and external networks.

An estimated 400,000 organizations in 150 countries were infected, including governmental bodies, hospitals, manufacturing facilities, and universities. One of the most significant ransomware attacks to date, WannaCry resulted in considerable downtime and business interruption.

NotPetya leveraged the same EternalBlue Windows exploit to corrupt an otherwise valid Ukrainian accounting-software update. Although geo-targeted at Ukrainian companies, NotPetya pushed its payload across dozens of corporate networks, affecting a broad swath of industries, from energy, shipping, steel, and transport to food, law, and software. The sophisticated NotPetya ransomware propagated expeditiously, and secondary infections occurred globally, with machines compromised in organizations that simply had infrastructure in Ukraine.

NotPetya went far beyond encrypting the master boot records and committed other malicious acts, such as credential theft, token impersonation, propagation and remote execution of malware, physical drive manipulation, system shutdown, and anti-forensics. NotPetya’s business interruption objective became clear when impacted organizations discovered that ransom demands were simply a distraction and decryption was not possible.

Risk accumulation

Unlike natural disasters, whose risk can be correlated by easily verifiable geographic location, systemic cyber risk creates a far more challenging landscape to navigate, as WannaCry and NotPetya well illustrate.

Systemic ransomware has emerged as one of the most substantial cyber threats facing today’s interconnected world, with the potential of severe losses across an insurance portfolio. (Re)insurers must regularly measure and monitor the accumulation of risk within a portfolio by making informed underwriting and portfolio management decisions. A probabilistic model that leverages a market share approach alongside detailed data for companies worldwide can help companies estimate aggregated losses from significant simulated and historical global-scale ransomware attacks, such as the costly WannaCry and NotPetya events.

The most recent update to Verisk’s cyber risk modeling platform comprises a comprehensive set of probabilistic models, including individual risk models, aggregation risk models, and the systemic ransomware model. The platform supports systemic ransomware by focusing on events that threaten the largest losses and are historically represented by such events as WannaCry and NotPetya.

The platform also leverages a fast analytics engine that accurately models insurance terms specific to cyber threats and uses public application programming interfaces (APIs) to integrate analytics into internal applications, enabling clients to make better decisions on cyber risk selection, portfolio management, and risk transfer.

Bethany Vohlers is a senior manager on the cyber solutions team at leading data analytics provider, Verisk.
