back to article The policy of truth: As ransomware claims rise, what's a cyber insurer to do?

If you rely on your insurer to pay off crooks after a successful ransomware attack, you wouldn't be the only one. Ransomware victims from municipal governments to universities have turned to their cyber insurance policies to pay for decryption keys after getting pwned. That's making some insurers nervous. How will they react …

  1. Anonymous Coward
    Anonymous Coward

    Who gives a f**k what the insurers are meant to do?

    I wish I could care, but I truly and honestly believe I never will.

  2. Filippo Silver badge

    IMHO, paying ransoms ought to be illegal.

    1. 0laf Silver badge

      Yes, and I suspect it will be soon.

    2. Anonymous Coward
      Anonymous Coward

      Sure, but not spending a % of your profits each year on cybersecurity measures should be illegal-er.

      Cybersecurity training should be treated with the same weight as fire training and first aid training.

      I feel like we need a PSA like the old piracy ads.

      "You wouldn't smoke next to a petrol pump"

      "You wouldn't put your dick in a hornets next"

      "You wouldn't tell your wife her arse looks big in that"

      "You wouldn't open an attachment you weren't expecting"

      "Cybercriminals, they target Muppets, don't be a Muppet".

      1. steviebuk Silver badge

        Might want to make the PSA ad not male aimed.

        1. dvd

          Nothing male about any of those statements these days...

    3. Snowy Silver badge
      Flame

      If paying a ransoms ought to be illegal so should offering insurance cover to pay it!

  3. Flocke Kroes Silver badge

    Now that they mention it ...

    First question for insurance is going to be "Do you pay out for ransomware?" If the answer is "yes" I am going elsewhere because I do not want a part of my premiums going to fund criminals and support businesses that do not keep useful backups.

  4. brett_x

    Elephant in the room

    I just don't understand why it's legal in any circumstances, regardless of who the ransom is paid to. It's extortion. And as the article points out, the more it's paid, the more it is encouraged.

    I thought maybe it was still legal because there's a market for this kind of insurance, but this article points out how complicated that is getting.

    So WHY is it still legal? Who benefits so much that we can't pass laws to make it happen a lot less (or at least make it go away from the public spotlight)?

  5. Herring` Silver badge

    Layer 8 problem?

    How many of these bits of malware get in through users clicking on links or opening attachments in emails? Let's face it, that's a far easier way in than trying to get past tech.

    And how many C-levels demand access to their GMail/social media/etc?

    Also ob. SMBC https://www.smbc-comics.com/comic/2012-02-20

    1. Anonymous Coward
      Anonymous Coward

      Re: Layer 8 problem?

      Unfortunately, many people who SHOULD know better and who are considered "trusted" (city council, for one) use third-party email services that automatically cloak any URLs in the email into a convoluted mess. So any user training to not click on dodgy links gets eroded. Unfortunately the email senders are not IT people and have no clue why this is a bad thing no matter how many times one tries to explain it.

  6. Sparkus

    Stop indemnifying incompetent management

    for their deliberate decisions..........

    1. Diogenes8080

      Rank pedantry

      If they are incompetent, how is the situation deliberate? That would be malice...

      But yes, paying ransoms is massively fuelling the fire, and taking funds away from correcting the faults that led to the opportunity in the first place.

      Hit any beancounter budgeting for ransoms with the Colonial Pipeline case: the victims paid and the gang gave a valid decryption program that performed so slowly it was quicker to restore anyway.

      1. doublelayer Silver badge

        Re: Rank pedantry

        "If they are incompetent, how is the situation deliberate? That would be malice..."

        Not necessarily. A decision not to have a reliable backup system because it costs less to insure against ransomware, and of course that's the only reason why one might need long-term backups, is very incompetent but is also deliberate. Failing to consider the need for backups at all is incompetent and not deliberate. That is the difference.

  7. Dinanziame Silver badge

    What about theft?

    Do insurance companies pay up for stolen property? Even if it was left unlocked in a public place?

    1. katrinab Silver badge

      Re: What about theft?

      They don't pay the thief to hand it back. That's the equivalent here.

      1. parlei

        Re: What about theft?

        Actually I think that happens. For things like unique and precious works of art.

    2. doublelayer Silver badge

      Re: What about theft?

      It depends on your policy and how good they are at deciding it's your fault so you don't deserve payment, but maybe. In that case, they pay you for the loss, not the criminal.

  8. Anonymous Coward
    Anonymous Coward

    As with most things... follow the money.

    Keep following where the "coin" goes and when the trail runs cold (suspect it will be the exchange where "coin" becomes ca$h, that org has a strike against it and a warning. Three strikes and your org gets sanctions from the Fed, EU, etc etc. those sanctions are loss of access to the relevant market, loss of banking licenses etc etc.

    Very quickly, the crooks will run out of ways to extract cash from "coin" and the exchanges will find ways to facilitate "more info" on their "customers" to avoid being the one left at the end of the trail.

  9. cambesol
    Megaphone

    Flashback to the nineties

    I don't much care about the parasites that are insurance companies but I do like the reference to Depeche Mode.

  10. Claptrap314 Silver badge

    At first

    We had hopes that insurance companies would bring some discipline to security where stock-price-driven design consistently failed. The eagerness of insurance to pay cyberransoms caused me to give up hope in that regard. But it sounds like there might be some pullback. A glimmer of hope in the long tunnel. Wait. What's that air now rushing past my face about?

  11. Claptrap314 Silver badge

    Wallet tracing

    Surely by now even the skiddies know to use a separate wallet for each infection...

    1. Richard 12 Silver badge

      Re: Wallet tracing

      At some point it gets turned into real currency in a named or numbered regulated bank account. At that point you swoop and apply Consequences.

  12. Paul Hovnanian Silver badge

    Security audits

    Insurance companies will have to make policy payouts conditional on companies passing some sort of system audit. You have crappy policy controls and/or backups, your coverage gets cancelled.

  13. Keven E

    Monkey Business

    "stock-price-driven design consistently failed."

    Thumbs up for that one!

    **********

    "paying ransoms online validates the crooks' business model, emboldening them to keep doing it."

    Just calling it a "business model" seems to (insult the monkeys and) reveal, once again, *issues with "business as usual".

  14. Greybeard_ITGuy
    Thumb Up

    Good old Depeche Mode

    Thank you for a blast from my past.

  15. fredesmite2
    Mushroom

    INSURANCE COMPANIES DON'T PAY

    THEIR CUSTOMERS WHO PAY THE PREMIUMS DO.

    WHICH MEANS THE CONSUMERS OF THEIR CUSTOMERS PAY.

  16. Schultz

    "In an ideal world, Wolff says, companies would [protect] themselves against ransomware."

    He is wrong. In an ideal world, nobody ever payed the ransomware perpetrators and the business model would be dead.

  17. Conundrum1885

    Something intriguing

    I've found that a lot of external HDDs and other devices are counterfeit and/or fake capacity so the capability to embed date/time or usage triggered malware also exists.

    There have been cases where the entry point of a specific piece of ransomware or malware has not been found despite extensive efforts.

    Is it worth looking in more esoteric places like the monitor, optical drives and USB cables?

    To write malware that hides in the SPD chip on DDR4 RAM is another not so well known method and as its quite hard to write in W10 etc it wouldn't be much of a stretch to implant something nasty that only dumps its payload when it "sees" a specific setup like a server grade CPU or more than n system drives.

    So your average home user won't even know its there.

    Also heard of more recent malware that reflashes the BIOS with its current settings intact so unless someone goes to alter it they won't know that its actually been compromised, or a combination of the two that writes persistent code to any programmable chip.

    1. Androgynous Cupboard Silver badge

      Re: Something intriguing

      Broadly, if you're not the bus master you don't get to initiate the transaction. So monitors, optical drives, usb cables, usb drives... anything short of Firewire or lights-out controllers, really, don't get to make a choice about installing anything on another part of the system. They have to wait for the user to do it for them, which they do over and over again.

      When looking for a root cause, start with ignorance or inattention. The more esoteric attack vectors are out there, sure, but why work that hard when the clown on the other end of the keyboard will do it for you?

    2. doublelayer Silver badge

      Re: Something intriguing

      All that is fun, but let's be honest, it takes a lot of time and we programmers are lazy. The evil ones are too. Why go to the effort of manufacturing sneaky drives with a complex disconnected script which watches filesystem activity and implants itself only to find that it doesn't work because the users used something unpredicted when the script was written when you can email someone an executable and ask them to run it? It takes a lot of effort, time, and money to get those drives manufactured and sold and it's also a path someone could use to track you. Don't overthink it; the ransomware people aren't.

      1. Anonymous Coward
        Anonymous Coward

        Re: Something intriguing

        Because, if you can do it, you can infect EVERYONE, regarless of their A/V, firewall, or backup posture.

  18. Ken Moorhouse Silver badge

    Rather than paying off ransomware perpetrators...

    Insurers could arguably be doing deals with backup providers to encourage businesses to take preventative action by giving a hefty discount if you use their approved company.

    If you say that insurers shouldn't be endorsing companies then why is it that when you successfully make a claim for everyday things like jewellery they often force you to buy replacement goods from companies they have done deals with?

  19. Giles C Silver badge

    Should be recovery costs only

    I think ransomware insurance should cover the costs of system recovery.

    Not paying the ransom ever.

    I.e. if you get caught and it will take 100 man days to recover the systems then it covers the cost for the resource not the money demanded.

    It is therefore a known risk (unless someone has being telling porkies about the systems) and a known cost. For larger companies it isn’t needed as they should have the reserves to cover it. For smaller companies paying say 10% of the cost as a premium it is treated as a risk.

    And in the event of a payout the premium goes up to 50% of the insured cost next year….

    Of course this should be subject to a process audit before the policy is even offered…

  20. midgepad

    Some of this is nation states

    It approaches an act of war, and deserves forceful responses.

  21. david1024

    Oh, so now it is a problem?

    Trying to feel sorry for anyone involved here...

    Who knew sending boatloads of cash to the bad guys was a bad idea? Because that's ever worked in the past without a trip over to kill them irl?

    1. Anonymous Coward
      Anonymous Coward

      Re: Oh, so now it is a problem?

      It was only a pallet of cash last time...

  22. martinusher Silver badge

    ..and what happens if the Insurance company is compromised?

    I was told by a security person that the reason why successful ransomware attacks are on the rise is that the scammers first attacked an insurance company, using the information taken from them to identify potential targets.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like