American insurance giant CNA reportedly pays $40m to ransomware crooks CNA Financial, the US insurance conglomerate, has apparently paid $40m to ransomware operators to gets its files back. In March the business revealed it had been hit by an extensive Phoenix Locker infection; this strain of malware was developed by Russian scam artists calling themselves Evil Corp, which may have links to …
Define Ransom?
“As per contract the annual cost of licensing our product per core and per instance is increasing. Due to higher costs to ensure the integrity and security of our product we’ve had to increase the cost of our license.
Speak to your account rep to discuss the changes and inevitable cost increases. “
When your business is so reliant on a vendor your over a barrel when their costs inevitably go up.
Same with these scammers that lock your data.
So let me get this straight, an insurance company, who profit by selling ransomware insurance, just funded a ransomware cyber crime group to the tune of $40m.
They're literally funding the criminal organisation, and then offering to sell insurance against that to our clients.
Weren't the Mafia doing shit like this back in the day?
If the crims can encrypt the data, does that mean they can also have a peek? Would be very nice to find the folder containing which companies have Malware insurance, and which don't, and which companies are more or less secure, as I know these questions are asked before insuring any company...
The public knowledge that a company/organisation has cyber insurance is already being flagged as a risk factor.
If the bad guys know you have insurance you are much more likely to be a target simply because they know your insurance will likely pay them. And it'll all be kept quiet so there is unlikely to be a political motivation to make paying ransoms illegal.
That's not generally the way it works. The attacking organization has a botnet probing for known vulnerabilities it can exploit to drop a ransomware package, which will then encrypt files and notify a C&C server. The humans only find out about it after a victim has been compromised. There aren't a bunch of pasty-faced yoots in hoodies hunched over keyboards manually encrypting a file at a time.
Some ransomware includes exfiltration of data; some doesn't. A given crew might, at some point, upgrade their botnet to deliver a package that includes exfiltration capability, but while the money's still rolling in there's no great incentive to do so quickly.
There are probably ransomware operators who still work manually, but the smart ones will be automating the process as much as possible. And aside from developing packages with novel capabilities, it can all be automated.
That's one reason why outlawing payments won't stop ransomware attacks.
I'm not sure what it is they're insuring? Is it the ransom note?
Ordinarily, insurance involves recitifcation. If I insure my car, and it gets stolen and never found, I get money to the market value of my stolen car, so I can buy another, hopefully. So its pretty clear in this example it is the car that is insured, not the thief, who stole it
We live in a fucking weird world
Am I the only one thinking this through in this way?
Paying ransomware should be illegal and company owners / board members who sanction it should receive a criminal conviction and possibly prison time.
In addition governments need to start requiring their departments, contractors and other companies deemed critical to national interest (e.g. hospitals, prisons, chemical plants, refineries, power plants, banks, flood barriers etc.) to implement adequate prevention, detection, and recovery procedures to lessen the impact of attack. That would include things like hardened OS images, least privilege accounts, traffic analysis, segregated local networks, backups of important data, firewalls around servers and all that good stuff. It might be an effort to get there, but it's better than suffering an attack and having to do it any way.
"That would include things like hardened OS images, least privilege accounts, traffic analysis, segregated local networks, backups of important data, firewalls around servers and all that good stuff. It might be an effort to get there, but it's better than suffering an attack and having to do it any way."
But, but, but, all that costs money NOW. As opposed some vague, nebulous hand-wavey possible future risk that "won't happen to us".
Signed.
The Accountant.
Hah dream on
All it takes is an attatchment to an email from a 'friend' and the luser ignoring the sign that says "ANYONE OPENING A EMAIL ATTACHMENT WILL BE DIPPED IN BURNING OIL BEFORE BEING SPRAYED WITH ACID THEN FED TO ARMY ANTS"
And your 'secure' system is encrypted again
Me? cynical? naww the voice of reason(and experience)
"Just out of curiosity, what's Putins cut from the take?"
He doesn't need a share of the profits and may not want to be linked. Russia can offer a safe base of operation for any group that acts to weaken rivals and not against Russian interests. That's the quid pro quo.
That will not work.
There's already a strong incentive not to pay: it costs money, it's risky, it's bad PR, it looks bad to investors. Yet companies pay anyway, because the alternative is worse for them.
Executives can always find a proxy and construct plausible deniability for making payments. Prosecution would be very difficult, and prosecutors hate difficult prosecutions. (See Eisinger, The Chickenshit Club.)
And (as I keep pointing out) even reducing payments by orders of magnitude won't eliminate ransomware attacks, because the cost of mounting those attacks is extremely low.
Governments already promulgate all sorts of IT-security requirements. The Biden White House just issued a new batch. They haven't helped much yet, and there's no reason to believe they will in the foreseeable future.
It seems like ransom ware is becoming just another cost of doing business. The more reliable the crooks become, decrypting when paid and not further exploiting any information collected, the more acceptable the business case for paying.
I don't like it but that may be the least worse way ahead. Just saying protect your IT is a bit like just say no, someone will always say yes.
But you don't see a certain conflict of interest in an insurance company, that will write profitable policies against ransomware attacks, paying a ransomware gang and so enabling and encouraging it to commit further acts?
Rather like a house insurance company donating crowbars to the charming street urchins of the neighbourhood
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
