Why ransomware is still a threat to your cyber clients

By Jason Contant | August 31, 2023 | Last updated on October 30, 2024
3 min read
Ransomware attack on a business computer|Cyber hackers encrypting and stealing data
iStock.com/AndreyPopov|

Ransomware is “almost certainly the most disruptive form of cybercrime facing Canada” because it’s pervasive and can have a serious impact on an organization’s ability to function, said a new report from the Canadian Centre for Cyber Security.

However, it’s more likely cybercriminals will target your clients’ industry sectors than the insurance industry in general, suggested the Baseline cyber threat assessment: Cybercrime report, released Monday with support from the RCMP.

An analysis of Canadian victims of ransomware in 2022 by sector found “ransomware has victimized a wide assortment of Canadian organizations with no discernable pattern based on sector.” That said, the manufacturing sector saw 18% of ransomware victims in Canada, followed by business and professional services at 14%.

The insurance sector amounted to only 1% of victims, according to the report.

This finding appears to conflict with an industry source who said during a virtual symposium in April 2022 that cybercriminals are specifically searching for terms like ‘insurance’ when looking for data.

“They will look for search terms like ‘insurance,’ interestingly enough,” said Imran Ahmad, a partner at Norton Rose Fulbright Canada LLP and head of technology/co-chair of data protection, privacy & cybersecurity. “They will look for ‘HR,’ they will look for personal information, customer data and pull that information out.”

Cyber hackers encrypting and stealing data

iStock.com/chunyawut sangkla

The Canadian Centre for Cyber Security’s report addressed cybercrime’s early history, the development of the most significant cybercrime tactics, techniques and procedures, as well as the nature of the global cybercrime threat and its implications for Canada.

The study also concluded:

  • Organized cybercrime will very likely pose a threat to Canada’s national security and economic prosperity over the next two years;
  • Financially motivated cybercriminals will almost certainly continue to target high-value organizations in critical infrastructure sectors in Canada and around the world over the next two years; and
  • Russia and, to a lesser extent, Iran will very likely act as cybercrime safe havens from which cybercriminals based within their borders can operate against Western targets.

For ransomware in particular, cybersecurity reporting indicates ransom payments have increased since 2020, likely driven in part by increasingly significant demands against larger organizations. “The emergence of cyber insurance policies which cover ransomware payments may have implications for the prevalence of ransomware in Canada,” the report said, but didn’t elaborate.

Some in the P&C industry have observed that if cybercriminals know their victims are insured for ransomware, they may be able to extract larger ransom payments from insureds.

But paying a ransom doesn’t guarantee a victim’s systems will be restored, that they will not be targetted again in the future, or even that exfiltrated data will be deleted by the cybercriminal.

One Telus survey of more than 450 Canadian businesses found only 42% of organizations who paid a ransom had their data completely restored. And some ransomware operators retained backdoor access to victim’s networks following a ransom payment.

To pay or not to pay a ransom has been a hot debate within the insurance industry. Ahmad said there are three scenarios where a client may want to consider payment:

  • Data is encrypted and it’s having a significant operational impact on the organization. If the ransom amount is “reasonable enough,” a company may consider paying;
  • You may be able to restore from backups, but the data is really sensitive. This may affect business-to-consumer clients who hold consumer, health or financial data collected in large quantities over multiple years. Clients may have an incentive to pay for the data to be deleted or recovered, even though they may be able to recover it themselves;
  • The client has good backups and is able to restore the data, which is not particularly sensitive, but is embarrassing, Ahmad said. “You certainly don’t want the name of the company or the organization to be out there, so you may be willing to pay a ‘nuisance payment.’”

 

Feature image by iStock.com/AndreyPopov

Jason Contant