Insurer: Size of Claims Paid for Ransomware Attacks Declines
Key Factors: Negotiating Lower Ransoms, Improving Recovery
Cyber insurance provider Coalition Inc. says its clients' average claims for losses when they were hit by a ransomware attack totaled $184,000 in the first half of this year, down 45% compared to the second half of 2020.
Losses resulting from ransomware attacks can include ransoms paid, recovery costs, breach response costs, lost income and more.
"Our data only accounts for incidents where the organization filed a claim and the losses were above the organization's deductible," the report says.
The decline in losses "is reflective of Coalition's efforts to negotiate ransoms on our policyholders' behalf and help them recover from data backups," the company says.
The insurer says it makes no recommendation to its clients when it comes to paying a ransom, but if the victim opts to pay, it will step in and handle the negotiations. In one example, the report says, the insurer was able to reduce a ransom payment from $200,000 to $75,000.
The legal intelligence firm JD Supra notes that most stand-alone cyber insurance policies include extortion coverage, covering costs to investigate a ransomware attack, negotiate with the hackers and make a ransom payment.
Overall, about 80% of organizations have a cyber insurance policy of some type, according to the research firm Statista.
Ransom Demands Rise
Coalition culled the loss data from ransomware attacks that took place among the company's 50,000 customers during the last 18 months. The average ransom demand made to policyholders rose to $1.2 million in the first half of 2021 vs. $444,000 during the first half of 2020, Coalition says.
But a recent report from the incident response firm Coveware found that the average ransom paid by a victim dropped by 38% in the second quarter of this year, compared to the first quarter, reaching $136,576.
Smaller Firms Also Targeted
Major ransomware attacks against large organizations, including Colonial Pipeline Co. and software firm Kaseya, have grabbed headlines in recent months. But Coalition notes that attacks against small and midsize business are growing.
"Historically, small and midsize businesses seemed to be off the radar of cybercriminals, but that has begun to change," the report says. "We've seen a material uptick in claims targeting small and midsize businesses, with the frequency of claims increasing by 57% for organizations with 250 employees or less."
Yet, when choosing a target, attackers seem to focus more on an organization's defenses than its size, according to the report.
Gangs Making Biggest Demands
During the 18 months the Coalition study covered, the gangs with the highest average ransom demands were Netwalker, Conti, REvil/Sodinokibi, MountLocker and Maze.
The insurer's analysis of its customers' experiences with ransomware shows that attacks involving the Netwalker gang, which was disrupted in January, carried the biggest average ransom demand: $8.4 million. By comparison, the Conti gang, which is still active, demanded an average of $4.3 million, while the recently shut down REvil, aka Sodinokibi, gang; MountLocker; and the defunct Maze gang each demanded ransoms that averaged $2 million.
Criminal Activity Shifting?
Coalition's report says many cybercriminals apparently are shifting away from ransomware toward other forms of attacks, such as file transfer fraud and business email compromises. That's because these other cybercrimes can be conducted by less sophisticated groups, the insurer says.
For the first half of this year, ransomware incidents accounted for 22% of attacks targeting Coalition's clients, compared to 41% in the same period a year ago, the insurer reports.
File transfer fraud attacks accounted for 25% of the incidents in the first half of 2021, while BEC attacks accounted for 23%. Average losses due to file transfer fraud rose from $117,000 in the first half of 2020 to $326,000 during the first half of this year, the insurer says. It did not provide estimates for BEC losses.
"FTF is most often perpetrated through phishing and email compromise followed by social engineering. Once a criminal has access to a mailbox, they are able to manipulate contacts connected to that mailbox to modify payment instructions or otherwise make fraudulent payments," the report says.
Despite the shift in criminal activity, Coalition says ransomware attacks will continue to account for substantial losses in the months to come. That's because ransomware offers potential for much bigger profits, the necessary tools are available for purchase on the darknet, and many companies fail to take the necessary steps to block or recover from ransomware attacks.