Blog | | by B. Kirchhoff
Ransomware – a threat for all businesses
During a pay and spray attack ransomware Petya devastatingly attacked IT systems of a number of industry giants.
Food processing multinational Mondelez, US-pharma producer Merck and the Russian oil giant Rosneft were likewise affected. Even the biggest Danish Container-Shipowner Maersk has directly been affected and with it a branch that pays little attention to the rising cyber threat. The cause of the incident was a piece of software, which can be purchased for less than $30 according to some sources. With the incident ransomware has become a publicly perceived threat to business in any industry. Yet, few people know what ransomware is and what damage it can potentially cause.
What is ransomware and which threat does it actually pose?
As the terms ransomware implies, it is software aimed at extorting payments from an affected party. It might infect computer systems in various ways, be it via social engineering meaning from a seemingly legitimate link from a trusted source (Mail, Skype, WhatsApp) or via an infected homepage or corrupted content of the flash player or adobe reader.
Attacks are being carried out with significant differences in regards to finesse and aim. So-called commoditized attacks are the most widespread. For a sum of less than 10,000 USD a ransomware toolkit can be purchased on the darkweb. The distribution strategy in this scenario is relatively random and is distributed via spam hoping to exploit weak or antiquated systems among the many potential victims. Since the initial investment can be considered low key, perpetrator’s motives range from organized crime to the political motives of hacktivists. According to a survey of Osterman Research 39% of the companies replied that they had been victims of a ransomware incident over the last year. Economic damages worldwide are estimated to amount to approximately five billion US-Dollars.
At the same time it would be negligent to dismiss ransomware as a tool, which can only be used randomly. Targeted attacks are just as much a part of the threat posed by the malicious software. In these incidents specific branches or sectors are targeted, often with prior knowledge of the weaknesses in the affected systems, which are then exploited by the virus. Even though there is no proof that WannaCry was specifically targeted at the British National Health System, it is widely known that the Health Sector is vulnerable due to its reliance of often outdated IT and software and that their data, is highly valuable at the same time. Concurrently, the business interruption caused by such attacks cannot be underestimated and hence ransom demands increase exponentially. As these types of attacks require a higher degree of familiarity with the affected systems and potentially inside knowledge the costs for these attacks is much higher and perpetrators are more likely to originate from organized crime.
Which other forms ransomware might take in the future remains to be seen. Due to the increasing number of claims the associated costs can be identified more and more clearly.
What are the costs of a ransomware attack and what do possible claim scenarios look like?
Overall one can distinguish between direct costs, which are directly resulting from ransomware and are difficult to avoid and slow-burn costs, which are consequences of the attack and depend largely on the severity of the initial incident.
The most direct and obvious cost is the ransom payment as such. While single payments per device may be very low, the overall impact on a company-wide network can add up to significant sums. Other direct costs include crisis management, public relations advisors and of course the forensic and restoration cots of the damaged units. Business Interruption on land and loss of hire at sea are likely to result in higher costs than the initial sums paid as ransom.
In the long-run the slow-burn costs add up to the direct costs. Litigation against third parties, such as clients and service providers, whose data might have been affected. Penalties due because of infringed regulations and finally the potential impact on the stock market should not be underestimated. Further, such incidents might bind substantial management capacities, which would otherwise be employed for different tasks.
Insurance for Cyber Extortion and Threat
Hansekuranz Kontor has been actively involved in the development of the Norwegian Hull Club Conditions for Marine Cyber Extortion and Threat insurance. Substantial emphasis has been placed on detailed threat assessment and exercises. The product covers all relevant direct costs emerging from ransomware incidents such as ransom monies, forensic costs, public relations advisors. Moreover, the threat of Loss of Hire and Business Interruption can be insured under the cover. In addition to ransomware cases the insurance covers wide-reaching extortion and threat scenarios in which stolen electronic information or business secrets are used to extort ransom payments.
On the land side Hansekuranz Kontor is working on extensions for its Global Protect Product in order to mitigate and cover the direct costs and the business interruption costs resulting from a cyber attack. As always prevention is key and our experienced crisis consultants will be available for a preventive meeting and training.
In any incident it is due course to emphasis Cybersecurity in all companies – for seafarers as much as landsmen.