Ransomware incidents—cyberattacks in which bad actors demand payment in exchange for encrypted files—are a frighteningly common fixture of our modern era. But more troubling is that the number of attacks may be rising due, in part, to the insurance companies tasked with dealing with the fallout in the event of such a crime, according to a new report.
ProPublica this week published an investigation into insurers who deal in the booming business of covering cybersecurity incidents and how they handle claims. The report claims that the companies prefer to fork over the tens or even hundreds of thousands of dollars in ransom—ostensibly to minimize the detriment to the affected party, as damages from such an attack can add up to multi-million dollar hits. But according to ProPublica, insurance companies are “both fueling and benefiting from” ransomware attacks by opting to pay ransoms, in some cases “even when alternatives such as saved backup files may be available,” as the outlet previously reported in May.
Ransomware incidents can throw a wrench into the day-to-day business operations of targeted municipalities and businesses. However, the report cited lengthy and costly recovery of backup files—in cases where such data is available—as a motive for insurers to acquiesce to the demands of bad actors behind the attacks. File recovery, ProPublica reported, can add up if an insurer needs to cover costs like overtime for employees or public relations efforts to deal with the aftermath of an attack, among other expenses.
But successful ransomware schemes—that is, those that are able to elicit payment from victims—only help fuel more ransomware incidents. As the report noted, both the government and cybersecurity experts advise against paying ransoms for stolen data for many reasons, foremost among them that paying up doesn’t necessarily resolve the issue.
Joel DeCapua, a supervisory special agent for the cyber crimes division of the FBI, told cybersecurity services firm Symantec last year that, in addition to effectively boosting the proliferation of malware attacks by paying ransoms, “organizations that pay a ransom think their problems are over. But a lot of times there’s a lot of nasty malware left on their systems that they don’t know about. You can pay, but there’s still malware on there, re-infecting the system or stealing information.”
Fabian Wosar, CTO for virus protection company Emsisoft, told ProPublica that cybercrime insurance “is what’s keeping ransomware alive today. It’s a perverted relationship. They will pay anything, as long as it is cheaper than the loss of revenue they have to cover otherwise.”
And the cost of managing the aftermath of a ransomware attack can be huge. It was reported in June that the cost to the city of Baltimore after it refused to pay hackers 13 bitcoin was somewhere in the neighborhood of $18 million, with the possibility of additional costs over time. The Baltimore Sun reported Wednesday that the city voted to transfer $6 million from a parks and facilities fund to help cover the costs to the city.
In the wake of the incident, Mayor Bernard “Jack” Young is reportedly weighing whether the city should purchase cyber insurance.