How ransomware insurance that protects companies and communities can also embolden criminals

Spurred by reports of criminals hijacking computer networks and demanding payment, many governments and companies are buying insurance against these high-tech crimes. But security experts warn that insuring against attacks — and, in particular, paying ransoms — is likely only to embolden criminals.

A look at the pros and cons of coverage that promises a quicker recovery from a cyberattack

A sign taped to a door in Baltimore, Md., in May 2019 warns citizens about a ransomware attack that paralyzed the city's computer systems. (Stephanie Keith/Reuters)

To town councillors in Essex, Ont., it sounded like an expensive, if necessary, proposal.

At a public meeting last August, the town's insurance provider pitched a new type of policy that he said a growing number of municipalities are buying: coverage against cyberattacks.

"By purchasing this layer of protection, you can have a little peace of mind," Wally McNeilly, of Aon Risk Solutions, told the councillors.

Spurred by reports of criminals hijacking computer networks and demanding payment, more and more local governments and companies are purchasing specialized insurance coverage against these high-tech crimes. However, some security experts warn that insuring against attacks — and, in particular, paying ransoms — is likely to embolden hackers by increasing their confidence they can get paid. 

A laptop displays code, part of the Petya strain of ransomware, in Kyiv, Ukraine, in 2017. (Valentyn Ogirenko/Reuters)

In Essex, near southwestern Ontario's border with Michigan, the insurer offered a $15,000 plan for the remainder of the year, covering a variety of expenses that could be incurred in the event the town's computer network were infected with malicious code: legal costs, regulatory fees, IT assistance and a ransom payment of up to $1 million.

Some officials questioned the price of the coverage. Considering the additional $5,000 deductible, Coun. Chris Vander Doelen pointed out that, in Essex, a town of 20,000 people, "that's about a dollar per head."

Still, council approved the coverage, perhaps fearing what happened in Wasaga Beach, Ont., in 2018. McNeilly described how the town was forced to pay a $35,000 ransom when its network was held hostage, on top of $250,000 in additional costs from the attack, including overtime for staff.

"There's no industry that's not picked on anymore when it comes to cybercrime," he said.

The recent case of an unnamed Canadian company paying a $950,000 US ransom through its U.K.-based insurer has only highlighted the problem further. Other victims, including the Nunavut government and a Prairie-wide insurance firm, have publicly refused to pay a ransom, despite being locked out of their computers, resulting in losses of productivity and, in some cases, data.

Insurance coverage on the rise

In a 2019 global survey carried out for Microsoft and insurance broker Marsh, 47 per cent of businesses said they carry cybercrime insurance, up from 34 per cent in 2017.

Premiums collected by this country's insurance industry for such coverage have also been growing in recent years, said Ryan Stein, the Insurance Bureau of Canada's executive director of policy, though he didn't cite exact figures. He recommends all companies talk to their provider "about their cyber risk and make sure they're properly covered for it."

But as the insurance industry makes more money from the policies, criminal networks appear to be profiting, too, by demanding more expensive ransoms.

The Ryuk strain of malware is known to store a ransom note in infected computers. (Thomas Daigle/CBC)

Criminals making more money, too

In the fourth quarter of 2019, the average ransom payment cost $84,116 US — more than double the amount in the previous quarter ($41,179 US), according to Coveware, a Connecticut-based firm that negotiates ransom payments and ensures data recovery.

"The sophistication of the attackers has gone up and they've been going after larger and larger companies," said Coveware CEO Bill Siegel.

He said hackers are now penetrating computer networks and surveilling organizations to gauge their ability to pay, all before encrypting any data.

A group called Maze has even taken to posting a list of its ransomware victims online, threatening to share the firms' stolen information if they don't pay up. Multinational construction firm Bouygues was recently targeted with a data dump, months after one of its Canadian offices was compromised by malicious code.

'They're completely emboldened'

Security experts have warned that some insurance firms may be too quick to pay ransom — judging that it's faster and cheaper (and more likely to work) than attempting to recover data manually with technical expertise. The problem, experts say, is that paying only encourages hackers to spread more malware.

The quick payments have "created a very unhealthy growth pattern in these cybercriminal syndicates ... they're completely emboldened," Theresa Payton, a former chief information officer in the George W. Bush White House, said in a telephone interview.

Now the CEO of U.S. cybersecurity firm Fortalice Solutions, Payton said she's seen cases where a company pays the ransom and receives the hackers' decryption keys as promised, only to discover the tools don't release all the locked files.

Law enforcement agencies, including the RCMP, generally advise against paying ransom, but they understand that in some circumstances — such as when companies don't have critical data backed up — an alternative solution can be hard to find. If a ransom is paid, they urge victims to notify police.

Theresa Payton speaks on Capitol Hill during her time as the White House's chief information officer in 2008. (Manuel Balce Ceneta/The Associated Press)

"If the insurance companies would lock arms with the rest of us" and make efforts not to pay, Payton said, "we could turn the tide."

Payton doesn't fault the organizations that feel the need to pay to restore their systems quickly, but she said insurers should agree to avoid paying if at all possible. She also does not discourage firms from buying insurance coverage.

There are some alternatives. For instance, the No More Ransom Project, involving the European police agency Europol and antivirus makers, collects decryption tools and provides them to ransomware victims for free. But that doesn't always work.

There's been no indication the town of Essex has been targeted in any cyberattack, or otherwise had to use its new insurance. The municipality's IT manager didn't respond to a request for comment.

At the council meeting last summer, Coun. Sherry Bondy summed up the dilemma facing Essex, as well as other towns and companies. She said she didn't mind paying for the insurance. 

"But I never want to use it."

ABOUT THE AUTHOR

Thomas Daigle

Senior Reporter

Thomas is a CBC News reporter based in Toronto. In recent years, he has covered some of the biggest stories in the world, from the 2015 Paris attacks to the Tokyo Olympics and the funeral of Queen Elizabeth II. He's reported from the Lac-Mégantic rail disaster, the Freedom Convoy protest in Ottawa and the Pope's visit to Canada aimed at reconciliation with Indigenous people. Thomas can be reached at thomas.daigle@cbc.ca.