ransomware — Criminal violence - Property Crime: Fraud - Money laundering - theft and robbery - homicide - rape - extortion - arson — Read-Me.Org -Open Access to All
Read-Me.Org
Open Access Publisher and Free Library
01-crime.jpg

CRIME

CRIME-VIOLENT & NON-VIOLENT-FINANCLIAL-CYBER

Posts tagged ransomware
Cyber Insurance and the Ransomware Challenge 

By Jamie MacColl, James Sullivan, Jason R C Nurse, Sarah Turner, Gareth Mott, Edward Cartwright and Anna Cartwright  

The cyber insurance industry has been heavily criticised for providing coverage for ransom payments. A frequent accusation, which has become close to perceived wisdom in policymaking and cyber security discussions on ransomware, is that cyber insurance has incentivised victims to pay a ransom following a cyber incident, rather than seek alternative remediation options. Over a 12-month research project, researchers from RUSI, the University of Kent, De Montfort University and Oxford Brookes University conducted a series of expert interviews and workshops to explore the relationship between cyber insurance and ransomware in depth. This paper argues that there is, in fact, no compelling evidence that victims with cyber insurance are much more likely to pay ransoms than those without. Ransomware remains one of the most persistent cyber threats facing the UK. Despite a range of government, law enforcement and even military cyber unit initiatives, ransomware remains lucrative for criminals. During this research, we identified three main drivers that ensure its continued success: 1. A profitable business model that continues to find innovative ways to extort victims. 2. Challenges around securing organisations of all sizes. 3. The low costs and risks for cybercriminals involved in the ransomware ecosystem, both in terms of the barriers to entry and the prospect of punishment. Despite this perfect storm of factors, the cyber insurance industry has been singled out for criticism with the claim that it is funding organised cybercrime by covering ransom payments. In reality, cyber insurance’s influence on victim decision-making is considerably more nuanced than the public debate has captured so far. While there is evidence that cyber insurance policies exfiltrated during attacks are used as leverage in negotiations and to set higher ransom demands, the conclusion that ransomware operators are deliberately targeting organisations with insurance has been overstated. However, the insurance industry could do much more to instil discipline in both insureds and the ransomware response ecosystem in relation to ransom payments to reduce cybercriminals’ profits. Insurers’ role as convenors of incident response services gives them considerable power to reward firms that drive best practices and only guide victims towards payment as a last resort. But the lack of clearly defined negotiation protocols and the challenges around learning from incidents make it difficult to develop a sense of collective responsibility and shared best  practices around ransomware response. This has not been helped by the UK government’s black-and-white position on ransom payments, which has created a vacuum of assurance and advice on best practices for ransom negotiations and payments. This paper does not advocate for an outright ban on ransom payments or for stopping insurers from providing coverage for them. Instead, it makes the case for interventions that would improve market-wide ransom discipline so that fewer victims pay ransoms, or pay lower demands. Ultimately, this involves creating more pathways for victims that do not result in ransom payments. Beyond ransom payments, cyber insurance has a growing role in raising cyber security standards, which could make it more difficult to successfully compromise victims and increase costs for ransomware operators. Successive years of losses from ransomware have led to more stringent security requirements and risk selection by underwriters. Although the overall effect of this on the frequency and severity of ransomware attacks remains to be seen, by linking improvements in security practices to coverage, cyber insurance is currently one of the few market-based levers for incentivising organisations to implement security controls and resilience measures. However, continued challenges around collecting and assessing reliable cyber risk and forensic claims data continue to place limits on the market’s effectiveness as a mechanism for reducing ransomware risk. This, along with cyber insurance’s low market penetration, makes clear that cyber insurance should not be treated as a substitute for the legislation and regulation required to improve minimum cyber security standards and resilience. Insurers are also commercial entities that primarily exist to help organisations transfer risk, rather than to improve national security and societal cyber resilience. The cyber insurance industry could be a valuable partner for the UK government through increased ransomware attack and payment reporting, sharing aggregated claims data, and distributing National Cyber Security Centre (NCSC) guidance and intelligence to organisations. However, the government has not made a compelling enough case to insurers and insureds about the benefits of doing so. Instead, it has relied on appealing to their general sense of altruism. While insurers will benefit if governments are able to generate more accurate and actionable data on ransomware, albeit indirectly, this needs to be sold to the industry in a more convincing way. Some principles and recommendations for both the insurance industry and the UK government are listed below. These are not designed to solve all the challenges of the cyber insurance market, nor do they present wide-ranging solutions to the ransomware challenge. Instead, they focus on where the cyber insurance industry can have the most impact on key ransomware drivers. This reflects the fact that disrupting the ransomware economy involves applying pressure from different angles in a whole-of-society approach. The recommendations also start from the position that the UK government’s light-touch approach is unsustainable and requires more intervention in private markets that are involved in ransomware prevention and response. While they are specifically aimed at UK policymakers, regulators and insurers, they may be applicable to other national contexts     

London: Royal United Services Institute for Defence and Security Studies, 2023.  84p.

Rule of Law, Justice, CrimeRead-Me.Orgransomware, insurance coverage, negotiation protocols, cyber resilience, policy recommendations
Cyber Insurance and the Cyber Security Challenge 

By Jamie MacColl, Jason R C Nurse and James Sullivan 

  GOVERNMENTS AND BUSINESSES are struggling to cope with the scale and complexity of managing cyber risk. Over the last year, remote working, rapid digitalisation and the need for increased connectivity have emphasised the cyber security challenge. As the pursuit of approaches to prevent, mitigate and recover from malicious cyber activity has progressed, one tool that has gained traction is cyber insurance. If it can follow the path of other insurance classes, it could play a significant role in managing digital risk. This paper explores whether cyber insurance can incentivise better cyber security practices among policyholders. It finds that the shortcomings of cyber insurance mean that its contribution to improving cyber security practices is more limited than policymakers and businesses might hope. Although several means by which cyber insurance can incentivise better cyber security practices are identified, they have significant limitations. Interviewees from across government, industry and business consistently stated that the positive effects of cyber insurance on cyber security have yet to fully materialise. While some mature insurers are moving in the right direction, cyber insurance as a whole is still struggling to move from theory into practice when it comes to incentivising cyber security. If this is to change, the insurance industry must overcome significant challenges. One is the competitiveness of the nascent cyber insurance market over the last two decades. Most of the market has used neither carrots (financial incentives) nor sticks (security obligations) to improve the cyber security practices of policyholders. The industry is also struggling to collect and share reliable cyber risk data that can inform underwriting and risk modelling. The difficulties inherent in understanding cyber risk, which is anthropogenic and systemic, mean insurers and reinsurers are unable to accurately quantify its causes and effects. This limits insurers’ ability to accurately assess an organisation’s risk profile or security practices and price policy premiums accordingly. The spectre of systemic incidents such as NotPetya1 and SolarWinds2 has also limited the availability of capital for cyber insurance markets. However, the most pressing challenge currently facing the industry is ransomware. Although it is a societal problem, cyber insurers have received considerable criticism for facilitating ransom payments to cybercriminals. These add fuel to the fire by incentivising cybercriminals’ engagement in ransomware operations and enabling existing operators to invest in and expand their capabilities. Growing losses from ransomware attacks have also emphasised that the current reality is not sustainable for insurers either.

To overcome these challenges and champion the positive effects of cyber insurance, this paper calls for a series of interventions from government and industry. Some in the industry favour allowing the market to mature on its own, but it will not be possible to rely on changing market forces alone. To date, the UK government has taken a light-touch approach to the cyber insurance industry. With the market undergoing changes amid growing losses, more coordinated action by government and regulators is necessary to help the industry reach its full potential. The interventions recommended here are still relatively light, and reflect the fact that cyber insurance is only a potential incentive for managing societal cyber risk. They include: developing guidance for minimum security standards for underwriting; expanding data collection and data sharing; mandating cyber insurance for government suppliers; and creating a new collaborative approach between insurers and intelligence and law enforcement agencies around ransomware. Finally, although a well-functioning cyber insurance industry could improve cyber security practices on a societal scale, it is not a silver bullet for the cyber security challenge. It is important to remember that the primary purpose of cyber insurance is not to improve cyber security, but to transfer residual risk. As such, it should be one of many tools that governments and businesses can draw on to manage cyber risk more effectively.   

RUSI Occasional Paper, June 2021, London: Royal United Services Institute for Defence and Security Studies , 2021. 68p.

Social Science, Rule of Law, CrimeRead-Me.Orgcyber insurance, cyber risk, digital security, ransomware, insurance market, cybersecurity policy
Reconceptualising organised (cyber)crime: The case of ransomware

By Chad Whelan, David Bright, and James Martin

The concept of organised cybercrime has been the subject of much debate over the last decade. Many researchers who have applied scholarly definitions of organised crime to cyber-criminal groups have concluded that such groups are not “organised criminal groups” and do not engage in “organised crime”. This paper adopts a different perspective to argue that certain cyber-criminal groups involved in ransomware can and should be considered organised crime if a more contemporary and flexible framework for conceptualising organised crime is adopted. We make this argument using three primary domains of organised crime first described by von Lampe: criminal activities, offender social structures, and extra-legal governance. We narrow in on the concepts of violence and extra-legal governance in particular as they have been interpreted to hold significant differences for criminal groups operating in physical and digital domains. The paper argues that it is time to move on from criminological debates regarding whether organised cybercrime can exist to focus on the many rich questions that researchers can take from organised crime scholarship and apply to cyber-criminal groups. We put forward a reconceptualisation of organised cybercrime towards this end.

Journal of Criminology, 0(0). https://doi.org/10.1177/26338076231199793, Preprint 2023.

violence and oppression, PreventionGuest Userorganized (cyber)crime, ransomware, cyber-criminal groups
Insurance as Crime Governance: Comparing Kidnap for Ransom and Ransomware

By Anja Shortland, Tom Keatinge and Jamie MacColl

Ransomware has become a major risk to global business and undermines national economic and societal resilience. Some consider that generous insurance-funded ransom payments are a major contributor to the problem, but many think insurance should be part of the solution. This report examines research activities investigating ‘insurance as governance’ in the field of extortive crime. Insurers have a financial interest in limiting the losses they cover. It is commonly known that insurers routinely manage moral hazard and adverse selection among the insured population by incentivising behaviour that limits risk and penalises excessive risk taking. Insurers also create processes that reduce the overall cost of claims by making it more difficult for third parties to benefit from the insurance relationship.

This report applies this approach to insurance as crime governance.

violence and oppressionRead-Me.Orgkidnapping, ransom, ransomware, governance
Ransomware. Defending Against Digital Extortion

By Allan Liska and Timothy Gallo

The biggest online threat to businesses and consumers today is ransomware, a category of malware that can encrypt your computer files until you pay a ransom to unlock them. With this practical book, you'll learn how easily ransomware can infect your system and what steps you can take to stop the attack before it sets foot in your network. Security experts Allan Liska and Timothy Gallo explain how the success of these attacks has spawned not only several variants of ransomware, but also a litany of ever-changing ways they're delivered to targets. You'll learn pragmatic methods for responding quickly to a ransomware attack, as well as how to protect yourself from becoming infected in the first place"

Sebastopol, CA: O'Reilly Media, 2017. 174p.

violence and oppression, Social SciencesRead-Me.Orgextortion, ransomware, cyber crime