Modeling fundamentals: Systemic ransomware cyber risk
By Bethany Vohlers | November 10, 2020
A single systemic ransomware event has the potential to trigger multiple claims from domino-like disruption that can generate widespread, aggregate losses across otherwise independent insureds. Economic loss from a major systemic ransomware attack could exceed USD 15 billion, inflicting significant damage to the global economy, and significant losses to re/insurers’ portfolios without well-managed cyber risk.
The most recent update to Verisk’s cyber risk modeling platform comprises a comprehensive set of fully probabilistic models, including individual risk models, aggregation risk models, and the systemic ransomware model. The platform supports systemic ransomware by focusing on events that threaten the largest losses and are historically represented by such events as WannaCry and NotPetya. The platform also leverages a fast analytics engine that accurately models insurance terms specific to cyber threats and uses public application programming interfaces (APIs) to integrate analytics into internal applications, enabling clients to make better decisions on cyber risk selection, portfolio management, and risk transfer.
In this article, we describe systemic ransomware, the difference between targeted and systemic ransomware, types of ransomware risks, how and why threat actors use systemic ransomware, the impacts of the WannaCry and NotPetya attacks, and finally how the risk of systemic ransomware cyber events can be quantified and managed using Verisk’s cyber risk modeling platform.
Systemic Ransomware: A substantial threat
Emerging as a distinct and potentially costly peril in recent years, systemic ransomware has evolved from a cyber lineage nearly as old as the Internet itself. The characteristics of the systemic ransomware now disrupting digital assets globally reflect both age-old tactics of cyber attacks and newly developed technologies refined by the successes and failures of predecessor malware. State-of-the-art systemic ransomware attack models can fuse the rapid- and widespread-propagation capabilities of Internet and network worms with the significant business disruption of ransomware.
Types of Ransomware Risks: Targeted and systemic
The hundreds of ransomware variants in circulation today give cyber criminals a rich arsenal of weapons. Although this aggressive malware employs numerous techniques to support differing attack campaigns and disruption strategies (see the “Techniques employed to support systemic ransomware attacks” section), the most prevalent ransomware threats fall into two broad categories: targeted and systemic. Targeted ransomware is generally either commodity or opportunistic ransomware.
The majority of today’s ransomware attacks stem from targeted variants, with a growing trend towards refined targeted strategies that enable attackers to demand higher ransoms and increase data exfiltration (copying, transferring, or retrieving an individual’s or company’s data from a computer or server without authorization, itself a growing trend in targeted ransomware). Although these ransomware variants pose a considerable threat to organizations and individuals, they lack the extreme potential of systemic ransomware events, which can self-propagate and spread rapidly over groups of aggregated exposures.
Aimed at a specific organization or a single insured, targeted ransomware almost always requires some level of human intervention to deploy or execute. Often focused on financial reward (e.g., ransom payout), rather than business interruption, targeted attacks quite often are tailored to the target organization or individual. Also, threat actors operating targeted attacks often have access to enterprise networks for extended periods of time, which increases the opportunities for data exfiltration and in turn increases data breach and liability costs.
Commodity ransomware is generally developed by “professional” malware authors and then packaged and sold online as a self-contained service; it is usually deployed via phishing campaigns or other low-effort entry points, exploiting human error to gain access to a target’s network. Targets tend to be a single organization and might be selected for a variety of reasons: high revenue, known to be vulnerable, or even personal motivations.
Opportunistic ransomware might be developed by experienced hackers, but the attacks tend to be relatively unsophisticated because they rely on easily accessed entry points. Unlike commodity ransomware, opportunistic ransomware generally is used by the malware authors, using exploit kits, existing backdoors, open ports, unsecured VPN connections, lack of patching, and other entry points. Targets often are organizations with known vulnerabilities. Once in, threat actors must act quickly to navigate the network and maximize their impact.
In contrast to targeted commodity and opportunistic ransomware, systemic ransomware has the potential to impact more than one organization in an attack and generally does not rely on hands-on action by threat actors. A self-propagating malware, systemic ransomware impacts multiple organizations either one at a time or in quick succession. By leveraging advanced, innovative worm-like techniques, systemic ransomware can rapidly extend its reach without requiring any attacker intervention. The powerful self-propagation techniques employed enable the ransomware to spread rapidly across networks and over the Internet. Unlike targeted commodity and opportunistic ransomware attacks, systemic ransomware events are unlikely to involve data exfiltration because threat actors generally lack the resources or opportunities to navigate individual victims’ networks to locate business-critical data.
Like all ransomware, systemic ransomware disrupts the digital assets of organizations (and sometimes individuals) by encrypting data and threatening to destroy that data and/or make it public in exchange for ransom, or to cause damage through business interruption or reputational assault. Delivered via phishing emails or malicious content downloaded from compromised websites, as well as with more sophisticated methods of infection, systemic ransomware endeavors to exploit myriad digital vulnerabilities in people, processes, and technology to deploy and spread rapidly across networks. Ransom—cyber extortion—can be leveraged on threats to lock access to devices and files and can restrict the use of potentially business-critical systems.
Because of the large scale of systemic attacks, systemic ransomware events generally have lower ransom demands than targeted ransomware due to the difficulty of tailoring ransom demands to victims’ abilities to pay (as is customary with targeted variants) and because keeping ransom demands low increases the likelihood that infected organizations will choose to pay the ransom rather than try to recover data via other methods. Ransom payment demands also almost always specify cryptocurrency. Almost any organization can be impacted by systemic ransomware.
Techniques employed to support systemic ransomware attacks
Threat actors today have a plethora of techniques at their disposal to support a systemic ransomware attack campaign strategy, based on the scale of the incursion, the distribution methods used, and the organizations affected. A number of vulnerabilities can be exploited—operating systems, common software, or even human frailties (e.g., susceptibility to phishing)—and the malware can zero in on a specific geopolitical region. What is infected, by which vector, and the attack’s desired outcome (e.g., a quick payout versus maximal business disruption) are considerations for actors designing a campaign.
The innovative techniques—and broad, substantial financial and/or business interruption impacts—that so uniquely characterize systemic ransomware require a high level of skill and sophistication. Threat actors must effectively leverage advanced technologies, molding the malware to the attack’s intended scope and objectives. The heavy demand on resources and proficiency of systemic ransomware increases the likelihood of the involvement of nation-state and sub-nationalist groups with these events, which in turn increases the likelihood of geo-political or intelligence-based motives to disrupt or destroy systems and data. As a result, systemic ransomware events often prioritize network downtime and system failure over financial gain.
WannaCry and NotPetya: The impacts of two catastrophic systemic ransomware events
Two catastrophic systemic ransomware events in 2017 reveal the grievous impacts of this self-propagating malware.
WannaCry, a global, nation state–driven attack, exploited a wormable vulnerability in a popular operating system using the exploit known as “EternalBlue.” The worm probed for appropriate vulnerable ports and, when successful, installed a back door for further exploitation and propagation. Although not all machines meeting the point of aggregation (PoA) constraint were affected, WannaCry’s unique mechanics enabled it to propagate beyond its initial device and spread its payload onto vulnerable systems on both internal and external networks. An estimated 400,000 organizations in 150 countries were infected, including governmental bodies, hospitals, manufacturing facilities, and universities. One of the most significant ransomware attacks to date, WannaCry resulted in considerable downtime and business interruption.
NotPetya leveraged the same EternalBlue exploit to corrupt an otherwise valid Ukrainian accounting-software update. Although geo-targeted at Ukrainian companies, NotPetya pushed its payload across dozens of corporate networks, affecting a broad swath of industries, from energy, shipping, steel, and transport to food, law, and software. The sophisticated NotPetya ransomware propagated expeditiously, and secondary infections occurred globally, with machines compromised in organizations that simply had infrastructure in Ukraine. NotPetya went far beyond encrypting the master boot records and committed other malicious acts, such as credential theft, token impersonation, propagation and remote execution of malware, physical drive manipulation, system shutdown, and anti-forensics. NotPetya’s business interruption objective became clear when impacted organizations discovered that ransom demands were simply a distraction and decryption was not possible. Verisk estimated insured loss at $3.6 billion, and affirmative cyber at $320 million.
Unlike natural disasters, whose risk can be correlated by easily verifiable geographic location, systemic cyber risk creates a far more challenging landscape to navigate, as WannaCry and NotPetya well illustrate.
Quantifying and managing systemic ransomware cyber risk
Verisk’s cyber systemic ransomware model leverages a market share approach, with detailed data for more than 100,000 companies worldwide. The model helps organizations analyze systemic ransomware events by estimating aggregated losses from significant simulated and historical global-scale ransomware attacks, such as the costly WannaCry and NotPetya events. The model considers four PoIs (probabilities of infection)—operating system, geocoded Internet infrastructure location, cyber hygiene, and industry—as well as the stochastic probability of infection and the downtime duration to understand the potential spread and severity of events, including the financial impact. The model’s 50,000-year stochastic catalog of events includes approximately 30,000 events of varying severities, with events defined by these parameters.
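To make the aggregation idea concrete, here is an added toy model (example code written for this article, not Verisk’s model or code; the factor weights, the multiplicative PoI form, the one-event-per-year catalog, the downtime range and the four-insured portfolio are all constructed assumptions). Each insured gets a probability of infection from the four factors named above, one simulated event exposes every insured at once, and the ranked annual losses give the loss at a chosen return period:

```python
import random
from collections import namedtuple

# Assumed per-factor contributions to the probability of infection (PoI):
# constructed illustrative weights, not Verisk's calibrated parameters.
OS_POI = {"legacy_unpatched": 0.6, "current_patched": 0.05}
REGION_POI = {"targeted_region": 0.9, "other": 0.3}
HYGIENE_POI = {"poor": 0.8, "good": 0.2}
INDUSTRY_POI = {"manufacturing": 0.7, "healthcare": 0.6, "finance": 0.4}
# daily_bi_loss: business-interruption loss per day of downtime (constructed)
Insured = namedtuple("Insured", "name os region hygiene industry daily_bi_loss")

def infection_probability(ins):
    """Combine the four PoI factors (assumed multiplicative form)."""
    return (OS_POI[ins.os] * REGION_POI[ins.region]
            * HYGIENE_POI[ins.hygiene] * INDUSTRY_POI[ins.industry])

def event_loss(portfolio, severity, rng, downtime_days=(1, 14)):
    """Aggregate loss from one systemic event exposing every insured at once."""
    total = 0.0
    for ins in portfolio:
        if rng.random() < severity * infection_probability(ins):  # infected?
            total += rng.uniform(*downtime_days) * ins.daily_bi_loss
    return total

def simulate_catalog(portfolio, years, annual_event_prob, seed=0):
    """Stochastic catalog of annual aggregate losses (at most one event/year)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        hit = rng.random() < annual_event_prob
        losses.append(event_loss(portfolio, rng.uniform(0.2, 1.0), rng) if hit else 0.0)
    return losses

def return_period_loss(annual_losses, return_period):
    """Annual loss exceeded on average once every `return_period` years."""
    assert return_period <= len(annual_losses), "catalog shorter than return period"
    ranked = sorted(annual_losses, reverse=True)
    return ranked[len(annual_losses) // return_period - 1]

PORTFOLIO = [  # constructed sample portfolio of four insureds
    Insured("A", "legacy_unpatched", "targeted_region", "poor", "manufacturing", 200_000),
    Insured("B", "current_patched", "other", "good", "finance", 500_000),
    Insured("C", "legacy_unpatched", "other", "poor", "healthcare", 150_000),
    Insured("D", "current_patched", "targeted_region", "good", "manufacturing", 300_000),
]

if __name__ == "__main__":  # 50,000-year catalog, as in the article
    losses = simulate_catalog(PORTFOLIO, 50_000, 0.1)
    print({rp: round(return_period_loss(losses, rp)) for rp in (10, 100, 1000)})
```

Because every insured is exposed by the same event, the tail of the annual-loss distribution is driven by years in which several insureds are hit together, which is the correlation that independent per-insured models miss.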
Systemic ransomware has emerged as one of the most substantial cyber threats facing today’s interconnected world, with the potential of severe losses across an insurance portfolio. Verisk’s cyber modeling platform enables insurers to regularly measure and monitor the accumulation of risk within a portfolio by providing insurers with critical insights to help inform underwriting and portfolio management decisions.
To learn more about the Verisk Cyber Solutions Suite, please visit our webpage.