
Cyber insurance report shows surge in ransomware claims

Coalition's H1 2023 report shows ransomware activity increased and severity reached "historic" highs as businesses lost an average of more than $365,000 following an attack.

A new report by cyber insurer Coalition showed ransomware claims increased by 27% during the first half of 2023 and led to debilitating losses.

The "2023 Cyber Claims Report: Mid-year Update" features data from Coalition customers across the U.S., ranging from businesses with less than $25 million in revenue to more than $100 million. While funds transfer fraud and business email compromise remained significant attack avenues, ransomware claims saw a resurgence after an 18-month decline.

Coalition identified ransomware as the main driver behind a 12% increase in overall claims frequency observed in the first half of 2023. The attack type accounted for 19% of all reported claims to the cyber insurer, with the Royal and BlackCat/Alphv ransomware gangs causing the most trouble for policyholders.

"Ransomware claims severity reached a record high in 1H 2023 with an average loss amount of more than $365,000. This spike represents a 61% increase within six months and a 117% increase within one year," Coalition wrote in the report.

Factors that contributed to the "historic high" in claims severity include higher ransom demands, business disruption and service restoration.

The largest spike in ransomware activity was observed in May. While Coalition acknowledged reports that connected increased ransomware activity with Russia's invasion of Ukraine, the insurer said its claims data from the first half of 2022 compared to the first half of this year "does not show fluctuations significant enough to warrant such a conclusion."

TechTarget Editorial's 2023 ransomware database counted 33 confirmed ransomware attacks in May compared to 29 in April and 24 in March. Many attacks targeted municipalities and were claimed by Royal operators. For example, the City of Dallas disclosed it suffered an attack in May that led to prolonged disruptions. While the city government confirmed it received a ransom demand, the amount remains undisclosed.

Coalition's mid-year report found ransom demands unsurprisingly correlated with the increase in attack frequency. The average ransom demand in the first half of 2023 for Coalition customers was $1.62 million, which represented a 47% increase over the previous six months and a 74% increase over the past year.

However, most policyholders did not give in to demands.

"When reasonable and necessary, 36% of Coalition policyholders opted to pay a ransom in 1H 2023," the report read, adding that the insurance carrier negotiated down initial ransom demands by an average of 44%.

Examples of "reasonable and necessary" involve factors such as whether a business could make payroll or provide their services to their clients as well as how much sensitive data is at risk. Chris Hendricks, head of incident response at Coalition, said the decision is a collaboration between the carriers, the claims handlers, the client and the lawyers.

[Figure: Coalition compared ransomware severity from 2021 through 2023. Coalition observed a huge spike in ransomware severity during the first half of 2023 compared to the last two years.]

Coalition responds to MoveIt Transfer attacks

Hendricks said many of Coalition's clients that were affected by ransomware attacks this year were "essentially targets of opportunity." One example of an opportunistic attack was the Clop ransomware campaign against Progress Software's MoveIt Transfer product.

In addition to Royal and BlackCat, the Clop ransomware group also played a vital role in claims frequency and severity. Coalition policyholders faced ongoing attacks related to MoveIt after Clop operators exploited a zero-day vulnerability in the file sharing product. Progress Software disclosed the zero-day vulnerability on May 31 and released a patch, but security researchers reported widespread exploitation began prior to that. Hendricks said he can't be certain that the spike in May wasn't related to MoveIt attacks.

"Coalition policyholders have continued to experience cyber incidents related to MOVEit -- even beyond 1H 2023," the report read. "While the influx of incidents has slowed among Coalition policyholders, many organizations will likely find themselves indirectly impacted, given the breadth of the Clop victim list."

During the attacks, Clop operators did not deploy ransomware to encrypt victims' systems but relied solely on data theft and extortion threats (TechTarget Editorial's ransomware database does not track data theft/extortion attacks like the MoveIt Transfer incidents). The attacks highlighted an increasing shift in the ransomware landscape where threat actors embraced data extortion over encryption.

For the report, Coalition included ransomware attacks that did not involve encryption of data. But Hendricks said the numbers represent a minority of incidents. The insurer refers to those attacks as extortion only or data theft only.

"There are a few groups who do cyber extortion and don't technically encrypt data. They take data and demand a ransom, and that's a minority. But those would be categorized as ransomware as well in the sense that they're being ransomed, even though they're not necessarily being encrypted," he said. "It's really a distinction without a difference there. They're making a demand to the client to pay either to suppress a data leak or get their keys back so they can get the data back."

Coalition urged enterprises to maintain backups, instill timely patching protocols and implement MFA on all critical accounts.

Phishing was the leading attack vector of cyber insurance claims, which Coalition said would have been otherwise preventable with MFA. Hendricks said the increase in phishing success highlights the technique's growing effectiveness.

Vishing, which led to a breach against Retool earlier this month, is another social engineering tactic on the rise. Hendricks said AI has given attackers an advantage because they can use deepfake technology to emulate voices and create scripts that appear more legitimate. He also said voice prompts are an effective MFA bypass technique.

"We've definitely seen several cases where it's not just social engineering of the victim but then also social engineering of things like tech support or support at the banks or phone companies pretending to be the person," he said. "We have seen incidents of vishing -- some sophisticated, some not."

Hendricks referenced one vishing attack incident where the threat actor was pretending to be someone who had throat cancer to explain why their voice had a robotic tone. While MFA may not always be enough to stop such social engineering attacks, he said it is necessary, along with two-step verification and a defense-in-depth approach.

Arielle Waldman is a Boston-based reporter covering enterprise security news.
