Ransomware in 2022: Are We All Screwed?
By
— February 8th, 2022
Welcome to the first of a three-part blog series on the enormity of the ransomware threat facing every business today.
What's in this post:
- Experts predict ransomware attacks to increase in 2022
- Attacks will cost companies $265 billion by 2031
- 2022's "perfect storm" environment to fuel ransomware attacks
- The rise of Ransomware as a Service (RaaS)
- The need for insurance, and its escalating costs
Among the single words which tend to deny information security professionals a restful night of shuteye, ransomware may well be at the top of the list.
“Although the (US) federal government and companies are taking proactive steps, cybersecurity experts still say ransomware will be the biggest threat to businesses in the new year. Such attacks are projected to cost companies $265 billion by 2031,” according to TheDenverChannel.com.
To make matters worse, 2022 is rolling in with environmental conditions that some experts feel may accelerate cybercrime:
“As the COVID-19 pandemic enters its third year, real “security fatigue” with pandemic-related issues will combine with cybercriminals’ increasingly sophisticated capabilities to create an acceleration of ransomware and other security incidents, cybersecurity experts predict.” (See: JDSUPRA, Report on Patient Privacy)
Echoing agreement with a pandemic-related exploit theme, the National Law Review points out that, “2022 is expected to be another record-setting year for cybercriminals. Hackers are likely to continue to exploit the vulnerabilities attendant to remote working, which isn’t expected to be going anywhere in 2022.”
Somewhat more succinct and to the point, the same NLR article takes note that, “A commentator recently summed up the risk of a ransomware attack in 2022: ‘we’re all screwed.’”
If capitalizing on an environment ripe for growth in cybercrime seems too coincidental to convince you of a certain, if misdirected, business acumen among cybercriminals, consider this: the phenomenon of Ransomware as a Service (RaaS), kitted ransomware attacks created by cybercriminals for use by other cybercriminals, at least roughly parallels a legitimate and enterprising application delivery model that we’ve come to know: software as a service (SaaS).
In fact, according to ZDNet.com: “Ransomware-as-a-Service (RaaS) is an established industry within the ransomware business, in which operators will lease out or offer subscriptions to their malware creations to others for a price — whether this is a per month deal or a cut of any successful extortion payments.
Considering the lucrative nature of RaaS and the difficulty of tracking down and prosecuting operators, it should come as no surprise that many security experts believe this business model will continue to flourish in 2022.”
There is plenty of information online dedicated to reducing ransomware attacks. However, much of that content, honestly, focuses on what is likely already self-evident to many readers of this blog: patch regularly, zero trust, least privilege, 2FA, update security and privacy policy, conduct a regular risk assessment, etc.
Future blogs in this series will focus more on preventative measures.
Not quite so self-evident, however, may be the rather important matter of having adequate insurance in place should a ransomware attack occur, a point well made by the National Law Review:
“… companies must be prepared. Fortunately, cyber insurance can still help mitigate cyber risks and liabilities, including the costs associated with ransomware attacks, such as response costs and the costs of retaining experts to advise you through the incident, investigation, and next steps; lost business income as a result of interruptions to networks or encryption; and in many cases, coverage for the ransom itself.”
Unfortunately, in addition to costs connected to an actual cyber attack, it appears companies may also be obliged in 2022 to endure an increase in the cost of cyber insurance, as Security Weekly has highlighted:
“The costs of cyber insurance policies are rising exponentially while underwriters are tightening the rules around who qualifies for cyber insurance, and at the same time, insurer capacity is constricting dramatically.
“The numbers are all over the place, but the latest statistics from the Council of Insurance Agents and Brokers reported a 25.5% increase in cyber insurance costs. Not surprisingly, the rise in cyber insurance costs is mostly attributable to a tidal wave of ransomware damage claims hitting insurers over the past two years.”
Future blogs in this three-part series over the next two weeks will focus on:
- Preventing Ransom Attacks in 2022
- What to Do When Ransomware Attacks