Chubb Ltd., best known for catering to wealthy families and corporations, is among at least three insurers facing a jump in costs tied to claims from ransomware attacks. The firms attribute much of that to the surging price of bitcoin, the currency of choice for online extortionists. And that’s bad news for everyone.
There’s been “a massive escalation” in both the number of attempts and the size of demands as criminals scramble for the hot cryptocurrency, said Michael Tanenbaum, an executive vice president at Zurich-based Chubb. “The rise in price of bitcoin correlates,” he said in an interview, declining to specify total costs. Around midyear, top payouts in corporate ransomware attacks began to exceed $1 million, dwarfing the previous maximum of about $17,000, he said.
Insurers like Chubb are a good place to look for information on costs from ransomware -- a type of malicious software that blocks access to computer files until victims pay a toll. Globally, security firms say incidents have exploded, ranging from precision hacks to this year’s mass assaults, like WannaCry. Insurers have a unique view of what actually gets paid, especially in the most expensive cases, because they may shoulder the burden.
Typically, they enlist third-party specialists, such as Kivu Consulting and Navigant Consulting, to facilitate cryptocurrency payments and investigate perpetrators. Those firms say business is booming.
This year’s frenzy for bitcoin has made hackers bolder, demanding larger payouts, said Winston Krone, a global managing director who oversees Kivu’s ransomware services. Demands of $250,000 to $500,000 were nonexistent six months ago, and now they’re a weekly occurrence, he said.
“We can make immediate payments of six figures,” Krone noted. His firm has teams of multi-lingual investigators trained to negotiate with hackers or ensure clients aren’t dealing with a terrorist group, which can run afoul of U.S. laws. Short of that, it’s the customer’s decision whether to give in to extortion, he said. “The ethics of paying ransoms and paying criminals, we take a neutral stance.”
It might seem counterintuitive that ransoms would rise because of bitcoin’s price. After all, the cryptocurrency can be split into tiny fractions, allowing payments of any amount.
But some extortionists have been slow to adjust bitcoin-denominated demands amid the rally, according to Christiaan Beek, who leads strategic threat intelligence research for McAfee Inc., the cybersecurity firm. A criminal network initially seeking a few bitcoins per victim might keep collecting that amount for months. Yet this year the digital currency has climbed ever upward, from roughly $1,000 in January to surpass $19,000 this week.
“Because the price of bitcoin has seen a dramatic spike in the latter half of 2017, it has made the overall price of demands much larger,” said Kimberly Horn, an executive at insurer Beazley Plc who oversees breach-response and information-security claims.
Ransomware claims at Beazley are on pace to rise more than 70 percent this year to 260. McAfee projects average payouts are about $900 to $1,200, up from roughly $600 in 2015. XL Group Ltd., another insurer, said it’s fielding demands of $20,000 to $60,000 -- compared with about $300 before bitcoin took off.
To be sure, observations vary. Symantec Corp. said it sees more instances of hackers ratcheting up the frequency of their attacks, while tempering individual demands to ensure victims will pay. In contrast to McAfee, Symantec estimates average ransom demands may even drop this year.
There are additional trends driving up total costs. Early ransomware attacks proved people and companies are willing to pay, luring more opportunists. Pioneering hackers are now flanked by rogue nations and novices. Extortionists can buy malicious software on the dark web and pump out emails to infect computers. There were more than 12 million attacks in the third quarter of this year, up from roughly 4 million in the same period of 2015, according to McAfee. And many people don’t have policies to offset their costs.
Ransom insurance started as a niche in the 1970s, pioneered by firms including Lloyd’s of London Ltd. and American International Group Inc. Companies concerned about executive abductions and wealthy families vulnerable to kidnappings snapped up coverage. Over the years, some policies added protection for online extortion. Insurers also rolled out separate products for cyber attacks.
Ransomware is now rattling that market. In May, days after WannaCry grabbed global headlines, law firm Covington & Burling posted a memo to clients, warning them to review terms in their contracts.
Within general kidnapping policies, there often was little to no deductible for online extortion schemes, said Anthony Dagostino, global head of cyber risk at Willis Towers Watson. But that’s changing.
“The insurance companies woke up to this, saying this is almost way too much,” said Dagostino, whose firm doesn’t provide cyber coverage but works with clients to find a carrier. “We’re already getting word that some insurance companies are not providing the coverage or are adding to the deductibles.”