Policy and Governance: The Cyber Insurance Market is Changing Course Due to Continued High Rates of Ransomware
High volumes of ransomware attacks against U.S.-based organizations are rapidly driving insurers to reorient their cyber insurance policies. Since 2020, payouts in cyber insurance related to ransomware have approximately halved, while charges for cyber insurance premiums have approximately doubled. Demand for cyber insurance remains strong despite these trends, as evidenced by the many clients who are still willing to pay. Rates in the UK have polarized even more. The industry-wide trend continues upward from the start of 2020, when the same source reported cyber insurance rates climbing 5%-25% higher than they were in 2019. (1)
Ransomware threat actors are now highly attuned to the cyber insurance market and attempt to match extortion demands to insurance payouts as part of a new pattern of attack TTPs (2). Ransomware threat actors now perform more reconnaissance and discovery work to find the victim’s specific insurance policies as a way of ensuring ransoms can be met.
Last year, increasingly expensive payouts for ransomware contributed to a large rise in insurers’ measure of profitability calculations (2). Broker Aon calculated that ransomware contributed over one-fifth of their total risk last year. The insurance market is repositioning itself against the risk from ransomware attacks by shifting more risk back to clients. That shift will, in turn, put pressure on governments to launch more law enforcement operations against ransomware cybercriminals and to develop firmer policies of intervention, such as coordinated law enforcement operations to seize infrastructure or individuals. EclecticIQ analysts note that 2021 has been a significant year for coordinated law enforcement operations against prominent cyber organizations (3). The number of similar cooperative law enforcement investigations and operations is likely to grow through 2022.
New and Noteworthy: Strict Removable Media Policy Will Best Protect Air Gapped Systems
As ransomware and APT attacks escalated against critical systems throughout 2021, perhaps the last solution to protect critical information is to leverage an air gapped network or system. Air gapped systems are considered highly secure because a physical connection to the internet is not maintained (4). Nonetheless, air gapped systems remain vulnerable to intrusion, especially from APT groups. A recent, comprehensive analysis of APT attacks on air gapped networks by ESET found that initial access in every attack over the past 15 years relied on introducing a compromised USB stick into the target environment. Replication Through Removable Media (MITRE ATT&CK technique T1091) initiated every air gap attack kill chain (5). EclecticIQ analysts highly recommend that administrators of air gapped systems prioritize resources for enforcement of a strict removable media policy to mitigate very high-risk attacks on physically isolated data.
Policy and Governance: Cyberthreats to Satellites Escalate Outside Established Norms
Satellites remain an often overlooked but critical piece of infrastructure supporting many different cyber capabilities on Earth. China, Russia, and the U.S. are currently supporting cyberattacks in space “every single day” that qualify as “reversible attacks”, attacks that interfere with a satellite’s ability to communicate, according to a U.S. Space Force general (6). In reversible attacks, operations are almost always recovered or return to normal. Different countries, including China and Russia, are developing their own networks of satellites, such as independent GPS networks, to support ground operations. The goal is technological independence in space-based communications.
Cyberthreats to space have, thus far, avoided “kinetic attacks”, or attacks that destroy satellites. There remains no common framework or bilateral agreement as to how threats to space-based assets should be mitigated or handled by conflicting nations. Kinetic attacks are prevented, in part, through a deterrent effect. If a satellite is physically destroyed, the shrapnel created poses an immediate threat to all other satellites in that orbit. An escalation to kinetic attacks would guarantee further fallout in the form of additional damage and disruption to the IT infrastructure of other nation-owned satellites, which are not easily replaceable. Many nations are testing new TTPs against satellites (7). The current U.S. administration reportedly reached out to China to generate a dialogue specific to the issue of cyberattacks in space, in a global first, but so far efforts have not been successful.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.