War isn’t new to insurers, but the technology we see used in battle often is — and it’s not all tied directly to soldiers on the ground. There have been reports of Russian phishing attempts targeting both NATO and European militaries, distributed denial-of-service (DDoS) attacks in the lead-up to (and during) Russia’s physical invasion, and other disruptive cyber operations used with the intent to harm or distract Ukraine and its allies.
The war in Ukraine represented a sufficient shift in the global cyber threat landscape that we dedicated a full edition of our Corvus Risk Aggregation Report to analyzing the fallout. These quarterly reports are developed for our reinsurer and program management partners, but we decided to share some of this edition’s analysis here for a broader audience.
Has ransomware activity changed? Do sanctions work on cyber criminals? How will this play out for the West? Join us as we break down what the Corvus team found.
The Impact on Ransomware Activity
Corvus observed a 30% reduction in ransomware claims frequency from Q4 2021 to Q1 2022 (through March 15). The first Russian attack of note took place on January 14th, shuttering dozens of Ukrainian government websites. While Russia was actively homing in on Ukrainian targets, we noted a downward trend in the percentage of overseas ransomware events targeting US-based organizations. (A January lull in ransomware attacks is a seasonal expectation, but in this case it extended well beyond the normal “vacation time” for threat actors).
What’s been particularly interesting, though, is that when revisiting this finding over time, we’ve noted that the decline in the US remained consistent through June. Ransomware frequency does vary month-to-month, but the steady decline of US ransomware attacks stood out to us — especially because the global picture looks entirely different. Outside the US, ransomware rates actually rose February through June.
Why are US organizations being spared the increase in ransomware activity? There are a couple of theories:
Sanctions and law enforcement efforts are effective.
This past year, the United States government has been more public (and bolder) in their efforts to combat cyber threats. In May 2021, a presidential briefing declared that the Federal Government “must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.” In September, the US OFAC announced sanctions that specifically target intermediary businesses enabling ransomware operations, like certain cryptocurrency exchanges.
The impact of Russian state directives on ransomware actors.
Let us be clear: these are murky waters. We don’t know to what extent Russian state agencies, such as the FSB, play a role in ransomware activity, but we do know they are in contact with certain groups and provide them safe harbor. It could be that the Russian government has instructed groups to avoid US targets. But again, there is much we don’t know about these relationships, so we believe that sanctions are the most reliable explanation for why the US is experiencing a lull in ransomware activity.
Sanctions Hit Some Groups Hard; Others a Glancing Blow
Threat actors operate as a business, so their time and resources need to be used efficiently. Once they’re targeted by sanctions, it can become difficult to turn a profit. That’s the calculus that most likely went into the folding of Evil Corp, originally sanctioned by the US government in 2019, and the scattering of the Conti group, following its public allegiance to Russia.
Into the void left by these disbanded groups has stepped Lockbit, which has been the most prolific ransomware group over the past year. Lockbit’s activity follows the global trend: a dip in January, and an immediate return to “normal” levels of activity in February through May. However, if we look at the ratio of its attacks on US vs. non-US targets, we can see that the US share declined by 15%.
It’s possible that Lockbit is balancing the profits it can pull from US organizations against the notoriety that comes with being a prolific actor. Having seen what happened to the last groups to hold the crown of “#1” ransomware group in the US, it could be angling away from the US in the hope of avoiding the attention of law enforcement, without abandoning the market entirely.
Western Business Exposure
Russia’s cyberwarfare tactics have not been nearly as prolific or destructive as initially feared. But in the weeks prior to and immediately after the invasion, we had to expect and plan for the worst. Some of the types of malware Russia is capable of using in cyberwarfare have a wide “blast radius”: they create the strong possibility of impacting organizations that aren’t direct targets. (We saw this kind of impact clearly in the NotPetya attacks of 2017 which famously ensnared multinational corporations like Maersk, Merck, and Mondelez International, despite initially being focused on Ukrainian targets). That means Western organizations with even a tiny IT footprint in the region might end up at risk.
What Kinds of Businesses Have Exposure to the Area?
There’s more variety than you might expect. In the group of US-based businesses we studied, hyper-local businesses like auto dealers and municipal governments were expectedly low in exposure. But an array of other industries had measurable exposure, including insurance services and software development, with finance being near the top of the list. (Note that even where we see variation, all industries showed only fractions of a percentage point in exposure).
How Do You De-risk a Regional Conflict?
Using our proprietary scanning technology, we were able to take a proactive approach to limit our policyholders’ exposure to serious risk. We documented which policyholders had any IT hosted in Russia, Ukraine, or Belarus and reached out to offer recommendations on how to quickly segment their environments from those systems, as well as guidance on how to migrate services out of those countries entirely. While the total exposure was less than one percent of our policyholders, this still represented an aggregation of risk.
Since implementing this strategy, we’ve seen a significant reduction in exposure among our policyholders. Looking at those with recently observed exposure to Russia, Ukraine, and Belarus, nearly 50% remediated their exposure by April, while only 25% of a control group we tracked who are not Corvus policyholders resolved their exposure in the same time period.
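The exposure check described above can be reproduced at a small scale from an ordinary asset inventory. The following is an added example, not Corvus’s proprietary scanner: it maps each asset’s IP address to a country with a longest-prefix match against a prefix-to-country table, flags policyholders with any asset in Russia, Ukraine, or Belarus, and compares two scan snapshots to compute the remediation rate. The policyholder names, hostnames, and the prefix table are constructed for the example (the prefixes are RFC 5737 documentation ranges, not real allocations); a real deployment would load the table from a GeoIP or RIR delegation feed.

```python
import ipaddress

# Constructed prefix-to-country table (RFC 5737 documentation ranges, not real
# allocations). In practice this would come from a GeoIP or RIR delegation feed.
COUNTRY_PREFIXES = {
    "RU": ["203.0.113.0/25"],
    "UA": ["198.51.100.0/26"],
    "BY": ["198.51.100.64/26"],
    "US": ["192.0.2.0/24"],
}

# Countries whose hosted infrastructure counts as regional-conflict exposure.
EXPOSED_COUNTRIES = {"RU", "UA", "BY"}


def build_lookup(prefix_map):
    """Flatten the country table into (network, country) pairs for matching."""
    return [(ipaddress.ip_network(p), cc)
            for cc, prefixes in prefix_map.items() for p in prefixes]


def country_for(ip, lookup):
    """Longest-prefix match; returns None for unknown or malformed addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    best = None
    for net, cc in lookup:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def flag_exposure(inventory, lookup):
    """Return {policyholder: [exposed assets]} for assets hosted in EXPOSED_COUNTRIES."""
    exposed = {}
    for asset in inventory:
        cc = country_for(asset["ip"], lookup)
        if cc in EXPOSED_COUNTRIES:
            exposed.setdefault(asset["policyholder"], []).append({**asset, "country": cc})
    return exposed


def exposure_rate(inventory, exposed):
    """Fraction of policyholders in the inventory with at least one exposed asset."""
    policyholders = {a["policyholder"] for a in inventory}
    return len(exposed) / len(policyholders) if policyholders else 0.0


def remediation_rate(before, after):
    """Fraction of policyholders exposed in the earlier scan with no exposure in the later one."""
    if not before:
        return 0.0
    cleared = [p for p in before if p not in after]
    return len(cleared) / len(before)


# Constructed scan snapshots: an earlier scan and a follow-up after outreach.
SCAN_JAN = [
    {"policyholder": "acme", "hostname": "vpn.acme.example", "ip": "203.0.113.10"},
    {"policyholder": "acme", "hostname": "www.acme.example", "ip": "192.0.2.5"},
    {"policyholder": "globex", "hostname": "db.globex.example", "ip": "198.51.100.70"},
    {"policyholder": "initech", "hostname": "mail.initech.example", "ip": "192.0.2.40"},
    {"policyholder": "umbrella", "hostname": "cdn.umbrella.example", "ip": "198.51.100.9"},
]
SCAN_APR = [
    {"policyholder": "acme", "hostname": "vpn.acme.example", "ip": "192.0.2.6"},
    {"policyholder": "acme", "hostname": "www.acme.example", "ip": "192.0.2.5"},
    {"policyholder": "globex", "hostname": "db.globex.example", "ip": "198.51.100.70"},
    {"policyholder": "initech", "hostname": "mail.initech.example", "ip": "192.0.2.40"},
    {"policyholder": "umbrella", "hostname": "cdn.umbrella.example", "ip": "192.0.2.77"},
]


def run_report():
    """Flag exposure in both snapshots and summarize exposure and remediation."""
    lookup = build_lookup(COUNTRY_PREFIXES)
    jan = flag_exposure(SCAN_JAN, lookup)
    apr = flag_exposure(SCAN_APR, lookup)
    return {
        "exposed_jan": sorted(jan),
        "exposed_apr": sorted(apr),
        "rate_jan": exposure_rate(SCAN_JAN, jan),
        "rate_apr": exposure_rate(SCAN_APR, apr),
        "remediated": remediation_rate(jan, apr),
    }


if __name__ == "__main__":
    for k, v in run_report().items():
        print(f"{k}: {v}")
```

The longest-prefix match matters because country tables routinely contain nested allocations; a first-match lookup would misattribute hosts in a more specific sub-range. The remediation figure counts a policyholder as remediated only when no exposed asset remains, which is the conservative reading of “resolved their exposure” used above.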
Global ransomware is up, but the US has seen a steady decline since January.
Sanctions from the federal government are a key factor in why we’ve seen such a lull in activity. The increased concern about cybersecurity from the US plays an important role in combating ransomware.
A proactive approach works. We reached out to policyholders who were exposed to affected countries (Russia, Ukraine, and Belarus) and nearly 50% remediated their exposure by April. Only 25% of other US businesses with recent exposure resolved their risk.