Ransomware: New alert, assessing current cyber insurance coverage

The risk of ransomware underscores the importance of compliance.

On August 11, a joint Cybersecurity Advisory (CA) was issued by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warning about Zeppelin ransomware and emphasizing this particular malware family’s focus on the healthcare sector. The highlights of the CA are as follows:

  • Zeppelin ransomware is a derivative of the Delphi-based Vega malware family and functions as a Ransomware as a Service (RaaS).
  • From 2019 through at least June 2022, actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries. (emphasis added).
  • Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.
  • Access to victim networks is gained through RDP exploitation, exploitation of SonicWall firewall vulnerabilities, and phishing campaigns.
  • Data is exfiltrated prior to the files being encrypted. The ransom demand is then made, and the Ransomware as a Service (RaaS) attacker leaves a ransom note file on compromised systems, holding the exfiltrated data as leverage should the victim refuse to pay the ransom.

Notably, “[t]he FBI has observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys.” (emphasis added).

As my colleague, Peter Vogel, recently blogged, “[o]rganizations lack sufficient levels of cyber-insurance coverage to protect themselves in case of a ransomware attack, with just 14% of businesses with 1,400 or fewer employees boasting coverage limits above $600,000.” This is significant because, as the IBM Cost of a Data Breach Report 2022 shows, the average data breach cost increased from $4.24 million to $4.35 million between 2021 and 2022. Some key takeaways include:

  • Critical Infrastructure Lags in Zero Trust – Almost 80% of critical infrastructure organizations studied don't adopt zero trust strategies, seeing average breach costs rise to $5.4 million – a $1.17 million increase compared to those that do. All while 28% of breaches amongst these organizations were ransomware or destructive attacks.
  • It Doesn't Pay to Pay – Ransomware victims in the study that opted to pay threat actors' ransom demands saw only $630,000 less in average breach costs compared to those that chose not to pay – not including the cost of the ransom. Factoring in the high cost of ransom payments, the financial toll may rise even higher, suggesting that simply paying the ransom may not be an effective strategy.

Taken together, these two issues underscore the importance of compliance. One essential preventative measure is continual security training with an emphasis on phishing, spear phishing, and other types of phishing attacks. Another is an annual risk analysis that comprehensively evaluates the relevant technical, administrative, and physical safeguards.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.