2021 was a year defined by heightened fears of ransomware attacks and other attack vectors, which led to downstream impacts on countless customers. While the attack on Colonial Pipeline impacted vital infrastructure and JBS Foods’ attack impacted food supply chains, the general public felt first-hand the repercussions that can come from malicious actors.
Impact of Zero-Days & Third-Party Risk
One of the best indicators we have of overall cybercrime activity is the rate of ransomware claims in the Corvus book of business. Based on our claims data, after all of the dire headlines throughout 2021 the end of the year presented a pleasant surprise: in Q4, the rate of ransomware claims reached just half of the peak seen in Q1 2021 — decreasing from 0.6% to 0.3%. The impact of Log4j vulnerability exploitations were not as widespread as originally feared and no major attacks arose during the holiday season, when threat actors historically target understaffed organizations. Looking over the year’s trends in claims, the data in Figure 1 clearly reveals spikes that were tied to major cybercrime events: the Microsoft Exchange Server vulnerability and the PrismHR hack (both in March); and the Kaseya ransomware attack (launched July 2nd, just as American workers took off for a long weekend). These events were enough to significantly, but temporarily, impact the month-by-month ransomware claims rate for the Corvus book of business.
That’s because these events have a commonality: the attacks had downstream impacts on the customers of the initially breached businesses. Whereas a conventional ransomware event may produce major losses and eye-popping ransoms for a single organization, the impact of last year’s software vendor attacks were more diffuse, with impact spread among many victims. Consider the ratios of vendor-related ransomware claims by month outlined in Figure 2, below:
It’s worth noting, however, that the increased frequency of claims we see linked to these events isn’t necessarily paired with an increase in severity of claims (losses incurred). In the months we saw spikes in claims related to Microsoft Exchange, average severity of claims declined. Likewise, Kaseya-related claims were also seen to be less severe, with smaller losses incurred. While these vendor-related incidents can increase the frequency of downstream attacks, severity does not always follow with frequency. These varied findings highlight the different and often nuanced paths that vendor-related attacks can take, with one possible point of divergence in the scope of an attack. Kaseya provided attackers with a smaller number of potential targets, so they focused on squeezing victims for greater sums through in-depth attack methods. On the other hand, the number of Microsoft Exchange servers potentially impacted by the zero-day vulnerability was enormous, spreading attackers’ efforts across a larger area. In this case, attackers may have sacrificed the depth and sophistication of an individual attack in favor of carrying out a larger number of attacks. Figure 3 below highlights the recent downward trend for cyber claims overall, inclusive of ransomware attacks (such as Kaseya and Microsoft Exchange).
Cyber claims, inclusive of ransomware, followed a downward trend — getting closer to 2019 average metrics.
Updates on Ransom Severity
In the Fall 2021 Corvus Risk Insights Index, our security experts noted a potential outlier in the average ransom paid by quarter — a 254% increase in ransoms paid in Q3 vs. the prior quarter. Indeed, year-end data supports that “outlier” finding, as evidenced in Figure 4. While the Q3 average was atypically high, the average over the full year 2021 was just ~$167K, or 44.2% less than the Q3 figure.
At the same time, Corvus’s latest findings (highlighted in Figure 5) remain consistent with another key takeaway from our earlier Risk Insights Index — fewer ransoms are being paid compared to those demanded. The percentage for the last quarter of 2021 held steady in the low twenties, which has been consistent for a few quarters running and down significantly from figures that once were over 50%. As recently as Q3 2020, the ratio was 44%. Underwriting entities like Corvus are requiring stronger backups for insurance coverage, helping to drive the broader trend toward more sophisticated approaches to improving resiliency — a necessity in curbing the impacts of ransomware attacks.
The overall severity of ransomware costs by industry also shifted significantly over the past year, as shown in Figure 6. We saw a decreasing cost impact on education and social services, while the professional services industry (including but not limited to law firms, consulting firms, and architecture firms) experienced increased ransomware costs, with an average claim reaching nearly $400,000 within that industry in Q4. Healthcare, which saw an alarmingly high average in claims severity to start the year, has returned to a historically low average. The decreasing claims severity within healthcare may be tied to dissipating public fears and subsequent exploitation by threat actors during the height of the COVID-19 pandemic.
Sneak Preview: Q1 2022 Claims Indicators
We’ve been tracking rates of claims and other indicators closely as the Russian invasion of Ukraine unfolds. We’ll report on this data in full in a later edition of the Cyber Risk Insights Index, but we’re offering a brief preview now since there have been some significant shifts we believe to be associated with the war.
Corvus observed a 30% reduction in ransomware claims frequency from Q4 2021 to Q1 2022 (through March 15) — a trend also seen within the incident response industry. In reviewing this data, there are a few key observations:
- The arrests of REvil members in January 2022 struck fear into threat actors who rely on ransomware as their attack vector of choice. It was the first tangible action that Russia took against ransomware actors within its own borders, leading some ransomware actors to curb their activity.
- As the Russian invasion of Ukraine began, it caused a divide in the cyber underground. For ransomware actors located in Ukraine, their physical safety took precedence as they relocated along with their IT operations.
- We’ve seen unprecedented infighting between ransomware groups, including Conti, with actors choosing a side in the war. Former collaborators became enemies, distracting them from the previous focus they had on typically profitable ransomware targets.
As ransomware activity begins to return to pre-2022 levels, the dip in these claims is telling of the impact that the Russian invasion of Ukraine has had on the broader cyber criminal ecosystem. At the same time, we are still in the early stages of this narrative — our understanding of the total impact and what may happen in the future will continue to be shaped.
Data Exfiltration Trends
When considering data exfiltration, it’s an optimistic sign in the ever-changing security landscape that claims numbers surrounding cyber ransomware attacks with data exfiltration did not change (Figure 7). Since cases of data exfiltration can often give threat actors more leverage and increase damages almost immeasurably, it’s a positive finding that the numbers are not rising.