Europe, Content, EMEA

French Insurer AXA Drops Ransomware Payment Coverage

A leading European insurer said it will no longer underwrite cyber insurance policies to reimburse companies for ransom payments made to retrieve stolen or locked data.

Ironically, AXA is halting support for ransomware-related insurance payouts just as an AXA subsidiary in Asia discloses a ransomware attack.

While the Paris-based AXA appears to be crossing its arms regarding ransomware payouts, it will, however, cover losses for responding and recovering from ransomware attacks, said Christine Weirsky, a spokesperson for the insurer's U.S. subsidiary. (via ABC News)

“The word to get out today is that, regarding ransomware, we don’t pay and we won’t pay,” cyber crime prosecutor Johanna Brousse said at a hearing last month in Paris, the report said. No other insurer is said to be declining to square up customers for ransom payments made to cyber kidnappers.

A hint that something like this could be in the offing surfaced last year when the U.K.’s former top cybersecurity official said that insurers recompensing customers for ransom payments are inadvertently funding organized cyber gangs. Under U.K. law there’s no legal limit to companies paying ransoms to cyber gangs and then turning to cyber insurers to make them whole. That enables cyber crews to essentially roam free, said Ciaran Martin, who headed the U.K.’s National Cyber Security Centre. “Attackers often set great store in being reliable once you have paid them, providing testimony from involuntary customers,” Martin said.

A subset of organizations with cybersecurity insurance are reporting that their providers are strongly advising them to pay cyber ransoms, further fueling the success rates and the economy built around ransomware, researcher Enterprise Strategy Group (ESG) said. This presents an opportunity for criminals to exploit those organizations that have engaged with cybersecurity insurance companies, the analyst said.

In the U.S., legislators, security defenders and policy makers have taken to calling ransomware a global epidemic. Some $350 million in victim funds were paid as a result of ransomware in this past year, and the rate of ransomware attacks has increased over the prior year by more than 300 percent, DHS Secretary Alejandro Mayorkas said at a recent U.S. Chamber of Commerce virtual event. “The threat is real. The threat is upon us. The risk is to all of us,” he said. “The losses from ransomware are staggering, and the pace at which those losses are being realized are equally staggering.”

According to cybersecurity provider Emsisoft, France’s ransomware losses in the private and public sector totaled some $5.5 billion. In the U.S., according to Emsisoft’s data, more than 950 U.S. government agencies, healthcare providers and educational establishments were successfully attacked in 2019 at the cost of $7.5 billion.

For 2020, Emsisoft pegged the average ransom demand at $154,000 with 27 percent of victimized companies meeting the ransom demand. Globally, some $18.7 billion was paid out in ransoms. Another recent study figured that ransomware demand costs could exceed $1.4 billion in the U.S. in 2020. In the U.S., cyber crime victims have handed over more than $140 million to ransomware attackers since 2014, a study by the Federal Bureau of Investigation (FBI) found. The law enforcement agency said it arrived at the payout figure by analyzing bitcoin wallets and ransom notes.

Mayorkas’ remarks line up with a recent study of 15,000 consumers conducted by security provider Kaspersky in which 56 percent of the victims said they had paid a ransom last year but only 29 percent were able to restore all their encrypted or blocked files regardless of whether they paid up or not, opening up the question of whether targets should pay ransoms.

Nearly half of employees in organizations and industries in North America don’t know what to do should a ransomware attack hit their companies, a recent Kaspersky study found.

“When it comes to the question of paying a ransom, our recommendation is to never pay a ransom, and there are a few reasons for this,” said Brian Bartholomew, the security provider’s principal security researcher in its global research and analysis team. “First, paying a ransom will never guarantee that all of your data will be returned – it might be partially returned or not at all. There is also no way to tell if your information has been sold in underground markets once obtained,” he said. “Second, paying a ransom only encourages cyber criminals to further carry out these attacks as they are one of the most financially profitable attacks malefactors can perform. The more business organizations give in to ransomware attacks, the more we will see them continue to trend in the threat landscape.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.