The year 2017 was a high-water mark for large-scale hacks, which cybersecurity professionals and insurance companies said have become more diverse and severe in the last two years.
The NotPetya and WannaCry cyberattacks, which struck companies and institutions across multiple geographies in May and June of 2017, resulted in losses estimated in the hundreds of millions of dollars. The scale of attacks has also spiked for lower-profile cyber incidents for which Beazley PLC has received claims, said Brett Anderson, breach response service manager for Beazley.
Many calls related to malware or ransomware are no longer for suspicious network behavior or employees who have clicked on potentially dangerous links, Anderson said during a panel discussion at Advisen Ltd.'s Cyber Risk Insights Conference. By the time Beazley gets a call about ransom demands, networks and servers are already shut down.
"In the majority of claims that we see related to ransomware, the insured is in true crisis," he said.
Insurance companies and cybersecurity specialists still see a lot of the same email phishing scams that try to get individuals to divulge sensitive information or click links that lead to malware. But now hackers are exploiting new platforms, particularly Microsoft Office 365, whose login is the gateway to several programs, said Luke Tenery, senior managing director for Ankura Consulting Group LLC.
"Office 365 has been sort of a boon given the diversity of that platform and what's at risk from a single username and password," he said.
Breach severity has escalated even as federal authorities noticed a decrease in ransomware detections for 2017, according to Tenery. Ransomware attacks are sometimes fronts for other, more sophisticated attacks. Those breaches, if left undetected after the initial response, can compromise companies even more severely than the first attack, said Brian Robb, underwriting director and cyber industry leader for CNA Insurance Cos.
In those cases, "the ransomware is almost a disguise for the true intention of the attack," he said.
Anderson has seen cases where hackers were able to use stolen encryption keys to remotely assess the extent of their breaches and how many computers had been disabled by the ransomware they used.
"That allows them to make a larger decision and say: 'Well, now I'm going to request 10 bitcoins instead of just one or two because I know that you're in a more painful situation,'" he said.
Beazley has responded to cases of multi-level extortion, wherein a hacker accesses sensitive data and makes a ransomware demand on a company. After a company refuses to pay them, hackers move down to the victims of the breach, Anderson said.
Phishing schemes are also now ensnaring more people per incident. Up until last year, such a scheme would typically ensnare anywhere from 5 to 20 accounts, Anderson said.
"Now it's not uncommon to see 50 accounts compromised, or 100 or 200 or more," he said. That escalation has required larger and more expensive digital investigations, he added.
Hackers are likely to shift their methods, and their targets, over time, according to Larry Lidz, chief information security officer for CNA Insurance. Lidz believes criminals will shy away from banks because of the many layers of security they require to transfer money. With banks filtering transactions through 15-step security methods, hackers will probably turn to small and midsized businesses, especially given the talent shortage in cybersecurity.
"You target the people who don't have any knowledge about the threats," Lidz said.
And phishing schemes may also become creepier as they use robocalls that imitate human voices and conversation styles.
"Computers are getting really good at imitating people's voices," Lidz said. He expects hackers to leverage artificial intelligence that could give credible responses to skeptical questions on robocalls that would instruct individuals to transfer money to accounts that cybercriminals control.
