Cybercrime Proves to Be an Unreliable Weapon for Russia in Ukraine Conflict

March 03, 2022

Less Hacking Than Expected Could Be Because Cybercriminals Don’t Like to Work for Free

How valuable are cyberattacks in today’s conflicts? That answer appears to be highly variable. Although the early stages of the current Russia/Ukraine conflict contained heavy elements of cybercrime, cyberattacks haven’t been as big of a factor as many people thought they could be. One of the reasons for that disconnect could be very simple: money. The most commonly used weapon of nation-state cybercriminals is ransomware, but that’s also become a hot button issue for insurance companies. Faced with rising claims, insurers are making moves to blunt the impact of ransomware claims on their organizations, much to the sorrow of businesses that are facing increasing risk from cyberattacks and the ransomware gangs who attack them – and that could be impacting the role of cybercrime in this conflict.

Cyber Insurance Isn’t Paying Off for Insurers

Covering cyber incidents has not panned out for insurers. Cyber insurance seemed like a growth area in the beginning. Experts at Big Three credit rating agency Fitch Ratings determined that direct written premiums for property/casualty cyber insurance, which often include ransomware coverage, grew rapidly for insurers, more than doubling from just over $1 billion in 2015 to $2.3 billion in 2019. At the same time, insurers’ direct loss ratio, a measure of the proportion of collected premiums that get paid back out to clients making claims, never surpassed 50%. Businesses got paid when something bad happened, insurers made money and everyone was satisfied with the arrangement.

But that gravy train was derailed by ransomware. Data from S&P Global shows that the loss ratio that insurers are seeing from cyber insurance policies has ballooned, from 43 cents on the dollar in 2016 to 73 cents on the dollar in 2020. Now insurers aren’t making money efficiently while being called on to pay out huge sums for ransomware attacks. Compounding that problem, as cybercrime rates rose, insurers saw a steady increase in the frequency of ransomware claims between 2020 and 2021, an indicator that has caused many to proceed with caution. Ransoms also rose, leaving insurers writing big checks and eating into their profits unsustainably.

Premiums Are Rising & Coverage is Declining

Insurers are raising premiums for cyber insurance and implementing new restrictions on the coverage that companies can buy. Brokerage Marsh McLennan noted in a December 2021 report that cyber-insurance pricing increased an average of 96% in the third quarter of 2021. AXA announced last year that it would no longer underwrite policies that included ransom payouts. AIG has also announced that it is tightening restrictions on cyber insurance policies and raising or maintaining high premiums. AIG and Lloyd’s of London have also taken steps to reduce their exposure.

This is especially troubling for businesses because ransomware has grown significantly more expensive as cybercriminals demand higher payouts and more of them, hitting companies with double and triple extortion demands. Cybercriminals are pulling out all the stops to ensure that they get paid, including threats of public shaming and even contacting their victims’ customers whose data was stolen and demanding payment from them. Altogether, researchers estimate that the cost of the ransom payment itself is rising as a share of the overall cost, clocking in at 30% of the total. A report in Tripwire detailing the average ransoms paid by organizations said that average paid ransom amounts have increased by 82% in just one year. The average demand is now a record $570,000 (£414,000), compared with just $170,000 (£123,000) in 2020. 

Cybercriminals Are in the Business of Making Money

Although some insurers have decided not to cover ransom payments, not all of them have. Some insurers will still pay out for ransoms, and that’s something cybercriminals count on when planning targets for ransomware attacks. However, it is common for insurance policies to have exclusions for what is described as a “force majeure event” like an act of war. That creates a conundrum for the bad guys. Reuters reports that experts believe that a cyberattack claimed by a nation-state or nation-state adjacent group that is cozied up to a belligerent, like Russia in this awful conflict in Ukraine, might fall under that provision – and that means that insurance companies won’t pay out.

Cybercrime is just as much of a business as anything else, and most cybercriminals are in the business of getting paid. Without the probability of insurance payouts, conducting attacks that will have nation-state implications is not a good business decision. Expert analysis puts forward the idea that, unexpectedly, cybercrime gangs aren’t easily wielded as instruments of war, even for the country that houses them. Cybercrime may not be as rampant as people originally thought it would be because cybercrime gangs are simply not enthusiastic about conducting attacks that always have an element of danger, like getting caught, if they’re not going to profit financially.

Another reason that cybercrime gangs may be hesitant to act in this situation is the implications of being labeled nation-state threat actors. That could create an array of headaches for the gangs and the people in them, and none of those circumstances are good for business. First and foremost, increased scrutiny from law enforcement could be disastrous. Plus, gang operators could face bigger, more complicated legal ramifications if they do get caught while conducting a quasi-nation-state aligned operation. After all, they can’t expect that the country they’re working for will ride to their rescue after they conduct a major ransomware attack and bail them out. Experts also theorize that individual threat actors within the groups may also be hesitant because of the stiff penalties that could come with being named an enemy combatant or terrorist.

Hacking is Happening But the Impact is Blunted

That’s definitely not to say that there’s no partisan cybercrime gang activity happening in this conflict. Both sides have been busy as well as numerous groups in the dark web underworld. The ransomware group Conti initially announced its support for Russia as a sign of their patriotism but later walked that back, saying that they were not aligned with any government and condemning the ongoing war, as well as asserting that they would not hack critical infrastructure. Shortly after that announcement, a Ukrainian cybersecurity researcher, angry about the gang’s support for the invading army, began leaking internal chat records of the Conti gang through a Twitter account called “ContiLeaks”.  

In cyberspace, hacking activity is happening even if it isn’t at the pace experts anticipated. Reports say that Ukrainian WordPress sites saw a 10x increase in hacking by partisan Russian groups at the start of the invasion. The country is also enlisting skilled volunteers into what has been dubbed its IT Army. Wired reports that so far more than 175,000 people have subscribed to the Telegram channel used to organize its operations. Anonymous has also stepped in on behalf of Ukraine, claiming that it hacked 300 Russian assets including media and government targets within its first 48 hours of involvement.

The bottom line is that while plenty of hacking has certainly occurred on both sides, the spate of damaging hacking, including ransomware-related infrastructure damage, that Western cybersecurity experts were expecting from Russia when this conflict began has so far failed to emerge. Some propaganda operations have clearly been successful, especially misinformation shared on social media, but for the most part Ukraine has retained utilities, communications and internet access without hacker interference. However, this conflict is far from over and Ukrainian infrastructure targets remain in danger of damaging ransomware attacks.

Protect Your Company from Ransomware

Step up your security awareness training program to create a powerful defense against cybercrime threats like ransomware. The newly revamped BullPhish ID is the ideal choice:

  • Security awareness and compliance training helps prevent expensive cybersecurity incidents and compliance failures
  • Empower employees with the knowledge that they need to spot and stop the threat they see the most: phishing 
  • At least 4 new training videos are added every month on the latest security and compliance issues. 

Stop credential compromise threats before they start by ensuring that your company isn’t going to receive a nasty surprise from the dark web with the leading dark web monitoring solution in the channel, Dark Web ID:

  • 24/7/365 monitoring that you can feel confident about  
  • Real-time analysis alerts you to trouble fast 
  • Monitor business and personal credentials, domains, IP addresses and email addresses 
