Making predictions is a dangerous game. More than two years ago, I predicted that 2017 and 2018 would be the Years of Ransomware. And while I am not willing to admit that I completely missed out on that prediction, it does appear to be a bit short-sighted. If I could go back to May 2017, I would also include 2019 in my prediction. According to the insurance firm Beazley, ransomware attack notifications from clients increased by 105 percent in the first quarter of this year compared to the first quarter of 2018, and the average ransom demand increased to $225,000 from $116,000 during the same period. My colleague Dave Lott wrote two blogs in July highlighting the changing nature of ransomware attacks and suggesting ways to avoid them or minimize their impact.
In just the few weeks since Dave's posts were published, ransomware attacks have continued to flourish. On August 16, 22 Texas municipalities and agencies were hit by an apparent coordinated attack. On August 26, a cloud management provider for the dental industry was stricken with ransomware, impacting approximately 400 of its dental clients. And over Labor Day weekend, a small Pennsylvania school district was attacked.
In both of his posts, Dave noted that law enforcement officials urge ransomware victims not to pay ransom because doing so encourages criminals to continue. Moreover, there is no guarantee that they will send the decryption keys. Ultimately, the decision of whether or not to pay a ransom lies with the organization that has been attacked and its unique situation. The ransom payment dilemma was recently featured in the Wall Street Journal's September 18 Cybersecurity Journal Reports section. Two cybersecurity experts debated whether or not cities affected by ransomware should succumb to the criminals' demands for payment.
But now an interesting twist in ransom payments has emerged: who is making the ransom payment, the attacked organization or an insurance company?
In his last ransomware blog, Dave wrote that entities should evaluate their "cybersecurity insurance policy in terms of its ransomware coverage." This brings us to an interesting question: Are insurers making ransom payments on behalf of their clients under cybersecurity insurance policies? The answer is yes. So this begs a couple of other questions: Will insurers paying ransoms on behalf of ransomware victims guarantee that ransomware attacks will continue? And could they lead to larger ransoms? I believe the answer to both questions is a resounding yes. It's not my place to debate whether or not insurers should be in the business of paying ransoms, but continuing the practice could cause ransomware attacks to continue to flourish.