In weather forecasting, even the smartest models can’t predict exactly when and where a hurricane will make landfall two years from now — or even next season. But that doesn’t mean meteorologists throw up their hands in defeat. Sophisticated analyses of emerging climate trends and weather patterns can inform preparedness measures and other long-term decisions. Are hurricanes getting more severe over time? Will they become more likely to hit areas that were spared in the past? The answers to these questions are crucial to inform recommendations to policymakers, government agencies, insurers, and reinsurers.
It’s not so different in cybersecurity. We can’t predict exactly which organizations will get hit with a major ransomware attack in the next year. (If only — as underwriters, that would make our job much easier.) But our data science team can see strong correlations within large sets of data, and these drive the assumptions we use in underwriting and risk management. Furthermore, we can foresee coming changes — what those correlations and assumptions are likely to look like in the future — and put plans in motion to stay ahead of the curve.
In fact, we’re now in the midst of one such shift thanks to the increasingly ambiguous state of the external perimeter of IT systems. The widespread adoption of Software as a Service (SaaS) solutions like Office 365, Google Workspace, and Salesforce, as well as cloud-native platforms (AWS, Google, Microsoft Azure), means what had been known as the “perimeter” — the collection of IT directly owned or operated by an organization — has eroded. This trend only accelerated with the rise in working from home during the COVID-19 pandemic.
The disappearance of the perimeter as we know it has affected the way threat actors approach cybercrime, and it in turn explains why leading security practices have changed. Best practices are no longer solely about protecting the boundaries around offices, data centers, and factories. They have evolved to focus on protecting critical data, user accounts (which access that data), and core business operations from attacks — which are now just as likely to come via third-party software as they are from exploits on one’s own systems.
For organizations, this evolution in security practices can’t happen fast enough — and last year in the months of March and July, we got a clear illustration as to why. In those months Corvus saw significant spikes in the rate of ransomware claims. But it was not because threat actors were especially busy; rather, there were three specific situations involving software vendors: a zero-day vulnerability found in Microsoft Exchange Server software and two ransomware attacks on software vendors (Prism HR and Kaseya). Each of those situations led to downstream impacts on numerous customers of those vendors. This points to what we see as the likely future of threat activity, and any organization, particularly insurers and reinsurers who manage risk in aggregate, would ignore signals like these at their peril.
So while threats to on-premises infrastructure remain, we can plainly see a change in the winds bringing new types of threats. To that end, Corvus is working to expand our visibility beyond the perimeter to better identify, analyze, and evaluate risks. This includes increased insight into the threat surface inside organizations — gaining a view of cloud-native and internal security postures, governance, and process maturity. Recall the weather forecasting analogy: this additional visibility will give our data scientists much more data, which will improve their models of risk — our equivalent of trends in storm severity, ocean temperature, and the like.
In the coming weeks and months we’ll be announcing a series of technology partnerships with cybersecurity firms that will help us to gain insights beyond the firewall. Our goal is to create an active ecosystem of partners that will help identify and respond to cyber risks, share data in aggregate between our organizations, and work alongside Corvus to help organizations mitigate or eliminate the impact of adverse events. We’re announcing the first of these partnerships today. Corvus is excited to welcome cloud security providers Orca Security, Ermetic, and ClearVector as well as managed detection and response (MDR) provider Expel as our initial Smart Cyber Partners.
We’re excited to see how new streams of data can improve our risk modeling capabilities — but more important are the thousands of policyholders who trust us with their organizations’ livelihoods. For most of them, pushing security practices beyond a well-established paradigm is easier said than done. Knowing that they need to make a change is not the same as knowing the “what” or the “how,” and there’s a real risk of wasting their time, effort, and resources without a thoughtful approach.
That is why we believe cyber insurers, like Corvus, have an important role to play in achieving a safer world by advising organizations on managing security in a post-perimeter world. Improved visibility will help ensure we can continue to make personalized, prioritized recommendations for cybersecurity controls even as the risk landscape evolves. These partnerships will also help reduce friction for our policyholders, smoothing their path to finding the right services for their organizations. In this way, we can achieve a coveted win-win: guiding policyholders to vetted (and in many cases discounted) service options that will make their organizations safer, while we at Corvus gain data that will drive the future evolution of our risk assessment and guidance.
With more diverse data and new kinds of risk insights, Corvus will be able to help our policyholders and our reinsurer and program manager partners alike predict the next change in the cyber risk weather pattern, and make the adjustments needed to stay resilient and safe.