Chubb Ltd, best known for catering to wealthy families and corporations, is among at least three insurers facing a jump in costs tied to claims from ransomware attacks. The firms attribute much of that to the surging price of bitcoin, the currency of choice for online extortionists. And that’s bad news for everyone.
There’s been “a massive escalation” in both the number of attempts and the size of demands as criminals scramble for the hot cryptocurrency, said Michael Tanenbaum, an executive vice president at Zurich-based Chubb.
“The rise in price of bitcoin correlates,” he said in an interview, declining to specify total costs. Around midyear, top payouts in corporate ransomware attacks began to exceed $1 million, dwarfing the previous maximum of about $17,000, he said.
Insurers like Chubb are a good place to look for information on costs from ransomware — a type of malicious software that blocks access to computer files until victims pay a toll. Globally, security firms say incidents have exploded, ranging from precision hacks to this year’s mass assaults, like WannaCry.
Insurers have a unique view of what actually gets paid, especially in the most expensive cases, because they may shoulder the burden.
Typically, they enlist third-party specialists, such as Kivu Consulting and Navigant Consulting, to facilitate cryptocurrency payments and investigate perpetrators. Those firms say business is booming.
This year’s frenzy for bitcoin has made hackers bolder, demanding larger payouts, said Winston Krone, a global managing director who oversees Kivu’s ransomware services. Demands of $250,000 to $500,000 were nonexistent six months ago, and now they’re a weekly occurrence, he said.
“We can make immediate payments of six figures,” Krone noted. His firm has teams of multilingual investigators trained to negotiate with hackers or ensure clients aren’t dealing with a terrorist group, which can run afoul of U.S. laws. Short of that, it’s the customer’s decision whether to give in to extortion, he said. “The ethics of paying ransoms and paying criminals, we take a neutral stance.”
“Because the price of bitcoin has seen a dramatic spike in the latter half of 2017, it has made the overall price of demands much larger,” said Kimberly Horn, an executive at insurer Beazley Plc who oversees breach-response and information-security claims.
Ransomware claims at Beazley are on pace to rise more than 70 percent this year to 260. McAfee projects average payouts are about $900 to $1,200, up from roughly $600 in 2015. XL Group Ltd., another insurer, said it’s fielding demands of $20,000 to $60,000 — compared with about $300 before bitcoin took off.