Amid the uptick in Ransomware as a Service, ‘keeping control of costs’ and ‘managing all stages in the cyber claim effectively is crucial’, says cyber and technology lead

Constantly evolving ransomware tactics and methods have led to the consensus that hackers and online criminals seem to be one step ahead of cyber security professionals.

The information technology world is therefore on tenterhooks waiting for the next Ryuk, WannaCry or NotPetya type attack to occur, which could disable systems globally and cost the world economy billions, said Nigel Collins, technical lead of cyber and technology at loss adjusting firm McLarens.

Speaking exclusively to Insurance Times, Collins identified two linked reasons for how and why malware attacks are evolving.

Firstly, the frequency and severity of ransomware incidents are increasing and, secondly, more developed strains of malware are being launched on a regular basis as a result of vulnerabilities being sought and sold on the dark web.

This transaction is commonly known as Ransomware as a Service (RaaS), which enables criminals to use pre-developed ransomware tools to execute attacks while gaining financial credit.

Collins said that, traditionally, a ransomware incident would not usually access the target’s IT systems; rather, a payload would be launched to encrypt the victim’s data. Threat actors would then demand a ransom, normally in bitcoin, in return for the decryption keys.

He explained: “With companies increasingly having more resilient systems and backing up data, this has resulted in hackers being unable to monetise the attack, with the business simply reinstalling data from the backup.

“Hackers have therefore diversified and now target backup systems as well as the primary data, with these being encrypted if [they are] on the same network or an insufficiently protected cloud-based system.

“Some newer malware variants are also encrypting complete IT systems, which can result in a much longer period of disruption to the business and a more complex rebuild.

“Malware has also evolved from simply encrypting data to, in many cases, exfiltrating data from the IT systems. It’s also becoming increasingly common for hackers to threaten a business with the publication and sale of data if a ransom isn’t paid.”


According to security firm Group-IB’s Ransomware Uncovered 2020-2021 report, ransomware attacks grew by more than 150% in 2020, with the average extortion amount doubling to $170k.

Collins said the common belief that certain sectors or business types are “more susceptible” to cyber attacks is a misconception.

Previously, larger corporations were primary targets for cyber crime, but taking into account the pandemic’s push for digital developments, the mid-range and SME sectors have now also become “lucrative pickings”.

He added: “No industry or sector is immune from cyber attacks and I have seen attacks on the smallest micro business through to major corporations and everything in between.”

For insurers and brokers, Collins advised that “keeping control of costs is key and project managing all stages in the cyber claim effectively is crucial”.

He explained: “Aspects such as easily blurred boundaries in relation to the initial response to an incident, as well as the range of mitigation measures following an attack, need to be effectively managed to keep claims costs under control.

“It’s important to ensure that costs outside the policy coverage - such as increases in a policyholder’s security measures, replacement of equipment not damaged and system upgrades - are identified and excluded.”

Working together

However, a “successful outcome” is not a result of insurers and brokers alone; rather “all stakeholders need to work in partnership to react to an incident and get the business operational following an attack” - and that includes policyholders.

Collins said: “Many insurers and brokers are working in partnership with their customers to analyse risks and provide the necessary solutions. Working to achieve Cyber Essentials [government-backed scheme] accreditation and implementation of ISO27001 are tools that can assist companies in mitigating their risk of a cyber attack.

“Insurers are also offering, as part of their policies, tools or services to prevent attacks, ultimately reducing risk from the underwriting perspective.

“Robust and adequate information security policies and business continuity planning by businesses can reduce the likelihood of attacks, or, if an attack does happen, the business has measures in place to mitigate and reduce its impact.

“Depending on the nature of cyber cover in place, insurers have a key role to play in getting organisations back up and running, as well as supporting system rebuilds and repair.”