
Cyber Insights for Insurers: Q4 Review, March 2020

Welcome to Cyber Insights for Insurers, from the Cyber Practice Group for Aon’s Reinsurance Solutions business. As always, we aim to equip you with relevant trends and analysis to enhance your cyber insurance underwriting, portfolio management and claims handling, plus prepare you for changes in privacy law, the regulatory environment and the threat environment.

Key themes this quarter

Ransomware continues to dominate the cyber insurance conversation, with increases in frequency and severity.

▪ Although most ransomware victims have been targets of opportunity, insurers must also consider the potential for ransomware aggregation events.

▪ Software supply chain attacks also pose significant aggregation risk, as advanced persistent threats (APTs) target ICS manufacturers.

Cyber incident trends

Ransomware continues to hit businesses of all sizes and sectors, although some industries appear to be targeted more than others.

Exhibit 1: Cyber incident rates by quarter 2018-19 (Index: Q4 2018 = 1.0)
[Chart: quarterly index, 4Q18 through 4Q19, y-axis 0.0 to 4.0; series labelled Ransomware]
Source: Risk Based Security, Aon analysis. Data as of Feb 2020.

Ransomware continued to dominate the cyber insurance discussion, with carriers fielding more claims emanating from ransomware infections than in previous years. Total ransomware incidents recorded in 2019 increased 135% over 2018 levels.

In Q4, observed ransomware infections rose slightly relative to Q3; however, both quarters saw record attritional ransomware attacks relative to Q4 2018.

Exhibit 2: Industries targeted by ransomware (2018-2019)

Public Administration      22.9%
Healthcare                 22.4%
Education                  18.2%
Information                 8.1%
Professional Services       7.4%
Manufacturing               5.8%
Other Services              3.4%
Transportation              2.0%
Retail                      1.6%
Construction                1.3%
Entertainment               1.3%
Utilities                   1.1%
Finance & Insurance         1.1%
Administrative & Support    1.1%
Accommodation & Food        1.1%
Wholesale Trade             0.4%
Business Services           0.4%
Mining, Oil & Gas           0.2%

Source: Risk Based Security, Aon analysis. Data as of Feb 2020.

Ransomware infections affected all industries, although some more than others. Healthcare, public administration, and education experienced the most incidents, according to publicly available information. But we believe these industries are more likely to report incidents – either because they are compelled to do so or because it is in the public interest. Ransomware attacks affecting other industries, especially small businesses in those industries, may be underreported.

While we believe that most ransomware victims are targets of opportunity, there are several exceptions. Ryuk focuses primarily on public entities, and the Maze ransomware appears directed at big game hunting.

According to Crowdstrike, Wizard Spider, the group behind the Ryuk ransomware, continues to target public entities including local school districts and municipalities. Crowdstrike noted at least 22 public entities impacted by Ryuk throughout 2019. Ryuk generally relies on the or trojan delivered via spam/ campaigns or brute-forcing remote desktop protocol (RDP).

In a modus operandi twist, the actor behind the Maze ransomware variant, Twisted Spider, not only encrypts data on infected machines, but also threatens to publicly release any sensitive data exfiltrated during the attack. This unique MO suggests that the actors behind Maze are more interested in “big game hunting” (i.e. lower frequency, high severity attacks). Unlike Ryuk, Maze utilizes the Fallout exploit kit to initially compromise infected machines. Fallout has also been linked to the GandCrab v5.2 ransomware variant, which has been made available to virtually anyone via Ransomware as a Service (RaaS). Fallout generally relies on social engineering, including phishing, to redirect victims to “malvertisements” hosting the exploit kit. Recent iterations of Fallout exploited a known (and patched) Adobe Flash vulnerability (CVE-2018-15982).

Operational technology (OT) is also being targeted by ransomware.

Manufacturing, oil and gas, as well as utilities may fall victim to ransomware attacks, which could result in significant business interruption to their core business operations. The U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) reported a U.S.-based natural gas compression facility experienced a significant ransomware infection that impacted their IT and OT environment. Human Machine Interfaces (HMIs) and other OT assets were infected. The victim shut down its operations for an unspecified period, resulting in business interruption and other expenses. CISA reported improper network segmentation allowed the adversary to traverse the IT/OT boundary.

Cyber Insights for Insurers – March 2020 2

Ransomware severity continues to increase.

Continuing the prior quarter’s trend, severity – expressed both in downtime and ransom demands – increased relative to previous quarters. According to Coveware, the average ransom doubled in Q4 from $41,198 to $84,116, with at least one firm reporting losses approaching $100 million when accounting for business interruption, incident response costs, and other associated expenses. Average downtimes vary between 6 days to well over two weeks depending on the report.

Aon Analysis: Companies large and small continue to be impacted by ransomware, regardless of their industry. Regardless of threat actors’ specific attack strategies, the clear majority of initial compromises occur either by phishing or by exploiting weak (RDP) or other known vulnerabilities. Cyber insurers should be vigilant in encouraging robust anti-phishing capabilities as well as helping insureds identify internet-exposed misconfigurations and vulnerabilities. Finally, if Maze-style ransomware / breach hybrid attacks become more commonplace, insured losses will continue to grow.

Ransomware has also been targeting single points of failure that could lead to aggregating losses.

Although ransomware attacks against high profile victims garner the most headlines, we have also seen attacks against single points of failure that could lead to potential claims aggregation for insurers. Several notable attacks in Q4 highlight the potential issues.

The REvil ransomware variant infected several managed service providers (MSPs), some of which boasted over 1,000 clients, including Fortune 1000 companies. REvil claimed another datacenter victim, CyrusOne, in December. According to ZDNet, multiple MSP customers utilizing CyrusOne’s New York-based data centers were impacted by the ransomware infection. In addition, the ransomware variant Snatch infected web-hosting provider SmarterASP, impacting an unknown portion of its customers. According to CrowdStrike, SmarterASP was able to decrypt their customers’ data in relatively short order – roughly two days – limiting the potential for contingent business interruption (CBI)-type claims.

Aon Analysis: Ransomware threat actors are targeting these single points of failure presumably to maximize their ransom demands. Although attacks on cloud providers have been infrequent, a successful attack on a top five cloud provider could be a major insurance aggregation event.

Aggregation risk monitor

Cloud outages during the quarter were minimal.

U.S. market leaders experienced very little downtime for the fourth quarter in a row.

Exhibit 3: Cloud provider downtime during Q4: Top US providers vs. other regions

Provider        Outages (count)   Avg Downtime (minutes)   Total Downtime (minutes)
North America   102               35                       3,549
  AWS           -                 -                        -
  Microsoft     2                 3                        5
  Google        1                 2                        2
  IBM           3                 2                        6
  Rackspace     -                 -                        -
  All Others    96                37                       3,536
Europe          133               20                       2,686
APAC            87                6                        513

Source: Cloud Harmony, analysis by Aon

An Iranian-backed group has been targeting industrial control systems (ICS) manufacturers.

Following the killing of Iranian General Qassim Suleimani, professionals warned of potential Iranian retaliatory cyber attacks against U.S. businesses and critical infrastructure. However, troubling trends have also surfaced that likely preceded the recent escalation in U.S.-Iran tensions.

The Iran-affiliated advanced persistent threat (APT) 33 specifically targeted manufacturers of industrial control system (ICS) components. According to FireEye and Wired, APT 33 began conducting credential stuffing attacks against unnamed ICS manufacturers in hopes of gaining a foothold on their


networks. It was unclear if the group’s attempts were successful. APT 33’s interest in ICS manufacturers presents an increased risk to critical infrastructure, including entities in manufacturing, oil and gas.

Aon Analysis: Software supply chain compromises remain a concern, especially when the targets include ICS components. Such an attack, if successful, could potentially result in physical damage at sites, power outages, and downstream impacts for those who rely on these technologies and products.

About Aon

Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.

Disclaimer

This newsletter is made available for informational purposes and is not intended to be a substitute for professional or legal advice. No attorney-client relationship is formed or implied between you and the author(s) or Aon.

Contact Information

Craig Guiliano, CISSP, Director of Threat Modeling, Aon | Reinsurance Solutions, +1 312 381 1566, [email protected]

Jon Laux, FCAS, MAAA, Head of Cyber Analytics, Aon | Reinsurance Solutions, +1 312 381 5370, [email protected]

Catherine Mulligan, Global Head of Cyber, Aon | Reinsurance Solutions, +1 212 441 1018, [email protected]

Luke Foord-Kelcey, International Head of Cyber, Aon | Reinsurance Solutions, +44 (0)20 7086 2067, [email protected]
