A countdown timer ticks menacingly in a corner of REvil’s blog on the dark web.
With each second that passes, pressure mounts on the Russian criminal gang’s latest victims to pay a hefty ransom or see their private data exposed.
REvil’s targets are usually large corporations that have been known to pay millions to keep a hack under wraps and their reputations intact.
For hackers such as REvil, business has never been better.
Last year, ransomware gangs made at least $350m (£247m) by getting into computer networks and threatening to cause disruption, according to software company Chainalysis – an increase of 300pc from a year earlier.
The true figure, however, is likely to be far higher.
Cyber insurance claims are soaring
With claims surging, profits for cyber insurance underwriters have been dented.
Insurers are also grappling with whether the reputational baggage of funding payments to known criminals is worth the risk.
Premiums for cyber insurance are already worth about $5bn per year, according to Standard & Poor’s, and are growing fast.
“Cyber insurance is about 20 years old,” says Sarah Stephens, head of cyber at insurance broker Marsh. “When you compare it to property or marine, it is still in its young adult phase.”
Recent ransomware strikes have also revealed how it is growing in scale, complexity and risk.
Last month, a cyber attack on Colonial Pipeline, which provides almost half the East Coast’s fuel supply, triggered a shutdown. And last week, hackers targeted JBS, the world’s largest meat processing company, temporarily shutting down some operations in Australia, Canada and the US.
Many cyber insurance policies cover cyber extortion, meaning the insurer will pay out to cover the cost of a ransom payment to unlock a company’s systems. The biggest cyber insurance players include Chubb, AIG, Beazley and XL, part of Axa.
For victims of hacking groups such as REvil, which specialise in ransomware, cover can help mitigate the cost of paying off hackers or rebuilding fractured IT systems.
Travelex, the money exchange group, reportedly paid $2.3m in Bitcoin to REvil to unlock its compromised systems following a hack last year. The group said it was able to recoup some of its losses thanks to its cyber policy.
Joseph Blount, chief executive of the Colonial Pipeline company, said the company paid a $4.4m ransom to hackers after its oil network was targeted.
“I admit that’s a highly controversial decision,” he told The Wall Street Journal.
The company has ransomware insurance, although it has not confirmed whether it will claim for the payment to its hackers.
Ransom demands from hackers are also getting even more extravagant. In April, REvil stole plans and schematics it said contained sensitive details of forthcoming MacBook computers and an Apple Watch from Taiwanese manufacturer Quanta. It demanded a $50m payment.
‘Ban ransomware payments to known criminals’
Some cyber security professionals warn a policy of paying out to hackers has been helping to fuel a rise in ransomware cyber crime.
Ciaran Martin, the former head of the National Cyber Security Centre (NCSC), has called for ransomware payments to known criminal groups to be banned outright. “The status quo is not working, we are moving from routine losses, to quite dangerous consequences,” he says.
Paying a proscribed terror organisation a ransom is illegal under British law, but that doesn’t extend to hacking gangs.
Stuart Reed, managing director of Orange Cyberdefense, says: “The general consensus is that making payments to ransomware gangs simply fuels the rising number of attacks.”
“With some organisations now paying out eight-figure ransom demands, it is unchallenging to understand why we are amid a ransomware pandemic,” says Natalie Page, a threat analyst at Talion.
Some insurers have even found themselves the target of hacking gangs hoping to trawl their databases for information on clients who are more willing to pay.
In April last year, the insurer Chubb was targeted by the Maze hacking group. It said it had investigated the incident.
In an interview with The Record, an individual going by the pseudonym “Unknown”, who claimed to be a member of REvil, said: “This is one of the tastiest morsels… to hack the insurers first.”
With payments to hackers made in cryptocurrencies such as Bitcoin or Monero, there is almost no traceability. In most cases, businesses are not required to record with law enforcement whether they paid a ransom.
Insurers hike cyber insurance premiums
Ransomware is becoming an increasingly high-cost policy for insurers to cover. Some have decided to back out of the business. Axa’s French arm became the first high-profile insurer to say it would stop writing new cyber extortion coverage.
However, insurance sources say they have not seen others follow suit. Instead, they have ramped up premiums and are becoming tougher on clients to prove they have basic cyber health when writing policies.
Stephens, of the broker Marsh, says: “We are not seeing indications from insurers that they will stop covering the ransoms, absent of regulation that makes it illegal.”
But, she adds, ransomware coverage can also be key for clients who want to avoid paying out to criminals, and instead want to “fight the good fight” and refuse their demands.
Not all cyber security experts are opposed to paying ransoms in extreme circumstances. Peter Yapp, a former deputy director at the NCSC and partner at the law firm Schillings, says: “It is naive to think that any one country can legislate on its own to stop ransom payments. Clamping down on payments will just push the activity underground.”
None of the major insurers contacted by The Daily Telegraph said they planned to stop offering ransomware insurance payments.
But they may be left with little choice but to re-examine their policies. Last month, Anne Neuberger, US deputy national security adviser, said the Biden administration was considering its approach to ransoms.
“Given the rise in ransomware and given the frankly troubling trend we see often targeting companies who have insurance and may be rich targets, we need to look thoughtfully at this area,” she said.
Martin, the former director of the NCSC, is also unequivocal. “What we have at the moment is a pro-criminal business model, and that needs to change.”