Ransomware hasn't slowed down as a major cybersecurity threat facing all industries. In the past 12 months, across industry, 75% of organizations were affected by ransomware more than once – a jump from 61% in 2023,
There are strong indications that insurance organizations are six times more likely than other industries to be targeted for ransomware this year by criminal actors who use malware for initial access. Of all industries surveyed, this was by far the one with the greatest risk of future attacks.
The allure of insurers to cyber criminals
Ransomware continues to be a quite lucrative endeavor for most operators. The average
Given the prevalent role of insurance companies in cyber incident response, they hold a wealth of very sensitive information about their range of clients, and often even information about their clients' defenses. This type of information, coupled with the huge revenues of the insurance industry, has provided sufficient incentive for bad actors to target insurance companies for malware infections and subsequent follow-on ransom attempts.
The cycle begins with malware exposure
To understand the cycle of cybercrime, and particularly of ransomware, it is necessary to look at the data that is used to begin the attack. The developments that every organization should be concerned about happen beyond the standard controls of cybersecurity, deep in the criminal underground. This underground ecosystem is home to a burgeoning number of specialized criminal products and services for cybercrime enablement, with the marketing of compromised digital identities as a top attack vector.
One such product gaining extensive popularity: information-stealing malware (or "infostealers"). According to SpyCloud's report, 95% of identity and access management directors, managers, and their team leads are most concerned about exposure from malware-infected devices being used for more harmful attacks, like ransomware. One-third of ransomware victims have experienced at least one infostealer infection in the 16-week period before the attack – a reliable warning sign.
Threat actors use infostealer-harvested data to infiltrate computers and steal login credentials, session cookies, personally identifiable information (PII), and authentication data. They sift through this data, selling critical access to specialized brokers or using it themselves to gain unauthorized access and perpetrate ransomware attacks and data breaches.
With identity data at their fingertips, a growing crop of unskilled cybercriminals can easily hijack a user session, sidestep advanced authentication controls (including MFA and passwordless authentication), initiate account takeover (ATO), and gain access that enables them to launch damaging attacks, such as ransomware.
Reevaluating priorities
Despite the growing concern about the infostealer threat, organizations still have significant gaps in their ability to address malware-related identity exposures. Traditional malware mitigation, which focuses only on the infected device, continues to prove it is not completely effective.
To more comprehensively remediate the opportunities created by infostealer-exfiltrated data and to disrupt ransomware attacks, security teams and their counterparts in fraud prevention need to shift their focus to the digital identity.
The future of ransomware defense: The battle ahead
To prevent cybercriminals from obtaining valuable identity data like credentials, carrying out attacks with it, and profiting from the stolen data, there are five strategies we recommend insurance companies adopt to gain the upper hand:
- Adopt an identity-centric security approach
With digital identities now firmly in cybercriminals' sights, relying on old defense tactics like device-centric remediation is bound to fail. Outpacing ransomware players is an attainable goal when insurance companies act on the full expanse of compromised identity data for their users, whether employees, contractors, or vendors.
- Illuminate the full attack surface
SpyCloud found that unauthorized third-party access is the second-most risky entry point for ransomware. By improving visibility into malware-exfiltrated data – including unmanaged and third-party devices outside traditional corporate oversight – security teams will have more complete coverage and faster discovery of exposed applications. From here, organizations can significantly reduce remediation time by addressing credentials linked to third-party applications such as Single Sign-On (SSO), code repositories, payroll systems, VPNs, or remote access portals.
- Use automation to speed up detection and mitigation
We know cybercriminals leverage automation, but as they get faster, so can we. By leveraging automated alerts and incident notifications for new breaches and malware infections, insurers can more quickly operationalize data and feed it into automated remediation workflows to negate its impact.
- Expand ATO prevention to account for both traditional and next-generation threats
In addition to hardening credentials to block traditional ATO, insurance security teams must expand focus to prevent session hijacking by monitoring for stolen web sessions programmatically – and then implement processes for invalidating web sessions associated with infected identities. Think of it as changing the locks before anyone can get in.
- Deploy a continuous zero-trust approach
According to the SpyCloud survey, only 37% of organizations plan to prioritize implementing or enhancing their zero trust model soon. As zero trust has become broadly adopted, continuing to invest in a continuous zero trust model can go a long way toward helping insurance companies account for the full scope of identity, device, and access information that criminals have in hand about employees. By continuously verifying every user's identity for compromise when they access corporate applications, businesses can get ahead of costly attacks and prevent unauthorized access.
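As an added illustration of the automated-remediation and session-invalidation strategies above (this is not code from the original article or from SpyCloud), the Python workflow below takes a constructed feed of malware and breach exposure records together with a constructed table of active web sessions, revokes every session belonging to an exposed identity regardless of which application the exposure was observed in, and queues credential resets with higher priority for infostealer-sourced exposures and for high-value applications such as SSO, VPN and code repositories. All identities, session IDs, application names and the record shapes are assumptions chosen for the example.

```python
"""Identity-centric remediation of infostealer/breach exposures (added example).

Assumptions (not from the article): exposure records and session records have
the shapes defined below; a real deployment would read them from an exposure
feed and the session store of an SSO or web application.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib

# Applications whose credentials unlock the widest access; resets for these
# are queued at the highest priority (list is an assumption for the example).
HIGH_VALUE_APPS = {"sso", "vpn", "code-repo", "payroll", "remote-access"}


@dataclass
class Exposure:
    identity: str          # account identifier of the exposed user
    app: str               # application the exposed credential/cookie belongs to
    source: str            # "infostealer" (device was infected) or "breach"
    observed_at: datetime  # when the exposure was first seen


@dataclass
class Session:
    session_id: str
    identity: str
    app: str
    active: bool = True


@dataclass
class RemediationResult:
    revoked_sessions: list = field(default_factory=list)
    reset_queue: list = field(default_factory=list)   # (priority, identity, app)
    audit_log: list = field(default_factory=list)


def _fingerprint(token: str) -> str:
    """Log a short hash of a session token, never the raw token itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


def remediate(exposures, sessions) -> RemediationResult:
    """Revoke sessions and queue credential resets for every exposed identity."""
    result = RemediationResult()
    exposed_identities = {e.identity for e in exposures}

    # 1. Identity-centric revocation: a stolen cookie for one app means the
    #    device was compromised, so every live session of that identity goes.
    for s in sessions:
        if s.active and s.identity in exposed_identities:
            s.active = False
            result.revoked_sessions.append(s.session_id)
            result.audit_log.append(
                f"revoked session {_fingerprint(s.session_id)} "
                f"for {s.identity} ({s.app})"
            )

    # 2. Credential resets, de-duplicated per (identity, app) and prioritised.
    seen = set()
    for e in exposures:
        key = (e.identity, e.app)
        if key in seen:
            continue
        seen.add(key)
        priority = "P1" if (e.source == "infostealer" or e.app in HIGH_VALUE_APPS) else "P2"
        result.reset_queue.append((priority, e.identity, e.app))
        result.audit_log.append(
            f"queued {priority} reset for {e.identity} on {e.app} "
            f"(source={e.source}, observed={e.observed_at.date()})"
        )
    result.reset_queue.sort()   # "P1" sorts before "P2"
    return result


def sample_exposures():
    """Constructed exposure feed for the example."""
    t = datetime(2024, 5, 1, tzinfo=timezone.utc)
    return [
        Exposure("alice@example.test", "sso", "infostealer", t),
        Exposure("alice@example.test", "webmail", "infostealer", t),
        Exposure("alice@example.test", "webmail", "infostealer", t),  # duplicate record
        Exposure("bob@example.test", "ticketing", "breach", t),
    ]


def sample_sessions():
    """Constructed active-session table for the example."""
    return [
        Session("sess-a1", "alice@example.test", "sso"),
        Session("sess-a2", "alice@example.test", "payroll"),  # no exposure for payroll, still revoked
        Session("sess-b1", "bob@example.test", "ticketing", active=False),
        Session("sess-c1", "carol@example.test", "vpn"),      # not exposed, untouched
    ]


if __name__ == "__main__":
    for line in remediate(sample_exposures(), sample_sessions()).audit_log:
        print(line)
```

The design point is in step 1: revocation is keyed on the identity, not on the application where the exposure was observed, which is what "changing the locks before anyone can get in" means in practice when the stolen cookie came from an infected device that had sessions for several applications.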
Moving forward despite persistent threats
By implementing the five strategies above, insurance companies can better focus their resources to achieve a more complete malware response and, in doing so, protect the company from account takeover, fraud, and all-too-costly ransomware attacks.