Connect with us

Hi, what are you looking for?


Application Security

Law Enforcement Blowback, Cyber Insurance Renewals Powering Anti-Ransomware Success

Ransomware Trends

Ransomware Trends

News analysis: SecurityWeek Editor-at-Large Ryan Naraine examines several factors driving success in the fight against data extortion attacks.

Nine months after the Colonial Pipeline hack set off a desperate ‘all-hands-on-deck’ response to the ransomware crisis, there’s a general sense that we’ve seen the worst of the data extortion attacks that exploded in 2021 to include the largest publicly disclosed cyber attack against critical infrastructure in the United States.

According to fresh data from ransomware recovery firm Coveware, there’s been a noticeable dip in major data extortion attacks in the latter half of 2021 and the company’s co-founder and CEO Bill Siegel is crediting a perfect storm of factors for the positive developments.

In an interview with SecurityWeek ahead of a session at this year’s Ransomware Resilience and Recovery Summit, Siegel said law enforcement pressure, cyber insurance renewals requirements, CEO-level anxieties, and the mandatory federal push towards zero-trust have combined perfectly to scare ransomware affiliates away from high-profile infections.

“Volume [of ransomware hacks] is definitely down and it does feel like things have settled down.  The Colonial Pipeline incident made it a geo-political issue and that was a turning point,” Siegel said, crediting publicly reported law enforcement hack-back operations for increasing the risk profile of the ransomware affiliate structure.

[ READ: Five Key Signals From Russia’s REvil Ransomware Bust ]

Over the last few months, there have been a series of major takedowns, raids and the unprecedented REvil gang arrests in Russia that Siegel believes has increased the cost and risk of executing ransomware attacks. In addition, the U.S. government has slapped sanctions against crypto-exchanges and VPN providers.

Advertisement. Scroll to continue reading.

“I think we’re past the top of the highest watermark of heavy volume and intensity of attacks,” Siegel said. “[The law enforcement ops] are imposing costs and making the attacks more expensive. The addressable market will shrink as [attackers] refine their tactics to find quieter targets.

In addition to raids and takedowns, Siegel said the White House executive order on cybersecurity is forcing the implementation of key technologies and best practices to ensure government and corporate networks are more resilient to malicious hackers attacks.

“The executive orders around zero trust and multi-factor authentication are helping to get the right controls in place to limit ransomware damage,” Siegel said, noting that early work to implement multi-factor authentication and encryption for data at rest and in transit are trickling down to help harden even the vendors that support U.S. federal agencies.

[ READ: DarkSide Shutdown: An Exit Scam or Running for the Hills ]

Cybersecurity leaders in the private sector agree that the government’s push to beef up investments in zero trust architecture and MFA has influenced positive network design decisions, especially at small- and medium-sized businesses that will continue to deal with the brunt of ransomware attacks.

In multiple conversations about ransomware resilience with multiple Chief Information Security Officers (CISOs), the topic swiftly turns to “zero-trust and MFA” as the foundational pieces needed to limit exposure to hacker attacks.  As the CISO for a fast-growing financial services startup explained, “we didn’t need the EO to tell us about the value of MFA but we certainly used the EO to get funding to go do it.”

“We’re benefiting from a top-down push for all the right things. It’s easier for me to use ‘zero-trust’ or ‘two-factor’ in a budget meeting and those conversations are very clear with my leadership,” he added. 

This, Coverware’s Siegel confirms, is another major factor at play as corporate CEOs look to avoid being dragged before lawmakers to explain security crises.  “Ransomware is now a topic on CNBC and CEOs are paying close attention.”

He specifically mentioned the Colonial Pipeline incident as a watershed moment for chief executives who are now pushing for better security and better incident preparedness. “It’s easier for a CISO to get funding for the right things and the EO has helped with that.”

[ READ: NSA’s Rob Joyce Explains ‘Sand and Friction’ Security Strategy ]

The results are already noticeable.  “At a high level, the outcomes of our cases are getting better,” Siegel said, noting that ransom payments are only paid by companies with immature disaster recovery processes.

“The percentage of victims that end up having to pay, that’s going down.  It tells me companies have gotten much better at disaster recovery and incident response.  Companies are planning and doing backups better. That’s a fact.”

Security leaders also point to another key factor — cyber-insurance renewals that are mandating stricter security controls to maintain insurance policies.

Even as the cyber-insurance sector struggles to figure out the economics (premiums have effectively quadrupled year-over-year), Siegel has noticed a pattern when renewal requirements are forcing better security controls in organizations.

[ READ: The Wild West of the Nascent Cyber Insurance Industry ]

“They’re imposing better standards for sure.  If you want a cyber insurance policy, you have to attest to MFA segmentation, adequate back-ups, testing, and running tabletops exercises. These are all crucial controls for a mature disaster recovery program,” he said.

“For a B2B company, customer contracts require them to carry cyber insurance so it’s win-win.  They must have better, basic controls in place to get policies renewed.”

Still, even amidst the rare good news, Siegel is warning that the shakeout will force the active criminal ransomware gangs to focus on hitting smaller companies with less than 10,000 employees.

He said criminal gangs will selectively focus on mid-market companies large enough to attempt a large ransom demand, but small enough to avoid law enforcement blowback.

Related: DarkSide Shutdown: An Exit Scam or Running for The Hills

Related: REvil Ransomware Gang Hit by Law Enforcement Hack-Back

Related: Colonial Pipeline CEO Explains $4.4M Ransomware Payment

Related: Black Hat 2021: New CISA Boss Unveils Anti-Ransomware Collab

Related: Five Key Signals From Russia’s REvil Ransomware Bust

Related: US Treasury Sanctions Crypto Exchange in Anti-Ransomware Crackdown 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybersecurity Funding

SecurityWeek investigates how political/economic conditions will affect venture capital funding for cybersecurity firms during 2023.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.