Now Comes 'Retaliatory' Ransomware

A new wave of attacks is being driven by politically motivated cyber mercenaries seeking revenge -- and may presage a full-fledged cyber war.


At the beginning of the Ukraine conflict, ransomware gang Conti issued a statement threatening to deliver "retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia." A few months later, a separate hacker group launched an attack with the following message for its victim: "You're the most widely used payment application in Russia, so the reason we've selected you for targeting should only be obvious.... Your files have been encrypted, you can thank Conti for that... If you're looking for someone to blame for your current situation, look no further than Vladimir Putin."

In light of the current Ukraine conflict, more and more ransomware gangs are beginning to issue political statements alongside their demands. This may create some issues for both the hackers and their victims, as these messages run an increased risk of triggering the "war exclusion" contained within all cyber insurance policies. A typical war exclusion will read as follows:

"Alleging, based upon, arising out of, directly or indirectly caused by, resulting from, or in connection with war (whether declared or not), invasions, hostilities, civil war, strikes or similar labor actions, acts of foreign enemies, terrorism, hijacking, warlike operations, rebellion, revolution, insurrection...".

Attacks issued with political statements are more likely to be perceived by insurers as hostile or warlike actions indirectly caused by, resulting from or in connection with the war. Remember, often "war" does not need to be declared. If these statements do trigger the war exclusion within the victim's cyber insurance policy, it could make it more difficult for a ransomware gang to collect their ransom, given that their target may be more reluctant to reach into their own corporate pocket to pay any extortion demand.

So why are groups making such statements? It may be an oversight, or they may not realize the potential insurance implications of doing so, but that's unlikely. Hackers are well-versed and have been known to specifically target companies that maintain cyber insurance. It's more likely that these new attacks are simply motivated more by political/ideological interests than by purely economic gain. The statement being made is the primary goal, with the monetary reward secondary. In addition to political retaliation, some of these statements may also be the result of feuding hacker groups, with their victims caught in the crosshairs.

There may be an even more sinister explanation. It's also possible that the hacker groups understand that such statements have the potential to negate insurance coverage. Launching an attack and attempting to force the targeted organization to pay the demand out of its own pocket strikes more effectively at the hearts of their victims.

Regardless of the reason, such statements would appear to indicate that this new wave of attacks is being driven by politically motivated cyber mercenaries seeking retaliation and revenge. The bigger question is whether this is indicative of more aggressive impending attacks, or a precursor to a full-fledged cyber war.

There may be some hope. Most cyber insurance policies contain carvebacks that except acts of "cyber terrorism" from the war exclusion. A typical carveback may read as follows: "cyber terrorism means, use or threatened use of disruptive activities against the insured's computer system committed with the intent to further stated social, ideological, religious, economic or political objectives."


Insurers have been fairly reluctant to cite the war exclusion, but a surge of attacks could make them reconsider. The question is, will these statements be enough to justify treating the attacks as acts of "war" (and excluded by the policy), given that they are hostile and warlike actions in support of the war? Or will they be perceived as acts of "cyber terrorism" (and covered by the policy), given that the hackers appear to be using disruptive activities to further their stated political/ideological objectives?

This is something the courts may ultimately have to grapple with, but the decision may come down to the exact phrasing of the statement itself. In the example of the statement issued by Conti, the gang clearly states "retaliation against attacks by western warmongers." Such phrasing may be more likely to be deemed a retaliatory act of "war." The specific ransomware gang itself may also play a role. Attacks launched by suspected state-sponsored actors with ties to a foreign government (such as Cozy Bear and Lazarus) are more likely to trigger the war exclusion, especially when their attacks are accompanied by political or warlike statements.

In the interest of maximizing insurance coverage for retaliatory ransomware, there are a few steps companies should take. In addition to implementing advanced security measures and comprehensive policies and procedures, the C-suite should also perform a careful assessment of its cyber insurance policy, ensuring its terms and conditions pertaining to cyber extortion are as broad as possible. Additionally, policyholders should pay special attention to the "war exclusion," given that all policies contain different versions -- some more problematic than others. In the meantime, hackers can do themselves and their victims a favor by refraining from such statements when making extortion demands.

Evan Bundschuh

Evan Bundschuh is a vice president at GB&A, a full-service commercial and personal independent insurance brokerage with a special focus on professional liability (E&O), cyber and executive/management liability (D&O) for tech and product based businesses and financial and professional service firms alike.