Microsoft Exchange attacks, RDP, ransomware plaguing small businesses: cyber insurers

Thousands of small and medium-sized businesses are struggling to defend themselves against ransomware groups and against attacks involving the widely exploited Microsoft Exchange vulnerability and the compromise of Remote Desktop Protocol (RDP), according to data from two cyber insurance providers.

Cyber insurance prices have stabilized in recent months as more insurers take a proactive approach to helping organizations defend themselves. And because of the massive increase in companies purchasing cyber insurance, insurers have become valuable repositories of data on cybersecurity trends that is often not available through other sources.

Tommy Johnson, cybersecurity engineer at cyber insurance firm Coalition, and Cowbell Cyber vice president Isabelle Dumont told The Record about several trends that stood out to them.

Dumont said email and other communications systems continue to be prime targets for cyberattackers.

“Unfortunately, it’s easy to trick users to click on a malicious email, SMS, etc. ... Then the unsecure use of internet technology or protocols, such as RDP,” Dumont said.

“Technology gets deployed to improve the business without any security consideration. Finally, the use of open source components without deploying a rigorous patch management process.”

Johnson echoed Dumont’s assessment, noting that throughout 2020, Coalition identified a large number of claims arising from threat actors who were able to compromise RDP, which allows remote access to workplace resources.

While many organizations use Virtual Private Networks (VPNs) to protect against RDP hacks, Johnson said the vulnerabilities affecting the VPN architecture of SonicWall in 2021 left dozens of organizations defenseless.

Threat groups quickly exploited the vulnerabilities, and Johnson said Coalition attributed to the bug a 123% increase in claims frequency and a significant impact on losses among small businesses.

“Due to the ephemeral nature of the protocol, it can be difficult to manage the risk from an insurance and scanning standpoint. We have seen companies open RDP intermittently to haphazardly administer machines, and threat actors take advantage. We continue to send the message that exposing RDP comes with critical risks, but sometimes these warnings fall on deaf ears,” Johnson said.

“RDP continues to be an obstacle to lowering cyber risk. In March 2022 we saw a claim where a company used RDP for their call center in southeast Asia and threat actors exploited it to deploy ransomware.”

Ransomware and phishing claims

Ransomware continues to have a dramatic effect on cyber insurance claims, according to Dumont and Johnson.

Johnson said the average ransom demand made against its policyholders increased 20% in the latter half of 2021, and claims severity increased 10%.

Coalition found no industries that particularly stood out as targets of ransomware groups, and Johnson said threat actors are more interested in exploiting the insecure technologies organizations use, or the employees themselves.

“With ransomware, cyber criminals are no longer focused only on stealing data that can be sold on the Dark Web. Ransomware attacks give them a means to target any business sector to receive a ransom payment,” Dumont said.

One of the keys to a successful ransomware response is offline backups, according to Johnson.

In February, Coalition dealt with two companies attacked by the Hive ransomware group.

“The key difference is one company was able to restore from offline backups, and the other had to pay the full ransom,” he said. “The difference between the two claims is a stark 460k — a substantial sum of money.”

While ransomware and business email compromise garner a lot of attention, Coalition found that year-over-year phishing remains the primary attack vector for nearly half of all claims.

Phishing accounted for 41% of Coalition’s cyber insurance claims in the first half of 2021 and 42% in the second.

By contrast, the number of attacks that resulted from exploitation of internet-facing applications or the supply chain dropped, Johnson explained.

Microsoft Exchange and Log4j

Even with the drop in attacks resulting from exploits, some vulnerabilities dominated the data.

“Microsoft Exchange has proven to be a long-tail threat because Exchange is more than email — it's tightly coupled with calendar functions, and that's critical for many organizations,” Johnson said.

“The initial vulnerability we detected with Exchange impacted roughly 1,000 policyholders. Within a week of the March 2021 disclosure, our team at Coalition notified and remediated the vulnerability for 98% of our affected policyholders. However, additional Exchange vulnerabilities continue to surface.”

The problem was so severe that Coalition developed a scanning engine that can determine which version of Exchange is running on a system, its exact patch level, and what outstanding vulnerabilities exist.

The company now notifies policyholders in real time when there is a new patch.

The other issue that multiple policyholders dealt with was Log4j.

Johnson told The Record that throughout 2022, Coalition is seeing some adversary activity targeting VMware Horizon by using the Log4j vulnerability to deploy ransomware and target any backups that would allow for restoration of the device.

This attack has been devastating to organizations not prepared for it, because companies that employ VMware Horizon expose it so that their distributed workforce can connect to their work machines, he added.

Small organizations under $25 million in revenue saw a 40% increase in ransomware attacks and a 54% increase in funds transfer fraud incidents, according to Coalition data.

Small businesses suffering most

For 2022, Coalition's claims data suggests that small and medium businesses suffer ransomware events far more frequently than middle market accounts. By the end of 2021, there was a 54% increase in ransomware for organizations under $25 million in revenue.

In February 2022, all of Coalition’s reported ransomware claims came from its SME program, and the same was true for March apart from one reported ransomware claim.

“Cyber criminals are opportunistic, particularly when it comes to small and midsize organizations, and the technology and processes that organizations use are far more key to their risk than what their industry is,” Johnson said.

“No company is too small to be an enticing financial opportunity for attackers. Still, some industries did experience notable increases in claims in the past year. From H1 2021 through H2 2021, we saw a 40% increase in claims severity for consumer staples businesses and a 23% increase for energy businesses.”

He added that these organizations typically lack dedicated IT or security staff, leaving patch management in limbo and incident response plans unfinished.

Dumont noted that in recent months, more companies have begun to take a business-like approach to cybersecurity due to processes mandated during the insurance process.

Risk assessments are now required by many cyber insurance providers, and Dumont said that part of what lessens the severity of attacks for some companies is being prepared, using resources provided by cyber insurers.

“It is important to keep in mind that immunity against cyber attacks does not exist,” she said.

“100% of businesses, regardless of size and industry, can be faced with a cyber incident.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.