Ransomware-as-a-Service (RaaS) and Cyber Insurance War Exclusion Clauses
As of March 31, 2023, Lloyd’s of London (see sources 1 and 2 in appendix) coverage options were updated to exclude any losses attributed to nation-state actors. Dubbed the “war exclusion clause,” Lloyd’s move aims to minimize portfolio risk in the face of escalating attacks by nation-state-sponsored threat actors.
Meanwhile, insurers are seeking protection for themselves, turning to catastrophe bonds (CATs) to cover losses from attacks against their policyholders. Traditionally reserved for acts of God such as earthquakes and tornadoes, these bonds are now being expanded to cover cyber incidents, which is evidence of the growing challenge the industry faces as tensions escalate around the globe. For instance, the British insurance giant Beazley just announced a new $45M bond in an attempt to capture market share. (See source 3 in appendix)
From a cyber perspective, both the proliferation of the RaaS ecosystem and the shifting operational model, which now almost always includes multi-extortion tactics, have complicated the calculus for insurance providers. Thanks to the specialization of Initial Access Brokers (IABs) within the RaaS community, the attacker’s barrier to entry is lower than it has ever been. Worse still, between the leak of nation-state offensive tool sets and prior groups’ source code, as well as new advances in artificial intelligence, sophisticated attacks are now easier for an adversary to execute and significantly harder for victims to attribute.
The confluence of these points yields continual increases in premiums and coverage gaps alike, forcing providers to re-calibrate to the new reality. In a survey of IT leaders, 74% noted increased premiums, 43% cited increased deductibles, and 10% saw a reduction in coverage benefits. (See source 4 in appendix)
Cyber War: A Legal Perspective Emerges
In the United States, the first legal cases to determine the degree to which parties in the ransomware ecosystem could be considered part of the same criminal organization have been heard. In May 2023, a New Jersey appellate court ruled in favor of policyholder Merck in a $1.4B dispute, holding that a group of insurers could not invoke their war exclusion clause to avoid paying for losses related to the 2017 NotPetya attack.
The court’s ruling came even though an independent security consultancy had concluded “with high confidence that the NotPetya cyber-attack was very likely orchestrated by actors working for or on behalf of the Russian Federation.” (See source 5 in appendix)
The court determined that excluding coverage under such a clause “…required the involvement of military action,” going as far as stating that the clause did not preclude “…coverage for damages arising out of a government action motivated by ill will.”
Ultimately, although the court conceded that a relationship between Russia and the eventual actors was likely, without tying these threat actors to a military operation, clauses invoking a state of war were not applicable. This ruling drives home the difficulty the RaaS ecosystem presents for the cyber insurance industry and enterprise organizations alike, with adversaries starting to move further down-market as larger organizations harden their systems.
By excluding attacks by known nation-state-backed threat actors, the insurance industry is attempting to frame a broad swath of cyber operations and campaigns as part of a larger war between adversarial nations. However, just as definitively linking a specific offensive or malicious cyber operation to a specific threat actor is challenging, linking that actor’s intent to a wider national military strategy is a significantly more daunting task.
Difficulty Defining Coverage by Threat Actor Types
While nation-state support for offensive cyber operations appears to be on the rise globally, especially as a result of the war in Ukraine, organizations face a host of nebulous threats with shifting methods, means, and motivations. The Affiliate model that made the RaaS ecosystem what it is further complicates understanding threat actor intent, making it difficult to determine whether an attack was targeted or opportunistic.
Multiple services will often be strung together from unique providers, helping to ensure a successful attack:
- Initial Access Brokers (IABs)
- other support operators
- and Affiliates (the actual do-ers)

Multi-extortion tactics are also on the rise: according to Palo Alto, roughly 70% of ransomware attacks are followed by a threat of data theft in addition to the primary encryption event. These subsequent attacks are often perpetrated by a different threat actor than the one responsible for the initial ransomware attack, as appears to be the case with Conti and Karakurt.
A further complexity is nation-state-supported threat actors who are allowed to “moonlight” as long as they do not target host-nation or domestic interests. With state protection, many RaaS operators are able to target victim organizations for individual financial gain until they are needed to execute at the behest of the state, making them less reliant on state funding while maintaining the appearance of independence.
Threat Analysis: Karakurt vs. Conti
The alleged relationship between the Conti group and Karakurt is a prime example of the difficulty in determining coverage. First identified in June 2021, Karakurt labels itself as a ransomware group, although its tactics, techniques, and procedures appear to be more focused on data exfiltration. Additionally, Karakurt’s primary means of extortion is the threat to publicly release sensitive stolen information if payment isn’t received. (See source 6 in appendix)
Accenture’s initial discovery that Karakurt leveraged a Conti-placed backdoor indicated a relationship between the groups, but it remains unclear whether this was access purchased from another component of the RaaS ecosystem or evidence of direct operational ties. From an Affiliate’s perspective, it would be logical to procure both Conti- and Karakurt-style services, since multiple forms of extortion dramatically increase the overall likelihood of payment.
As experts in cyber threat attribution, Nisos took a deeper look at the relationship between Karakurt and Conti, comparing and contrasting the groups and assessing the implications of any relationship on the broader cyber insurance market.
Nisos is The Managed Intelligence Company®. Our analyst-led intel investigations, assessments, and monitoring services empower your security, intelligence and trust and safety teams. We provide accurate, customized intelligence that guides your security and risk decisions – protecting your organization, assets, and people. Learn more at nisos.com.