Ransomware Hackers Ask Victims For Cyber Insurance Details

Security researchers at Varonis have described a new strain of ransomware that prompts negotiations with their victims, rather than opting for the “naming and shaming” extortion approach commonly adopted by other criminals.

According to a blog by Varonis, the HardBit ransomware follows the usual route of targetting organisations in order to extort cryptocurrency payments for the decryption of their data. But it comes with a twist.

HardBit version 2.0 was introduced toward the end of November 2022, and it “claims to steal sensitive data from their victims, likely upon first gaining access to the network, before launching their payload to encrypt data.”

Cyber insurance

According to the Varonis researchers, unlike many of its peers, HardBit is not currently using the double extortion tactic, in which victims are “named and shamed” and threatened with public exposure of their stolen data.

That said victims are still subject to the threat of stolen data being sold or published, and the criminals do threaten further attacks should their ransom demands not be met.

According to Varonis, HardBit utilises a predefined ransom note contained within the ransomware threat, which apparently encourages the victims to contact them by email or via the Tox instant messaging platform.

And in a sick twist, rather than specifying an amount of bitcoin requested within this ransom note, the criminals seeks to negotiate with victims to reach a settlement.

Varonis says that notably as part of these negotiations, victims with cyber insurance policies are also encouraged to share details with HardBit so that their demands can be adjusted to fall within the policy.

A line in the ransom demand reads “Very important! For those who have cyber insurance against ransomware threats”.

The ransom note warns victims that insurance companies require their insurance information to be kept secret, so as to “never pay the maximum amount specified in the contract or to pay nothing at all, disrupting negotiations.”

The HardBit ransom demand also warns victims that insurance companies “will try to derail negotiations in any way they can so that they can later argue that you will be denied coverage because your insurance does not cover the ransom amount.”

In order to get around this pesky interruption to the hacker’s extortion scheme, the hackers said that if the victim “told us anonymously that that your company was insured for $10 million and other important details regarding insurance coverage, we would not demand more than $10 million in correspondence with the insurance agent.”

“That way you will have avoided a leak and decrypted your information,” the ransom note reads.

Varonis advises that “organisations should continue to follow general counter-ransomware advice, such as having strong cybersecurity and data protection practices in place, limiting exposure to risk, and, should the worst happen, avoiding ransom payments to reduce the incentive for these groups to operate.”

Uninsurable cyberattacks

In December last year, Mario Greco, chief executive at insurer Zurich, one of Europe’s biggest insurance companies, warned that cyberattacks, rather than natural catastrophes, will become “uninsurable”.

The FT reported at that the time that natural catastrophe-related claims were expected to top $100bn, but Zurich’s Mario Greco told the Financial Times that cyber was the risk to watch.

“What will become uninsurable is going to be cyber,” he said. “What if someone takes control of vital parts of our infrastructure, the consequences of that?”

It seems that spiralling cyber losses in recent years have prompted emergency measures by the insurance sector’s underwriters to limit their exposure.

As well as pushing up prices, some insurers have responded by tweaking policies so clients bear more of the losses.

Last August Lloyd’s of London defended its move to limit systemic risk from cyber attacks by requesting that insurance policies written in the market have an exemption for nation-state cyber-attacks.