One of Europe’s top five insurers has said it will stop reimbursing people in France who pay up after being targeted by cybercriminals with ransomware.
The global insurance company said on Thursday that it will stop writing cyber-insurance policies that cover customers for extortion payments to ransomware attackers.
Ransomware attacks see criminals break into computer networks, seeding malware and scrambling data. Only after ransoms – often huge sums – are paid do the perpetrators provide software keys to decode it.
As of last year, some ransomware attackers also began stealing sensitive data before encrypting networks and threatening to dump it online unless victims paid up.
This helped drive ransom payments up nearly threefold to an average of around €250,000. The average recovery time from a ransomware attack is three weeks.
AXA said it made the decision in response to concerns aired by French justice and cybersecurity officials during a Senate roundtable in Paris last month about the global epidemic of ransomware, in which France is the second worst-hit country in the world after the US.
Last year alone, according to cybersecurity firm Emsisoft, France’s overall losses amounted to more than €4.5 billion in damage from ransomware to businesses, hospitals, schools and local governments.
“The word to get out today is that, regarding ransomware, we don’t pay and we won’t pay,” cybercrime prosecutor Johanna Brousse said at the hearing.
The insurance industry has recently come under considerable criticism for reimbursing ransom payments. Often, cybercriminals have gathered intelligence about potential targets in advance – up to and including whether their insurance will cover a ransom payment, and the payment ceiling.
Emsisoft analyst Brett Callow told AP that AXA’s decision had been “smart”, adding: “The only way to break this vicious cycle is to cut off the flow of cash — and ceasing to reimburse ransom demands may well do that.”