Exclusive first look at Coalition’s new cyber claims dataGet the 2024 Cyber Claims Report
Cyber Incident? Get Help

case study

Ransomware: The Best Response When Backups Fail

These days, no organization of any industry or size is immune from cyber attacks — especially from ransomware. One healthcare policyholder suffered a ransomware attack that even encrypted and exfiltrated their patient data. Without uncompromised backups, the organization was forced to pay their attackers. Fortunately, Coalition’s Active Response reduced the threat actor’s demand by 75% from the original ransom.

Healthcare worker reading documents on a clipboard




  • Employees: 100

  • Coverages for extortion, breach response, and digital asset restoration

If this ever happens to your business — don’t answer the phone. Don’t pick up calls from unknown numbers. It simply starts the clock. After you’ve engaged, there is no turning back.

Case Study

When ransoms must be paid, negotiations can save

After more than 30 years in business, a medical practice management company started their day like any other before their IT team realized they couldn’t get into their system. IT logged in, and all files were encrypted with the dreaded .crypted file extension. Unfortunately, their backup data was also compromised, a concerning development given the large amount of Protected Health Information (PHI) and billing information they stored. The policyholder had been hit with HelloKitty malware, a dangerous new ransomware variant known to exfiltrate victims' data before encrypting it.

The policyholder contacted Coalition immediately. We assessed their environment and prepared to start communications with the threat actor. It was important to get in touch with the attacker because the victim’s phone had been ringing off the hook — at least seven times within the first 24 hours. We asked the policyholder to stop communicating with the threat actors and helped assess their backups. 

With their backups fully encrypted by the attackers, and without any other options to restore their operations, the company made the difficult decision to pay the ransom in order to restore their operations. Fortunately, CIR was able to negotiate the ransom demand down by nearly 75% from $750,000 to $200,000 and proceeded to help the company restore all of their data. The costs to respond to the incident, recover lost data, and pay the extortion — together with the lost income resulting from the incident — were covered by the company’s cyber insurance policy with Coalition. 

Coalition provides Active Risk Assessment of an organization’s real-time cyber risk, Active Protection through continuous threat monitoring, and Active Response to incidents if they occur — providing the most comprehensive insurance available to solve cyber risk.