
case study

Ransomware: How Active Protection Reduces Risk

Before, during, and after a ransomware or other cyber attack, Coalition’s Claims and Incident Response teams actively monitor and help to mitigate or recover from losses. Even if circumstances require an organization to pay a ransom, Coalition can help negotiate a significant reduction in the demand. Here’s how our Active Insurance methodology saved one manufacturer $1.8 million.



Chemical Manufacturing


  • Employees: 251-1000

  • Coverage for ransomware, breach response, and digital asset restoration

We contacted Coalition as soon as we knew something was wrong and within 90 minutes, they were helping us manage the ransomware attack.

Case Study

Cyber extortionists have many tools and vectors for deploying ransomware on victims’ systems. Fortunately, Coalition policyholders have the benefit of our Claims and Incident Response teams, who also have extensive tools and expertise for actively preventing attacks, remediating vulnerabilities, and — if worse comes to worst — reducing ransom demands.

Coalition’s teams are agile: we skip the red tape and have people around the globe who are ready to help. Our Claims and Coalition Incident Response teams respond immediately to keep our policyholders safe after an incident, at no additional cost.

Early one September morning, at roughly 5 am, an IT professional at a large manufacturing company booted up their computer and logged in. They immediately noticed a series of mass file changes on their network, a clear sign of a ransomware attack. The policyholder contacted Coalition, and within 90 minutes, we were discussing the steps we needed to take next to diagnose and eradicate the threat, remediate the systems, and get their business up and running again.

We deployed an endpoint detection and response (EDR) tool, Carbon Black, to collect and visualize comprehensive information about endpoint events to see how widespread the infection was. Next, we preserved all the data we could, changed all passwords, and got a copy of the ransomware note: a request for $2,000,000. The ransomware variant, known as Mount Locker, was fairly new at the time. Finally, we took a forensic image, including all files, folders, and unallocated space. 

The attacker had likely utilized TrickBot, a modular banking trojan that acts as a dropper for other malware. This policyholder had a previous infection in 2018 with powerful ransomware that they didn’t fully remediate. While combing through the system data, we noted a TrickBot banking trojan that appeared to be on a handful of systems from 2018. Thus, the connection to the bad actor was persistent and most likely aided the new Mount Locker infection. 

Ultimately, we worked tirelessly over five days to image various systems, move them to a new, clean network, give legal advice, provide security recommendations going forward, and work with counsel to negotiate the ransom. While they did end up paying the ransom, we negotiated it down from $2 million to $200,000. That’s a difference of $1.8 million — an amount that could cripple any business.

Coalition provides Active Risk Assessment of an organization’s real-time cyber risk, Active Protection through continuous threat monitoring, and Active Response to incidents if they occur — providing the most comprehensive insurance available to solve cyber risk.