
Ransomware Insurance

An increasingly common cyber threat, a ransomware attack can encrypt and freeze an organization’s system until a fee is paid. Demands are rising and such extortion incidents can be ruinous. Here’s how cyber insurance can help.


Organizations are facing a growing surge of cyber extortion in the form of ransomware. The number of incidents, as well as the average ransom demand, has risen sharply since the pandemic began in 2020. The hardest-hit organizations have been small businesses, which reported a 71% increase in ransomware frequency and a 56% jump in claims severity, averaging $1.8 million in 2021.

Ransomware coverage is more important than ever. Traditional measures like firewalls and virus scans are no longer enough to fully protect organizations. Attacks have grown more sophisticated, workforces have become more remote, and operations have become more outsourced and dependent on third-party vendors and supply chains, amplifying exposure to ransomware attacks.


Cyber insurance can help prevent losses from ransomware.

What is Ransomware?

Ransomware is a type of malware attack that encrypts the files on a computer or network and keeps them locked unless a ransom is paid. Ransoms can range from thousands of dollars to millions. Once struck by a ransomware attack, organizations have few options other than:

  1. Pay the ransom and decrypt the files,

  2. Restore the computers from backups, or,

  3. Recreate the data from scratch.

Why does a ransomware attack matter?

Ransomware is a cyber epidemic that's evolved into a lucrative industry of its own. Hackers have shifted their focus from individuals to businesses who have the means to pay larger ransom demands. In 2021, the ransomware group Conti made $180 million from extortion payments — averaging roughly $760,000 per victim.

Worse yet, even paying the ransom does not guarantee that a victim’s files will be decrypted and recovered. Sometimes victims never get the keys, or they discover that much of the original data is missing. In a 2021 survey by Sophos, a global cybersecurity firm, only about 8% of ransomware victims who made the ransom payment were able to restore all their encrypted data after an attack.

Modern ransomware is designed to spread across the network to infect as many systems as possible, thereby incapacitating an entire organization to increase the likelihood of paying a ransom. Attacks are growing in both size and frequency, so businesses can no longer brush them off as just a concern for security or IT teams. 

How does Ransomware happen?

Ransomware is a criminal business model that uses a variety of techniques to attack victims — most frequently by sending phishing emails, infiltrating computers that use Remote Desktop Protocol (RDP), or by exploiting software vulnerabilities.

Remote Desktop Protocol

RDP software allows anyone from outside of the organization (such as an organization's IT staff or employees working from home) to remotely access the company's internal network. However, this can also create an open door for hackers to gain access — especially when employees use weak or reused passwords to connect.

Email phishing

Phishing involves cyber criminals crafting and sending emails that look legitimate — usually posing as a company or coworker you know and trust — but contain links or files with malicious code such as a Trojan virus. The malicious code can be embedded in common Office documents, including resume submissions. When an unsuspecting user clicks the link or attachment, malware encrypts and replaces user files with unrecognizable file extensions along with a ransom note.

External-facing applications

Criminals can also scan the internet for organizations using vulnerable, public-facing applications like VPNs, firewall devices, web servers, and more.

Drive-by downloads

Some threat actors set up their own websites using evasive tactics like typo-squatting (masquerading as a reputable website) or even compromising a legitimate website and hosting malicious code within that site, deploying ransomware once a visitor clicks on a link.

Software vulnerabilities

Some companies or agencies use free or antiquated software products with expired support. Such applications often contain known vulnerabilities that — if left unpatched — can allow threat actors to access the organization's computer systems and launch a cyber extortion scheme.

Making threats even more prolific, some large criminal syndicates offer Ransomware-as-a-Service (RaaS), leasing malicious source code or variants out to freelance threat actors. This has made small businesses even more susceptible to ransomware because the low entry cost makes it very easy for less-sophisticated attackers to target anyone. Ransomware attacks can come via phishing emails or by exploiting vulnerabilities, then encrypting data and demanding a ransom.

What are some ransomware examples?

The most commonly targeted industries by ransomware attacks are currently Healthcare and Public Health organizations, Professional Services, Financial Services, and Information Technology. Recent ransomware attacks have made headlines and impacted thousands of organizations. Here are just a few of the biggest cases:


Kaseya

This outsourced managed service provider (MSP) of computer network resources paid cybercriminals a ransom of $50 million. Third-party vendors such as Kaseya are increasingly targeted since their customer network amplifies the attack. Approximately 800 to 1,500 small to medium-sized companies that were Kaseya customers experienced a ransomware compromise.

Colonial Pipeline

The 2021 ransomware attack against the Colonial Pipeline Company shut down parts of the company’s network and 5,550 miles of pipe for nearly a week. Delays led to panic buying of gasoline nationwide. The company paid extortionists roughly $5 million for the decryption key.

Kia Motors America

A ransomware attack caused an IT outage that took its operations offline. Extortionists leaked some sensitive data as a demonstration and originally demanded $50 but settled for $20 million.


The world's largest meat processor paid a ransom of $11 million, justifying the payment to prevent further disruptions of the food supply.

Washington, D.C. Police Department

Cyber attackers demanded $4 million. After the blackmail demand was refused, the gang released thousands of sensitive documents including police officer disciplinary files and intelligence reports.

Numerous healthcare organizations

A 2021 report says that cybercriminals are targeting small clinics as well as major hospitals, causing EHR downtime and care disruptions. Worse yet, one in four healthcare industry respondents reported higher patient mortality rates as a result of a ransomware attack on their facility.

Is ransomware covered by insurance?

Ransomware insurance coverage is one of the most important elements of carrying cyber insurance, since it has become such a pervasive threat to all businesses. The insurance industry recognizes the importance of this cyber risk, so most cyber insurance policies cover ransomware including ransom demand amounts. Many insurers, like Coalition, also cover costs required to respond to the ransomware event — including digital forensics, costs to restore and recover lost assets, and even lost income due to business interruption.

Depending on the policy, cyber coverage should include legal costs and expenses to guide the policyholder with navigating the complex legal and regulatory implications, including notification obligations and related cyber liability. If Coalition policyholders are impacted by ransomware, our team of legal experts works closely with the policyholder to appoint necessary breach response vendors to work towards the resolution of a cyber event and may even join in calls.

Most clients and insurance companies want to avoid paying a ransom. In fact, the FBI discourages paying a ransom, since payouts may both fund and encourage criminal actors to target additional organizations and further distribute ransomware. Often assets can be restored without paying ransoms — in which case the insurance policy can cover the cost of restoring data from backups, plus additional compensation for lost revenue to the business.

Occasionally, assets cannot be restored, especially if backups were not accessible or up to date. In this case, the cyber insurer will work with the policyholder to make the decision whether to pay the ransom and make the coverage determination.

Another advantage of ransomware insurance is that the breach response experts and negotiators are often able to reduce ransom demands. With the average initial ransom demand being $1.8M in 2021, it’s critical for businesses to leverage expert resources that are provided with insurance. As an example: for one Coalition policyholder in the healthcare industry, we were able to negotiate the demand down by nearly 75% from $750,000 to $200,000.

Organizations that are shopping the cyber insurance market have numerous options to weigh. Before purchasing a cyber insurance policy, organizations should carefully consider and compare not only the pricing of premiums, but also the coverage terms, sub-limits, clauses, and any possible exclusions that may limit coverage in the event of a ransomware or extortion incident.

What to do in the event of a ransomware attack

Coalition policyholders who know or suspect they are facing a ransomware attack should immediately contact our Coalition Claims team. Early reporting and swift action are critical to minimize impact to an organization. After contacting your insurer, the claims and breach response professionals will further guide the policyholder in navigating the cyber incident response process. Below are some risk management steps organizations can take to limit the damage if ransomware strikes:




Stop the spread

Remove the affected machine from the network immediately to help keep encryption files from spreading to other local computers.

Halt the program

Open your task manager. If you can find the malware running, attempt to kill it in the task manager or by using “taskkill /f /im [MalwareFileName]” in a command prompt.

Find and remove the Infection

Scan your system with the antivirus software of your choice. Try to find the file(s) and process(es) responsible for the ransomware infection.

Check your registry

Look for files set to run at startup by looking in the registry hives.

At Coalition, we generally advise against attempting to find and remove ransomware on systems. In the event that you miss something, a reinfection could occur and potentially put you in a worse position. We always recommend complete re-installation of computers and servers either from backups (when available) or from source media.
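
As an added illustration of the "Check your registry" step (not Coalition's own tooling), the following PowerShell lists the entries in the standard Run and RunOnce startup keys and marks those that launch from user-writable folders. It only reads the registry and changes nothing, in line with the advice above to rebuild rather than clean; the list of folder patterns is an assumption chosen for the example and is not exhaustive.

```powershell
# Added example: read-only review of startup entries in the Run/RunOnce keys.
# Run from an elevated prompt so other users' loaded hives are readable.

# Machine-wide hives (64-bit and 32-bit views).
$hives = @('HKLM:\Software', 'HKLM:\Software\WOW6432Node')

# Per-user hives. Only profiles that are currently loaded appear under HKEY_USERS.
$hives += Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::$($_.Name)\Software" }

# Assumption for this example: folders a standard user can write to.
$userWritable = '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\'

$entries = foreach ($hive in $hives) {
    foreach ($suffix in 'Run', 'RunOnce') {
        $path = "$hive\Microsoft\Windows\CurrentVersion\$suffix"
        if (-not (Test-Path -Path $path)) { continue }

        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            # Read the raw value, then expand %VARIABLES% for the path check.
            $command  = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $expanded = [Environment]::ExpandEnvironmentVariables($command)

            [pscustomobject]@{
                Key              = $path
                Name             = $name
                Command          = $command
                UserWritablePath = $expanded -match $userWritable
            }
        }
    }
}

# Entries launching from user-writable folders are listed first for review.
$entries | Sort-Object -Property UserWritablePath -Descending |
    Format-Table -AutoSize -Wrap
```

A flagged entry is a prompt for review, not a verdict: legitimate software also starts from AppData, and a clean listing does not show that a machine is free of infection.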

How can you prevent ransomware?

While there is no way to fully protect a connected computer from a ransomware attack, here are some best practices that can limit an organization's exposure or losses from cyber criminals. 

Maintain offline backups from which you could restore critical data, and test them regularly. Keeping backups segmented from potentially compromised systems and testing them regularly can be the difference between paying a ransom or not.

Stay current with critical updates and patches. Install updates to servers, software, and browsers as soon as security patches are released. Threat actors scan for and exploit servers which have not been updated after news of major security vulnerabilities becomes public.

Implement multi-factor authentication (MFA). Adding additional verification methods across critical systems and privileged accounts increases the chances a threat actor will be detected or will find an easier target. 

Strengthen passwords. Adopt strong password guidelines (and never reuse passwords between accounts) to make user credentials harder to guess or steal.

Disable Remote Desktop Protocol (RDP). RDP is one of the most common exploits ransomware gangs rely on to infiltrate networks. Use a Virtual Private Network (VPN) to protect access into a network instead.

Strengthen email protocols and train/encourage safer email habits:

Enable strong spam filters to screen phishing emails.

Train employees to remain vigilant with simulated phishing attacks.

Before clicking links, hover over them to examine the URL.

Note any misspellings or inconsistencies in senders' email addresses.

Be suspicious when emails convey a sense of urgency to click.

Never open unexpected attachments, especially when you didn’t request them.

Only download software from known sources. Never download software from suspicious websites or emails from people you don't know.

Run antivirus/anti-malware scans regularly.

Monitor unknown connections and block them.

Block/disable macros in Office documents like Word or Excel to prevent document-based attacks.

Password-protect documents that contain any sensitive information.

Avoid naming sensitive documents in a way that announces their content.

How does Coalition protect businesses from ransomware?

With our Active Insurance methodology, Coalition protects policyholders before, during, and after a ransomware attack. Our active risk monitoring alerts policyholders — and their brokers — about potential vulnerabilities.

We then recommend security methods that help reduce the risk of a ransomware incident and other cybercrime.

If a ransomware event occurs, Coalition’s Claims team is available 24/7 to quickly react. While ransomware events are notoriously complex, our team has successfully remediated incidents and, when possible, restored business operations through backups. As a result, we saw a 16% decrease in ransomware payments in 2021.

Coalition also offers a wealth of resources to help businesses implement good cybersecurity practices, including our Cybersecurity Guide. Brokers can also benefit from Coalition’s Active Risk Assessment that optimizes underwriting and speeds the quoting process. Additionally, Coalition policyholders can manage their risk profile in real time using Coalition Control, our active risk monitoring platform.
