How Hackers Leverage Insurance Details in Ransomware Attacks
pCyber InsuranceppTech Errors OmissionsppExecutive RisksppMiscellaneous Professional LiabilityppCoalition ControlppManaged Detection Response MDRppCoalition Incident Response CIRppCoalition Security Awareness Training SATppFor BrokersppFor BusinessesppFor Security TeamsppActive Data GraphppCoalitionAIppCyber Knowledge CenterppCase StudiesppIndustriesppSecurity Knowledge CenterppExploit Scoring SystemppMSPs Become A PartnerppAbout UsppNewsroomppContact UsppImagine walking into a contract negotiation where the other side already knows your budget You sit down at the table ready to play hardball but the person across from you already knows your maximum spend and what youve paid for similar deals in the past ppSuddenly youre at a disadvantage and no one has even said a wordppThats what its like when threat actors gain access to a business cyber insurance policy during a ransomware attack The policy gives them inside knowledge of how much coverage a policyholder has indications of their willingness to pay a ransom demand and likely responses during potential negotiations ppOf course this doesnt mean that having a policy is risky cyber insurance remains essential for every modern business as it can be the difference between recovery and collapse after a major cyber incident But in the same way that financials or trade secrets ought to be protected businesses should secure their cyber insurance policies like any other highly sensitive documentppWhen attackers gain access to a business network theyre not just looking for files to encrypt Theyre looking for leverage A cyber insurance policy gives attackers a peek behind the curtain into limit amounts whether ransom payments are reimbursable under the policy which vendors forensic IT experts breach counsel etc are likely to be covered as response services and how the claims process might unfoldppCoalition Incident Response CIR has recently observed that threat actors initial ransom demands mirror victims coverage limits more 
frequently This supports the notion that once threat actors access a victims cyber insurance policy they use it to their advantageppIf a policy covers up to 1 million in ransom payments attackers can demand a ransom just low enough to feel reasonable compared to a long recovery process operational downtime and reputational damage said Jason Vitale Incident Response Lead at CIR ppAttackers will often use policy details when available to coerce businesses into paying ransoms Theyll also reference applicable laws and associated fines for leaking customer data then further insist that payment is a victims best option because ransomware claims are covered under the policy In some cases threat actors will even threaten to contact clients vendors or employees directly in an attempt to apply more pressureppIts psychological warfare added Vitale Theyre aiming to get paid quickly and knowing the details of a business policy turns their guesswork into strategy ppIf a policy covers up to 1 million in ransom payments attackers can demand a ransom just low enough to feel reasonable compared to a long recovery process operational downtime and reputational damage Jason Vitale Incident Response Lead Coalition Incident Response ppA law firm in North America recently felt the pain of these tactics after being attacked by the Qilin ransomware group The firm initially wanted to avoid paying a ransom but ultimately decided to enter negotiations with the threat actors to protect its clients and their informationppThe attackers demanded a nearly 900000 ransom payment and exhibited an unusual level of sophistication once CIR engaged in negotiations making direct references to the firms cyber insurance policy limits and legal obligationsppThe threat actor cited specific privacy laws and made threats to notify authorities and the victims clients if an agreement wasnt reached said Ramya Ragavan Senior Incident Response Analyst at CIR They also cited provisions in the victims cyber insurance 
policy which had been stored on a shared server that wouldve been accessible during the attackppTargeting cyber insurance policies in ransomware attacks isnt a new tactic this practice made headlines back in 2021 following the leak of training material used by Conti ransomware affiliates ppSecurity researchers at SRM recently css1fc1bsMuiTypographyrootMuiLinkrootLinkrootmargin0fontinheritcolor2773e0webkittextdecorationunderlinetextdecorationunderlinetextdecorationcolorrgba39 115 224 04css1fc1bsMuiTypographyrootMuiLinkrootLinkroothovertextdecorationcolorinheritcss1fc1bsMuiTypographyrootMuiLinkrootLinkroot subTextwebkittextdecorationunderlinetextdecorationunderlinemarginleft4pxreported on a new extortion tactic used by the Qilin group known as Call Lawyer that provides affiliate attackers with access to a legal adviser who offers a legal assessment of the consequences of the victims failure to pay According to SRMppThe lawyer reportedly provides affiliates with legal advice including a legal assessment of the victims exfiltrated data concerning applicable laws and regulations and the potential implications of nonpayment enabling affiliates to more precisely pressure victims
ppUltimately CIR successfully negotiated a 61 reduction from the initial demand and helped facilitate payment to suppress the stolen datappTargeting cyber insurance policies in ransomware attacks isnt a new tactic this practice made headlines back in 2021 following the leak of training material used by Conti ransomware affiliates Yet as we see with Qilin threat actor groups are continuing to pursue and iterate on this tactic which is why businesses must take proactive steps to sufficiently protect their policiesppPreventing threat actors from accessing and leveraging a cyber insurance policy doesnt require major investments or technical overhauls just an increased awareness and a few adjustments to how policies are stored shared and handledppRansomware attackers often move laterally across systems looking for valuable data The policy becomes lowhanging fruit if its stored in an area of the network thats easily accessibleppCyber insurance policies should be stored in secure systems with strict access controls like a safe deposit box for digital files Businesses are encouraged to use document management systems with permissionbased access For an added layer of security endpoint detection and response EDR tools can be set up to monitor the specific segment for suspicious behaviorppBusinesses should avoid storing policies on open or shared cloud drives like Google Drive or Microsoft SharePoint without strong access controls and never keep unencrypted copies on laptops email inboxes or local servers If an unencrypted policy must be transmitted by email archive the email in an encrypted offline location and delete the original emailppCyber insurance policies should be stored in secure systems with strict access controls like a safe deposit box for digital files ppNot everyone within a business needs to see the full policy Limiting access reduces the number of places it can be leaked or intercepted and also helps prevent accidental exposureppIn general businesses should 
only grant access to legal finance IT security and senior leadership If policies are reviewed by outside vendors or board members share passwordprotected versions using encrypted email or secure filesharing portals with instructions to download and save in encrypted formats Always share the password separately and when possible add time limits to access or download to expire that accessppLimiting access to your cyber insurance policy reduces the number of places it can be leaked or intercepted and also helps prevent accidental exposureppInternal systems may be encrypted or offline during a ransomware attack Having a clean offline copy of the policy ensures incident response teams can still access it when needed Businesses should store a copy of the policy with outside legal counsel dedicated incident response vendors or insurance brokersppRelatedly a properly created incident response plan should include contact information for a business cyber insurance providers and IT teams plus outofband contact information for key employees if escalation is needed A copy of the cyber insurance policy can be included with the incident response plan just make sure to protect it based on the above best practices including limiting policy accessppHaving a clean offline copy of your cyber insurance policy ensures incident response teams can still access it when neededppKey employees across finance legal and IT should understand that the policy could become a bargaining chip in the wrong handsppBusinesses should include cyber insurance policy handling in security awareness training and encourage stakeholders to treat policies with the same caution as sensitive customer data or internal financialsppCyber insurance plays an essential part in any modern business resilience strategy But just like other critical assets the policy should be protectedppWhen attackers gain access to coverage details it can shift the balance of power in their favor making ransom demands more calculated 
negotiations more difficult and outcomes more costly The policy itself isnt a liability but its important enough to defendppThe steps needed to protect a policy are straightforward secure storage limit access and educate appropriate teams on the sensitivity of coverage details With a proactive mindset and a few operational adjustments organizations can make sure cyber insurance continues to serve its purpose of supporting resilienceppThis article originally appeared in the August 2025 edition of the Cyber Savvy Newsletter Subscribe to the newsletter to receive future editions directly in your inbox as we explore the most uptodate and noteworthy topics in cyber insurance ppTagsppCyber Insurancecss1vooibuMuiSvgIconrootwebkituserselectnonemozuserselectnonemsuserselectnoneuserselectnonewidth1emheight1emdisplayinlineblockfillcurrentColorwebkitflexshrink0msflexnegative0flexshrink0webkittransitionfill 200ms cubicbezier04 0 02 1 0mstransitionfill 200ms cubicbezier04 0 02 1 0msfontsizeinheritppTech Error OmissionsppEmployment Practices LiabilityppFiduciary LiabilityppCrimeppMisc Professional LiabilityppCoalition ControlppManaged Detection ResponseppCoalition Incident ResponseppSecurity Awareness TrainingppCyber Knowledge CenterppSecurity Knowledge CenterppHelp CenterppCase StudiesppIndustry GuidesppWebinarsppActivate ConferenceppAboutppCareersppNewsroomppBlogppLicensesppIncident 1 833 8661337ppEmail Support helpcoalitioninccomppUSAppSitemapppLegalppPrivacyppDisclaimerspp 2025 Coalition Inc Licensed in all 50 states and DC CA License 0L76155ppInsurance products may be underwritten by North American Capacity Insurance Company North American Specialty Insurance Company or an affiliated company which are members of Swiss Re Corporate SolutionsppInsurance products may be underwritten by Peleus Insurance Company Colony Specialty Insurance Company or an affiliated company which are members of Argo Group US Incp
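As an added illustration of the storage guidance above (this is example code written for this page, not Coalition's tooling): a small Python audit that walks a file tree, picks out documents whose filenames suggest a cyber insurance policy, and reports two of the conditions the article warns about, a copy sitting outside the approved access-controlled location (a laptop's Downloads folder, a departmental share) and a PDF copy that carries no encryption. The keyword pattern, the "vault" directory used as the approved location, and the sample files are all constructed for the example; the encryption check is a heuristic that looks for the `/Encrypt` entry a password-protected PDF carries in its trailer, not a full PDF parser.

```python
"""
Audit a file tree for copies of a cyber insurance policy stored outside the
approved, access-controlled location, or stored as an unencrypted PDF.

Added example, not Coalition's code. Keyword pattern, approved location and
sample files are constructed for this illustration.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed filename heuristic: words that commonly appear in policy documents.
POLICY_PATTERN = re.compile(
    r"(cyber[\s_-]*insurance|insurance[\s_-]*policy|declarations?[\s_-]*page|policy[\s_-]*schedule)",
    re.IGNORECASE,
)
DOC_EXTENSIONS = {".pdf", ".docx", ".doc", ".xlsx", ".msg", ".eml"}


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str  # "outside_approved_location" or "unencrypted_pdf"


def looks_like_policy(path: Path) -> bool:
    """Filename-based hint: a policy keyword in the stem plus a document extension."""
    return path.suffix.lower() in DOC_EXTENSIONS and bool(POLICY_PATTERN.search(path.stem))


def pdf_is_encrypted(path: Path) -> bool:
    """Heuristic: a PDF with standard security applied has an /Encrypt entry in its trailer."""
    try:
        data = path.read_bytes()
    except OSError:
        return False
    return data.startswith(b"%PDF") and b"/Encrypt" in data


def audit(root: Path, approved: list[Path]) -> list[Finding]:
    """Walk `root`; report policy-looking documents outside `approved` and unencrypted PDFs."""
    approved_resolved = [p.resolve() for p in approved]
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if not looks_like_policy(path):
                continue
            resolved = path.resolve()
            if not any(resolved.is_relative_to(a) for a in approved_resolved):
                findings.append(Finding(str(path), "outside_approved_location"))
            if path.suffix.lower() == ".pdf" and not pdf_is_encrypted(path):
                findings.append(Finding(str(path), "unencrypted_pdf"))
    return sorted(findings, key=lambda f: (f.path, f.reason))


def build_sample_tree(base: Path) -> Path:
    """Constructed sample tree: one approved vault, two stray copies, one unrelated file."""
    vault = base / "vault" / "legal"
    vault.mkdir(parents=True)
    # Encrypted copy in the approved location (minimal PDF skeleton carrying /Encrypt).
    (vault / "Cyber_Insurance_Policy_2025.pdf").write_bytes(
        b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Encrypt 5 0 R >>\n%%EOF\n"
    )
    downloads = base / "users" / "jdoe" / "Downloads"
    downloads.mkdir(parents=True)
    # Unencrypted copy left in a laptop's Downloads folder.
    (downloads / "cyber insurance policy - declarations page.pdf").write_bytes(
        b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    )
    share = base / "shares" / "finance"
    share.mkdir(parents=True)
    # Word copy on a departmental share, plus an unrelated spreadsheet that must not be flagged.
    (share / "Insurance_Policy_Schedule.docx").write_bytes(b"PK\x03\x04 constructed")
    (share / "Q3_budget.xlsx").write_bytes(b"PK\x03\x04 constructed")
    return base


def run_demo() -> list[Finding]:
    """Build the constructed tree in a temp directory and audit it against the vault."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(Path(tmp))
        return audit(base, approved=[base / "vault"])


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding.reason:28} {finding.path}")
```

Against the constructed tree the audit reports three findings: the Word copy on the finance share (outside the vault) and the Downloads PDF twice (outside the vault and unencrypted); the encrypted copy inside the vault and the budget spreadsheet produce nothing. In practice the same walk would be pointed at file servers, shared drives and endpoint home directories, and the filename pattern tuned to the carrier's actual document names.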