Cyber Extortion occurs when someone holds business operations hostage and demands a ransom. It is a form of crime, and it is becoming extremely common to the point of being one of the main drivers of cyber insurance claims. There are two main types of cyber extortion, ransomware and DDoS attacks (Distributed Denial of Service). Ransomware, in particular, is growing in popularity right now as companies continue to pay ransoms to unlock their systems.

What is a Ransomware Attack?

Ransomware encrypts a company’s servers and data so that the company is locked out of its systems. The files encrypted are typically not destroyed but are just made inaccessible without the decryption key.  Ransomware attacks are often resolved by paying a ransom and receiving a decryption key from the attackers or reverse-engineering the ransomware.  In some cases, there is no decryption key, and the ransomware is impossible to reverse-engineer.  Ransomware spreads throughout a network, encrypting more and more of a company’s sensitive data. In this way, it puts increasing pressure on the company to pay the ransom and receive the encryption key so they can restart their systems.

Ransomware attackers work progressively by gaining a foothold in the victim’s networks through a security vulnerability. For example, an employee clicks on a link in an email.  The three most common vectors for a ransomware infection are Remote Desktop Protocol (RDP), email phishing, and software vulnerabilities.  The attack then progresses by spreading the malware more widely throughout the network and gaining more profound control over compromised devices to infect other systems with the ransomware. This helps the attacker achieve their end objective, whether to extort or cause damages.

There’s a lot of pressure on a company to resolve a ransomware attack as quickly as possible. The attackers threaten to escalate things by further spreading their ransomware throughout the network, releasing sensitive data to the public, or even selling it to the highest bidder on the dark web if their ransom demands are not met.  Furthermore, ransomware brings business operations to a standstill leading to substantial revenue and profit losses.

Data shows that ransomware is one of cybercrime’s most profitable variants today, outstripping the likes of banking Trojans, phishing, DDoS, and cryptojacking. In part, because it has become so easy to do, ransomware has become a virtual industry, encrypting data only to sell it back to its rightful owner. It has crippled organizations across the globe and has carried with it a cumulative price tag well into the billions of dollars.

How can a policy’s ransomware coverage help?

Ransomware coverage typically extends financial support for the following items (subject to policy language):

  1. To meet a hacker’s ransom demand
  2. To pay for extortion-related expenses, such as hiring a consultant to remediate an attack
  3. To bring damaged computer hardware or databases back to their original working condition

Examples of Ransomware activity.

A Medical Company


A company that operates medical urgent care facilities has a cyber insurance policy with ransomware attack coverage. The company gets hit by ransomware attack that encrypts its data and cripples its systems. The ransomware criminals demand $100,000 in Bitcoin to restore access and threaten to sell patients’ health data on the dark web if their demands are not met.


After consulting an incident response and forensic expert, the company decides to pay the ransom. The company receives a decryption key that permits access to the once-encrypted data. A forensic accountant also calculates that the company missed out on $150,000 of revenue during the downtime. The cyber insurance policy covered the $100,000 ransom, and because the insured also had business interruption coverage, it also covered the $150,000 of revenue losses during the interruption period. The policy paid out a total of $245,000.

Lost revenues: $150,000

Ransomware: $100,000

Retention: $5,000

Paid by the insurer: $245,000

A Retail Company


A company that sells athletic apparel suffers a ransomware attack that encrypts its data, and the criminals demand a $75,000 ransom to hand over the decryption key.


The company decides to retain a technical company to undo the malware. An accountant calculates that the company lost $250,000 in potential sales during the downtime. The cyber insurance policy covered the fee for retaining the specialist, $10,000, and because the insured also had business interruption coverage, it also covered the $250,000 of business interruption loss. The policy paid out a total of $255,000.

Lost revenues: $250,000

Network Recovery Costs: $10,000

Retention: $5,000

Paid by the insurer: $255,000