Lauren Winchester is Vice President of Smart Breach Response for Corvus Insurance. In this role, Lauren guides policyholders of all sizes through cyber security incidents, ensuring efficient coordination of counsel, digital forensics firms, and other key incident response resources. She also manages Corvus’s risk mitigation services, such as tabletop exercises and incident response planning, that are designed to minimize the frequency and severity of data breaches. Lauren has handled over 1,000 cybersecurity incidents for organizations in healthcare, financial services, higher education, retail, professional services and more.

The nation-state hack of SolarWinds, thought to be an act of espionage, has stolen the cybersecurity headlines so far in 2021. But if your work involves cyber liability, we don’t have to explain that it’s ransomware that remains the major story from the perspective of those in the trenches. This particular category of malware may not be responsible for the majority of claims filed under cyber liability policies, but the eye-popping figures associated with these claims mean they are the focus of any insurer offering coverage for cyber events. (According to broker Lockton, in 2020 ransomware caused 15% of claims, but 95% of the amounts paid.)

As has always been the case with cybersecurity and cyber insurance coverage, the only constant is change. What presented the most concern to underwriters regarding ransomware in 2019 is not the same as it is now. Staying ahead of the trends can help underwriters, brokers and policyholders make critical adjustments to coverage, risk mitigation steps and claims management. The following are three of the major trends in ransomware in 2021.

Rising demands, rising costs – but perhaps a break in the clouds

Growth in total numbers of reported ransomware attacks has thankfully not kept up the torrid pace observed in 2019. But costs have exploded. As NetDiligence found, in 2019 overall costs of a ransomware attack increased 57% — more if business interruption costs are added. The growth in cost was driven in no small part by the ransom demands themselves, as the average ransom grew by a whopping 276% (3.75x) to reach $175,000.

The latest data, going up through the last quarter of 2020, showed that this trend continued through most of the year, finally tapering off in the last quarter. A report from Coveware put the average ransom payment at $154,108 for Q4 2020, a significant 34% drop from the previous quarter, but still much higher than figures reported throughout the previous year (Coveware’s data, different from NetDiligence, found average ransom to be less than $100,000 at the end of 2019).

It’s too early to say that one quarter redefines a more-than-two-year trend, but it’s an encouraging sign that the average ransom payment may not continue to grow inexorably. In the meantime, the major story remains that the dollar figures we’re dealing with from ransomware operators are in a much different ballpark than they were just a couple of years ago. Corvus regularly sees demands in the 7-figure range, and 8-figure demands are unfortunately not uncommon.

Amid this gold rush of criminal ransom activity, the focus is increasingly on the largest ransoms — the ones really driving up the average, which sometimes reach into seven figures. These are amounts that would have made for the ransomware story of the year just recently. It’s rumored that Foxconn, the electronics giant, received a demand for $34 million in November 2020 — and that’s hardly the only eight-figure demand fueling the rumor mill.

With these figures, fewer of the victims are choosing to pay up, taking the risk of starting from scratch with whatever unencrypted data or backups managed to avoid attack. In answer, some ransomware groups may start to pull demands back to earth; others, however, instead turn to other tactics to gain leverage for their demands, which leads us to the next trend: exfiltration.


You’ll recognize the names from headlines if you follow cybersecurity: Ryuk, Sodinokibi, Maze. These were three of the most active strains of ransomware in 2020, whose operators have successfully stolen data from victims as a way to increase leverage in the ransom negotiation. (Maze later shut down as its operators moved on to using derivatives of the original software.)

In some cases, attackers have been able to make money by auctioning off stolen data, even when they were thwarted in their attempt to get a ransom from the victim. Others have gone “back to the well” to get a second ransom by threatening to release sensitive data. A troubling new trend of using this exfiltrated data to contact customers or employees directly is starting to be reported (see next section). Exfiltration was used by roughly half of all ransomware attacks in 2020, according to Coveware.

While the tactic was first tried by a handful of ransomware actors, most notably the Maze group, its success has led others to take it up. Emsisoft reports that at least 17 ransomware groups were observed using exfiltration (or at least threatening it) by the end of 2020. Nearly 30% of Corvus ransomware claims in 2020 involved a threat of data exfiltration.

Responding to situations where data was exfiltrated has created another layer of complexity in breach response, so, as ever, the selection of experienced teams or coaches in managing response is critical.


Typically a ransom demand is communicated through the screen of a hijacked device — thus the only people who know the specifics of the demand are employees of the victim organization, and then perhaps only select employees. But we are seeing a new trend in the way that threat actors leverage their ransom demands: by going straight to broader groups of employees of the organization or their customers to create an environment of urgency and perhaps even panic among affected groups.

By involving customers, or the employees of the organization, the threat actors hope to effectively recruit an army of individuals afraid of their data being publicized or experiencing fraud to further pressure a victim organization to comply with their demand. Messages sent by attackers even include calls to action, such as: “Call or write to this store and ask to protect your privacy!” The threat actors attempt to paint companies as irresponsible to their customers for not meeting their demands and potentially putting personal data at risk.

The data that enables this kind of tactic is normally sourced from attacks where unencrypted data is exfiltrated (stolen) from a company’s network. That data then becomes a tool extortionists use to broaden the scope of their attack. BleepingComputer reported on ransomware actor “Clop,” who used the tactic of directly emailing customers at a bank, a maternity store, and a manufacturer of jets. In the case of the jet manufacturer, Bombardier, Clop threatened to go to journalists first — but Bombardier had already been public about the hack. That’s when the threat actor decided to escalate the situation, and emailed customers directly.

We’re likely to continue to see a push and pull between attack trends and defenses. As more companies work to mitigate the impacts of ransomware by implementing IT security measures that limit how attackers can move within their systems, attackers are coming up with novel ways to increase leverage with whatever encryption or exfiltration they can accomplish.