Ransomware in 2021: Three Trends Cyber Insurers are Seeing Now

Lauren Winchester is Vice President of Smart Breach Response for Corvus Insurance. In this role, Lauren guides policyholders of all sizes through cyber security incidents, ensuring efficient coordination of counsel, digital forensics firms, and other key incident response resources. She also manages Corvus’s risk mitigation services, such as tabletop exercises and incident response planning, that are designed to minimize the frequency and severity of data breaches. Lauren has handled over 1,000 cybersecurity incidents for organizations in healthcare, financial services, higher education, retail, professional services and more.

The nation-state hack of SolarWinds, thought to be an act of espionage, has stolen the cybersecurity headlines so far in 2021. But if your work involves cyber liability we don’t have to explain that it’s ransomware that remains the major story from the perspective of those in the trenches. This particular category of malware may not be responsible for the majority of claims filed under cyber liability policies, but the eye-popping figures associated with these claims means they are the focus of any insurer offering coverage for cyber events. (According to broker Lockton, in 2020 ransomware caused 15% of claims, but 95% of the amounts paid.)

As has always been the case with cybersecurity and cyber insurance coverage, the only constant is change. What presented the most concern to underwriters regarding ransomware in 2019 is not the same as it is now. Staying ahead on the trends can help underwriters, brokers and policyholders to make critical adjustments to coverage, risk mitigation steps and claims management. The following are three of the major trends in ransomware in 2021.

Rising demands, rising costs – but perhaps a break in the clouds

Growth in total numbers of reported ransomware attacks has thankfully not kept up the torrid pace observed in 2019. But costs have exploded. As NetDiligence found, in 2019 overall costs of a ransomware attack increased 57% — more if business interruption costs are added. The growth in cost was driven in no small part by the ransom demands themselves, as the average ransom grew by a whopping 276% (3.75x) to reach $175,000.

The latest data, going up through the last quarter of 2020, showed that this trend continued through most of the year, finally tapering off in the last quarter. A report from Coveware put the average ransom payment at $154,108 for Q4 2020, a significant 34% drop from the previous quarter, but still much higher than figures reported throughout previous year (Coveware’s data, different from NetDiligence, found average ransom to be less than $100,000 at the end of 2019).

It’s too early to say that one quarter redefines a more than two year trend, but it’s an encouraging sign that the average ransom payment may not continue to grow inexorably. In the meantime, the major story remains that the dollar figures we’re dealing with from ransomware operators are in a much different ballpark than they were just a couple of years ago. Corvus regularly sees demands in the 7 figure range, and 8 figure demands are unfortunately not uncommon.

Amid this gold rush of criminal ransom activity, the focus is increasingly on the largest ransoms — the ones really driving up the average, which sometimes reach into seven figures. These are amounts that would have made for the ransomware story of the year just recently. It’s rumored that Foxconn, the electronics giant, received a demand for $34 million in November 2020 — and that’s hardly the only eight-figure demand fueling the rumor mill.

With these figures, fewer of the victims are choosing to pay up, taking the risk of starting from scratch with whatever unencrypted data or backups that managed to avoid attack. In answer, some ransomware groups may start to pull demands back to earth; others however, instead turn to other tactics to leverage their demands, which leads us to the next trend: exfiltration.


You’ll recognize the names from headlines if you follow cybersecurity: Ryuk, Sodinokibi, Maze. These were three of the most active strains of ransomware in 2020, whose operators have successfully stolen data from victims as a way to increase leverage in the ransom negotiation. (Maze later shut down as its operators moved on to using derivatives of the original software).

In some cases, attackers have been able to make money by auctioning off stolen data, even when they were thwarted in their attempt to get a ransom from the victim. Others have gone “back to the well” to get a second ransom by threatening to release sensitive data. A troubling new trend of using this exfiltrated data to contact customers or employees directly is starting to be reported (see next section). Exfiltration was used by roughly half of all ransomware attacks in 2020, according to Coveware.

While first experimented by a handful of ransomware actors, most notably the Maze group, the success of the tactic has led to others taking it up. Emisoft reports that at least 17 ransomware groups were observed using exfiltration (or at least threatening it) by the end of 2020. Nearly 30% of Corvus ransomware claims in 2020 involved a threat of data exfiltration.

Responding to situations where data was exfiltrated has created another layer of complexity in breach response, so, as ever, the selection of experienced teams or coaches in managing response is critical.


Typically a ransom demand is communicated through the screen of a hijacked device — thus the only people who know the specifics of the demand are employees of the victim organization, and then perhaps only select employees. But we are seeing a new trend in the way that threat actors leverage their ransom demands: by going straight to broader groups of employees of the organization or their customers to create an environment of urgency and perhaps even panic among affected groups.

By involving customers, or the employees of the organization, the threat actors hope to effectively recruit an army of individuals afraid of their data being publicized or experiencing fraud to further pressure a victim organization to comply with their demand. Messages sent by attackers even include calls to action, such as: “Call or write to this store and ask to protect your privacy!” The threat actors attempt to paint companies as irresponsible to their customers for not meeting their demands and potentially putting personal data at risk.

This data that enables this kind of tactic is normally sourced from attacks where unencrypted data is exfiltrated (stolen) from a company’s network. That data then becomes a tool extortionists use to broaden the scope of their attack. BleepingComputer reported on ransomware actor “Clop,” who used the tactic of directly emailing customers at a bank, a maternity store, and a manufacturer of jets. In the case of the jet manufacturer, Bombardier, Clop threatened to go to journalists first — but Bombardier had already been public about the hack. That’s when the threat actor decided to escalate the situation, and emailed customers directly.

We’re likely to continue to see a push and pull between attack trends and defenses. As more companies work to mitigate the impacts of ransomware by implementing IT security measures that limit how attackers can move within their systems, attackers are coming up with novel ways to increase leverage with whatever encryption or exfiltration they can accomplish.

Building Cyber Resilience Against Ransomware

Tim SmitTimothy Smit
Sr. Global Privacy and Cyber Security Risk Leader, Lockton Companies

Timothy develops long-range strategies directing clients how to optimize their data effectively and responsibly.  He focuses on privacy compliance, data protection, and the use of or introduction to digital technology.  He assists in identifying data privacy risks, operational risk, process improvement, and conducting data flow mapping exercises.  Timothy conducts risk assessments and develop strategic solutions for managing those risks along with building incident response programs and plans to improve operational resiliency to a cyber or privacy event.

Over the past six months, ransomware attacks have increased exponentially.  In some reports, the figure is reported as a 700% increase since March 2020. (1)

Adding to the complexity of the ransomware difficulties, on October 1, 2020, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory regarding potential sanctions for facilitating ransom payments.  That same day, the Financial Crimes Enforcement Network (FinCEN) issued an advisory on ransomware and the use of financial systems to facilitate payment.  Our summary of the Advisories and attendant issues can be found here.

Given that ransom payments may no longer be a viable option or at a minimum, paying ransom to threat actors may be more difficult, organizations need to focus on preventing, identifying, responding, and recovering which outlines the foundation of becoming resilient to ransomware attacks.

What can organizations do to minimize their risks of ransomware attacks? 

On September 23, 2020, the National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-53, Revision 5 entitled Security and Privacy Controls for Information Systems and Organizations. The SP contains 20 security and privacy control families.  While we do not address all 20 control families, we have highlighted several prioritized and focused controls that should be considered and potentially implemented by organizations from a ransomware loss control perspective.

The controls below will also map to possible questions insurance carriers are starting to ask in their cyber applications to better understand what proactive controls have been implemented at your organization, which may make you a better risk to them.

With more people working remotely, the increase in end point devices for organizations to manage and protect continue to grow.  Following the cyber kill chain model (2), here are a few ways to help your organization protect itself.

Identification and containing the incident is critical.  According to the 2020 Ponemon Institute Cost of a Data Breach Report (3), the average time to identify and contain an incident was 280 days.  That number has risen due to workforce members working remote and not necessarily identifying or reporting an incident to their organization.

Implementing tools that protect your workforce and their endpoint devices, or endpoint and device protection and response, is where we will begin.

Training & Education

Implement recurring security trainings for your workforce presented on their primary means of communication, i.e., desktops, laptops, mobile devices, or smart phones.  Focused trainings delivered on those devices will help your workforce identify phishing attempts on their primary communication tools.

One of the most common ways ransomware is launched within organizations is through a phishing attack.

Train and encourage your workforce to report anything suspicious in real time.  Your incident response teams need that information as soon as feasible to confirm the integrity of your systems and/or to start their investigation on how/where an attempt to infiltrate originated, so they can respond immediately and potentially eradicate the possibility of further attempts.

Technical Controls

Several technical controls for different endpoint protections that remove the likelihood of your organization succumbing to a targeted attack include:

  • implementing prescreen links in emails
  • scanning for files with exploits and,
  • stripping and detonation of attachments

These controls protect your organization, if malware circumvents your current controls in place, by identifying those infected files, attachments, etc., expediting your response to those issues rapidly, allowing you to contain incidents sooner, decreasing the probability of infected files cascading and propagating throughout your network, both internal and externally.

Segmentation of networks.  This control indirectly self-contains malware from cascading to your entire organization, as well, reducing the overall possible business interruption impact on your organization.

The implementation of configuration management, a patch management program, and intrusion detection and prevention systems alerting your security operations center (SOC) provides a quick reactionary force to engage and contain abnormal activity before it becomes a larger issue.

Vulnerabilities exploited by the threat actor leaves a digital footprint within your networks and should be captured, investigated and responded to, where needed.  Those efforts are improved with the implementation of security event logging solutions, applying threat intelligence to those events, conducting analysis of behaviors captured and respond to those incidents, prevent catastrophic losses to your organization.

Data inventories and data maps of information flow paths aid your organization in classifying critical data while overlaying the proper controls to protect that data based on its data classification. The data inventory sheds light on end-of-life (EOL) systems, operating systems, etc. that currently do not have additional security updates or patches available, which exposes your organization at a much higher rate to new threat agents making you non-compliant with most regulatory requirements that explicitly state you must protect your network and data.

One example of that is the HIPAA Security Rule 45 C.F.R. § 164.308 (a)(5)(ii)(B), which highlights that the entity must have protection from malicious software which implies you must apply patches on all systems.

Another example is the global PCI DSS standards that require each entity to “develop and maintain secure systems and applications by installing applicable vendor-supplied security patches.” (4)

Best practices also address the following response and recovering control aspects to build a resilient organization to a ransom attack.

Data inventorying provides your organization with a catalog of systems, categorized on importance to business operations and organizational goals and objectives.  It provides your organization with a prioritized list of critical systems and assets to protect most, data being proactively backed up and protected while the data is at rest, and accessible only by authorized users.

Data must be backed up, protected from unauthorized access and alteration or deletion with a planned and tested restoration plan which empowers your organization to be resilient to cyber-attacks, including ransomware attacks.  Backups may be locally conducted and stored, or they may be virtual within a cloud environment.

Authentication Controls

Implementing multi-factor authentication (MFA) is critical to confirm the identity of those accessing your systems and/or devices.  For example, if your organization utilizes MS Office365 (O365), MFA implementation is free and available today to implement.  If your organization does utilize O365, ensure that the Advanced Threat Protection add-on is being utilized.

MFA should be applied to protect every account, including privileged accounts.  Also, if you allow work emails to be forwarded to personal email accounts, ensure that your workforce has enabled MFA on their personal accounts, especially in today’s work from home setting.

Even though MFA will not prevent phishing emails from being clicked on or executed, it can prevent a successful phishing attempt from exploiting credentials, by over 90%. (5)

Incident Response

Incident response is an organized approach to addressing and managing privacy and data incidents.  The goal is to identify, respond, contain, and recover from the incident limiting damages and reducing business interruptions.

Incorporating training to identify and how to and when to report an incident is one component of the incident response plan.  Investigating the digital footprints of a bad actor is another component of the incident response plan.

Your incident response plan is the cornerstone to building resilience within your organization, where building cyber resilience is a necessity today.

Cyber Insurance Carriers

Organization’s that currently purchase a cyber liability insurance program have access to all the above- mentioned recommendations and many other services that are provided either as complimentary or at a reduced cost.  The insurers are helping their clients proactively improve their overall risk posture while reducing the probability of a cyber event causing a loss, which triggers a claim.



Configuration Management – Configuration management is a system’s engineering process for establishing and maintaining consistency of a product’s performance, functional, and physical attributes with its requirements, design, and operational information throughout its life.

End-of-Life (EoL) – “End-of-life” (“EOL”) is a term used with respect to a product supplied to customers, indicating that the product is in the end of its useful life (from the vendor’s point of view), and a vendor stops marketing, selling, or rework sustaining it. (The vendor may simply intend to limit or end support for the product.)

Patch Management – Patch management is the process that helps acquire, test and install multiple patches (code changes) on existing applications and software tools on a computer, enabling systems to stay updated on existing patches and determining which patches are the appropriate ones.

Segmentation of Networks – Network segmentation is an architectural approach that divides a network into multiple segments or subnets, each acting as its own small network. This allows network administrators to control the flow of traffic between subnets based on granular policies.


  1. https://www.zdnet.com/article/ransomware-huge-rise-in-attacks-this-year-as-cyber-criminals-hunt-bigger-pay-days/#:~:text=It’s%20something%20that%20cyber%20criminals,%E2%80%93%20and%20blocked%20%E2%80%93%20ransomware%20attacks.
  2. https://www.varonis.com/blog/cyber-kill-chain/
  3. https://securityintelligence.com/posts/whats-new-2020-cost-of-a-data-breach-report/
  4. https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
  5. https://www.knowbe4.com/how-to-hack-multi-factor-authentication



Medical: Is it BI or BI?

Lynn Sessions will moderate a panel at the 2017 PLUS conference called “Medical: Is it BI or BI?,” which will discuss which policies should respond when multiple lines of insurance are affected at the same time.

Sessions is both an RN and a lawyer who focuses her practice specifically on healthcare law. She previously worked for Texas Children’s Hospital in a variety of different areas, and is now a partner at Baker & Hostetler LLP, and concentrates on healthcare privacy.

The panel will focus specifically on ransom-ware attacks on medical facilities, and how they could potentially cause both business interruption and bodily injury claims. The panel will consist of lawyers and insurance professionals who will discuss cyber liability insurance policies, and whether business interruption and bodily injury would be covered under them, and how to respond if they aren’t covered.

“These are a little bit different, and more novel issues than what we’ve seen on the cyber liability front up until now,” Sessions said. In the past, Sessions said, the main concern with cyber attacks in medical facilities was information breaches, but as cyber attacks have evolved to targeting medical devices, the concern has become patients not being able to receive the care they need, which is where the bodily injury issues come into play.

Sessions believes that a cyber attack on a medical facility is one of the most misunderstood risks for both insurance companies and medical facilities, and because it is misunderstood, becomes a big risk.

Sessions hopes that the panel opens the audience’s eyes to risks that they may not have thought about before, and prompts underwriters and insurers to revisit their cyber liability policies to make sure business interruption and bodily injury is covered. She said that underwriters and brokers would benefit the most from attending the panel, because they’ll hopefully become aware of gaps in cyber liability policies and will start to think about how to create products that meet the needs of healthcare organizations.

“I think as we’re looking at what the emerging risks are in healthcare with a cyber event, that this is something that I think underwriters, and brokers, and frankly insurers are going to have to start thinking about, because the policies- at least in the past- have not been, would not perfectly match up to be able to cover these types of events,” Sessions said.

As insurers begin to consider the risks to healthcare organizations in the event of a cyber attack, Sessions hopes the panel will give them more information about the type of coverage that is needed.

“Hopefully a light bulb will go off that this is a needed response to healthcare organizations with an emerging risk that frankly, all of them are in the process of considering or they’ve actually already faced it,” Sessions said.

Don’t miss this fascinating and informative panel. Register now for the 2017 PLUS Conference, taking place November 1-3 in Atlanta, GA.

BI or BI Sessions image