
The Anatomy of A Ransomware Event

What happens when a ransomware attacker strikes? Our CCIS graduate, David Finz, unpacks the common steps taken in a typical incident response as part of his participation in our industry leader program.

In this article, we’re going to take a deep dive into the chronology of a ransomware event: who’s a part of a company’s incident response plan, what steps are typically taken, and how Cyber insurance coverage comes into play. 

We’re going to follow the travails of an imaginary manufacturer of water treatment monitoring equipment for large municipalities (we’ll call them XYZ Corp.) who has fallen victim to a ransomware event; they discover that their files have been encrypted by a threat actor who is demanding a $10 million ransom payment in cryptocurrency within 72 hours, or they will release the company’s proprietary information into the wild.

Alerting the Professionals to the Ransomware Event

The first step XYZ should take is to notify the necessary parties. Thankfully, the company bought Cyber insurance from a carrier that maintains a 24/7 incident response hotline. This hotline puts the company’s CISO in touch with privacy counsel, who gathers some basic information about the incident and then engages a forensics investigator and threat consultant. The goal is to maintain privilege around these communications and any work product, to the extent possible.

One of the first things these service providers will seek to determine is whether the company’s email is secure; they don’t want to be using email to discuss strategies around the incident response, or the availability of insurance coverage, if the threat actors have access to these messages.

Speaking of insurance, XYZ should also notify its broker of the incident. XYZ may have already called the carrier hotline, but under most policies, calling the hotline does not satisfy the requirement to provide written notice of the event. Even if the carrier has opened a file and acknowledged receipt of the matter, XYZ still wants its broker to give notice so that the adjuster who gets assigned to the matter knows to keep the broker in the loop on any correspondence to their client.

Fortunately, XYZ knows all of this, because they had their chosen service providers run a tabletop exercise six months ago. Their insurance broker was part of that exercise, and when the broker discovered that the insured’s preferred public relations firm was not on the insurer’s pre-approved panel, they had the firm added to the policy by endorsement. That will prove important in case XYZ needs to get some messaging out to its customers.

Root Cause Analysis in a Ransomware Event

Within minutes, counsel has secured the engagement of a forensics investigator, who advises XYZ’s management to disconnect any infected hardware from the network.

The forensics team now begins to undertake what is known as a “root cause analysis”. Over the next several days, they determine that the initial compromise of the network resulted from an unprotected Remote Desktop Protocol gateway, which enabled the threat actors to install malware and explore XYZ’s computer system looking for sensitive data. The threat actors appear to have been in the network for some time and went undetected while they managed to encrypt files containing proprietary algorithms, trade secrets, and other sensitive data. There are backups, so the company can operate without the files, but they still do not want this sensitive information getting into the wrong hands. Mercifully, customer data was encrypted and does not appear to have been taken.

Disinfecting the system of malicious scripts and other malware is another service the forensics team provides, but this does not negate the damage that can be done by the threat actors if the information they are holding gets into the wrong hands.

Reservation of Rights in a Ransomware Event

While this is happening, the adjuster issues a coverage letter approving the vendors and affording coverage, subject to what is known as a “reservation of rights.” The broker explains to XYZ that this simply means that if the carrier learns something that could impact coverage, for example, that XYZ knew about the intrusion to their network prior to binding and failed to disclose it, or that the ransomware is deemed attributable to a nation-state and an act of war, these revelations could impact coverage.

Buying Time

Since the forensics team has not been able to wrap up their investigation within 72 hours, the threat consultant asks the threat actors for more time, stating that XYZ is trying to come up with as much money as they can. The threat actors agree to a 48-hour extension but make clear their patience is running thin.

The threat consultants are also able to determine that the threat actors are a known criminal syndicate with operations in South America, and do not appear to be on the list of entities sanctioned by the U.S. government, so a payment of the ransom is permissible by law.

However, the threat consultant makes clear to XYZ that there is no guarantee of “honor among thieves” and, while this ransomware gang is known to provide the decryption key, it may not work as quickly or completely as one might hope.

Negotiating the Ransom

The threat consultants recommend that XYZ be prepared for an ultimate ransom payment in the $3 to $5 million range, but that they should start with an initial offer of $750k. XYZ explains to the adjuster that, placed in the hands of a competitor or foreign government, the intellectual property in question would destroy their business model and could even jeopardize critical infrastructure. The adjuster defers to the judgment of the threat consultant and the wishes of their insured and approves up to a $5 million ransom payment.

Predictably, the threat actor responds by saying this is an insult, but they continue talking. Meanwhile, the threat consultant confirms that no decryption key is available from the FBI for this particular form of malware. Over the next few days, the threat actor provides “proof of life” by unlocking a small portion of stolen data.

The parties arrive at a figure of $3.5 million which, along with several hundred thousand dollars in service provider fees, is well within the $10 million policy limit. In exchange for the payment, the threat actor agrees not only to provide a decryption key, but also to destroy all files in its possession, make no public statement about the incident, and provide the threat consultant with information about how they exploited the RDP gateway so that XYZ can take remedial action.


Our friends at XYZ Corp endured a great deal of stress and inconvenience, but thanks to the cooperation of the service providers and the availability of insurance coverage, they were able to weather this attack and, hopefully, they will emerge from it a more resilient company with the lessons they have learned. Not every company is so fortunate. A qualified insurance broker can participate in the development of their clients’ incident response plans, making sure that the resources, as well as the responsibilities that come with having a Cyber insurance policy, are factored into the planning.


David Finz is an attorney and insurance broker, specializing in Cyber and Technology Risk. His seventeen years in the industry span claims, client advisory, and product development roles. David currently serves as First Vice President of Cyber Solutions at Alliant Insurance Services and is the host of the weekly podcast, “The Cyber Insurance Imperative,” and author of the book by the same name. David completed the CCIS program in April of 2022.
