Ransom Payment Trends 2023: To Pay Or Not To Pay

Should insurers attempt to recover ransom payments from threat actors? This expert panel provided key insights.

If you were unable to attend the incredible Zywave Cyber Risk Insights Conference in London this year, then you will have missed key insights on ransom payment trends for 2023. 

A panel discussion on the topic brought together a group of experts to share their insights and experiences from the front lines of cyber incidents. Moderated by Anthony Hess from Asceris, the panel included Carolyn Purwin Ryan from Mullen Coughlin, Danielle Haston from Chainalysis, Luke Johnson from Canopius, and Daniel Tobok from Cypfer.

Ransom payment trends imply a decline, but should more still be done?

According to Danielle Haston, an experienced financial fraud investigations and recovery professional, the past year has seen nearly half a billion dollars paid in ransoms. However, this amount only represents 41% of the total number of people who have paid the full amount being demanded.

While the individual amounts paid by insurance companies may not be significant, the destination and impact of the funds can be, especially if the payments risk breaching regulatory safeguards against terrorist financing or sanctions (the latter of which has been an increasingly tricky issue since the outbreak of war in Ukraine). Daniel Tobok added that attribution has become increasingly difficult since the Russian-Ukrainian conflict emerged: a lack of global cooperation since the outbreak has exacerbated existing issues with non-uniformity of legislation. This has effectively made ransomware one of the few crimes where criminals can demand and receive vast sums of money without any consequences.

With better education, insurance professionals could use blockchain for ransom payment recovery

As ransomware attacks continue to surge, Danielle Haston urged financial and insurance professionals to take necessary measures to impede criminals from profiting from their illicit activities. These measures include diligently tracking the flow of funds in blockchain and cryptocurrency and pursuing the recovery of stolen funds through legal avenues.

The flows of funds in blockchain and cryptocurrency differ from traditional finance; it is possible to trace the destination address of funds even before payment is made – a unique characteristic of blockchain transactions. By reporting the address where the funds would be directed, it then becomes possible to identify their path, particularly if they end up in centralized exchanges.


These exchanges, which account for 48% of ransom payments, are obligated entities with Anti-Money Laundering (AML) requirements for their customers; they possess the ability to undertake necessary actions upon identifying the source of funds. Such measures may encompass filing suspicious activity reports or bolstering law enforcement databases, effectively hindering criminals’ access to the funds, even if they ultimately need to be disbursed. Equipped with their own compliance tools and those from external firms, exchanges diligently scrutinize fund origins and flag any suspicious behavior, thereby empowering compliance officers to make critical decisions like freezing accounts or reporting them to the authorities.

Insurers can also potentially look to the UK courts for further insights: in the 2019 case of AAA plc & ors v Persons Unknown, an insurance company managed to recover £950,000 after the court agreed to their definition of cryptocurrency as recoverable property.

Could increased focus on crypto funds tracing deter cyber threat actors from executing ransomware attacks? Haston believes that, where criminals face the risk of being traced and facing consequences for their actions, they are less likely to continue their pursuit. This leads them to target individuals who are less likely to track their activities or expose their identities.

Significant risks deter carriers from chasing ransom recovery

When it comes to the recovery of funds paid out in ransomware attacks, Luke Johnson pointed out that insurers often have good reasons for not pursuing such actions. Insurers determine customer premiums from their financial risk models, and recoveries are typically not factored into these calculations. Moreover, pursuing recoveries could potentially harm insured clients, as threat actors might retaliate against them, leading to increased litigation for insurers. Additionally, since the insurer is still obligated to pay out the claim to their insured, any recovered funds go to the insurers rather than their clients, creating a lack of motivation for insured individuals to pursue recovery.

Carolyn Purwin Ryan also argued for a cautious approach regarding involving law enforcement in ransomware cases. She highlighted the potential risks of early law enforcement involvement, citing the case of the FBI’s increased intervention in such incidents in the United States. While law enforcement’s presence may deter companies from paying ransoms, it can also result in heightened litigation and increased risks for the targeted companies. She also noted the rising costs of business interruption, making it potentially more cost-effective for companies to pay ransoms rather than rebuild from scratch.

Potential shifting tactics in ransom payment negotiations

Additionally, Haston highlighted instances within the crypto world where substantial sums, ranging from one million pounds to over £100 million, have been unlawfully withdrawn from crypto protocols through hacking incidents. She noted that negotiation opportunities may arise in such situations. Surprisingly, where funds have been traced to an exchange, “ethical hackers” commonly engage in negotiations where the result is often mutually beneficial: the hacker can walk away with a percentage of the original sum stolen, while releasing the rest back to the victim. As such, recovering at least half of the funds becomes a realistic possibility, given these hackers’ willingness to settle in such arrangements. 

In conclusion, insurance professionals must take into account multiple perspectives when contemplating the recovery of ransom payments. The key aspect lies in their awareness of the actions that can be taken to shift the trajectory of events and reshape the prevailing narrative. By embracing a comprehensive understanding of the complexities involved, insurance professionals can navigate the challenging landscape of ransomware attacks with greater efficacy and contribute to mitigating the impact of these threats. 
