#1 Cyber Threat · Sophos 2024 State of Ransomware

How a Ransomware Attack Unfolds

The median ransom payment hit $2 million in 2024, up 5x from 2023. Recovery costs averaged $2.73 million on top of that. Here's how these attacks actually work, what they cost, and where cyber insurance changes the outcome.

Anatomy of a Ransomware Attack

Ransomware doesn't happen instantly. Attackers typically spend days or weeks inside your network before triggering encryption. Understanding the stages helps you understand where insurance and preparation actually matter.

Day 0

Initial Access

An employee clicks a phishing link, or attackers exploit an unpatched VPN appliance, an internet-exposed RDP service, or another unpatched server. According to Verizon's 2024 DBIR, 68% of breaches involve a human element. Either way, the attacker gains a foothold, usually a single workstation or the compromised edge device.

Day 1-3

Reconnaissance & Privilege Escalation

The attacker maps your network, identifies high-value targets (domain controllers, backup servers, databases), and escalates privileges, typically by stealing admin credentials and adding backdoor accounts to privileged groups. Because this is done with valid credentials and legitimate administration tools, most of it looks like normal activity to a network that isn't watching for it.

Day 3-7

Data Exfiltration

Before encrypting anything, modern ransomware gangs steal your data and go after your backups. Exfiltration enables "double extortion": pay to decrypt, and pay again to prevent the stolen data from being published on a leak site. Backups are targeted so that you can't recover without paying: Veeam's 2024 Ransomware Trends Report found that 93% of ransomware attacks target backup repositories specifically.

Day 7+

Encryption & Ransom Demand

The attacker deploys ransomware across all accessible systems simultaneously, often at 2-3 AM on a Friday or before a holiday weekend. Systems lock up. The ransom note appears. Your backups may already be compromised. The clock starts ticking.
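The stages above leave traces in endpoint telemetry before the ransom note appears: an account added to a privileged group, that account logging on to a backup host, shadow copies being deleted, then one process renaming files faster than any human or backup job would. The following is an added example, not code from this page or from any vendor: a small rule set run over a constructed, simplified EDR-style event log. The field names, host names (`bkp01`, `fs01`, `ws17`), account names and thresholds are assumptions for illustration, not a specific product's schema.

```python
"""Detection rules for the later stages of the ransomware timeline above.

Added example, not from the original page. Input is a constructed,
simplified EDR-style event log (JSON lines); field names, hosts, users
and thresholds are assumed for illustration, not a vendor schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

BACKUP_HOSTS = {"bkp01"}                                  # assumed crown-jewel hosts
SENSITIVE_GROUPS = {"Domain Admins", "Backup Operators"}  # group adds worth an alert
# Commands ransomware commonly runs to destroy local recovery points.
SHADOW_WIPE_MARKERS = ("vssadmin delete shadows", "wmic shadowcopy delete",
                       "bcdedit /set {default} recoveryenabled no")
# Mass-encryption heuristic: this many distinct renames by one process on one
# host inside the window. Tune to the environment; backup jobs stay well below it.
RENAME_THRESHOLD = 50
RENAME_WINDOW = timedelta(seconds=60)


def build_sample_log():
    """Constructed sample events (not real telemetry), early on a Friday morning."""
    lines = [
        {"ts": "2024-03-08T01:55:10", "host": "ws17", "user": "jdoe", "type": "group_add",
         "group": "Domain Admins", "member": "svc_backup2"},
        {"ts": "2024-03-08T02:03:41", "host": "bkp01", "user": "svc_backup2",
         "type": "logon", "logon_type": 10},                      # 10 = RDP
        {"ts": "2024-03-08T02:10:02", "host": "bkp01", "user": "svc_backup2",
         "type": "process", "cmd": "vssadmin delete shadows /all /quiet"},
    ]
    # Benign: a scheduled backup job touching 20 files over a minute.
    for i in range(20):
        ts = datetime(2024, 3, 8, 2, 0, 0) + timedelta(seconds=3 * i)
        lines.append({"ts": ts.isoformat(), "host": "fs01", "user": "svc_backup",
                      "type": "file_rename", "process": "backup.exe",
                      "path": f"\\\\fs01\\share\\report{i}.xlsx.bak"})
    # Malicious: one process renames 60 files to .locked in 30 seconds.
    for i in range(60):
        ts = datetime(2024, 3, 8, 2, 14, 0) + timedelta(milliseconds=500 * i)
        lines.append({"ts": ts.isoformat(), "host": "fs01", "user": "svc_backup2",
                      "type": "file_rename", "process": "locker.exe",
                      "path": f"\\\\fs01\\share\\report{i}.xlsx.locked"})
    return "\n".join(json.dumps(line) for line in lines)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (stage, host, detail) alerts for the timeline's stages 2-4."""
    alerts = []
    newly_privileged = set()                 # accounts added to sensitive groups
    renames = defaultdict(deque)             # (host, process) -> recent timestamps
    for e in events:
        kind = e["type"]
        if kind == "group_add" and e["group"] in SENSITIVE_GROUPS:
            newly_privileged.add(e["member"])
            alerts.append(("privilege_escalation", e["host"],
                           f'{e["member"]} added to {e["group"]} by {e["user"]}'))
        elif kind == "logon" and e["host"] in BACKUP_HOSTS and e["user"] in newly_privileged:
            alerts.append(("backup_access", e["host"],
                           f'logon to backup host by newly privileged account {e["user"]}'))
        elif kind == "process" and any(m in e["cmd"].lower() for m in SHADOW_WIPE_MARKERS):
            alerts.append(("recovery_sabotage", e["host"], e["cmd"]))
        elif kind == "file_rename":
            window = renames[(e["host"], e["process"])]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > RENAME_WINDOW:
                window.popleft()             # slide the window forward
            if len(window) == RENAME_THRESHOLD:   # fire once as the rate is crossed
                alerts.append(("mass_encryption", e["host"],
                               f'{e["process"]} renamed {RENAME_THRESHOLD} files in '
                               f'{RENAME_WINDOW.seconds}s (e.g. {e["path"]})'))
    return alerts


if __name__ == "__main__":
    for stage, host, detail in detect(parse_events(build_sample_log())):
        print(f"[{stage}] {host}: {detail}")
```

Each rule is deliberately simple; the value is in chaining them. A single shadow-copy deletion from a backup host is already worth waking someone up for, and the same account appearing in the group add, the backup-host logon and the rename burst is the kind of correlation that turns four low-confidence signals into one incident, hours before the "Day 7+" note lands.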

Day 7-30

Negotiation & Recovery

This is where insurance makes the difference. Professional negotiators engage with the attackers. Forensic specialists assess what's recoverable. Legal counsel determines notification obligations. Business continuity plans activate. Average recovery time: 22 days (Sophos 2024).

Real Ransomware Attacks and Their Costs

These attacks made headlines because of their scale, but similar tactics are used against businesses of every size, including the 20-person company that never expected to be a target.

Colonial Pipeline (May 2021)

Largest fuel pipeline in the eastern U.S.

$4.4M ransom paid

The DarkSide ransomware group compromised Colonial Pipeline through a single compromised VPN password that lacked multi-factor authentication. The company shut down 5,500 miles of pipeline, causing fuel shortages across the southeastern U.S. CEO Joseph Blount authorized the $4.4 million Bitcoin payment within hours, calling it "the right thing to do for the country."

The DOJ later recovered $2.3 million of the ransom through cryptocurrency tracing, but that recovery was exceptional, not typical.

Single compromised password · No MFA on VPN · 6-day pipeline shutdown · DarkSide group

JBS Foods (June 2021)

World's largest meat processor

$11M ransom paid

REvil ransomware shut down JBS operations across the U.S., Canada, and Australia. Nine beef processing plants went offline, threatening the meat supply chain. JBS paid the $11 million ransom to prevent further disruption, despite having restored most systems from backups. The payment was described as insurance against future data leaks.

$11M Bitcoin payment · 9 plants shut down · REvil group · Supply chain impact

City of Baltimore (May 2019)

Municipal government · refused to pay

$18.2M total cost

The RobbinHood ransomware attack encrypted city government systems, shutting down email, payment processing, and real estate transactions for weeks. The attackers demanded 13 Bitcoin (~$76,000 at the time). Baltimore refused to pay. The city spent $18.2 million on recovery and lost revenue, more than 200x the ransom demand. The city had no cyber insurance.

The Baltimore numbers aren't an outlier. Atlanta, New Orleans, and dozens of mid-sized U.S. cities have all faced similar events in the last few years, with recovery costs dwarfing the ransom demands.

$76K ransom demanded · $18.2M actual cost · No cyber insurance · Weeks of downtime

Change Healthcare / UnitedHealth (Feb 2024)

Largest healthcare data breach in U.S. history

$22M ransom + $872M costs

The ALPHV/BlackCat group attacked Change Healthcare, which processes 15 billion healthcare transactions annually. The breach disrupted insurance claims processing nationwide, leaving pharmacies unable to process prescriptions and hospitals unable to submit claims. UnitedHealth paid a $22 million ransom. In its first-quarter 2024 results the company reported $872 million in costs attributed to the attack, a figure that kept rising through the year. Over 100 million individuals' data was compromised.

100M+ records · $872M+ response costs · Nationwide disruption · ALPHV/BlackCat

To Pay or Not to Pay: What the Data Says

The FBI says don't pay. Your board says protect the business. Your employees can't work. Here's what actually happens when organizations pay, and when they don't.

The Case Against Paying

  • Only 65% of data is recovered on average even after payment (Sophos 2024 State of Ransomware)
  • 80% of organizations that paid were targeted again (Cybereason 2024)
  • Payment funds criminal organizations and incentivizes future attacks
  • Risk of OFAC sanctions violations if the group is on the Treasury Department's list
  • Decryption tools provided by attackers are often buggy and slow

When Organizations Pay Anyway

  • Patient safety: hospitals can't wait weeks. Lives are at stake
  • No viable backups: when backups were on the same network and got encrypted
  • Data leak prevention: stolen data will be published if the ransom isn't paid
  • Business survival: extended downtime costs more than the ransom
  • 46% of organizations paid the ransom in 2024 (Sophos), down from 66% in 2023

What Insurance Changes About This Decision

Without insurance, you're making a multi-million-dollar decision under extreme pressure with no expert guidance. With insurance, you get:

  • Professional negotiators who've handled hundreds of ransom situations and routinely reduce demands by 60-80%
  • OFAC screening to verify the attacker group isn't sanctioned before any payment
  • Forensic assessment of whether your data is actually recoverable without payment
  • Financial coverage whether you pay or don't. Business interruption, recovery, and legal costs are covered either way

Ransomware & Cyber Insurance FAQ

Does cyber insurance actually cover ransom payments?

Most comprehensive cyber policies cover ransom payments where legally permissible. This includes the ransom itself, cryptocurrency transaction costs, and professional negotiation fees. However, payments to OFAC-sanctioned entities are prohibited regardless of insurance coverage.

Should a business pay the ransom?

There's no universal answer. According to Sophos 2024 State of Ransomware report, organizations that paid ransoms recovered only 65% of their data on average. The FBI advises against payment but acknowledges each situation is different. Cyber insurance provides access to expert negotiators who can assess the specific situation and advise on the best course of action.

How much does ransomware insurance cost?

Ransomware coverage is typically part of a broader cyber insurance policy. Premiums vary based on company size, industry, security posture, and claims history. A small business might pay $1,500–$5,000 annually for $1M in coverage, while mid-market companies pay $10,000–$50,000+ for higher limits.

What security measures reduce ransomware insurance costs?

The controls insurers weigh most heavily: MFA on all remote access and email, endpoint detection and response (EDR), offline or otherwise immutable backups that are tested regularly, employee phishing training, and a documented incident response plan. These aren't just premium reducers. Many insurers now require them as a condition of coverage.

Does insurance cover attacks on our vendors or cloud providers?

Many policies include "dependent business interruption" or "contingent business interruption" coverage for losses caused by attacks on your key vendors or cloud providers. This is increasingly important as supply chain attacks become more common.

Where Cyber Insurance Fits In

Ransomware attacks hit businesses of every size. A cyber policy turns a catastrophe into a manageable response, covering ransom negotiation, business interruption, and recovery. Here's how the coverage works.