
How Hackers Leverage Insurance Details in Ransomware Attacks

Gregory Andersen, August 28, 2025

Imagine walking into a contract negotiation where the other side already knows your budget. You sit down at the table ready to play hardball, but the person across from you already knows your maximum spend and what you’ve paid for similar deals in the past. 

Suddenly you're at a disadvantage, and no one has even said a word.

That’s what it’s like when threat actors gain access to a business’ cyber insurance policy during a ransomware attack. The policy gives them inside knowledge of how much coverage a policyholder has, indications of their willingness to pay a ransom demand, and likely responses during potential negotiations. 

Of course, this doesn’t mean that having a policy is risky; cyber insurance remains essential for every modern business, as it can be the difference between recovery and collapse after a major cyber incident. But in the same way that financials or trade secrets ought to be protected, businesses should secure their cyber insurance policies like any other highly sensitive document.

Having a policy in-hand turns guesswork into strategy

When attackers gain access to a business’ network, they’re not just looking for files to encrypt. They’re looking for leverage. A cyber insurance policy gives attackers a peek behind the curtain into limit amounts, whether ransom payments are reimbursable under the policy, which vendors (forensic IT experts, breach counsel, etc.) are likely to be covered as response services, and how the claims process might unfold.

Coalition Incident Response (CIR)* has recently observed that threat actors’ initial ransom demands mirror victims’ coverage limits more frequently. This supports the notion that once threat actors access a victim’s cyber insurance policy, they use it to their advantage.

“If a policy covers up to $1 million in ransom payments, attackers can demand a ransom just low enough to feel ‘reasonable’ compared to a long recovery process, operational downtime, and reputational damage,” said Jason Vitale, Incident Response Lead at CIR. 

Attackers will often use policy details, when available, to coerce businesses into paying ransoms. They’ll also reference applicable laws and associated fines for leaking customer data, then further insist that payment is a victim’s best option because ransomware claims are covered under the policy. In some cases, threat actors will even threaten to contact clients, vendors, or employees directly in an attempt to apply more pressure.

“It’s psychological warfare,” added Vitale. “They’re aiming to get paid quickly, and knowing the details of a business’ policy turns their guesswork into strategy.” 


Ransomware group cites policy in new extortion tactic

A law firm in North America recently felt the pain of these tactics after being attacked by the Qilin ransomware group. The firm initially wanted to avoid paying a ransom, but ultimately decided to enter negotiations with the threat actors to protect its clients and their information.

The attackers demanded a nearly $900,000 ransom payment and exhibited an unusual level of sophistication once CIR engaged in negotiations, making direct references to the firm’s cyber insurance policy limits and legal obligations.

“The threat actor cited specific privacy laws and made threats to notify authorities and the victim’s clients if an agreement wasn't reached,” said Ramya Ragavan, Senior Incident Response Analyst at CIR. “They also cited provisions in the victim’s cyber insurance policy, which had been stored on a shared server that would’ve been accessible during the attack.”


Security researchers at S-RM recently reported on a new extortion tactic used by the Qilin group, known as “Call Lawyer,” that provides affiliate attackers with access to a legal adviser who offers a “legal assessment” of the consequences of the victim’s failure to pay. According to S-RM:

“The lawyer reportedly provides affiliates with legal advice, including a legal assessment of the victim's exfiltrated data concerning applicable laws and regulations, and the potential implications of non-payment, enabling affiliates to more precisely pressure victims.”


Ultimately, CIR successfully negotiated a 61% reduction from the initial demand and helped facilitate payment to suppress the stolen data.

Targeting cyber insurance policies in ransomware attacks isn’t a new tactic; this practice made headlines back in 2021, following the leak of training material used by Conti ransomware affiliates. Yet, as we see with Qilin, threat actor groups are continuing to pursue and iterate on this tactic, which is why businesses must take proactive steps to sufficiently protect their policies.

Best practices for safeguarding cyber insurance policies

Preventing threat actors from accessing and leveraging a cyber insurance policy doesn’t require major investments or technical overhauls; just an increased awareness and a few adjustments to how policies are stored, shared, and handled.

1. Store policies like confidential financial documents

Ransomware attackers often move laterally across systems looking for valuable data. The policy becomes low-hanging fruit if it’s stored in an area of the network that’s easily accessible.

Cyber insurance policies should be stored in secure systems with strict access controls, like a safe deposit box for digital files. Businesses are encouraged to use document management systems with permission-based access. For an added layer of security, endpoint detection and response (EDR) tools can be set up to monitor the specific segment for suspicious behavior.

Businesses should avoid storing policies on open or shared cloud drives (like Google Drive or Microsoft SharePoint) without strong access controls and never keep unencrypted copies on laptops, email inboxes, or local servers. If an unencrypted policy must be transmitted by email, archive the email in an encrypted, offline location and delete the original email.
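One way to check existing storage against the two points above (who can read the file, and whether it is encrypted at rest), as an added example that is not from the original article. The filename patterns, the suffix list and the PDF `/Encrypt` heuristic are assumptions, and the permission check uses POSIX mode bits only; Windows, Google Drive and SharePoint ACLs need their own tooling.

```python
import re
import stat
import sys
from pathlib import Path

# Hypothetical naming patterns; adjust to how your organization names these files.
NAME_HINT = re.compile(
    r"cyber.{0,20}(insurance|policy|liability)|insurance.{0,20}policy", re.I
)
# Assumption: files with these suffixes are encrypted containers.
ENCRYPTED_SUFFIXES = {".gpg", ".pgp", ".age"}


def looks_encrypted(path: Path) -> bool:
    """Heuristic: encrypted-container suffix, or a PDF carrying an /Encrypt entry."""
    suffix = path.suffix.lower()
    if suffix in ENCRYPTED_SUFFIXES:
        return True
    if suffix == ".pdf":
        # Encrypted PDFs reference an /Encrypt dictionary from the trailer.
        return b"/Encrypt" in path.read_bytes()
    return False


def audit(root: Path) -> dict[str, list[str]]:
    """Return {relative path: [findings]} for policy-like files under root."""
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not NAME_HINT.search(path.name):
            continue
        findings = []
        # Any group or world read bit means more than the owner can open it.
        if path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("readable beyond owner")
        if not looks_encrypted(path):
            findings.append("not encrypted at rest")
        if findings:
            report[str(path.relative_to(root))] = findings
    return report


if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, findings in audit(target).items():
        print(f"{name}: {', '.join(findings)}")
```

A clean result only means no policy-like filename was found with weak permissions or without encryption; renamed copies and email attachments still need a separate review.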


2. Limit policy access to those who need it

Not everyone within a business needs to see the full policy. Limiting access reduces the number of places it can be leaked or intercepted and also helps prevent accidental exposure.

In general, businesses should only grant access to legal, finance, IT security, and senior leadership. If policies are reviewed by outside vendors or board members, share password-protected versions using encrypted email or secure file-sharing portals, with instructions to download and save them in encrypted formats. Always share the password separately and, when possible, set time limits so that access or download rights expire.


3. Keep a backup copy of the policy offline 

Internal systems may be encrypted or offline during a ransomware attack. Having a clean, offline copy of the policy ensures incident response teams can still access it when needed. Businesses should store a copy of the policy with outside legal counsel, dedicated incident response vendors, or insurance brokers.

Relatedly, a properly created incident response plan should include contact information for a business’ cyber insurance providers and IT teams, plus out-of-band contact information for key employees if escalation is needed. A copy of the cyber insurance policy can be included with the incident response plan — just make sure to protect it based on the above best practices, including limiting policy access.


4. Educate teams on policy protection

Key employees across finance, legal, and IT should understand that the policy could become a bargaining chip in the wrong hands.

Businesses should include cyber insurance policy handling in security awareness training and encourage stakeholders to treat policies with the same caution as sensitive customer data or internal financials.

It’s not the policy, it’s how you handle it

Cyber insurance plays an essential part in any modern business’ resilience strategy. But just like other critical assets, the policy should be protected.

When attackers gain access to coverage details, it can shift the balance of power in their favor, making ransom demands more calculated, negotiations more difficult, and outcomes more costly. The policy itself isn’t a liability, but it’s important enough to defend.

The steps needed to protect a policy are straightforward: store it securely, limit access, and educate appropriate teams on the sensitivity of coverage details. With a proactive mindset and a few operational adjustments, organizations can make sure cyber insurance continues to serve its purpose of supporting resilience.


This article originally appeared in the August 2025 edition of the Cyber Savvy Newsletter.


*Incident response services are provided by Coalition Incident Response, Inc dba Coalition Security™, an affiliate of Coalition Inc. Coalition Security does not provide insurance products. 