Ransomware attacks — in which attackers encrypt a victim’s data and systems and demand payment to restore access — have become one of the most pervasive and financially devastating threats facing US businesses of every size. What began as a tactic directed primarily at large enterprises has spread broadly into the small and mid-size business market, where attackers have learned that companies without enterprise-grade security defenses are often more profitable and easier targets.
The financial toll of a ransomware event extends well beyond the ransom payment itself. It encompasses the cost of forensic investigation to understand how attackers gained entry, system restoration costs that often dwarf the ransom demand, business interruption losses that accumulate every hour systems are down, legal and breach counsel fees, and — increasingly — the regulatory costs associated with data exfiltration. Modern ransomware attacks frequently combine encryption with data theft in what attackers call “double extortion”: pay the ransom to get your files back, or we will publish your sensitive data publicly. This means a ransomware event can simultaneously trigger your data breach notification obligations under state and federal law.
Cyber insurance covers many of these costs, but navigating a ransomware event from a legal perspective involves complexity that goes well beyond filing a claim. There are federal law restrictions on who you are legally permitted to pay a ransom to, federal agency guidance on whether ransom payments should be made at all, and insurer requirements that govern every step of the payment and recovery process. Business owners who understand this landscape before they need it are far better positioned than those who encounter it for the first time during an active attack.
What Cyber Insurance Covers in a Ransomware Event
A well-structured cyber insurance policy covers multiple categories of loss that arise from a ransomware attack. Understanding each category — and the conditions attached to it — helps businesses understand both what they are buying and what documentation they will need to support a claim.
The ransom payment itself is covered by most cyber policies under a “cyber extortion” or “ransomware” coverage grant, subject to important legal constraints discussed below. Insurers typically require prior written authorization before a ransom payment is made and expect to be involved in the payment decision. Ransomware negotiation costs are also typically covered — these are the fees charged by professional negotiators who engage with the attackers to reduce the initial demand. In practice, skilled negotiators routinely reduce initial ransom demands by thirty to seventy percent, which means the negotiation cost is nearly always worth incurring.
System restoration and data recovery costs are covered and typically represent the largest single cost component of a ransomware event. Rebuilding compromised systems, reinstalling software, restoring data from backup (if usable backups exist), and testing restored systems to confirm they are clean is expensive and time-consuming work. Business interruption coverage pays for revenue lost and extra expenses incurred while systems are down — this is triggered from the moment the attack is discovered through the period of restoration. Forensic investigation costs cover the work of determining how attackers gained initial access, which matters both for the insurance claim and for preventing recurrence.
If data was exfiltrated during the attack — as is now common — the event may also trigger legal and breach counsel fees, notification costs for affected individuals, credit monitoring costs, and potential regulatory response costs. All of these should be covered under a comprehensive cyber policy. Total event costs in a mid-size business ransomware event can easily reach five to ten times the ransom demand itself, which is why understanding the full scope of coverage before an event occurs is essential.
The OFAC Sanctions Problem — When Paying Ransom May Violate US Law
One of the most important and widely underappreciated legal risks in ransomware response is the intersection of ransom payments with federal sanctions law. The US Treasury Department’s Office of Foreign Assets Control — known as OFAC — maintains a Specially Designated Nationals and Blocked Persons list of individuals, organizations, and countries with whom US persons and entities are prohibited from conducting financial transactions. Paying ransom to a group on this list can constitute a violation of the International Emergency Economic Powers Act regardless of whether the victim knew the group was sanctioned.
This is not a hypothetical concern. Several of the most active ransomware operations, including groups associated with or operating from Russia, North Korea, Iran, and other sanctioned jurisdictions, have been formally designated by OFAC. In 2020, OFAC issued an advisory specifically warning that ransomware payments to sanctioned groups or jurisdictions may violate US sanctions law, and that OFAC could impose civil penalties on victims who made such payments even if they had no intent to violate the law. The advisory also noted that voluntary self-disclosure of a potential sanctions violation — reporting to OFAC that a payment may have been made to a sanctioned entity — is treated as a mitigating factor in penalty determinations.
The practical implication for any business facing a ransomware demand is that an OFAC sanctions screening must be conducted before any payment is made. This means attempting to identify who is behind the attack based on available forensic and threat intelligence information, and checking that identification against OFAC’s sanctions lists. This is not something most business owners can do themselves — it requires the kind of threat intelligence and legal expertise that professional negotiators and breach counsel attorneys bring to the engagement. Cyber insurers understand this obligation and have their own compliance requirements; a reputable insurer will not fund a ransom payment to a sanctioned group, which makes early insurer involvement in any ransom decision essential.
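To make the screening step concrete, here is a small Python example of the kind of check described above. It is added here for illustration and is not code from the article or from any insurer or negotiator; the sanctions list it matches against is constructed placeholder data in a format assumed for this example, not the real OFAC SDN list, and the `screen` and `normalize` helpers are hypothetical names. It takes the actor names and aliases the forensic team has attributed the attack to, plus any payment address the attackers supplied, normalizes the names so that punctuation, case and accents do not hide a match, and returns every hit so that counsel and the insurer can review it before any payment decision.

```python
"""Added example: an OFAC-style sanctions screening step before a ransom payment.

The SAMPLE_LIST below is CONSTRUCTED sample data (placeholder names and
addresses) in a format assumed for this example; it is not the real OFAC
SDN list.  A real screening loads the current list published by OFAC and
is reviewed by breach counsel, as the article notes.
"""
from dataclasses import dataclass, field
import re
import unicodedata


@dataclass(frozen=True)
class SanctionsEntry:
    name: str
    aliases: tuple = ()
    addresses: tuple = ()   # digital-currency payment addresses listed with the entry
    program: str = ""       # sanctions program the designation falls under


# Constructed placeholder entries -- not real designations.
SAMPLE_LIST = (
    SanctionsEntry("EXAMPLE RANSOM GROUP", ("ExampleGroup", "EG Locker"),
                   ("bc1qexampleaddress000",), "CYBER-EXAMPLE"),
    SanctionsEntry("SAMPLE FRONT COMPANY LTD", ("Sample Front Co",), (), "EXAMPLE-PROGRAM"),
)


def normalize(name: str) -> str:
    """Casefold, strip accents and collapse punctuation so 'EG-Locker' matches 'eg locker'."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^a-z0-9]+", " ", text.casefold())
    return text.strip()


@dataclass
class ScreeningResult:
    # Each hit: (kind, matched_value, listed_name, program)
    hits: list = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        return bool(self.hits)


def screen(identifiers, addresses, sanctions=SAMPLE_LIST) -> ScreeningResult:
    """Match attributed actor names/aliases and payment addresses against the list.

    identifiers: names or aliases the forensic/threat-intel team attributed the attack to
    addresses:   payment addresses supplied in the ransom note or negotiation
    """
    result = ScreeningResult()
    wanted = {normalize(i) for i in identifiers if i.strip()}
    for entry in sanctions:
        listed = {normalize(entry.name)} | {normalize(a) for a in entry.aliases}
        for match in sorted(wanted & listed):
            result.hits.append(("name", match, entry.name, entry.program))
        for addr in addresses:
            # Addresses are exact-match: never normalize them.
            if addr.strip() in entry.addresses:
                result.hits.append(("address", addr.strip(), entry.name, entry.program))
    return result


def payment_decision(result: ScreeningResult) -> str:
    """Summarize the screening outcome for the decision record counsel and the insurer keep."""
    if result.blocked:
        lines = ["BLOCKED: possible match to a sanctioned party; do not pay, escalate to counsel."]
        lines += [f"  {kind} match '{value}' -> {name} ({program})"
                  for kind, value, name, program in result.hits]
        return "\n".join(lines)
    return "NO MATCH on the list screened; payment still requires insurer written authorization."


if __name__ == "__main__":
    attribution = ["EG-Locker"]                 # constructed: what forensics attributed the attack to
    ransom_addresses = ["bc1qexampleaddress000"]  # constructed: address from the ransom note
    print(payment_decision(screen(attribution, ransom_addresses)))
```

Two design points matter in practice: names are normalized before comparison because attacker aliases are spelled inconsistently across threat intelligence sources, while payment addresses are compared exactly, since a near-miss on an address is meaningless. A "no match" result only says the identifiers you had were not on the list you screened; it does not establish who the attackers are, which is why the article stresses that attribution and the screening itself belong with professional negotiators and breach counsel.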
FinCEN Reporting and the FBI’s Guidance
The Financial Crimes Enforcement Network, known as FinCEN, has issued guidance indicating that financial institutions facilitating ransomware payments — including cryptocurrency exchanges through which bitcoin or other digital currency is purchased to pay the ransom — may have obligations under the Bank Secrecy Act to file Suspicious Activity Reports. This does not directly affect the victim business in most cases, but it illustrates the degree to which the federal government treats ransomware payments as transactions that implicate financial crime law, not merely commercial transactions.
The FBI’s official position is that ransom payments should not be made. The FBI’s reasoning is straightforward: paying ransoms validates the ransomware business model, funds criminal enterprises, and creates incentives for additional attacks. The FBI encourages all ransomware victims to report incidents to its Internet Crime Complaint Center, known as IC3. In some cases, FBI field offices have been able to assist victims — either by providing intelligence about the attacking group, helping identify whether decryption keys are already available, or in some instances recovering encryption keys through law enforcement action against attacker infrastructure.
In practice, many businesses do pay ransoms when the alternative is prolonged business interruption or permanent data loss. This is a pragmatic business decision that is legal in most circumstances (absent a sanctions violation). But it should be made deliberately, with full awareness of the legal landscape, with the involvement of legal counsel and the insurer, and with a ransom payment not as the reflexive first response but as a considered option after evaluating alternatives. Notifying the FBI does not require you to follow their guidance against payment — but their assistance can sometimes change the calculus.
Insurer Involvement in Ransom Negotiations and Payment Decisions
When a cyber policy covers ransom payments, the insurer expects — and typically requires — to be involved in the payment decision before any payment is made. Most policies include conditions that must be satisfied for ransom payments to be covered. These typically include obtaining the insurer’s prior written authorization; using the insurer’s approved professional negotiator rather than engaging the attackers directly or through an unauthorized third party; conducting an OFAC sanctions screening; and maintaining documentation of the entire process.
Insurers who provide ransomware coverage have developed significant expertise in this area, and their involvement is not merely bureaucratic. A professional ransomware negotiator working with the insurer’s backing has negotiated hundreds of these situations and understands attacker tactics, typical settlement patterns, and how to assess whether the attacker actually holds the decryption key they claim to have. This expertise has real financial value — businesses that use professional negotiators consistently pay less than those who negotiate directly or pay the initial demand without pushback.
The single most important procedural point for any business facing a ransomware demand is this: do not make any payment without first notifying your insurer and engaging legal counsel. A payment made without insurer authorization may not be covered. A payment made to a sanctioned entity without an OFAC screening could result in regulatory penalties. The hours spent on notification and authorization at the outset of the crisis will return their investment many times over.
War Exclusion and Nation-State Ransomware
A growing number of ransomware attacks are conducted by groups that are affiliated with, tolerated by, or directed by nation-state actors — particularly Russia, North Korea, and Iran. This creates a direct intersection with one of the most consequential exclusions in cyber insurance policies: the war exclusion. If the insurer can attribute a ransomware attack to a nation-state or nation-state-affiliated group and invoke the war exclusion, it may deny the entire claim.
The war exclusion in the cyber context became a major insurance dispute following the NotPetya malware attack in 2017, which was widely attributed to the Russian government and caused billions of dollars in losses to companies worldwide. Several major insurers invoked war exclusions to deny claims arising from NotPetya, leading to significant litigation. Courts in different jurisdictions reached different conclusions depending on the specific policy language. The industry has since moved to clarify and standardize war exclusion language in cyber policies, but the exclusion remains a real source of coverage risk for state-sponsored attacks.
The attribution problem makes this exclusion particularly difficult to manage. Attributing a specific ransomware attack to a nation-state with certainty is technically complex, requiring forensic and intelligence analysis that goes beyond what most businesses and even most forensic firms can perform. The insurer and the insured may reach different conclusions about attribution, and those disagreements can lead to coverage disputes. Business owners should review their cyber policy’s war exclusion language carefully, ask their broker and attorney to explain how it would apply to a state-sponsored ransomware scenario, and consider whether the policy’s exclusion language is more or less favorable than what the market offers.
How to Preserve Coverage During a Ransomware Event
The steps that preserve coverage during a ransomware event are essentially the steps of good incident response. Notify your insurer immediately upon discovering the attack, even before you fully understand its scope. Do not pay any ransom without the insurer’s prior written authorization — this is a coverage condition and violating it can void the ransom payment coverage entirely. Do not engage in public communications about the attack without involving your breach counsel and any PR support the insurer provides, because premature or inaccurate public statements can create legal liability and undermine the insurance claim.
Preserve all forensic evidence from the moment of discovery. This means not reimaging or rebuilding compromised systems before the forensic team has had the opportunity to collect evidence. The temptation to “clean up” immediately is understandable, but destroying forensic evidence can impair both the investigation and the insurance claim. The forensic firm should be the one to direct what must be preserved and what can be removed.
Document the business interruption loss from the moment of discovery, not retrospectively. Keep daily records of revenue losses, identify what normal operations look like and how the disrupted period differs, and capture all extra expenses incurred because of the attack. Many claims are underpaid not because coverage does not exist but because the insured cannot substantiate the full extent of their business interruption loss with adequate documentation. Starting this process on day one — even in the midst of the crisis — lays the foundation for a fully supported claim.
