Background

Last Updated: 12/19/2025

Issue: Ransomware, also known as cyber extortion, is a type of malicious software that infiltrates computer systems and locks them down. It typically encrypts data or systems, holding them hostage until a ransom is paid or other demands are met. Victims are directed to pay a sum of money to regain access to their device or data.

This form of cyber-attack can infect virtually any computer, including desktops, laptops, tablets, and smartphones. The primary goal of attackers is not to destroy or permanently encrypt data but to secure quick payment of the ransom.

Ransomware attacks are on the rise and are considered an escalating threat for the foreseeable future.

Background: According to the FBI Internet Crime Complaint Center (IC3), fraud represented the bulk of reported losses in 2024, and ransomware was again the most pervasive threat to critical infrastructure, with complaints rising 9% from 2023.

The FBI’s IC3 received 859,532 cybercrime complaints totaling $16.3 billion in losses. Ransomware remained the leading threat to critical infrastructure, with 3,156 complaints and losses exceeding $12 million, a 9% increase from 2023. Exploited software vulnerabilities drove 32% of attacks, while malicious emails fell to 23%.

Authorities strongly advise against paying ransoms, as recovery is not guaranteed; 78% of organizations that paid were attacked again. Cyber insurance can offset costs, but coverage often requires prior notification and robust security controls. Global cyber insurance premiums reached $15 billion in 2024, with the U.S. market at $16.6 billion.

Authorities strongly advise against paying ransoms, as recovery is not guaranteed. According to Cybereason’s Ransomware: The Cost to Business Study 2024, nearly 80% (78%) of organizations that paid a ransom were targeted by another ransomware attack—often by the same threat actor.

One recommended mitigation step is the purchase of a cybersecurity insurance policy. Many policies cover ransom payments, extortion-related expenses, and repair costs. However, insurers typically require notification prior to payment; failure to comply may result in denial of coverage. Globally, cyber insurance premiums reached nearly $15 billion in 2024, a 7% increase from the previous year. In the U.S., the market volume was $16.6 billion, with ransomware and data theft remaining primary loss drivers. Insurers increasingly mandate robust cybersecurity controls and may impose limits on ransom coverage. For further details, refer to the NAIC Coalition Cyber Claims Report.

Actions

Although data breach notification laws in many states require entities to notify consumers if their data has been accessed or stolen, it's not always clear if ransomware attacks are subject to the same disclosure rules. This means many ransomware attacks go unreported. The SEC’s cybersecurity rules, effective in 2024, require public companies to disclose material cybersecurity incidents—including ransomware attacks and payments—within four business days of determining materiality. Insurance coverage for ransom payments does not exempt companies from disclosure requirements.

Both government and business communities continue to intensify efforts to address the rising threat of ransomware. The National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law (Model #668) in 2017 to establish standards for data security, investigation, and notification of cybersecurity events within the insurance industry. As of late 2025, more than 22 states have adopted the NAIC Insurance Data Security Model Law or similar legislation, with additional states considering adoption.

The Model Law serves as a framework for states to enact their own legislation, requiring insurers and related entities to implement comprehensive information security programs, conduct regular risk assessments, oversee third-party service providers, and notify regulators and affected consumers in the event of a data breach.

The Federal Trade Commission and the Department of Homeland Security have also released guidance for consumers and businesses on best practices to avoid ransomware attacks. 
