Life of a Ransomware / Extortion Event

Old Republic Cyber Dedicated Breach Response Hotline: 1.844.789.2312

Step 1. Immediate Response & Notice

When you discover a potential ransomware or extortion event, you may know immediately what you’re dealing with—or you may simply suspect something isn’t right. Either way, your first step is to call our 24/7 Data Breach Hotline. Within minutes, you’ll be connected to a dedicated claims professional who will remain your primary contact from start to finish.

Having a single claims specialist guiding you through the process ensures consistency, continuity, and a smoother experience for you and your organization. It also fosters a strong working relationship between you, your claims professional, and the broader triage team.

Step 2. Building Your Response Team

Your claims professional will gather key details about the incident and quickly assemble the right response team. This always includes specialized privacy counsel, and when ransomware is active—or suspected—digital forensics and incident response (DFIR) experts are also brought in from the outset.

We quickly convene an initial kickoff call with DFIR experts, privacy counsel, and potentially restoration specialists. This call helps to:

  • Clarify the situation at hand.
  • Define roles and responsibilities of all team members, including your internal team.
  • Establish immediate containment steps and action items.
  • Identify whether additional vendors may be needed, such as restoration services or public relations.

This rapid coordination ensures that time is not lost and the right experts are engaged from the outset.

Step 3. Assessing the Situation and Exploring Options

Once the team is assembled, several workflows begin in parallel:

  • Evaluating impact: Has data been encrypted? How are operations affected? Are backups available and viable?
  • Identifying the threat actor: DFIR experts analyze tactics, communications, and technical indicators to determine attribution and credibility.
  • Considering engagement: Depending on severity and operability levels, the team will discuss whether it makes sense to engage with the threat actor at all.

If engagement proceeds, specialized threat actor communicators will gather intelligence such as:

  • Proof that data was exfiltrated.
  • Proof that decryption is possible.
  • The ransom demand and typical negotiation patterns of the group.

This information, combined with your business’s unique circumstances, informs whether the best path is to negotiate, pay, or proceed with restoration without payment.

Step 4. Evaluating the Decision to Pay

If your business determines that payment may be necessary, we will work with you and your counsel to evaluate:

  • Reasonableness and necessity — Does payment make sense given the facts and impact on your business?
  • Legality — Any payment must be lawful, including compliance with OFAC and other sanctions requirements.

To guide this process, we provide a structured Extortion Payment Assessment Guide that mirrors your internal decision-making, such as:

  • What will it cost if we don’t pay?
  • How long will downtime last if we restore from backups?
  • How quickly could we recover with a decryption key?
  • What are the risks and costs associated with each path?

This ensures that decisions are clear, well-supported, and aligned. In some cases, the best choice may be not to pay and instead focus on restoration — we fully support you whichever path makes the most sense for your business.

Step 5. Payment Facilitation and Compliance

If payment is required, we request the following: documentation from the payment facilitator confirming that sanctions checks and due diligence were completed; a copy of your IC3 submission and a list of the regulatory authorities that have been notified of the incident; and a compliance statement from your counsel confirming their due diligence. Once this is received, we confirm that the extortion payment will be covered by your policy and reimbursable.

A specialized payment facilitator arranges the transfer—typically in Bitcoin—to the threat actor’s wallet. Your company coordinates directly with the facilitator on timing of funds, and we reimburse you for amounts above your SIR and subject to the applicable limit of liability.

Step 6. Restoration and Resolution

After payment—or a decision not to pay—we continue working closely with you to:

  • Partner with you and your response team to restore operations quickly.
  • Coordinate with counsel to ensure all notification obligations to customers, employees, regulators, or others are met properly and on time.
  • Assist you with your business interruption loss, including connecting you with forensic accounting experts.
  • Support you through to the conclusion of the incident so your business can return to normal with confidence.