Article 4 · Ransomware
Ransomware exclusions — what your policy won't pay for.
The 2026 US cyber market priced ransomware as the dominant loss vector, then quietly priced exclusions and sub-limits into every policy. Five patterns now determine whether your cyber coverage actually pays out when a ransomware actor lands in your environment — and most owners only discover them mid-incident, after the encryption is already in progress.
This piece walks through the five exclusion patterns, explains how the OFAC sanctions analysis actually works, demystifies what carrier-approved ransomware negotiators do, and runs the financial math on paying versus recovering.
The patterns
5 common ransomware exclusion patterns in 2026 policies
All five patterns appear in some form in most 2026 cyber policies. The payment cap and OFAC exclusion are universal; the carrier-approved negotiator and notification window are standard but vary in tightness; the named-actor exclusion is the newest pattern and still spreading across the market.
Ransom payment cap (sub-limit)
Plain English: The policy reimburses ransom payment only up to a fixed sub-limit — typically $100k-$500k — regardless of the overall policy limit. A $5M cyber policy with a $250k ransom payment sub-limit pays at most $250k of any ransom.
Sample policy language
"Notwithstanding the Policy Aggregate Limit of Liability, the Insurer's maximum liability for Ransom Payment Loss arising from any one Cyber Incident or related series of Cyber Incidents shall not exceed the Ransom Payment Sub-Limit set forth in the Declarations."
What it means in practice: Most ransomware demands in 2025-2026 ranged from $500k to $5M for mid-market targets. With a $250k sub-limit, the insured pays the delta out of pocket. Owners read the policy aggregate limit ("$5M of cyber!") and assume that's the ransom-available money. It almost never is.
OFAC sanctions exclusion
Plain English: The policy will not reimburse any payment to a threat actor on the US Treasury OFAC Specially Designated Nationals (SDN) list. Most prolific ransomware groups (LockBit affiliates, BlackCat/ALPHV affiliates, Conti successors, North Korean Lazarus Group, Iranian-linked actors) are sanctioned or affiliated with sanctioned entities.
Sample policy language
"This Policy does not cover any Loss arising from a payment, transfer, or transaction prohibited under the laws or regulations of the United States, including but not limited to the Office of Foreign Assets Control (OFAC) sanctions regulations."
What it means in practice: The OFAC analysis happens before payment. The carrier's panel IR firm and panel ransomware negotiator run threat-actor attribution and an OFAC check. If attribution maps to a sanctioned entity, the carrier cannot legally reimburse the payment — and you cannot legally make it. Treasury OFAC has issued advisories making it clear that ransomware payments to sanctioned actors are themselves sanctions violations subject to civil penalties.
Carrier-approved negotiator requirement
Plain English: The policy reimburses ransom-related expenses only if you use a negotiator from the carrier's approved panel. The most common panel firms in 2026: Coveware, Arete, GroupSense, Mandiant Ransomware Negotiation, Kivu, Tetra Defense, Charles River Associates, Unit 221B.
Sample policy language
"Coverage under this Insuring Agreement is conditioned upon the Insured's use of a Ransomware Response Vendor approved by the Insurer and listed in the Policy Schedule. Costs and payments incurred through non-approved vendors are not reimbursable."
What it means in practice: Calling your local IT shop instead of the carrier panel firm caps or eliminates reimbursement. The panel firms have established threat actor relationships, OFAC attribution capabilities, and standardized engagement procedures that the carrier trusts. The panel list is in the policy schedule; pull it now and program the numbers into your incident response plan.
Notification window (carrier approval before payment)
Plain English: Most 2026 policies require carrier approval before any ransom payment is made. The notification window is typically 4-6 hours — sometimes 24 hours — and pre-approval from the claim handler is a condition of reimbursement.
Sample policy language
"No Ransom Payment shall be made without the prior written consent of the Insurer. The Insured shall provide notice of any ransomware incident to the Insurer's 24/7 hotline within four (4) hours of discovery, and shall obtain the Insurer's consent prior to any payment."
What it means in practice: Most ransomware threat actors deliberately demand payment in 24-72 hours to compress your decision time. The 4-6 hour carrier-notification window forces you to call the carrier hotline first, before negotiation, before posture assessment — sometimes before you've even confirmed the encryption is real. The IR plan in the application cheat sheet article needs the carrier hotline number on page one.
Affiliate / known-actor exclusion
Plain English: Some 2026 policies now explicitly exclude losses tied to named ransomware families or affiliate programs — LockBit (post-takedown variants), BlackCat/ALPHV, Hive, REvil successors, Conti spinoffs. The exclusion list updates quarterly via endorsement.
Sample policy language
"This Policy does not cover Loss arising from any Cyber Incident attributable to a Threat Actor or ransomware variant listed in the Excluded Threat Actor Schedule, as updated from time to time by Endorsement."
What it means in practice: The exclusion list isn't yet standard across all carriers but it's growing. Coalition, At-Bay, and Resilience have published or quietly maintain excluded-actor lists. The exclusion is justified by repeated re-encryption attacks ("double-tap" where the same actor returns 6 months later) and by post-payment data leaks where paid actors still publish the data. Read the schedule before binding.
How the OFAC analysis works
How the OFAC sanctions exclusion really works
OFAC (Office of Foreign Assets Control) sits inside the US Treasury Department and maintains the Specially Designated Nationals (SDN) list. The list includes most prolific ransomware groups and their affiliates. Payments to listed entities are sanctions violations — for the insured, for the carrier, for any IR firm or bank or cryptocurrency exchange that facilitates the payment.
1. Attribution is probabilistic, not certain. The IR firm and panel negotiator analyze the ransomware variant, infrastructure, communication patterns, and payment instructions to estimate the threat actor identity. Most attributions are graded as high / medium / low confidence — and "high confidence sanctioned actor" is the trigger for non-payment.
2. OFAC issued formal advisories in 2020 (updated 2021, 2023) clarifying that ransomware payments to sanctioned actors are themselves sanctions violations, exposing the insured (and any facilitator — including the IR firm, the negotiator, the bank, the cryptocurrency exchange) to civil penalties.
3. The carrier's panel IR firm runs the OFAC check. If they conclude the actor is sanctioned (or affiliated with a sanctioned entity), the carrier cannot legally reimburse the payment — and you can be exposed to civil penalties even if you pay out of pocket.
4. Voluntary self-disclosure to OFAC can mitigate civil penalty exposure if you (a) cooperated with law enforcement, (b) used a credible IR firm, (c) implemented post-incident remediation. The panel firms have established self-disclosure procedures.
5. Most prolific 2025-2026 ransomware groups have sanctioned affiliations — Russian-affiliated criminal groups, North Korean state actors (Lazarus, APT38), Iranian-linked groups. Practical implication: assume OFAC attribution is likely to apply, plan to NOT pay, and budget recovery from backups instead.
The ransomware negotiator role
What carrier-approved negotiators actually do (and don't)
Demystifying the panel negotiator role. Two sides of the ledger — what they handle and where the rest of your incident response team has to take over.
What carrier-approved ransomware negotiators DO
- Run threat actor attribution and OFAC analysis within the first 24 hours.
- Negotiate the ransom amount down — typical 30-60% reduction from initial demand based on actor pattern and posture signals.
- Validate the decryption key actually works on a sample file before recommending payment.
- Coordinate the cryptocurrency payment via compliant exchange with KYC + sanctions screening.
- Document the engagement, the attribution analysis, the negotiation transcript, and the post-payment outcome for the carrier file.
- Coordinate with law enforcement (FBI IC3, CISA) where appropriate.
What carrier-approved ransomware negotiators DON'T do
- Promise the threat actor will release the decryption key — they often don't, especially for sanctioned actors.
- Restore your systems — that's the IR / forensic vendor's job, often a different firm on the panel.
- Handle the regulatory notification — that's your General Counsel + outside coverage counsel + state AG office.
- Negotiate with sanctioned actors — payment to OFAC-listed entities is illegal regardless of business pressure.
- Guarantee the data won't be leaked — pure double-extortion (encrypt + leak) actors often leak data even after payment.
- Provide ongoing protection — the actor that hit you once is statistically likely to return in 6-12 months, especially if you paid.
What recovery actually looks like
Best-case payment recovery patterns
In the cases where the carrier does approve the payment — non-sanctioned actor, within sub-limit, via panel negotiator, with carrier consent — the payment recovery sequence typically runs:
- Day 0-1: Incident detected, carrier notified within 4 hours, panel IR firm engaged, panel negotiator engaged, threat actor attribution begins.
- Day 1-3: Attribution and OFAC analysis completed. Negotiator opens dialogue with threat actor. Ransom amount typically negotiated down 30-60% from initial demand based on actor pattern and posture signals.
- Day 3-5: Carrier approves negotiated payment amount (within sub-limit). Cryptocurrency payment executed via compliant exchange with KYC + sanctions screening. Decryption key received. Sample file decryption verified.
- Day 5-10: Decryption applied across affected systems. IR forensic team rebuilds remaining infrastructure. Business operations restored. Breach notification timeline triggered (where applicable).
- Day 30-90: Forensic report finalized. Claim reimbursement processed. Carrier and IR team complete OFAC self-disclosure documentation.
Best-case is rare. Most 2025-2026 incidents involve sanctioned actors (no payment), partial backup recovery, longer downtime, and material out-of-pocket cost beyond what insurance covers.
The financial math
Why owners should plan to NOT pay and recover from backups
Three scenarios with the math worked out. The recovery-from-backups path is materially less expensive in the long run for any business with tested offline backups — and is the only available path when the threat actor is OFAC-sanctioned.
Pay $750k ransom on a $250k sub-limit policy + lose 5 days of operations
Ransom: $750k (carrier pays $250k, you pay $500k). Business interruption: $1M (typical $200k/day for a mid-market SMB). IR + forensic + legal: $400k. Public relations + breach notification: $150k. Total: $2.3M. Carrier covers: $1.5M (sub-limit + BI + IR). You absorb: $800k.
Recover from backups, don't pay, lose 7 days of operations
Ransom: $0. Business interruption: $1.4M (7 days vs 5 — recovery is slightly slower than paying). IR + forensic + legal: $400k. Public relations + breach notification: $150k. Total: $1.95M. Carrier covers: $1.75M (no ransom, full BI + IR + PR). You absorb: $200k.
Threat actor is OFAC-sanctioned, you cannot pay, recover from backups
Same as above — $200k out-of-pocket if your backups are recoverable. If your backups are not recoverable, you face full recovery from scratch — typical $2M-$10M depending on complexity. The investment that determines whether "recover from backups" is a viable strategy is the offline / immutable backup posture you build before the incident, not during it.
Numbers are directional and based on Coveware Q4 2025 quarterly ransomware report aggregates plus Sophos State of Ransomware 2025 mid-market data. Specific outcomes depend on industry, data sensitivity, recovery posture, and the threat actor tradecraft.
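The five exclusion patterns above reduce to a short decision: the named-actor schedule voids the whole loss, OFAC / non-panel negotiator / missing consent each void the ransom line, and the sub-limit caps what survives. Here is that decision as an added Python model (not code from the article or any carrier); the dollar figures, actor names and vendor names are constructed placeholders, and the model applies no retention or per-line sub-limits beyond the ransom cap.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    aggregate_limit: int            # Policy Aggregate Limit of Liability, USD
    ransom_sub_limit: int           # Ransom Payment Sub-Limit from the Declarations
    panel_negotiators: frozenset    # Ransomware Response Vendors in the Policy Schedule
    excluded_actors: frozenset      # Excluded Threat Actor Schedule (updated by endorsement)

@dataclass(frozen=True)
class Incident:
    ransom_paid: int                # USD actually paid to the actor
    other_losses: dict              # BI, IR/forensic/legal, PR/notification lines, USD
    negotiator: str                 # vendor that handled the engagement
    attributed_actor: str           # panel IR firm's attribution result
    attribution_confidence: str     # "high" / "medium" / "low"
    ofac_sanctioned: bool           # SDN check on the attributed actor
    prior_carrier_consent: bool     # carrier consent obtained before payment

def reimbursement(policy: Policy, incident: Incident):
    # Returns (ransom_reimbursed, other_reimbursed, reasons) in USD.
    reasons = []
    # Named-actor exclusion removes the whole loss, not just the ransom line.
    if incident.attributed_actor in policy.excluded_actors:
        return 0, 0, ["excluded threat actor schedule"]
    ransom = incident.ransom_paid
    # OFAC exclusion: high-confidence attribution to a sanctioned actor is the trigger.
    if incident.ofac_sanctioned and incident.attribution_confidence == "high":
        ransom, reasons = 0, reasons + ["OFAC sanctions exclusion"]
    # Panel-negotiator and prior-consent conditions each void the ransom line only.
    if incident.negotiator not in policy.panel_negotiators:
        ransom, reasons = 0, reasons + ["non-approved negotiator"]
    if not incident.prior_carrier_consent:
        ransom, reasons = 0, reasons + ["no prior carrier consent"]
    # The sub-limit caps whatever ransom amount survives the conditions above.
    if ransom > policy.ransom_sub_limit:
        ransom, reasons = policy.ransom_sub_limit, reasons + ["ransom capped at sub-limit"]
    other = sum(incident.other_losses.values())
    # The aggregate limit bounds the total; the ransom line is counted first.
    other = min(other, policy.aggregate_limit - ransom)
    return ransom, other, reasons

# Constructed demo values (placeholder names); $5M aggregate / $250k sub-limit as in the article.
POLICY = Policy(5_000_000, 250_000, frozenset({"panel-negotiator-A"}), frozenset({"excluded-family-X"}))
LINES = {"bi": 800_000, "ir": 300_000, "pr": 100_000}
PAID_CASE = Incident(600_000, LINES, "panel-negotiator-A", "actor-Y", "high", False, True)
SANCTIONED_CASE = Incident(600_000, LINES, "panel-negotiator-A", "actor-Z", "high", True, True)
NO_CONSENT_CASE = Incident(600_000, LINES, "panel-negotiator-A", "actor-Y", "high", False, False)
EXCLUDED_CASE = Incident(0, LINES, "panel-negotiator-A", "excluded-family-X", "high", False, True)
```

Run each case through `reimbursement(POLICY, ...)` to see which line items survive; the excluded-actor case shows why reading the schedule before binding matters, since it zeroes BI and IR as well.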
FAQ
Ransomware exclusions — the questions owners ask
If our cyber policy has a $5M aggregate limit, isn't the full $5M available for ransom payment?
Almost never in 2026. The ransom payment sub-limit (typically $100k-$500k) is buried in the policy schedule and is the only number that matters for ransomware reimbursement. Read the schedule, find the sub-limit, and treat that as your real number for ransomware planning.
What happens if we pay the ransom without notifying the carrier first?
The payment is typically not reimbursable. Most 2026 policies require carrier consent before payment as a condition of coverage. Payment without consent is treated as a coverage condition violation and the entire ransom payment line item is denied. Other coverage (BI, IR, legal, PR) may still be available, but the ransom reimbursement is gone.
Is it ever legal to pay a sanctioned ransomware actor?
Practically no. OFAC has been clear that payments to SDN-listed entities are sanctions violations regardless of business duress. The narrow exception is an OFAC-issued specific license — which is rarely granted and slow. Plan to NOT pay sanctioned actors and to recover from backups instead.
How does the carrier confirm the threat actor identity for the OFAC check?
The carrier's panel IR firm runs the attribution. They analyze the ransomware variant, the negotiation infrastructure (TOR-based portals, communication patterns), the cryptocurrency payment wallet history, and known IOCs (indicators of compromise). The attribution is graded high / medium / low confidence; high confidence sanctioned actor is the OFAC trigger.
What's the best preparation against ransomware exclusions?
Backups you've actually tested. Most ransomware exclusions are concerned with payment — payment caps, OFAC, panel negotiators, notification windows, excluded actors. None of them limit recovery from backups. The single most leveraged investment in ransomware resilience is offline / immutable backups with documented restore tests in the last 30 days. That's also what the carrier wants to see on the application.