Former DigitalMint ransomware negotiator pleads guilty to extortion scheme

21 April 2026 at 17:03

A South Florida man pleaded guilty to conspiring with multiple ransomware affiliates to commit attacks against and extort payments from the same U.S. companies he represented as a ransomware negotiator for DigitalMint in 2023, the Justice Department said Monday.

Angelo John Martino III shared confidential information about victim organizations’ internal negotiating positions and insurance policy limits he gained from his work as a ransomware negotiator to extract the maximum ransom payment for himself and other BlackCat affiliates, according to his plea agreement.

Five of Martino’s victims hired DigitalMint, which assigned the 41-year-old to conduct ransomware negotiations on their behalf — a rare position he exploited to play both sides. DigitalMint, which is not accused of any knowledge of or involvement in the crimes, fired Martino the day after the Justice Department informed the company it was investigating him in April 2025.

The five U.S.-based victims that hired DigitalMint and unwittingly tapped Martino to allegedly conduct ransomware negotiations with himself and his co-conspirators include a nonprofit and companies in the hospitality, financial services, retail and medical industries. All five of those victims paid a ransom.

Prosecutors previously said Martino helped accomplices extort a combined $75.3 million in ransom payments, including a nearly $26.8 million payment from the unnamed nonprofit, and a nearly $25.7 million payment from the unnamed financial services company. 

Martino also admitted to conspiring with Kevin Tyler Martin, another former ransomware negotiator at DigitalMint, and Ryan Clifford Goldberg, a former manager of incident response at Sygnia, to deploy BlackCat ransomware, also known as ALPHV, against five additional U.S. companies between April and November 2023. 

Goldberg and Martin pleaded guilty in December to participating in a series of ransomware attacks and are scheduled for sentencing April 30.

“Angelo Martino’s clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims,” A. Tysen Duva, assistant attorney general at the Justice Department’s Criminal Division, said in a statement. “Instead, he betrayed them and began launching ransomware attacks himself by assisting cybercriminals and harming victims, his own employer, and the cyber incident response industry itself.”

The case against Martino showcases an extreme, albeit rare, example of the dark underbelly of ransomware negotiation as a practice. The pitfalls of ransomware negotiation are numerous, and these backchannel negotiations, which remain largely unscrutinized, can go awry for various reasons.

Officials shared a series of chats Martino held with co-conspirators and his victims that show the lengths to which he went to betray DigitalMint’s clients and equip his accomplices with crucial tips for a successful negotiation strategy.

DigitalMint did not respond to a request for comment on Martino’s guilty plea.

Negotiation chats exemplify Martino’s crimes

During an incident response with one of his victims, Martino told a BlackCat affiliate the company’s insurance carrier “was only approving small accounts,” according to his plea agreement. “Keep denying our offers and I will let you know once I find out the max the[y] want to pay,” he added.

“We don’t know how you came up with your demand but we are losing money operationally and all of our loans are going to turnover on us this year at double the interest rates,” Martino said in a negotiation chat visible to DigitalMint and the victim organization in the hospitality industry. “We are able to give you $1 million now, which is a very serious offer.”

Following Martino’s instructions, the BlackCat accomplice responded: “Well, you can keep that for the penalties and lawsuits which are coming your way in case we expose you. Time is ticking — we know how much you can pay. Contact your insurance. We know about them also. Stop wasting time.”

That victim company ultimately paid a ransom worth nearly $16.5 million at the time to receive a decryptor and the BlackCat affiliate’s commitment to not publish stolen data. The two other victims Martino represented via DigitalMint at the time paid $6.1 million and $213,000 ransoms for similar commitments.

“Ransomware victims turned to this defendant for help, and he sold them out from the inside,” Jason A. Reding Quiñones, U.S. attorney for the Southern District of Florida, said in a statement.

Martino received a portion of the ransomware payments for his involvement in the conspiracy.

Authorities have seized $10 million in assets and cryptocurrency wallets controlled by Martino. Law enforcement seized multiple vehicles, a food truck and a 29-foot luxury fishing boat that he obtained using proceeds from his crimes.

Officials also seized two properties owned by Martino in Nokomis, Florida, including a bayfront home with an estimated value of $1.68 million and a second single-family home with an estimated value of $396,000. 

Martino surrendered in March to the U.S. Marshals in Miami and was released on a $500,000 bond.

“The FBI works every day to dismantle the ransomware ecosystem,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in a statement. “That includes apprehending key facilitators like Angelo Martino, who abused the trust placed in him as a private sector negotiator by collaborating with ransomware criminals.”

ALPHV/BlackCat was a notorious ransomware and extortion group linked to a series of attacks on critical infrastructure providers. The ransomware variant first appeared in late 2021, and was later used in dozens of attacks on organizations in the health care sector.

The group behind the ransomware strain also claimed responsibility for the February 2024 attack on UnitedHealth Group subsidiary Change Healthcare, which paid a $22 million ransom and became the largest health care data breach on record, compromising data on about 190 million people.

Martino pleaded guilty to conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion. He faces up to 20 years in federal prison and is scheduled for sentencing July 9.

You can read Martino’s plea agreement below.

The post Former DigitalMint ransomware negotiator pleads guilty to extortion scheme appeared first on CyberScoop.

Act-of-War Clauses Cloud Cyber Insurance Coverage

By: Dissent
8 April 2026 at 09:09
Angus Loten reports: From Europe to the Middle East, geopolitical conflicts have companies rereading the fine print on insurance policies that deny coverage for wartime cyberattacks. Act-of-war exclusions—a common provision in homeowners, life and travel insurance—are largely untested in the cyber market, where the line between cybercrime and nation-state warfare is unclear. That can leave...

Treasury asks whether terrorism risk insurance program should bolster cyber coverage

24 March 2026 at 11:19

The Treasury Department is soliciting public feedback on whether it should change a terrorism risk insurance program to address cyber-related losses.

In a Federal Register notice set for publication Wednesday, Treasury seeks comment from the public for a mandatory report it must deliver to Congress this summer on the effectiveness of the terrorism risk insurance program (TRIP) created by the 2002 Terrorism Risk Insurance Act. That law arose from the Sept. 11 terror attacks and provided a federal backstop to make terrorism risk insurance more available and affordable.

Some experts have suggested that the cyber insurance industry should also get a federal backstop as the industry struggles to develop fully. With the law set to expire at the end of 2027, tying it to the reauthorization of the terrorism risk insurance law could be one way to get Congress to create such a cyber backstop.

Among the topics Treasury hopes commenters will address before it sends the report to Congress in June is the interaction between the terrorism risk insurance law and program, and cybersecurity. The agency will accept comments until May 8.

That includes: “Any potential changes to TRIA or TRIP that would encourage the take up of insurance for cyber-related losses arising from acts of terrorism as defined under TRIA, including, but not limited to the potential modification of the lines of insurance covered by TRIP and revisions to any of the current sharing mechanisms for cyber-related losses, such as, for example, the individual insurer deductible or the federal share percentage.”

In 2021, Treasury issued a rule making it clear that TRIP could cover cyber losses when written in a TRIP-eligible line of insurance. However, a Government Accountability Office report last year outlined some of the limitations there.

“Because TRIA was designed specifically as a federal backstop for losses from acts of terrorism, only losses from cyberattacks certified by Treasury as acts of terrorism would have TRIA coverage,” it states. “As a result, even large cyberattacks that result in catastrophic losses would not be covered under TRIA if they were not certified as acts of terrorism.”

Treasury said in its Federal Register notice that it wants feedback on cyber-related terrorism losses within TRIP and losses outside of it.

Cyberattacks would need to meet definitions under the terrorism risk insurance law to be certified. They need to be violent or otherwise dangerous to life, property or infrastructure, and designed to influence the U.S. population or government. Damage to U.S. organizations outside the United States still might not qualify.

Medical device maker Stryker recently suffered a wiper attack, with the pro-Palestinian, Iranian government-linked group Handala taking credit. It said the attack was in retaliation for U.S. and Israeli military strikes against Iran, specifically a U.S. missile strike on a school that killed 175 people, according to Iran’s government.

The post Treasury asks whether terrorism risk insurance program should bolster cyber coverage appeared first on CyberScoop.

Court Refuses to Slice Up CiCi’s Cyber Extortion Coverage

By: Dissent
28 February 2026 at 08:00
Andrea DeField and S. Alice Weeks of Hunton Andrews Kurth write: In the rarely litigated space of cyber insurance, the Northern District of Texas issued a win for cyber policyholders this week, offering a clear reminder to insurers that if they want to restrict coverage, they must draft the policy to clearly do so. In CiCi...

Organizations can now buy cyber insurance that covers deepfakes

By: djohnson
9 December 2025 at 16:36

Synthetic media, including AI-generated deepfake audio and video, has been increasingly leveraged by criminals, scammers and spies to deceive individuals and businesses.

Sometimes they do so by imitating an employee’s CEO, urging them to transfer large sums of money or provide them access to work accounts. Other times this fake media is created by a competitor or bad actor to ruin the reputation of executives or their companies.

Now cybersecurity insurance provider Coalition is offering coverage to organizations for deepfake-related incidents. On Tuesday, the company announced its cybersecurity insurance policies will now cover certain deepfake incidents, including ones that lead to reputational harm. The coverage will also include response services such as forensic analysis, legal support for takedown and removal for deepfakes online and crisis communications assistance.

In response to questions about deepfake coverage, Michael Phillips, head of Coalition’s cyber portfolio underwriting, said Coalition has covered deepfake-enabled fraud leading to fraudulent transfers since last year. Now, coverage is being expanded to “any video, image, or audio content that is created or manipulated through the use of AI by a third party, and that falsely purports to be authentic content depicting any past or present executive or employee, or falsely frames the organization’s products or services.”

“Today’s threat actors use AI and deepfakes for more than quick rip-and-run wire transfer theft, so we expanded our coverage to include the additional expenses a business could incur,” Phillips wrote. “We have seen many examples of this type of threat in recent headlines. For example, the deepfake of Warren Buffett promoting fake investment and crypto schemes forced Berkshire Hathaway to issue public warnings not only to protect its reputation, but also to prevent the spread of misinformation, market manipulation, and investor fraud.”

In an interview, Shelley Ma, incident response lead at Coalition, told CyberScoop that deepfakes still represent a small fraction of the claims the company processes, and that 98% of their claims don’t involve any advanced use of AI.

This is largely because “the low hanging fruits still very much work” for malicious hackers, with exploited VPNs, unpatched software and phishing still largely effective for those attempting to gain access to targeted organizations. Even in impersonation scams, attackers tend to rely on lower tech tactics like spoofing phone numbers.

Ma said that deepfake-enabled breaches they have seen tend to be from sophisticated threat actors that can bring the necessary technical expertise to deploy them in credible and believable ways.

“In the handful of cases where we have spotted deepfakes, we’ve seen attackers mostly use AI-generated voice or text to impersonate trusted contacts,” said Ma. “So typically, it would be a CEO or finance executive to authorize fraudulent payments or share credentials, and these are highly targeted and designed to blend into an existing workflow, which makes them quite dangerous even when they’re not yet that common.”

While traditional phishing relies on persuading victims through convincing text, deepfake video and audio add “a whole new dimension of sensor authenticity” that makes this type of attack more effective. Malicious parties can also generate dozens of tailored voice or text impersonations “in minutes,” something she said used to take days of reconnaissance and manual effort to pull off before LLM automation.

“These attacks, they shortcut skepticism, and they can bypass even very well-trained employees,” Ma said.  

These successful campaigns still require a lot of work, and for now, small and medium-sized businesses may not be attractive enough targets to justify using AI-enabled attacks. However, Ma estimated that as AI technology becomes more advanced, affordable and accessible, these organizations are likely just 12 to 24 months away from seeing AI regularly used in fraud and business email compromise scams.

Update 12/11/25: This article has been edited to remove a reference to a Digital Citizens Alliance report.

The post Organizations can now buy cyber insurance that covers deepfakes appeared first on CyberScoop.

Don’t let Congress punt on cyber insurance reform

By: Greg Otto
3 November 2025 at 07:56

Sixty million school children’s personal information exposed. Thousands of flights canceled. A venerated retailer brought to its knees. Dire warnings from public officials about urgent threats to our national security.

This isn’t speculative fiction. These are all real incidents that have happened in the last year. The stakes in cyberspace are high and growing, especially as the LLM boom means society is increasingly reliant on software. Yet, repeated incidents show we are not doing enough to protect ourselves from cybercriminals or adversary nation-states. Unfortunately, Congress appears poised to leave a key tool on the shelf that could raise our cyber defenses: insurance.

In other areas of risk, insurance has a proven track record of both reducing the likelihood of incidents and helping with recovery when they do occur. Consider homeowners’ insurance: If you act recklessly—maybe by deep frying your Thanksgiving turkey indoors—your insurer may deny your claim, which incentivizes you to avoid risky behavior. Insurers also lower your premium if you make safety and security investments, like installing smoke detectors. And if a fire still breaks out, your insurance helps you recover quickly by covering the cost of repairs and even paying for a hotel room while your house is fixed.

The same set of virtuous incentives increasingly applies in cybersecurity. Cyber insurers have already shown their value in helping victims recover. Now, they are increasing underwriting standards and are even beginning to deny claims if they find reckless behavior or insufficient security investments. Policymakers should be overjoyed, as insurance represents the kind of market-based solution for cybersecurity challenges that both Democrats and Republicans have long embraced.

But there’s a problem: cyber insurance is marked by a persistent coverage gap. Today, about 90 percent of cyber damages are not insured. And the gap is being exposed. In the wake of the $2.5 billion hack of Jaguar Land Rover, the CEO of the United Kingdom’s Financial Conduct Authority said last week that the UK is “potentially massively underinsuring.”

The coverage gap exists for several reasons, including a lack of awareness of cyber insurance, since it’s a relatively new product and because it is rarely required by contracts or regulations. But as we argued in a paper published in June, one of the biggest obstacles for the industry is the risk of a “systemic” incident—and the difficulty insurers have in diversifying their policyholders to mitigate that risk.

Normally, insurers have many ways to make sure risk is “uncorrelated,” meaning the likelihood of a claim is independent of another. For example, when insuring businesses, they might aim to diversify by location, business size, or industry. This approach helps prevent all policyholders from filing claims at the same time, because of a single event or other underlying factor.

Unfortunately, that diversity is hard to come by in cyberspace. The information technology we rely on is functionally the same, no matter the location, business size or industry. For insurers, the complexity of software systems and the lack of historical claims data make it extremely difficult to predict large-scale cyber events. This uncertainty causes insurers to raise premiums or limit coverage. As a result, the organizations that would benefit most from cyber insurance can struggle to find adequate coverage.

Fortunately, there is a practical policy solution: A government-backed reinsurance program. Such a program can cap the losses insurers face if a cyber catastrophe — known as a “grey swan” event — occurs. Even if disaster never strikes, the mere existence of this financial backstop helps lower cyber insurance costs, benefitting the entire economy. If a massive cyber incident does happen, the backstop ensures that cyber insurers continue to operate and support their policyholders. It also protects taxpayers through a built-in recoupment process. This backstop approach has worked before; after the September 11 attacks, the Terrorism Risk Insurance Program (TRIP) kept the terrorism insurance market from collapsing.

Unfortunately, Congress is set to pass on a critical opportunity to enact this common-sense proposal. At a hearing last month on reauthorizing the TRIP, policymakers only seemed focused on whether or not “cyber terrorism” would qualify for the existing program.

To be clear, we agree that acts of cyber terror fall within the scope of the existing program. However, terrorism is not the acute national security threat facing us in cyberspace. Time and again, assessments of cyber threats by governments and private industry point to financially-motivated criminals and nation-state actors, not politically-motivated terror groups. A clear example of the kind of threat that should concern policymakers is NotPetya, a state-sponsored cyberattack launched by Russia against Ukraine in 2017. The attack quickly spread worldwide, causing billions of dollars in damages.

Congressional leaders are asking the wrong question. They should be asking: are the cyber incidents costing billions of dollars in damage each year covered by TRIP? If there were another NotPetya-style incident targeting American businesses, would it be covered by TRIP? How much damage have insurers themselves assessed a systemic event would cause?

A cyber reinsurance program should be different from TRIP. We encourage cybersecurity leaders, like House Homeland Security Committee Chairman Rep. Andrew Garbarino, to hold a new set of hearings on the topic with a goal of developing a legislative solution. However, in our experience, Congress moves fastest when there is a deadline. In the case of TRIP, a deadline is approaching: the program must be reauthorized by the end of next year. If Congress doesn’t use this opportunity to address cybersecurity and insurance, the issue could remain unresolved for almost another decade.

We don’t have that kind of time. Cyber terrorism is not what’s keeping us up at night. It’s cyber criminals and adversary states. Let’s hope Congress takes another shot at addressing the real challenges in cybersecurity and the critical role market-based solutions can play in protecting our nation.

Nicholas Leiserson is Senior Vice President for Policy at the Institute for Security and Technology. He previously served in the White House Office of the National Cyber Director and as a senior Congressional staffer focused on cyber issues.

RADM (Ret.) Mark Montgomery is senior director of the Foundation for the Defense of Democracies’ Center on Cyber and Technology Innovation. Mark served for more than three decades in the U.S. Navy, held senior leadership roles in Congress, and served as Executive Director of the Cyberspace Solarium Commission.

The post Don’t let Congress punt on cyber insurance reform appeared first on CyberScoop.
