Explore Munich Re Group

Get to know our Group companies, branches and subsidiaries worldwide.

Ransomware: A threat actor’s perspective
Public Entity Risk Virtual Symposium 2024
Ransomware
    alt txt

    properties.trackTitle

    properties.trackSubtitle

    Protecting your organization from cyber threats such as ransomware is more crucial than ever. Ransomware can infiltrate public entities in an instant, leading to devastating consequences, from data breaches to complete shutdowns.

    As part of our Public Entity Risk Virtual Symposium 2024, join Hannah Hays, senior underwriter public entity cyber, Munich Re Specialty, and Matt Dowling, director digital forensics and incident response, Surefire Cyber to discover essential best practices for identifying security gaps and fortifying your defenses against cyberattacks. Don’t miss a demonstration from Sure Fire Cyber, showcasing their innovative model for delivering rapid and robust responses to cybersecurity challenges. 

    During this webinar, you will learn:

    • What ransomware is
    • The reasons ransomware exists
    • Common stages of a ransomware attack
    • A view from the threat actor’s perspective
    • Valuable insights on prevention strategies

    Listen as we dive into the most urgent risks facing public entity managers and brokers today — and how to mitigate them.

    Hannah Hays 

    My name is Hannah Hays.

    I am the Public Entity Cyber Lead for our product and underwriting team here at Munich Re Specialty.

    We entered the public entity cyberspace as a direct writer this year, ensuring single entity risk as well as pools and we work closely with Lauren's team.

    I am pleased to be joined by Matt Dowling, who is the Director of Digital Forensics and Instant Response from our vendor partner Surefire Cyber.

    Matt is going to guide us through a live ransomware demonstration from the threat actors perspective, offering valuable insights on prevention strategies.

    Surefire specializes in instant response, digital forensics, cybersecurity, ransomware response and other threats with end to end response capabilities.

    They assist clients by helping them repair, respond and recover from cyber incidents.

    Matt, thank you for being with us today.

    I will turn it over to you for the demonstration.

    Matt Dowling

    Thank you so much, Hannah.

    Alrighty.

    Well, let's do some level setting and introductions here.

    So to start with this, I'm sure most of you, if not all of you know what ransomware is, but just in case, we'll just go through it.

    So ransomware is big and bad, often is perpetrated through a network intrusion, can lead to business interruption, data theft, legal, legal and regulatory reputational risks.

    Why is ransomware a thing?

    Well, because it's enormously lucrative for, you know, money motivated criminals and we refer to them as threat actors.

    So through this presentation, as Hannah mentioned, we're going to go through a ransomware demo how, how a ransomware attack is perpetrated from the eyes of a criminal as well as from the eyes of the victim.

    So with that, we'll, we'll get, we'll get to it.

    So what are the common stages of a, of a ransomware attack?

    Well, stage 1 is reconnaissance.

    I need to know my target in order to be able to exploit it #2 is that point of entry, that root point of compromise.

    So breaking in third stage of a ransomware attack is privileged escalation.

    So getting more access, getting my administrative access to a network.

    The fourth piece, a lot of movement.

    How do I move about the network?

    So I start on one computer, how do I move to the servers?

    How from there do I launch this massive encryption engagement?

    The fifth stage here is going to be exfiltration.

    So while threat actors back back in the day used to only encrypt systems, now they do something called double extortion where they extort you by encrypting your files, but they also take data and threaten to release that publicly.

    And then the final piece is the encryption part or locking your files and extorting you for a decryption key.

    With that, we'll get right into it.

    So first stage of reconnaissance.

    So threat actors are always scanning the public Internet.

    They're looking for weaknesses, ports, protocol stuff out there that you have that are, you know, publicly exposed.

    A full scan of the Internet for a targeted piece can take as little as 45 minutes.

    So very, very quick.

    So here as a threat actor, what am I doing?

    I'm scanning really quick for my target list or my my target victims network to see if there's any vulnerabilities here that I can find in this example here, scanned a hundred 252 IP addresses in 11 seconds.

    I didn't find anything really too interesting.

    So from a threat actor side, I'd be moving on to my my second piece, which is to get a little more of a targeted attack.

    A couple takeaways here.

    Threat actors don't need to be targeting you, you know, as an organization and entity, whether it's public or private, in order to attack you, right?

    They're scanning the Internet broadly and they're looking for low hanging fruit very frequently.

    So it's really important to basically secure your Internet facing perimeter and make yourself a harder target.

    Don't be an easy target for these criminals, make it hard on them.

    So my scanning failed as a threat actor, but we really want to get into this organization.

    So what are we going to do?

    Well, in this case here, we're going to go back to the Old Faithful, which is a phishing campaign.

    We're going to send a message that I think is going to garner the response or something interesting from from my victim.

    So what do I do?

    I send an e-mail here.

    It's pretty interesting.

    Me as a user.

    I click on it.

    Oh boy, can't open that up.

    What do I need to do?

    All right, I'll download it.

    Let's take a look at it.

    I can't tell you how common this is still in this day and age where people will download these emails and look at them.

    They'll read this piece here.

    It's going to say, all right, oh boy, I got to enable editing.

    All right, well, let's go ahead and do that and enable content.

    Well, here's my editing.

    Here's my content.

    Oh boy.

    Well, can't read this document still.

    Oh well, let me get back to my day.

    I'll reach out to this individual later and figure out what's going on with this document.

    Let's flip back over to the threat actor, though, and see what's going on.

    So from a threat actor's perspective, I just launched a payload.

    A payload is like a script that runs in the background.

    So that Word document had something bad embedded there.

    When you enable the content, you enable the macro.

    That macro essentially launched my malware onto your system and gave me access to it.

    Clicking into it.

    I have a lot of things I can do here, so not not great.

    So I can run the different commands here like a standard command line utility, but I can also do a bunch of other stuff.

    I can turn on your webcam if I wanted to.

    I can get your system information.

    I can record your keystrokes.

    I can even record your microphone if I wanted to.

    So a lot of stuff that really you wouldn't think about opening a document can cause.

    But at this point, as a threat actor, I have full access to your computer without you even knowing it.

    And right here, I'll just show you, I drop into a command line and I can show you the desktop, you know, of your computer, what you were just looking at.

    So scary stuff.

    And, you know, some of these actions can have some serious, you know, consequences.

    And this type of thing is happening day in and day out in the real world.

    Every tool that I use in this demonstration, it's publicly accessible.

    This isn't custom stuff that I've built.

    This isn't stuff that you have to pay for.

    This is stuff that anybody can go out and download.

    And it's stuff that threat actors use in in real world scenarios.

    So of course, how do you prevent this?

    The first one is going to be user awareness training, making sure users know, listen, don't click on a document.

    If it seems weird, report it right away.

    If I as a, as an individual, clicked on that e-mail, enable content, enabled everything in there, and then immediately said, something's not right here, let me shut my computer off and call IT, the rest of this attack is over, right?

    I've stopped the attack very early on where we're done.

    So even if you made those mistakes, calling it out when it's weird right away is a is a is a lifesaver from a phishing perspective.

    I mean, if my goal was to take over your e-mail account, have a multi factor authentication is a big help.

    It's not the silver bullet it once was, but it certainly is something that is is very useful.

    And this, the last piece here is a very strong endpoint security solution like a next Gen.

    AB slash EDR product in this case would really help with this with this activities.

    So I'm a threat actor.

    I now have very low level access to machine.

    So what do I what do I need to do here?

    Well, I need to get higher privileges.

    A tool that threat actors very commonly use, and we see this in a very high percentage of cases is a tool called Mimi cats.

    Mimi Cats is a tool that essentially leverages a weakness in Windows systems to exploit their passwords that are stored in memory.

    So I want to now gain more access to the computer and I need to extract them out.

    So anybody logged into this computer, I can try to steal their credentials essentially.

    So in order to elevate these privileges, I need to do some stuff to to gain that access.

    So I'm going to run this tool called Mimi Cats and see who else is logged into this computer.

    This is the point of an attack where it could take some time.

    So we usually see a little bit of a lag time between that initial point of access to when a threat actor starts moving around the environment moving laterally.

    And that's because it could take some time for a threat actor to elevate those privileges.

    In this case here I get lucky, there's an administrator account already logged in, so I can go ahead and steal that password and leverage that.

    But really I want the domain administrator, which is one of these two accounts that that be Krebs account.

    So I'm going to take that NTLM hash, which is just a way that computers basically store passwords right, in a, in an encrypted format.

    And I'm going to go ahead and crack that again, takeaways.

    Minimizing privileged accounts in this in your environment can really help minimize the effectiveness of elevating privileges.

    If everybody has administrative privileges, that gets a bit dicey, right?

    It's a lot easier for a threat actor to compromise accounts if there's more of them to compromise.

    Invest in good tools to detect the suspicious and malicious activity.

    Again, a very good next Gen.

    AV slash EDR product is going to help with detecting this this activity.

    It's very anomalous.

    And the final piece is keeping systems up to date with patches.

    So a lot of these tools are more effective on older systems, Mimicats in particular.

    Windows 7 and older systems can get me the full password here, where on newer systems I only get the hash.

    So making sure I'm using newer systems like Windows 1011, etcetera can help because you'll get you'll get the advantages of the better security in those systems.

    Great.

    Well, now that I've gained some additional privileges or credentials, I first need to crack them.

    So threat actors are going to take these hashes and they're going to do some what we call offline cracking.

    Offline cracking is a technique where threat actors essentially crack the passwords.

    Is your password cracking?

    And they can use a variety of different methods.

    In this case here I'm going to do a very quick scenario, but threat actors can rent hardware on the dark web or sorry, on on on the cloud.

    So Amazon, Microsoft, they both have cloud systems.

    I can rent hardware for relatively cheap, couple 100 bucks that I can use to crack these passwords very, very quickly.

    So even if you have a very, very secure password, I may be able to crack it just by renting this hardware for for a couple $100.

    From a threat actors perspective, in this case here, Kate Metnic did not have a very good password, super secure one, was it?

    It was not very super or secure in this case, but we're going to leverage that password to start connecting to other systems.

    So I'm pretty excited.

    As a threat actor, I now have a password.

    I've now logged back into that computer that I've already compromised and I'm going to upload some software here to it.

    So as as you noticed, previously I only had access via the command line here.

    Now I have a full regular user interface access.

    So just like you guys see your computer when you're logged into it, me as a threat actor, I have that too.

    That gives me a lot, opens up my arsenal, tools that I can use.

    The first thing I'm going to do in this situation is I'm going to upload a scanning tool.

    This scanning tool is essentially one that can scan the network for other systems that are there.

    So I'm trying to identify how big your network is as a, as a victim, where are your important servers and systems in order for me to perpetrate or further my attack.

    So it's very important to me at this point to keep that going.

    Advanced IP scan or something that regular IT folks use on a regular basis.

    And that's the big reason why bad guys use it too, because it can get stuck or a lot of antivirus tools are not going to pick up on this because it's a normal tool.

    It's a real tool that's used day in and day out by IT people.

    So in this case here, it takes just a couple seconds here to to run a quick IP scan to figure out where all my endpoints are.

    And you'll see pretty quickly here that I do see my my domain controller server showing up there.

    I can tell that pretty easily just given the host name there.

    A lot of times DC1DC2 for domain controller is the name of that, but there's other ways to figure out if it's a domain controller as well.

    So I'm going to take my newly compromised credentials and I'm going to quickly log into this domain controller to see what other damage I can do for those on the call that may not be as technical.

    A domain controller is essentially the brains of the network.

    So when you log into a computer, when you, when your settings are applied to your computer from the security side, when you get that mapped share, you know, when you log in, you know so that the the file share, that all happens from the domain controller.

    It controls your authentications, it controls what happens to your computer when you log in and all the policies there.

    For that reason, it's a common place where threat actors are going to live because they can create their own accounts when they go over here and they can access any computer.

    So it's essentially doomsday scenario for an IT person when a threat actor is taking over your domain controller.

    And it's absolutely the goal for a threat actor to take over the demand controller right before taking perpetrating in a, in a ransom attack.

    So on the screen there towards the end, you saw me just making some examples of I can, I can create a user if I wanted to, I can modify other users.

    That's a very common thing threat actors are going to do is create their own users.

    This way, if my account ever gets disabled or password changes, I have a backup account.

    A good way to detect this stuff is to keep track of all your domain admins and when domain admins and privileged accounts are created, that could be a good early warning system that something weird going on is when you see some of those accounts being created.

    So what are some key takeaways here from a privilege escalation, lateral movement perspective?

    Use long and very strong passwords.

    I can't stress that enough, especially for your privileged accounts, even using very good technology such as this password cracking that I mentioned before, where you can rent that stuff in the cloud if you use a very strong long password.

    We're talking 30 characters in some instances for your privileged accounts, not your daily drivers.

    That can really throw a monkey wrench into the threat actors, you know, plans and getting those accounts and those those privileges.

    They can still use your password hash to do some stuff, but that is going to raise alarm bells and other security tools we're logging in using username and password is exactly how your network is designed to work.

    So most security tools aren't going to pick up on that.

    Another suggestion here is to use network tools that basically detect scans.

    So I find honeypots are a wonderful addition.

    It's something that's really not used as much anymore.

    So what a honeypot is, is it's a special type of tool.

    It's a, it's a basically a little computer that it's only purpose is to essentially exist on your network and seem like a very enticing target.

    So if there's someone that's in your network that is poking around at things that they may not supposed to be, they're not supposed to be poking around at, this honeypot is going to be a very enticing target for them.

    And when anybody starts peeling back the layers of that honeypot, it starts sending out alarm bells to your IT staff and your security teams.

    This will give them a good idea that something's going on that's not supposed to happen because it shouldn't be used in any other method.

    Honeypots are very cheap.

    You know that you can have it on a $35 Raspberry Pi and there are plenty of free programs out there that you can download from GitHub to put on there.

    So it can be very cheap investment that can give you a pretty good early warning system from that side.

    All right, so moving on to stage 5, exfiltration and backup deletion.

    So now that I've gained access to your network, right, I've elevated my privileges.

    I'm now a domain admin.

    I've moved over to domain controller.

    I essentially I could launch a ransom or attack at this stage.

    However, if you have good backups, my ransom or attack is going to be for naughty, right?

    And let's say you have good cloud backups.

    That means that even if I delete your local backups, you can still recover.

    You have no reason to pay me.

    Let's steal some data too, right?

    Give you a double extortion method in order to give you a reason to pay me.

    So in this case here, we're going to look for your backups first.

    We're going to go ahead and delete those.

    Then we're going to look for data to potentially exfiltrate.

    So I happen to be on your domain controller.

    I see a a share here.

    Now, thread actors will scan the network and look for these.

    For the purpose of time, I just threw the backups here, but essentially they'll go ahead and delete these backups, reformat your backup partitions.

    I've seen them even just totally delete your backup VMS if you haven't virtualized.

    So this is stuff that threat actors will absolutely do.

    Now, of course, I'm going to clear the recycling bin to make sure that the backups are completely gone, which is which is great.

    Now I'm going to start looking for some data that might be sensitive.

    I see a file share here with some data in there.

    So let's take a look.

    Finance folder first for those thinking, oh, there might be some credit card numbers here.

    This is all randomly generated data, just to let you know.

    So, so there's nothing real here.

    But here I do see some credit card numbers.

    OK, that could be PCI consideration, but that's also for me as a threat actor.

    That's actually marketable data that I could sell if if it doesn't work out.

    Here as well, I see Social Security numbers and I see some information around COVID vaccinations, so maybe HIPAA.

    So that's not great for from a endpoint perspective from from a threat actor, I'm pretty excited.

    So I'm going to go ahead and exfiltrate this data out.

    In this case here, I'm just going to use a web browser.

    Just it looks a lot better to do it this way, but a threat actor may use command line tools to send this data out.

    Mega NZ is a very common place where threat actors exfiltrate data.

    This is a file sharing site just like Dropbox, except it's hosted in a place that doesn't really care about, you know, the DCMA requests and other stuff like that do to take down that private data.

    So in this case here, I'm just going to quickly upload all these files to my to my Expo location and, and basically being a good spot here to exfiltrate that data.

    If there's a lot of data, if there's a lot of data in these locations, the threat actor might zip that data up to make it a lot easier to transport.

    But in this case here, it's a couple CSV files and I'm an actual trade out that probably are pretty important for you.

    Some good takeaways here.

    Unauthorized access to personal information obviously can trigger legal obligations depending on the jurisdiction, even if the data's not even taken, right.

    So if it's just looked at opening those documents could trigger that depending on where you are acquiring that data in this instance here like it was done also can trigger that.

    So, so it's definitely some legal things to keep in mind in this case here, doing some good DLP or data loss prevention tools can help prevent this activity from happening and also can help alert you to when this has happened.

    So those are tools that'll that'll look for outbound transition, outbound file transfers that may not normally occur.

    Also using a strong backup solution here can really be the difference maker between having to pay a ransom or not for that first part there.

    So usually when we think of a strong backup solution, I like to think of, I like to think of the 321 method, which is recommended by SISA and, and, and, and just industry wide.

    So 321 means you have three types of data including or three, 3 copies of the data, including your live copy.

    So that's your live copy and a local copy and A and a cloud copy, two different copy medias.

    So that's going to be, you know, that's going to be physically and then in the cloud.

    And then the final piece here is a, a strong way to bring back that data.

    So it's also important to make sure that you test your backup restoration.

    I can tell you how many incidents I get into where we say we have strong backups, we're good from that side and they haven't tested it in five years.

    Lo and behold, when we go to test it, backups are corrupted.

    The process for pulling down the data may take three weeks, which is a huge business interruption, which can obviously affect a lot of things.

    So it's really important to make sure that we know how long this stuff can happen and how quickly we can restore.

    All right, And then finally, the moment we've all been waiting for this is the ransomware deployment.

    So as a threat actor, I have now deleted your backups.

    I've now taken some data to extort you not only on the ransom decryption side, but also on the on the data exfiltration side.

    And now it's time for me to encrypt your data.

    So in this case here I'm going to upload my evil.exe, which is going to be my ransom, my ransomware, and I'm going to use a tool called PS Exec to go ahead and and launch my ransomware.

    PS Exec is a Microsoft tool.

    It's developed by Microsoft and the purpose of it is to allow administrators to run a piece of software or run a command on many different systems in a very quick period of time, exactly like what I want to do with ransomware.

    So in this case, here, I'm going to run PS Exec against my target machine.

    I can do it for the whole network if I wanted to.

    And of course, I'm going to use the credentials that I stole and I'm going to accept the end user license agreement because that's, you know, something that Microsoft makes you do as you see here as a user, I'm just living about my day.

    You know, you don't see any signs of anything bad going on.

    But the ransomware is running during that time.

    All the files in this case here has flipped over to this dot V society extension, which is which is ransomware group by society.

    And you'll be left behind with this note in every single directory that basically says you've been encrypted.

    Here's how you contact us.

    And here's all the bad things that will happen if you don't pay us this money.

    At this point in time, your domain controllers, your servers, your workstations, anything that was on during the time of this incident would be encrypted and it would happen very quickly, you know, matter of a couple minutes to a couple hours for everything to be fully encrypted.

    So this process is very quick.

    And this often happens overnight, five o'clock 4:00 in the morning.

    So most of the time you wake up, you get into the office and you realize that something's wrong very quickly when you try to log into your systems and servers.

    Couple takeaways here.

    If you notice that this encryption has occurred, do not disconnect the power from these systems.

    It may be the initial knee jerk reaction to say maybe not everything's encrypted.

    Let me just pull the plug and maybe we can preserve some data.

    While in theory that sounds good, that is a great way to get a large database corrupted.

    And if that were to happen, you have very limited options to getting that data back and it may be corrupted beyond repair.

    And that has happened before where organizations thought that they were doing the right thing by just disconnecting the power from a, from a server.

    And they actually corrupted the whole thing and, and caused the essentially data to be lost permanently.

    And they went through multiple data recovery companies and none of them were able able to, to recover the data, unfortunately.

    Another thing that you have to keep in mind here is have a plan to how, have a plan for how you're going to access your resources to help you through this.

    So whether that's a contact in your insurance, having a breach coach ready to go, someone that you're familiar with, whether it's a forensics firm, but more importantly, how are you going to operate as a business, you know, or a public entity, you know, during this time, right?

    If you're, how are you going to accept tax payments?

    How are you going to, you know, serve your constituents if you're a police, you know, department, how are you going to take 911 calls, right, if all your systems are down?

    We've definitely had to navigate through these things.

    And it sometimes it's forwarding 911 to a cell phone and you have an operator with five different cell phones sitting in front of them.

    That's how they're operating.

    And they're dispatching the old fashioned way through the radio.

    And and if that's what you have to do during the first couple hours of an incident until you can get your dispatch system back up, then that's what you have to do.

    But it's having a plan for this.

    You're not brainstorming on the fly, you're ready to go.

    You've tested these options and everybody knows, you know how to do that when you get into that scenario.

    Awesome.

    So with that, I would love to open up for any questions that might have come in during this.

    But more essentially that is that's that's how ransomware incident is perpetrated in most instances.

    You know something similar to to that.

    Hannah Hays

    Thanks Matt, that was very insightful.

    We do actually have a couple questions that have come in.

    The first one which I think you did touch on some points during your presentation, but the question is what are some cost effective ways that public entities can reduce their cyber risk?

    Matt Dowling

    Sure.

    I'd say, I always say the most cost effective way to reduce your risk is making yourself a difficult target.

    So it doesn't cost much money to go ahead and scan your perimeter and look to see if there's anything there that would that would essentially make you an easy target.

    So I'm talking things like RDP or remote desktop protocol.

    Nowadays that should not be something that's publicly, publicly accessible.

    Multi factor authentication, using multi factor authentication for any remote access that you may have.

    So if you have VPN, making sure you're using multi factor authentication for that, there are plenty of free or very low cost options for multi factor authentication that you can that you can leverage.

    If you do those things and secure your perimeter, you make yourself a much harder target for for many of these actors.

    Hannah Hays

    Yeah, I thought it was interesting.

    You also highlighted the passwords and password management

    Matt Dowling

    Strong passwords. That's right.

    Hannah Hays

    Yeah, I do see that as well, something that can be annoying to do, right?

    From the user perspective, it can make a huge difference.

    Yeah.

    OK, great.

    We have another question.

    How should public entities be thinking about the advancements of artificial intelligence in relation to their cyber risk?

    Matt Dowling

    Yeah, So AI has been an issue coming down the pipe for a while now, right?

    And realistically, we see AI being integrated now, especially within the last couple years into so many different things.

    There's been proof that being OpenAI has even said threat actors are using AI to create malware and other malicious codes.

    The best thing that I can say is I don't think AI is going away.

    It's really hard to regulate because you can download your own models.

    But it just goes back to my previous point, make yourself a harder target.

    What AI is going to do for threat actors is it's going to speed up the process and then finding those weak targets and exploiting those weak targets.

    You don't want to be a weak target.

    You want to be someone that has a very strong perimeter in order for for AI to basically skip over you.

    Because I see AI being leveraged as a way for a threat actor to say, Hey, create me a list of the top 50 organizations on the Internet right now that I can hack, right?

    And you can tell it to say, OK, public entity, right?

    As, as you get through it, Don't be part of that 50 right?

    Be be difficult target.

    Make sure you're fully patched, you have your perimeter tightened up so it's a lot harder to attack you.

    I, I'd say that's the best thing you can do right now.

    Making sure you're, you're keeping everything up to date.

    Patches on your firewalls, patches on your on your systems, All that kind of stuff is what you can do really to to thwart the the advancements of AI as a as an individual contributor or or an organization.

    Hannah Hays

    Great, thanks, Matt.

    I think that's it for questions from our side.

    So I'm going to pass it back to Lauren.

    Thank you everybody for your time.

    Lauren Tredinnick

    Thanks, Hannah.

    Thanks Matt.

    Actually, Matt, I did have a question for you really quick.

    One of the things that I struggle with and you hit on it here was passwords.

    And what do I do if I want a really super awesome password?

    But I, I have all of these things that require really awesome, super long passwords.

    How do I keep track of all of them?

    Or what do I do with all these mega passwords?

    Matt Dowling

    Yeah, I'd say the best thing you can do is use the password manager.

    So what I see a lot of and, and as a former pen tester, what I can say is a lot of people would put passwords, if they have to use a strong password, write it on a post it on a note on their on their monitor, put it under their keyboard.

    Don't do that.

    Password managers is the way to go.

    So there's plenty of really good tools that have browser extensions that make it, it's never been so easy to use it, but it has a master password.

    It has multi factor to open it up and it makes your life a lot easier to log into stuff while also allowing you to use a very strong password to make it much more difficult for a threat actor or malicious third party to steal that.

    View the entire Public Entity Risk Virtual Symposium 2024

    Contact us
    Hannah Hays
    Hannah Hays
    Senior Underwriter Public Entity Cyber
    Munich Re Specialty - Global Markets
    About Munich Re Specialty Munich Re Specialty – North America products and services are offered by and provided through insurance companies and producers/surplus lines brokers that are eligible or licensed in accordance with the laws and regulations of individual jurisdictions. Products and services are not available in every, and may vary by, jurisdiction. The information provided on this site is intended as general information only and does not constitute an offer to sell or a solicitation to purchase insurance or non-insurance products and services. Please be aware that the insurance policy and not any information provided on this site will form the contract between the parties thereto, and will govern in all cases. Munich Re Specialty – North America’s insurance products and services in the United States, Canada, and the United Kingdom are underwritten and provided by or through one or more of the insurers, producers/surplus lines brokers that are members of the Munich Re Group identified below. Each company is financially responsible only for insurance policies it has issued. For more information on Munich Re Specialty, including licensing, regulatory-required, and other information on the operating companies, please click here.

    Newsletter

    Stay ahead of the curve with exclusive insights and industry updates! Subscribe to our Munich Re Insights Newsletter for a front-row seat to the latest trends in risk management, expert analyses and assessments, market insights, and innovations in the insurance industry. Join our community of forward-thinkers at Munich Re and empower your journey towards a more resilient future.