Cyber Claims Data Shows ‘New Economics’ of Cybercrime

Cybercriminals are prioritizing long-term leverage over immediate disruption, according to a new report showing that in the second half of 2025, more than two-thirds of ransomware attacks leveraged data theft and not encryption.

Cyber insurance claims data from Resilience shows an evolution in the economics of cybercrime, with a shift in how threat actors execute prolonged attacks on organizations.

Related: Delaware High Court Rescues Cyber Insurers’ Subrogation Claims

Extortion demands to suppress stolen data were 49% of all extortion claims in the first half of the year, then grew to 65% in the second half. Across the entire year, data theft-only attacks accounted for 57% of all attacks, as hackers sought to bypass increasingly strong backup practices.

“Fueled by AI-amplified social engineering and a surge in litigious activity, the financial severity of claims has become increasingly concentrated,” the report states.

“Resilience’s 2025 claims data demonstrates that cyber criminals are no longer optimizing solely for immediate business disruption,” the report states. “Instead, attacks are now designed to generate sustained financial, regulatory, and reputational damage that extends well beyond the initial incident—accumulating over months and years rather than days.”

Infostealers harvested more than 2 billion credentials and were frequently observed in victim organizations’ environments before ransomware attacks occurred.

Related: Open-Source AI Models Vulnerable to Criminal Misuse, Researchers Warn

Threat groups like Interlock continued to find victim organizations’ cyber insurance policies among stolen data to better calibrate their ransom demands—maximizing payouts while staying below coverage limits, according to the report.

Vendor risk was the second-highest loss category across Resilience’s portfolio, representing 18% of total losses. Threat actors were leveraging password reset attacks and are increasingly infiltrating open-source code repositories, which opens the door to short- and long-term disruption following the compromise of a critical vendor, the report shows.

Other findings in the report include:

• Extortion evolved from encryption to data theft. Data theft-only attacks accelerated from 49% of extortion claims in H1 to 65% in H2, rendering backup-based defenses ineffective against the primary threat: reputational and regulatory damage from data exposure.
• AI-amplified social engineering to unprecedented effectiveness. Phishing surged to become the #1 point of failure, jumping from 21% of incurred losses in 2024 to 50% of incurred losses in 2025. While it is difficult to attribute any given attack to AI, the increased success may be explained by AI’s ability to automate more believable attacks.
• Vendor risk continues to be a major cause of loss. Vendor-related failures accounted for 22% of losses in 2024 with a modest decline to 18.8% in 2025.
• Waves of litigation extend risk. Between the “no honor among thieves” reality—where threat actors continue selling data they were paid to suppress—and an increasingly litigious plaintiffs’ bar eager to file lawsuits, the tail risk of ransom events is a growing concern from an underwriting perspective.

Manufacturing continued to be the highest total loss industry, even though average severity declined by 29% from 2024 to 2025. Healthcare was the highest-severity sector in the company’s portfolio. Retail jumped from zero material losses in 2024 to become the second-highest average severity, primarily driven by Scattered Spider’s May 2025 campaign targeting major U.K. retailers before spreading to U.S. retailers.