A large cyber insurance provider says it saw the number of ransomware attacks rise 45% last year.
Cyber insurance MGA Cowbell’s 2026 claims report also shows average ransom payments fell by roughly 44% between 2022 and 2025. The firm attributed the payment decrease to stronger negotiation strategies and more effective claims handling. According to Stephanie Hewerdine, the MGA’s director of claims, the drop is also being driven in part by increased preparedness among insureds.
“It’s likely attributable to several factors, but I think one of the most key factors is that insureds are often better prepared for these events nowadays,” she said, pointing to incident response plans and robust backups that enable quicker recovery without the need of a decryption key.
When negotiations do occur, Hewerdine explained, response teams assess the compromised data. If no sensitive or personally identifiable information is involved, there may be little reason to pay, she said.
“Rather than just acting from emotion, we’re really delving into it and doing a cost-benefit analysis of when it’s appropriate to pay a ransom and when we don’t need to do it in order for the insured to recover,” she said.
Data breaches (33.5%), cybercrime (31.8%) and extortion events (18.3%) accounted for most of Cowbell’s reported claims over the past 18 months. Ransomware and other extortion-based attacks are evolving from encryption to data-only schemes and double-extortion, the report shows.
In data-only schemes, hackers do not encrypt systems but instead exfiltrate data and threaten to release it. Without the need for encryption tools for more complex schemes, the barrier to entry is lower, allowing attackers to move quickly.
Hewerdine is seeing an emergence of smaller and less sophisticated threat actor groups.
“We see smaller groups doing this type of ransomware event, where they maybe don’t have the resources to purchase the tools or develop the tools, but they can still try to extort insureds without those tools,” Hewerdine said.
Related: Cyber Claim Severity Nearly Doubled for Large Businesses, Chubb Says
Also worrisome are what is known as double extortion attacks, in which threat actors demand payment to restore access and prevent the release of sensitive information, with some attackers failing to honor those agreements—either by not fully decrypting systems or by demanding additional payments after an initial ransom is paid, Hewerdine said.
In the past, there was more of an “honor among thieves” understanding during negotiations, Hewerdine said. If attackers failed to follow through, they risked damaging their reputation and reducing the likelihood of future payments.
“Now that we’re seeing more of these … smaller groups emerging, they don’t seem to have that level of honor among thieves,” she said. “And so we’re seeing a little bit more of this double extortion.”
Cowbell’s claims data shows that more than two-thirds of the cases with identified threat actors involved just seven groups. The top two threat actor groups—Akira (38.8%) and Qilin (14.2%)—made up more than half of the cases.
The MGA also reported that professional services, construction, manufacturing, healthcare and wholesale trade all rely heavily on systems and sensitive information, making preparation and response planning especially important for these industries.
In a separate report, Resilience, a cyber insurance MGA and risk platform, said ransomware accounted for 90% of total incurred losses in its manufacturing portfolio despite representing just 12% of total claim volume. The IBM X-Force Threat Intelligence Index found the sector was the most targeted industry for the fifth consecutive year, accounting for more than one in four cyberattacks.
Moving forward, Hewerdine expects artificial intelligence to be used increasingly to automate attacks. She also believes we’ll see more data extortion attacks and the continued emergence of small threat actor groups.
“What we know is that law enforcement has been going after some of these larger groups and they have splintered some of them,” Hewerdine said. “And so now, they have splintered off into different subgroups, and they actually even have affiliates where they’ll lease out their encryption tools.”
Hacking has become big business, Hewerdine said, and the more threat actors are fed, the more the industry grows.
“So if we can come up with workarounds to get our insureds up and running again and continue to drive down the ransom numbers, then that’s for the benefit of everybody,” she added. “For premiums, for insureds, for insurance companies themselves—for everybody.”
Was this article valuable?
Here are more articles you may enjoy.
Trump Says US to Start Guiding Trapped Ships Through Hormuz 
California Taking Action Against State Farm Over LA Wildfire Claims 
OpenAI Sued by Families of Canada School Shooting Victims 
Florida Woman Drives Elevated Pickup Over Lamborghini Sports Car in Parking Lot 
Want to stay up to date?
Get the latest insurance news
sent straight to your inbox.