Threatonomics

New insights on the evolving threat landscape, from our 2025 Midyear Cyber Risk Report 

by Emma McGowan, Senior Writer

We’re seeing fewer attacks than last year, but the ones getting through are hitting harder

The cybersecurity world is experiencing an unexpected paradox in 2025. While cyber insurance claims in the Resilience portfolio dropped by 53% in the first half of the year—suggesting that organizations are getting better at preventing attacks—the financial damage from successful incidents has actually increased. Our latest 2025 Midyear Cyber Risk Report reveals that when cybercriminals do break through Resilience client defenses, they’re hitting 17% harder than before, with ransomware attacks now averaging over $1.18 million in damages.

Threat actors are working multiple angles

After the turbulent claims surge of 2024—when vendor-related incidents jumped from zero to 21% of incurred losses—the cybersecurity world might have expected some relief. Instead, we’re witnessing something more concerning: Attackers are working smarter and expanding their arsenal of tactics.

Key findings from our analysis include:

  • Ransomware now accounts for 91% of incurred losses, despite representing only 9.6% of total claims
  • Increasingly, victims face demands both for decryption of data and for data suppression, in what are now common double extortion attempts
  • The average ransomware claim cost has jumped to over $1.18 million in 2025, up from $705,000 in 2024
  • Social engineering attacks fueled 88% of material losses, with AI-powered phishing achieving a 54% success rate compared to just 12% for traditional attempts
  • Healthcare organizations faced extortion demands as high as $4 million

Three critical trends reshaping cyber risk

1. AI is supercharging social engineering

The era of obviously fake phishing emails is over. According to CrowdStrike’s 2025 Threat Hunting Report, 78% of enterprises experienced at least one AI-specific breach this year. Cybercriminals are leveraging artificial intelligence to create more convincing phishing campaigns, voice synthesis for fraudulent calls, and sophisticated browser-based attacks that bypass multi-factor authentication.

In our portfolio, 1.8 billion credentials were compromised in the first half of 2025 alone—an 800% increase since January. This credential harvesting is feeding a new wave of identity exploitation that’s proving increasingly difficult to detect and defend against.

2. Ransomware groups are getting tricky

Perhaps most disturbing is the evolution of ransomware tactics. In at least two recent cases, threat actors located and referenced their victim’s cyber insurance policy to calibrate their ransom demands. In one instance, attackers explicitly stated they had set their demand below the client’s policy limit—turning insurance coverage into a roadmap for extortion.

Double extortion has become standard practice, with criminals demanding payment both for data decryption and to prevent public data release. Our analysis shows that 79% of Resilience clients have successfully avoided paying ransoms over our portfolio’s lifetime, but those who do face increasingly sophisticated pressure tactics.

3. Third-party risks remain interconnected

While vendor-related incidents dropped to 19% of claims notices and 15% of incurred losses (down from 37% of claims notices and 21% of losses in 2024), the potential for cascading failures remains significant. The interconnected nature of modern business means that vulnerabilities in one organization can expose entire industries, as we saw with high-profile incidents like CDK Global and Change Healthcare in 2024.

The Rogues Gallery: Meet your adversaries

Our threat intelligence team has identified several ransomware groups driving attacks against our portfolio in 2025:

  • Scattered Spider: The sophisticated, English-speaking group that made headlines with attacks on retail, aviation, and insurance companies
  • Interlock: Known for locating and referencing victim insurance policies during negotiations
  • Chaos: Operates more like destructive malware, with early versions permanently corrupting files

What you can do

The data reveals both encouraging progress and persistent challenges. While overall claims have decreased and third-party incidents have become less frequent, successful attacks are becoming more expensive and destructive.

Three critical recommendations emerge from our analysis:

  1. Treat your cyber insurance policy like a crown jewel—secure it with the same care as your most sensitive data
  2. Don’t pay for data suppression—focus on comprehensive resilience rather than reactive measures
  3. Invest in intelligence-led defenses that can independently track stolen data and provide early warning of potential compromises

Download the full report

This blog post only scratches the surface of our comprehensive analysis. The full 2025 Midyear Cyber Risk Report includes detailed case studies, sector-specific recommendations, threat actor profiles, and actionable insights from our Risk Operations Center.

Download the complete report here to access:

  • Detailed methodology and data analysis
  • Comprehensive threat actor profiles
  • Industry-specific risk assessments
  • ROC case studies and response strategies
  • Practical recommendations for strengthening your cyber defenses

The cyber threat landscape continues to evolve rapidly, but with the right intelligence and preparation, organizations can build true cyber resilience. Our report provides the insights you need to stay ahead of tomorrow’s threats.

The Resilience 2025 Midyear Cyber Risk Report represents analysis of actual claims experience and threat intelligence from the first half of 2025. For the most current information and specific guidance for your organization, consult with Resilience’s risk management and insurance professionals.
