We’re seeing fewer attacks than last year, but the ones getting through are hitting harder
The cybersecurity world is experiencing an unexpected paradox in 2025. While cyber insurance claims in the Resilience portfolio dropped by 53% in the first half of the year—suggesting that organizations are getting better at preventing attacks—the financial damage from successful incidents has actually increased. Our latest 2025 Midyear Cyber Risk Report reveals that when cybercriminals do break through Resilience client defenses, they’re hitting 17% harder than before, with ransomware attacks now averaging over $1.18 million in damages.
Threat actors are working multiple angles
After the turbulent claims surge of 2024—when vendor-related incidents jumped from zero to 21% of incurred losses—the cybersecurity world might have expected some relief. Instead, we’re witnessing something more concerning: Attackers are working smarter and expanding their arsenal of tactics.
Key findings from our analysis include:
- Ransomware now accounts for 91% of incurred losses, despite representing only 9.6% of total claims
- Increasingly, victims face demands for decryption of data and also for data suppression in what are now common double extortion attempts
- The average ransomware claim cost has jumped to over $1.18 million in 2025, up from $705,000 in 2024
- Social engineering attacks fueled 88% of material losses, with AI-powered phishing achieving a 54% success rate compared to just 12% for traditional attempts
- Healthcare organizations faced extortion demands as high as $4 million
Three critical trends reshaping cyber risk
1. AI is supercharging social engineering
The era of obviously fake phishing emails is over. According to CrowdStrike’s 2025 Threat Hunting Report, 78% of enterprises experienced at least one AI-specific breach this year. Cybercriminals are leveraging artificial intelligence to create more convincing phishing campaigns, voice synthesis for fraudulent calls, and sophisticated browser-based attacks that bypass multi-factor authentication.
In our portfolio, 1.8 billion credentials were compromised in the first half of 2025 alone—an 800% increase since January. This credential harvesting is feeding a new wave of identity exploitation that’s proving increasingly difficult to detect and defend against.
2. Ransomware groups are getting tricky
Perhaps most disturbing is the evolution of ransomware tactics. In at least two recent cases, threat actors located and referenced their victim’s cyber insurance policy to calibrate their ransom demands. In one instance, attackers explicitly stated they had set their demand below the client’s policy limit—turning insurance coverage into a roadmap for extortion.
Double extortion has become standard practice, with criminals demanding payment both for data decryption and to prevent public data release. Our analysis shows that 79% of Resilience clients have successfully avoided paying ransoms over our portfolio’s lifetime, but those who do face increasingly sophisticated pressure tactics.
3. Third-party risks remain interconnected
While vendor-related incidents dropped to 19% of claims notices and 15% of incurred losses (down from 37% of claims notices and 21% of losses in 2024), the potential for cascading failures remains significant. The interconnected nature of modern business means that vulnerabilities in one organization can expose entire industries, as we saw with high-profile incidents like CDK Global and Change Healthcare in 2024.
The Rogues Gallery: Meet your adversaries
Our threat intelligence team has identified several ransomware groups driving attacks against our portfolio in 2025:
- Scattered Spider: The sophisticated, English-speaking group that made headlines with attacks on retail, aviation, and insurance companies
- Interlock: Known for locating and referencing victim insurance policies during negotiations
- Chaos: Operates more like destructive malware, with early versions permanently corrupting files
What you can do
The data reveals both encouraging progress and persistent challenges. While overall claims have decreased and third-party incidents have become less frequent, successful attacks are becoming more expensive and destructive.
Three critical recommendations emerge from our analysis:
- Treat your cyber insurance policy like a crown jewel—secure it with the same care as your most sensitive data
- Don’t pay for data suppression—focus on comprehensive resilience rather than reactive measures
- Invest in intelligence-led defenses that can independently track stolen data and provide early warning of potential compromises
Download the full report
This blog post only scratches the surface of our comprehensive analysis. The full 2025 Midyear Cyber Risk Report includes detailed case studies, sector-specific recommendations, threat actor profiles, and actionable insights from our Risk Operations Center.
Download the complete report here to access:
- Detailed methodology and data analysis
- Comprehensive threat actor profiles
- Industry-specific risk assessments
- ROC case studies and response strategies
- Practical recommendations for strengthening your cyber defenses
The cyber threat landscape continues to evolve rapidly, but with the right intelligence and preparation, organizations can build true cyber resilience. Our report provides the insights you need to stay ahead of tomorrow’s threats.
The Resilience 2025 Midyear Cyber Risk Report represents analysis of actual claims experience and threat intelligence from the first half of 2025. For the most current information and specific guidance for your organization, consult with Resilience’s risk management and insurance professionals.