Threatonomics

New insights on the evolving threat landscape, from our 2025 Midyear Cyber Risk Report 

by Emma McGowan, Senior Writer

We’re seeing fewer attacks than last year, but the ones getting through are hitting harder

The cybersecurity world is experiencing an unexpected paradox in 2025. While cyber insurance claims in the Resilience portfolio dropped by 53% in the first half of the year—suggesting that organizations are getting better at preventing attacks—the financial damage from successful incidents has actually increased. Our latest 2025 Midyear Cyber Risk Report reveals that when cybercriminals do break through Resilience client defenses, they’re hitting 17% harder than before, with ransomware attacks now averaging over $1.18 million in damages.

Threat actors are working multiple angles

After the turbulent claims surge of 2024—when vendor-related incidents jumped from zero to 21% of incurred losses—the cybersecurity world might have expected some relief. Instead, we’re witnessing something more concerning: Attackers are working smarter and expanding their arsenal of tactics.

Key findings from our analysis include:

  • Ransomware now accounts for 91% of incurred losses, despite representing only 9.6% of total claims
  • Victims increasingly face demands both for decryption of data and for data suppression, in what are now common double extortion attempts
  • The average ransomware claim cost has jumped to over $1.18 million in 2025, up from $705,000 in 2024
  • Social engineering attacks fueled 88% of material losses, with AI-powered phishing achieving a 54% success rate compared to just 12% for traditional attempts
  • Healthcare organizations faced extortion demands as high as $4 million

Three critical trends reshaping cyber risk

1. AI is supercharging social engineering

The era of obviously fake phishing emails is over. According to CrowdStrike’s 2025 Threat Hunting Report, 78% of enterprises experienced at least one AI-specific breach this year. Cybercriminals are leveraging artificial intelligence to create more convincing phishing campaigns, voice synthesis for fraudulent calls, and sophisticated browser-based attacks that bypass multi-factor authentication.

In our portfolio, 1.8 billion credentials were compromised in the first half of 2025 alone—an 800% increase since January. This credential harvesting is feeding a new wave of identity exploitation that’s proving increasingly difficult to detect and defend against.

2. Ransomware groups are getting tricky

Perhaps most disturbing is the evolution of ransomware tactics. In at least two recent cases, threat actors located and referenced their victim’s cyber insurance policy to calibrate their ransom demands. In one instance, attackers explicitly stated they had set their demand below the client’s policy limit—turning insurance coverage into a roadmap for extortion.

Double extortion has become standard practice, with criminals demanding payment both for data decryption and to prevent public data release. Our analysis shows that 79% of Resilience clients have successfully avoided paying ransoms over our portfolio’s lifetime, but those who do face increasingly sophisticated pressure tactics.

3. Third-party risks remain interconnected

While vendor-related incidents dropped to 19% of claims notices and 15% of incurred losses (down from 37% of claims notices and 21% of losses in 2024), the potential for cascading failures remains significant. The interconnected nature of modern business means that vulnerabilities in one organization can expose entire industries, as we saw with high-profile incidents like CDK Global and Change Healthcare in 2024.

The Rogues Gallery: Meet your adversaries

Our threat intelligence team has identified several ransomware groups driving attacks against our portfolio in 2025:

  • Scattered Spider: The sophisticated, English-speaking group that made headlines with attacks on retail, aviation, and insurance companies
  • Interlock: Known for locating and referencing victim insurance policies during negotiations
  • Chaos: Operates more like destructive malware, with early versions permanently corrupting files

What you can do

The data reveals both encouraging progress and persistent challenges. While overall claims have decreased and third-party incidents have become less frequent, successful attacks are becoming more expensive and destructive.

Three critical recommendations emerge from our analysis:

  1. Treat your cyber insurance policy like a crown jewel—secure it with the same care as your most sensitive data
  2. Don’t pay for data suppression—focus on comprehensive resilience rather than reactive measures
  3. Invest in intelligence-led defenses that can independently track stolen data and provide early warning of potential compromises

Download the full report

This blog post only scratches the surface of our comprehensive analysis. The full 2025 Midyear Cyber Risk Report includes detailed case studies, sector-specific recommendations, threat actor profiles, and actionable insights from our Risk Operations Center.

Download the complete report here to access:

  • Detailed methodology and data analysis
  • Comprehensive threat actor profiles
  • Industry-specific risk assessments
  • ROC case studies and response strategies
  • Practical recommendations for strengthening your cyber defenses

The cyber threat landscape continues to evolve rapidly, but with the right intelligence and preparation, organizations can build true cyber resilience. Our report provides the insights you need to stay ahead of tomorrow’s threats.

The Resilience 2025 Midyear Cyber Risk Report represents analysis of actual claims experience and threat intelligence from the first half of 2025. For the most current information and specific guidance for your organization, consult with Resilience’s risk management and insurance professionals.
