Cyber insurance claims frequency dropped 53% year-over-year, and the average loss per incurred claim decreased by 11% in the first half of 2025 compared to the same period in 2024, according to Resilience’s Midyear Cyber Risk Report. However, ransomware attacks grew in severity by 17%, accounting for 76% of incurred losses—or 91% if including losses from a vendor experiencing ransomware.
2025 Midyear Outlook
“There was a significant claims surge in 2024,” states the report. “Claim notifications jumped 86% and vendor-related incidents went from zero to 21% of incurred losses.” However, with claims notice frequency down 53% in Resilience’s portfolio, H1 2025 indicates a return to operational equilibrium, the report notes. Meanwhile, there was an 11% reduction in average loss per incurred claim in H1 2025 vs. H1 2024.
The average cost of a ransomware claim has increased 17% year-over-year, according to the report. “This isn’t just inflation,” the report notes. “It’s a sign that threat actors are becoming more systematic in how they target and exploit organizations.”
AI and Social Engineering
The report references CrowdStrike’s 2025 Threat Hunting Report data, which shows that “78% of enterprises experienced at least one AI-specific breach in 2025, with AI-generated phishing campaigns achieving a 54% success rate, compared to just 12% for traditional attempts.”
Phishing attacks represent the most significant challenge in the threat landscape and are responsible for 19% of incurred claims and 49% of incurred losses in H1 2025, the report states. “AI-driven browser-based attacks appear to be driving this surge, as they can bypass multi-factor authentication and endpoint detection software. When paired with SIM swapping, these attacks effectively access critical assets while remaining difficult to detect.”
Attacker Tactics
“The ransomware playbook is evolving. While Resilience data shows that 79% of clients who were attacked with ransomware over the entire lifetime of our portfolio successfully avoided paying a ransom, these attacks are still costly and disruptive to recover from,” explains the report. Ransomware attacks that lead to incurred claims average over $1.18 million per claim in 2025 so far, compared to $1.01 million in H1 2024.
Ransomware Threat Evolution
“According to analysis by the Resilience Risk Operations Center (ROC), the broader ransomware ecosystem underwent significant disruption and diversification in the first half of 2025,” the report notes. “In Q1, ransom gang Scattered Spider abandoned the RansomHub platform in favor of the DragonForce platform. This move—together with some law enforcement activity associated with the group—caused a surge of attacks as ransomware affiliates rushed to cash in on planned campaigns before they were detected.”
Resilience researchers observed legacy groups fade and newer, more volatile actors rise to prominence, introducing new tactics and targets, according to the report. This transition contributed to a significant increase in publicly disclosed ransomware attacks during Q1 2025, which the ROC attributed to multiple factors: “Scattered Spider’s platform switch created operational chaos; turf wars erupted among ransomware affiliates competing for territory; and intensified law enforcement activity pressured groups to accelerate their timelines. Attack volumes declined by 30% in Q2, though H1 ransomware attacks still exceeded the previous two quarters by 41%.”
As a result of the evolved threat landscape, global ransomware attacks increased by 73%. In Resilience’s portfolio, specifically, ransomware incidents increased significantly—from 5.8% of claims by frequency in 2024 to 9.6% in H1 2025—an increase of 65%,” according to the report. Only 42% of ransomware claims have led to payouts this year, down from 60% in 2024, thanks in part to stronger backup and recovery strategies.
Alarmingly, threat actors are evolving their extortion methods by making double extortion common, with primary extortion for decryption and secondary extortion to suppress exfiltrated data. In some of the most alarming cases, attackers have escalated to “triple extortion” with the threat of bodily harm if ransom is not paid. Over the past 12 months, executives were physically threatened in 40% of ransomware incidents, notes the report.
Recommendations for Mitigating Ransomware
“Multiple factors influence whether clients pay extortion fees, but our data indicates that organizations with robust backup systems, regular validation testing, and comprehensive business continuity planning are far less likely to submit to ransom demands,” states the report. While ransomware attacks have grown more sophisticated, many organizations do not realize the gaps in their preparedness until they face an attack.
“While many high-profile attacks begin with a phishing attack or an exploited vulnerability, the speed with which actors move to take over and exfiltrate information is rapidly accelerating, with breakout occurring in fewer than 50 minutes, on average,” the report emphasizes.
Data Encryption
Since attackers steal data before encrypting it and demand payment twice, Resilience notes that paying for data suppression is a risky move with no guarantee of data destruction and no mitigation when it comes to regulatory investigations, notifying customers, or subsequent third-party actions.
In order to prevent this from occurring, Resilience recommends encrypting sensitive data, establishing clear breach protocols with pre-approved disclosure frameworks, and implementing intelligence-led defenses that can independently track stolen data without depending on ransom demands. Other recommendations include leadership education, incentivizing security hardening, promoting intelligence sharing between clients, and providing robust post-breach support services that strengthen overall organizational resilience.
Policy Safeguarding
“Protecting [one’s] cyber insurance policies isn't just about following best practices—it's about treating these critical documents with the same care [one would] give [their] most sensitive customer data,” explains the report. “Smart organizations are taking a comprehensive approach that starts with encrypted cloud storage featuring zero-knowledge architecture and AES-256 encryption, implementing identity-first security controls with role-based access and multifactor authentication, and utilizing a specialized digital vault solution that goes beyond basic cloud storage.”
Threats Beyond Ransomware
Vendor Risk
Business interruptions due to vendor unavailability emerged as the second-largest driver of loss after ransomware in 2024. In the same year, “vendor-related incidents accounted for over a third (37%) of all claims notices…and led to 22% of incurred losses, compared to 32% of claims notices and 0% of incurred losses in 2023,” states the report, highlighting how “exploiting a single point of failure can lead to a cascading disruption downstream, affecting entire industries and economic sectors.” Ransomware attacks targeting vendors made up 18% of incurred losses in 2024, demonstrating their financial attractiveness to cyber criminals.
In the Resilience portfolio, 22% of losses in 2024 and 15% in 2025 attributed to vendors experiencing ransomware, data breach, or system failure, states the report.
Transfer Fraud
“Transfer fraud refers to internal failure of payment controls that results in fraudulent financial transactions; most often, these are carried out through social engineering. Business email compromise remains the leading driver, but attackers are now expanding their methods, using AI-driven voice synthesis to make their schemes more convincing and harder to detect,” according to the report.
Furthermore, payment control failures account for a large amount of cyber insurance activity—26% of incurred claims and 8% of incurred losses in H1 2025. “Yet the financial impact is likely understated, as transfer fraud coverage is often capped by sub-limits within cyber policies. In Resilience’s portfolio, the average severity of $139,000 recorded in 2024 likely underrepresents the true scale of client losses.”