Ransomware Costs Climb While Claims Drop – Resilience Insights

Executive Summary

Ransomware continues to dominate the cyber threat landscape, but a paradox is emerging: fewer incidents are leading to insurance claims, yet the financial impact of each attack is rising sharply. According to Resilience, advanced tactics such as AI-powered phishing, double extortion, and insurance policy theft are driving this shift. Attackers are no longer just encrypting data—they are leveraging intelligence, psychology, and negotiation strategies to maximize ransom demands and amplify damage.

Organizations must now focus on technical resilience, strategic preparedness, and awareness of evolving attack methods to survive the era of low-volume, high-impact ransomware.

Double extortion: attackers demand payment to decrypt data and to avoid publication.

Introduction

Historically, ransomware attacks were relatively straightforward: malicious actors encrypted systems and demanded a ransom for decryption. While still dangerous, these attacks have become increasingly sophisticated, often combining multiple tactics to increase leverage over victims.

Recent data from Resilience reveals a concerning trend: ransomware claims are declining, yet overall losses have surged, signaling that attackers are focusing on quality and impact rather than sheer volume.

Double extortion, AI-driven phishing campaigns, and even insurance policy theft have emerged as powerful tools that allow attackers to extract maximum financial value while minimizing their exposure to detection.

AI-powered phishing is increasingly precise and destructive in ransomware chains.

Core Question

Why are ransomware losses increasing despite fewer insurance claims, and what strategies can organizations adopt to defend against increasingly sophisticated attacks?

Background and Current Landscape

In the first half of 2025, ransomware incidents accounted for 76% of all incurred cyber insurance losses, highlighting their outsized impact. While traditional ransomware involved encrypting files and demanding payment, the modern attack chain is more intricate:

• **AI-Powered Phishing:** Attackers use artificial intelligence to craft highly convincing, targeted phishing emails. These campaigns are more likely to deceive employees, creating a direct pathway to ransomware deployment.
• **Double Extortion:** Beyond encrypting data, attackers threaten to publish sensitive information if their ransom demands are not met. This tactic pressures organizations to pay, even if backups are available.
• **Insurance Policy Theft:** Cybercriminals now actively gather policy details to fine-tune ransom demands, increasing their leverage in negotiation and maximizing payouts.

This new landscape demonstrates that frequency is no longer the main threat metric—impact and sophistication have become the defining factors in modern ransomware risk.

In-Depth Analysis

a. Fewer Claims, Higher Damage

While the number of reported claims has decreased, the severity of each claim has escalated:

• Average ransom demands for retail targets have reached approximately $2 million, nearly double from the previous year.
• Average recovery costs excluding ransom have dropped 40% to $1.65 million, reflecting improved organizational resilience, better backup strategies, and stronger negotiation practices.

This divergence indicates that organizations are managing to mitigate operational recovery costs, but the monetary pressure from ransom payments is at an all-time high.

b. What’s Fueling the Shift?

Several aggressive new tactics are driving the surge in losses:

1. **AI-Powered Phishing:**

• AI tools analyze employee behavior, writing style, and email habits to craft ultra-realistic phishing messages.
• These campaigns bypass traditional filters and increase the likelihood of initial compromise, forming the first stage in a ransomware chain.

2. **Double Extortion:**

• Ransomware attackers now encrypt data and simultaneously exfiltrate sensitive information.
• Threats of public disclosure or sale of stolen data add pressure to pay even if backups exist, amplifying financial and reputational impact.

3. **Insurance Policy Theft:**

• Attackers obtain insurance details to calculate exact ransom thresholds, maximizing leverage.
• This approach reflects a strategic evolution in ransomware negotiation, where cybercriminals understand both organizational pain points and insurer payout limits.

c. The Bigger Picture: Ransom Growth vs. Recovery Costs

• Ransom demands are skyrocketing, driven by targeted AI-powered attacks and double extortion strategies.
• Recovery costs have declined, suggesting organizations are better prepared technically, with improved incident response protocols, backups, and negotiation strategies.
• This pattern indicates that resilience matters more than incident frequency, shifting the focus of cybersecurity strategy from prevention alone to comprehensive impact mitigation.

d. Why This Matters

Even with fewer claims, the financial and operational consequences of ransomware are escalating:

• Attackers have shifted from volume attacks to high-value targets, ensuring maximum ROI per attack.
• Organizations must adopt multi-layered defenses, including advanced phishing awareness, robust backups, and risk-informed negotiation strategies.
• Insurers are recalibrating policies to account for high-impact ransomware, reflecting the changing economics of cyber risk.

> **Anikethan D Shetty:** “The era of low-volume, high-impact ransomware is here. Our defenses must evolve accordingly—not just in volume, but in resilience and sophistication.”

Mitigation and Prevention Strategies

To counter these evolving ransomware threats, organizations should focus on strategic, layered defenses:

1. **AI-Driven Threat Detection:** Implement systems capable of detecting sophisticated phishing and lateral movement patterns.

2. **Employee Awareness Programs:** Simulate high-fidelity phishing campaigns, train staff to recognize AI-generated threats.

3. **Incident Response and Recovery Planning:** Ensure backups, segmentation, and testing are current and effective.

4. **Insurance and Risk Management:** Monitor policy exposure and anticipate ransom negotiation strategies.

5. **Data Minimization & Segmentation:** Reduce the potential impact of double extortion by limiting sensitive data accessibility.

HacFy Insights / Expert Commentary

Modern ransomware attacks have evolved from opportunistic encryptions to highly targeted, multi-stage extortion schemes. AI phishing, double extortion, and policy theft reflect a sophistication-first approach that requires a fundamental shift in defensive strategy. Organizations that combine technical resilience, strategic foresight, and employee training are best positioned to withstand these attacks.

Conclusion

Ransomware in 2025 is less about how many attacks occur and more about how damaging each attack can be. AI-driven phishing, double extortion, and insurance policy theft make every incident potentially catastrophic. Organizations must adapt defense strategies to address both technical vulnerabilities and social engineering threats, ensuring resilience in an era of high-impact cybercrime.

Call to Action (CTA)

Protect your organization from the rising threat of sophisticated ransomware. Subscribe to HacFy for actionable insights, threat intelligence, and real-world strategies to stay ahead of AI-powered attacks, double extortion, and emerging ransomware tactics.

References

• Resilience Cyber Risk Report, 2025
• HacFy Cybersecurity Research
• Industry analysis of ransomware trends and insurance claims