“Paying a ransom for a decryption key is a transaction with a verifiable outcome: either the key works or it does not,” Insurer Resilience observed in a new report, drawing a sharp line between traditional ransomware and the surge in extortion-only attacks that dominate today's claims.
Encryption is no longer the central axis of ransomware claims
Insurer Resilience found that extortion-related claims handled in the second half of 2025 were dominated by data theft rather than encryption: 65% did not involve data encryption, up from 49% in the first half of the year. By the end of 2025, only 13% of attacks relied on encryption alone. Data theft — whether alone or combined with encryption — accounted for 87% of ransomware claims, the report said.
Payments, promises and outcomes: suppressed data is not a guarantee
The report drills into what paying actually buys organizations today. It notes a clear difference between paying for a decryption key and paying for data suppression: “Paying for data suppression is something else entirely — a payment for a promise from a criminal that a digital copy has been deleted, with no way to confirm the claim.”
Resilience reported that 30–40% of policyholders who paid to suppress stolen data did not succeed in preventing that data from being leaked, sold, or shared. The report offered comparative figures as well: when payment was made, it claimed 30–40% of stolen data was eventually leaked; when payment was refused the figure rose to 40–50%.
Magnitude of the shift: incidents relying on data theft surged
Insurer Resilience cited earlier reporting from January that identified nearly 1,500 incidents in 2025 which relied on data theft alone, compared to just 28 the previous year. That jump underpins the insurer’s central argument: extortion-only attacks have moved from a niche threat to a dominant modus operandi.
Resilience's pragmatic checklist for reducing exposure
Rather than endorse a single binary choice to pay or not pay, the report focuses on preparation and controls. Resilience recommended concrete changes in posture and practice:
- Shift from recovery to prevention: prioritize data loss prevention technology that intercepts exfiltration before it occurs, and deploy zero trust architectures to limit the blast radius of identity compromise.
- Prepare for the ransom decision: develop a “decision framework” and engage legal counsel, an incident response retainer, and a clear chain of authority for payment decisions.
- Protect insurance policy information: store these documents outside the primary network where possible and monitor for unauthorized access or exfiltration, since policy details can give attackers leverage.
- Test preparedness: run tabletop exercises and breach simulations focused on “extortion-specific decision points,” including the ransom payment question, involving legal counsel, communications, executive leadership and security teams.
- Track the long tail of financial impact: monitor regulatory fines, litigation outcomes, customer churn and reputational recovery to capture the full cost of paying or refusing to pay.
What this means for technologists, insurers and business leaders
- Technologists and security teams — The report directs them to prioritize data loss prevention and zero trust controls to stop exfiltration before lateral movement and extortion can occur; it also urges routine tabletop exercises that include legal and executive stakeholders.
- Insurers and claims handlers — Insurer Resilience's data suggests that underwriting and incident response models should account for the growing likelihood that payments for suppression may not stop leaks, and that payment decisions require valuation and negotiation expertise.
- Business leaders and legal teams — The report counsels establishing a clear decision framework and retainer relationships in advance so that when an extortion demand arrives, leadership is not making a high-stakes payment decision for the first time under pressure.
“Paying a ransom is no longer a straightforward recovery decision,” Jud Dressler, author of the report and director of the Resilience Risk Operation Centre, told Infosecurity, underlining the central conclusion: prevention must precede reaction. “Understanding how attackers operate, how they negotiate, and how they select their targets is what gives organizations a fighting chance of making the right call when it matters.”
The data in the report leaves a pointed operational imperative: stop exfiltration before it happens, codify the ransom-decision process ahead of time, and treat payments to suppress data as a purchase of an unverifiable promise rather than a guaranteed fix. For insurers and insureds alike, the practical work ahead is less about whether to pay and more about reducing the chance of ever facing that question under duress.




