Cyberwire Daily

Extortion-Only Attacks Increase, With Data Theft Dominating Ransomware

By Team-CWD | June 12, 2026


Insurance experts have urged organizations to reduce their exposure to extortion-only attacks and better manage the consequences when they occur, after revealing a surge in this category of threats.

Insurer Resilience said in a new report that 65% of extortion-related claims it handled in the second half of 2025 did not involve data encryption. That’s up from 49% in the first half of the year.

By the end of 2025, only 13% of attacks relied on encryption alone, while data theft – on its own or combined with encryption – accounted for 87% of ransomware claims, it noted.

The report also revealed that 30-40% of policyholders that paid to stop stolen data being leaked, sold or shared failed in that goal.

“Paying a ransom for a decryption key is a transaction with a verifiable outcome: either the key works or it does not,” the report noted. “Paying for data suppression is something else entirely – a payment for a promise from a criminal that a digital copy has been deleted, with no way to confirm the claim.”


The findings bolster the case against paying, especially when doing so often marks out an organization for future attacks.

“Paying a ransom is no longer a straightforward recovery decision,” report author and director of the Resilience Risk Operation Centre, Jud Dressler, told Infosecurity.

“In most attacks today there is no encryption and no decryption key, so organizations are effectively paying for a promise from a criminal, when there is no honor amongst thieves.”

Nick Harris, CISO at UK cyber-insurance specialist Assured, told Infosecurity that the firm’s claims data reflects broadly the same trends as Resilience is seeing.

“As organizations improve backup and recovery capabilities, encryption is becoming a less effective means of extortion. Data theft often offers threat actors a faster, lower-risk route to monetization, making it an increasingly attractive tactic,” he said.

“We’ve also seen cases where attackers claim to have stolen data when they have not, simply to pressure organizations into making a quick payment. Any allegation of data theft should therefore be independently verified through forensic investigation.”

If organizations do suffer a data breach resulting in extortion demands, they could seek professional help from negotiators. The Resilience report said that these teams can help to buy time, and ensure any extortion sum is anchored to a valuation of the data stolen, among other things.

That said, the report also claimed that 30-40% of stolen data is eventually leaked, even if payment is made. By contrast, if it is refused, the figure is 40-50%.

Reducing Risk Exposure

A report from January claimed that there were almost 1500 incidents in 2025 that relied on data theft alone for extortion attacks, versus just 28 the year before.

Amid this surge in extortion attempts, Resilience recommended the following ways for organizations to reduce risk exposure:

  • Shift from recovery to prevention: Prioritize data loss prevention technology that intercepts exfiltration before it occurs, and deploy zero trust architectures to limit the blast radius of identity compromise
  • Prepare for the ransom decision: Develop a “decision framework” and engage legal counsel, an incident response retainer, and a clear chain of authority for payment decisions
  • Protect insurance policy information: Store these documents outside the primary network where possible and monitor for unauthorized access or exfiltration, as the information contained within can give attackers leverage
  • Test preparedness: Use tabletop exercises and breach simulations to test “extortion-specific decision points” including the ransom payment question. These exercises should involve legal counsel, communications, and executive leadership alongside security teams
  • Track the long tail of financial impact: Organizations and their insurers should track regulatory fines, litigation outcomes, customer churn, and reputational recovery to build a more complete picture of the true cost of paying and refusing to pay

“Understanding how attackers operate, how they negotiate, and how they select their targets is what gives organizations a fighting chance of making the right call when it matters,” Dressler concluded.

“The practical implication is that prevention has to come first: stop exfiltration before it happens, retain legal counsel and incident response specialists before an incident occurs. And stress-test the ransom decision in a tabletop exercise so that leadership isn’t facing that question for the first time under pressure.”


