New cyber insurance claims data from cyber risk company Resilience reveals a dramatic evolution in the economics of cybercrime. An analysis of claims across Resilience’s client portfolio in 2025 showcases a remarkable shift in how threat actors execute prolonged attacks on organizations, while painting an increasingly common picture of the material consequences of cyber incidents, both in their immediate aftermath and in the shockwaves that follow.
Based on claims data and research from Resilience’s Risk Operations Center (ROC), Resilience’s 2025 Cyber Risk Report details a particularly complex challenge for organizations and provides a unique look into how they can best mitigate material loss.
In 2025, extortion demands aimed solely at suppressing stolen data made up less than half, or 49%, of all extortion claims in the first half of the year, but climbed to nearly two-thirds, or 65%, in the second half. Over the full year, data theft–only attacks accounted for 57% of incidents, reflecting a shift by attackers seeking to bypass increasingly resilient backup strategies.
Infostealer malware harvested more than 2 billion credentials and was frequently detected in victim environments before ransomware was deployed. This pattern indicates that infostealer activity should be treated as a critical early warning signal, requiring swift action to prevent credential abuse and subsequent attacks.
Threat groups such as Interlock were observed searching stolen data for cyber insurance policies, enabling them to fine-tune ransom demands to maximize payouts while staying within coverage limits. Vendor risk also emerged as the second-highest loss category across Resilience’s portfolio, accounting for 18% of total losses. Attackers increasingly exploited password reset mechanisms and infiltrated open-source code repositories that underpin enterprise software, raising the risk of cascading disruption if a key vendor is compromised.
Taken together, the data points to a concerning new reality for organizations. Cyberattacks are more calculated, strategic, and well-planned; resulting losses can extend well beyond the moment they happen and accumulate over months and even years.
“Cyber risk is constantly changing. As cybercriminals shift their tactics, a new reality is setting in: the real risk is about more than a security incident’s immediate disruption, it’s about the long-tail aftershocks that follow,” said Vishaal Hariprasad, co-founder and CEO of Resilience. “Claims data gives us the best and most granular insight into the real-world costs of those shockwaves. Understanding the materiality of the full lifecycle of a cyber incident is the only way to meaningfully arm ourselves against advanced new tactics and grow more resilient to inevitable threats.”
Resilience’s report recommends that organizations work to meaningfully mitigate material losses by prioritizing investments in data loss prevention systems and zero-trust architecture, credential monitoring, vendor incident contingency plans, tabletop exercises, and comprehensive insurance coverage that reflects 2025’s severity levels rather than mere historical averages.
“Looking at the increasing professionalization of the threat landscape, it can be tempting to assume that there’s no recourse. But our latest findings give us incredibly useful insight into the incentives behind the incidents—and how we can best fight back,” said Judson Dressler, head of Resilience’s Risk Operations Center (ROC). “For instance, to mitigate infostealer activity, our ROC team proactively hunts for stolen credentials on the dark web or new exploits or vulnerabilities that affect their environment and alerts our clients to these critical findings. That’s one example of what it looks like in practice to adjust to the reality that we’re facing an ‘everything, everywhere, all at once’ model of cyber risk.”
