What brokers must change as cyber extortion goes data-first

Experts say prevention, not recovery, becomes the critical control in 2026

By Gia Snape

Cyber extortion is entering a new and more complex phase, with data theft now overtaking traditional ransomware encryption as the dominant pressure tactic used by attackers.

New claims data and frontline intelligence shared by Resilience show that strong backups alone are no longer enough to blunt the most damaging cyber events. Instead, identity compromise, data access, and reputational fallout are increasingly at the centre of extortion losses.

Speaking during a recent Resilience Risk Briefing, company leaders warned that paying ransoms, particularly in data-theft-only cases, offers “zero assurance” of a favourable outcome and may increase the likelihood of repeat attacks. That shift carries major implications for insureds and their brokers.

“Ransomware” no longer tells the full story

According to Andrew Bayers (pictured on the right), director of threat intelligence at Resilience, the industry’s language has lagged attacker behaviour. Ransomware, he said, refers to malicious software used to achieve a ransom payment, such as encryptors or lockers.

Cyber extortion, by contrast, now encompasses a much broader set of coercive tactics, including data theft and leak threats, harassment and public shaming, denial-of-service attacks, and even attempts at market manipulation or false whistleblower claims.

“Historically, ransomware malware dominated,” Bayers said. “But over the past year, that’s changed.”

Resilience’s 2025 claims data illustrates this shift: only about 13% of cases involved encryption alone. Roughly 57.6% were data-theft-only incidents, while 29.4% combined theft and encryption. By late 2025, nearly two-thirds of extortion cases involved no meaningful encryption at all.

“Data extortion creates stronger leverage. Threat actors know organizations fear reputational harm, regulatory penalties, and lawsuits. Sensitive data equals money,” Bayers said.

“As defenders, this requires a shift from recovery-focused controls to prevention-focused controls, particularly identity and data containment.”

Fragmentation fuels repeat risk for insureds

Law enforcement actions against large ransomware syndicates have reshaped, though not reduced, the extortion threat. According to Resilience’s experts, high-profile groups such as LockBit have lost dominance, but the ecosystem has fragmented, with newer players like Akira quickly filling the gap.

More concerning for insurers is the rise of “access-for-sale” markets. Initial access brokers now sell stolen credentials and footholds into corporate networks for relatively small sums, enabling multiple attackers to target the same victim.

Resilience has observed cases where companies paid extortion demands believing data was deleted, only to see the same data resurface for sale or be used in subsequent attacks. For brokers, this reinforces why claims severity can escalate long after an initial incident appears resolved.

Why paying is increasingly indefensible

The cybersecurity experts are united and unequivocal about ransom payments. Resilience leaders cited recent cases, including the 2024 PowerSchool data breach, where payment did not prevent further extortion attempts.

“Paying signals willingness to pay again,” said Jud Dressler (pictured on the left), head of Resilience’s risk operations centre. “Data or access is often resold, enabling follow-on attacks months later.”

Beyond operational risk, ransom payments can also create legal exposure. Plaintiffs’ attorneys, Dressler said, are increasingly asking why funds were paid to criminals rather than used to support affected customers. “The FBI advises against paying. It fuels the ecosystem and does not provide assurance,” he added.

High-profile refusals to pay, such as those reported by crypto exchange firm Coinbase, have not deterred attackers. Instead, they have accelerated the pivot toward data-centric extortion, where backups offer little protection.

What brokers should be telling cyber clients in 2026

Looking ahead, experts stress that cyber resilience must extend beyond recovery. Priority action steps must include limiting access to sensitive data, detecting and stopping exfiltration, and hardening identity and session security.

Dressler said Resilience has adopted a “defend forward” approach to ransomware modelled on US military cyber doctrine. Rather than focusing solely on recovery after an incident, Resilience’s team aims to disrupt attackers earlier.

This strategy includes proactive disruption of adversary capabilities, intelligence-driven defensive action, rapid cross-client learning to prevent repeat attacks, and deterrence by raising attackers’ costs.

How can insurance brokers adapt this proactivity? One way is to advise clients on controls that truly reduce loss severity; in this case, helping steer a strategic shift in insureds’ defensive posture, from a recovery-focused model (backups) to a prevention-focused model (identity and data containment).

“Threat actors have pivoted away from disruptive encryption, more towards precision, data theft, supply chain amplification and also persistent re-extortion,” Bayers said. “Backups become irrelevant because the leverage is now... reputational, regulatory, rather than operational.”
