The ransomware playbook that defined cyberattacks for the better part of a decade is being rewritten.
Cybercriminals moved sharply away from encryption-based schemes in 2025, with data theft and extortion overtaking traditional ransomware as the dominant attack model, the annual Cyber Risk Report from Resilience's Risk Operations Center has found.
Data theft-only attacks rose from 49% of extortion claims in the first half of 2025 to 65% in the second half, the report said, drawing on 827 total claims and 43 incurred claims. For the full year, 57.6% of extortion cases involved data theft without encryption, while just 13% used encryption alone.
This shift has rendered backup-based recovery strategies largely ineffective against the primary threat of reputational, regulatory, and legal exposure from stolen data.
The year-over-year trend is stark. Resilience's midyear data, published in September 2025, showed cyber insurance claims in its portfolio dropped 53% in the first half of the year even as the average cost of an individual ransomware attack rose 17%.
In 2024, ransomware had driven 43% of incurred claims, with vendor-related incidents surging to 27% from just 6% a year earlier.
Resilience cautioned that paying ransoms in data theft-only cases provides no assurance of a favorable outcome and may raise the likelihood of repeat attacks.
Perhaps the sharpest reversal was in phishing, which jumped from 21% of incurred losses in 2024 to 50% in 2025, with average severity exceeding $1.6 million per claim.
Resilience pointed to a Harvard University study showing AI-generated phishing campaigns achieved 54% success rates – a 4.5x increase over traditional methods. Companies with phishing awareness training reduced total potential risk by more than $100,000.
Wrongful data collection claim notices more than doubled year over year, fueled by a wave of litigation under the California Information Privacy Act.
Research from Allianz Commercial, published earlier this year, found that data breaches and privacy actions tied to wrongful collection accounted for a record 18% of large claims by value in 2024 – triple the share three years prior.
The legal pressure shows little sign of easing. Law firm Eckert Seamans reported that 1,500 CIPA lawsuits had been filed in the 18 months to August 2025, while WTW's 2026 cyber outlook noted some markets have already begun pulling back coverage for wrongful collection risk.
A California bill intended to narrow CIPA's scope stalled in 2025, leaving businesses exposed to continued litigation.
Cybercriminals are unlikely to reverse course, Resilience warned, projecting that extortion-only attacks will dominate in 2026, deepfakes will reach critical mass for social engineering, and breaches tied to rushed AI adoption will begin to materialize.
The firm urged insurers and businesses alike to shift from recovery to prevention, embrace zero trust architecture, and ensure coverage reflects 2025 severity levels.