CyberSecurity SEE

Increase in Extortion-Only Attacks as Data Theft Dominates Ransomware Trends

Growing Concerns Over Extortion-Only Cyber Attacks Prompt New Strategies for Organizations

In response to a notable increase in extortion-only cyber attacks, insurance experts are advising organizations to mitigate their vulnerability and manage the fallout of such incidents effectively. A recent report from insurer Resilience has shed light on this alarming trend, indicating that the landscape of cyber extortion is shifting significantly.

The report reveals a striking statistic: during the second half of 2025, 65% of extortion-related claims processed did not involve any form of data encryption. This marks a considerable rise from the 49% reported in the first half of the year. By the end of 2025, it is projected that merely 13% of extortion instances will rely solely on encryption methods, while a staggering 87% will involve data theft—either on its own or coupled with encryption tactics. This shift underscores the evolving strategies employed by cybercriminals, who appear to favor data theft as a means for extortion.

Moreover, the report highlighted a significant failure among policyholders who opted to pay ransoms to prevent the release of sensitive data. It found that 30-40% of these individuals or organizations did not achieve their objective of suppressing the leaked data, raising questions about the effectiveness of such payments. The report articulates a critical distinction: while paying a ransom for a decryption key yields a clear outcome—either the key functions or it does not—funds paid for data suppression hinge on unverifiable promises made by criminals. In a world where “there is no honor amongst thieves,” such guarantees are rarely trustworthy.

The emphasis on these findings has intensified discussions about the implications of ransom payments, particularly since such actions may inadvertently signal to cybercriminals that an organization is willing to comply, thus marking them as potential future targets. Jud Dressler, the report’s author and director of the Resilience Risk Operation Centre, elaborated on this notion, emphasizing that paying ransoms has transformed into a complex decision rather than a straightforward recovery tactic.

Supporting this viewpoint, Nick Harris, Chief Information Security Officer (CISO) at Assured, a UK-based cyber-insurance provider, confirmed that trends reflected in their claims data are consistent with those identified by Resilience. He noted that as organizations enhance their backup and recovery capabilities, the efficacy of encryption as a means of extortion appears to wane. Instead, data theft has emerged as a more rapid and lower-risk method for cybercriminals to monetize their illicit activities. Harris also highlighted troubling instances where attackers falsely claim to have stolen data as a negotiation tactic, pressuring organizations to make rapid payment decisions without verification.

For organizations grappling with extortion demands stemming from data breaches, seeking assistance from professional negotiators is advised. The Resilience report recommends employing these teams to gain time and ensure that any demanded ransom amount reflects a fair valuation of the stolen data.

Yet, the report presents a sobering reality: even when payments are made, there is still a significant risk. Approximately 30-40% of stolen data is ultimately leaked regardless of payment, and the numbers only increase if payment is declined, with leakage rates estimated at 40-50%.

Strategies for Reducing Exposure to Cyber Extortion

Amid the rising tide of extortion attempts, the Resilience report proposes several strategies to mitigate risk exposure effectively:

  1. Emphasize Prevention Over Recovery: Organizations are urged to invest in data loss prevention technologies designed to intercept data exfiltration before it occurs. Implementing zero trust architectures can also help restrict the potential damage from identity compromises.

  2. Develop a Ransom Decision Framework: Establishing a comprehensive “decision framework” involving legal counsel and an incident response retainer is crucial. A clear chain of authority should guide payment decisions when extortion demands arise.

  3. Secure Insurance Policy Information: Protecting crucial insurance documents is vital. Storing these records outside the primary network when possible and monitoring them for unauthorized access can prevent attackers from leveraging this information for extortion.

  4. Test and Prepare for Extortion Scenarios: Conducting tabletop exercises and breach simulations can help organizations prepare for “extortion-specific decision points.” These drills should involve legal counsel, communications teams, executive leadership, and security personnel to ensure all bases are covered.

  5. Monitor the Extended Financial Impact: Organizations and their insurers should systematically track regulatory fines, litigation outcomes, customer retention, and reputational recovery. This holistic analysis provides a clearer picture of the genuine costs associated with both paying and refusing to pay ransoms.

Dressler concludes with a powerful message: understanding the strategies employed by attackers is essential for organizations to make informed decisions when under pressure. He stresses the importance of prioritizing prevention and retaining key advisors well in advance of any incident. By stress-testing ransom decisions through realistic simulations, organizations can ensure they are not confronting life-altering choices for the first time when tensions are high.
