Ransomware Demands Jump 47%, But Payouts Don't
Cybercriminals are getting bolder, with initial ransom demands surging 47% according to a new report from Coalition. Despite the higher demands, most businesses are refusing to pay. Business email compromise and funds transfer fraud continue to be the most common sources of cyber insurance claims.
The refusal to pay is a growing trend, with the percentage of victims paying ransoms dropping to a record low of 28% in 2025. Despite this, the median ransom payment has surged by 368%, suggesting attackers are successfully targeting larger organizations with more to lose. The financial fallout extends far beyond the ransom itself. The global average cost of a data breach hit $4.44 million in 2025, but for U.S. companies, that figure skyrocketed to a record $10.22 million, driven by regulatory fines and high detection costs. Recovery from an attack takes an average of 241 days.

Attackers are evolving their methods beyond simple encryption. "Double extortion," where cybercriminals exfiltrate sensitive data before encrypting it and threaten to leak it publicly, is now a standard tactic for groups like Cl0p and Akira. Some groups are even forgoing encryption altogether, focusing solely on data theft and extortion. Phishing and compromised credentials remain the primary entry points for these attacks. Threat actors are increasingly using Ransomware-as-a-Service (RaaS) platforms, which lower the technical bar for entry, and are leveraging generative AI to craft more sophisticated and convincing phishing emails.

While ransomware is costly, Business Email Compromise (BEC) is more frequent, accounting for 60% of all cyber insurance claims. These social engineering attacks resulted in over $2.9 billion in reported losses in the U.S. in one year, making it the second-costliest cybercrime.

In response, Big Tech is engineering new defenses. Google now uses AI-driven protection in Google Drive that detects ransomware activity, automatically pauses file syncing to prevent the spread of encryption, and allows users to restore their files to a pre-attack state. The core of modern defense strategy, as implemented in platforms like Google Cloud, is a zero-trust architecture. This model assumes no user or device is inherently trustworthy, requiring continuous verification for access, which limits an attacker's ability to move laterally across a network to find and encrypt sensitive data.