Ransom Demands Spike 47%, But Payouts Don't
Initial ransom demands in cyber attacks surged 47%, according to a new report from insurer Coalition. Despite the jump, most businesses are refusing to pay, while business email compromise and funds transfer fraud remain the leading sources of cyber claims.
Despite the spike in initial demands, the percentage of companies paying ransoms has hit a record low. In 2025, only 28% of identified victims paid a ransom, a steep decline from previous years, as more organizations invest in robust data backup and recovery strategies. This refusal to pay is partly driven by guidance from law enforcement, like the FBI, which warns that paying does not guarantee data recovery and only encourages further criminal activity. In fact, studies have shown that even after paying, a significant percentage of companies are unable to restore all of their data.
In response to lower payment rates, attackers are shifting tactics to "double extortion," not only encrypting data but also stealing it and threatening to leak it publicly. This method significantly increases pressure on victims and more than doubles the value of losses when data exfiltration is involved compared to incidents without it.
The most financially damaging cybercrime remains Business Email Compromise (BEC), which accounted for nearly $8.5 billion in reported losses between 2022 and 2024. Attackers are increasingly using AI to generate convincing, personalized phishing emails, with some analyses finding 40% of BEC emails are AI-generated.
This evolving threat landscape is forcing cyber insurers to adapt their underwriting. Insurers are now mandating more stringent cybersecurity controls for policyholders, such as multi-factor authentication, endpoint detection, and comprehensive incident response plans before they will issue or renew a policy.
Ransomware remains the primary driver for the severity of cyber insurance claims, making up 60% of the value of large claims in the first half of 2025. In response, some insurers now offer financial incentives, like lower retentions, for clients who report fraudulent funds transfers within 72 hours to improve the chances of recovering the money.