Full Report
Insurance experts have urged organizations to reduce their exposure to extortion-only attacks and better manage the consequences when they occur, after revealing a surge in this category of threats. Insurer Resilience said in a new report that 65% of extortion-related claims it handled in the second half of 2025 did not involve data encryption. That’s…
Analysis Summary
# Industry News: The Rise of Extortion-Only Cyber Attacks
## Summary
A new report from cyber insurer Resilience reveals a seismic shift in the ransomware landscape, where data theft and extortion have largely replaced encryption as the primary lever for profit. As of late 2025, 65% of extortion claims no longer involve the locking of systems, signaling a "silent" threat era that prioritizes data exfiltration over operational disruption.
## Key Details
- **Date:** June 12, 2026 (Report covering H2 2025)
- **Companies Involved:** Resilience (Cyber Insurance Provider)
- **Category:** Market Analysis / Threat Intelligence
## The Story
The traditional "ransomware" model—encrypting files to halt business operations—is in rapid decline. According to data from Resilience, extortion-related claims that did not involve data encryption jumped from 49% in the first half of 2025 to 65% in the second half.
The data indicates that attackers are moving away from the "noisy" method of encryption, which immediately alerts IT teams and triggers disaster recovery protocols. Instead, they are focusing on "extortion-only" attacks: gaining access to a network, stealing sensitive data, and threatening to leak it unless paid. By the end of 2025, a staggering 87% of all ransomware-related insurance claims involved data theft (either alone or paired with encryption), while only 13% relied on encryption alone.
## Business Impact
### For the Companies Involved
- **Resilience:** By publicizing these trends, Resilience positions itself as a data-driven thought leader, potentially allowing them to adjust underwriting premiums and risk assessment models to account for the pivot from "interruption risk" to "reputational/regulatory risk."
### For Competitors
- **Insurance Market:** Other cyber insurers must recalibrate their coverage. Traditional policies focused on "business interruption" from downtime may no longer reflect the primary costs of a breach, which are now shifting toward legal fees, notifications, and brand damage.
- **Cybersecurity Vendors:** Security providers focusing solely on "anti-ransomware" (encryption detection) are becoming less relevant compared to those specializing in Data Loss Prevention (DLP) and zero-trust data access.
### For Customers
- **Enterprises:** Organizations can no longer rely on "good backups" as a total solution for ransomware. If the data is stolen, a backup doesn't stop the extortion demand or the ensuing regulatory fines.
- **Small-to-Medium Businesses (SMBs):** These entities are at high risk as they often lack the sophisticated DLP tools required to track data exfiltration in real-time.
### For the Market
- **The "Extortion Economy":** The shift suggests that the cybercrime market is maturing. Attackers are opting for lower-effort, higher-reward tactics that bypass the technical challenges of maintaining sophisticated encryption software.
## Technical Implications
This trend highlights a move away from **Availability** attacks (locking systems) toward **Confidentiality** attacks. Technically, this necessitates a shift in focus from EDR/XDR (Endpoint/Extended Detection and Response) toward:
- **Data-Centric Security:** Monitoring for large outbound data transfers (exfiltration).
- **Identity Security:** Monitoring for credential theft, as attackers need legitimate access to move and steal data quietly.
## Strategic Analysis
- **Market Positioning:** Resilience is advocating for a shift in "resilience" strategies—moving from "how we reboot" to "how we prevent the exit of data."
- **Competitive Advantage:** Firms that integrate insurance with active risk management will likely outperform those that treat insurance as a passive safety net.
- **Challenges:** It is much harder to prove that stolen data has been "deleted" by an attacker after payment than it is to verify that a decryption key works, making the "to pay or not to pay" decision even more complex.
## Industry Reactions
- **Analyst Opinions:** Analysts suggest this trend is a direct result of improved backup and recovery postures; since victims can now restore systems, attackers have shifted their leverage to the threat of public exposure and regulatory penalties (GDPR/CCPA).
- **Market Response:** There is an increasing demand for "threat hunting" services that look for quiet persistence within a network rather than just waiting for an encryption event.
## Future Outlook
- **Predictions:** We should expect "extortion-only" attacks to become the default standard. We will likely see more "double" and "triple" extortion, where attackers contact not just the company, but also their clients and employees directly.
- **What to watch for:** Watch for changes in SEC or EU regulatory reporting requirements that may force companies to disclose data theft even if no operational downtime occurred.
## For Security Professionals
Practitioners should audit their **egress filtering** and **data classification** policies. If your current ransomware playbook relies heavily on the "recovery from backup" scenario, it is officially outdated. Priority must be shifted toward visibility of data movement and reducing the "blast radius" of privileged accounts.