Ransomware Gangs Shift to Data Theft as Backups Improve

Summary
– Business email compromise (BEC) and funds transfer fraud (FTF) together accounted for 58% of all cyber insurance claims in 2025, with BEC being the single most common claim type at 31%.
– While BEC frequency rose, its average loss fell to $27,000; FTF frequency fell but had a higher average loss, with 71% of FTF events involving social engineering.
– Ransomware accounted for 21% of claims, with average initial demands rising 47% to over $1 million, though 86% of victims declined to pay and professional negotiators reduced payments by 65% on average.
– VPNs were the most frequently targeted technology in ransomware incidents, and organizations with VPNs or remote desktop applications exposed online were three to eight times more likely to experience a cyber incident.
– Effective backup strategies require hardened, isolated, and regularly tested systems, and must be paired with data governance, such as minimizing sensitive data, to mitigate the impact of dual extortion attacks.

A new analysis of cyber insurance claims reveals a significant shift in the financial impact of digital threats, with business email compromise (BEC) and funds transfer fraud now accounting for the majority of incidents. Data from over 100,000 policyholders indicates these two categories combined for 58% of all claims filed in the most recent year. BEC alone represented 31% of claims, with its frequency climbing 15% year-over-year. Interestingly, the average financial loss per BEC event fell by 28% to $27,000, a trend experts link to quicker organizational detection and response efforts.
Funds transfer fraud followed closely, making up 27% of total claims. Its frequency actually decreased by 18%, and the average severity dropped 14% to $141,000. Social engineering tactics were involved in 71% of these fraud cases, where criminals impersonated company executives, trusted vendors, or financial institutions to authorize illegitimate payments. The average loss in these social engineering schemes was $127,000. A more direct method, where fraudulent instructions were sent straight to banks, constituted 20% of FTF events and resulted in a much higher average loss of $218,000. In over half of all funds transfer fraud incidents, business email compromise acted as a precursor, with attackers using access to email systems to intercept transactions or steal banking credentials, leading to an average associated loss of $112,000. Insurers managed to recover $21.8 million in stolen funds across these events, with recovery occurring in nearly one-third of reported cases.
While ransomware accounted for a smaller share of claims at 21%, its financial demands are becoming more brazen. The frequency of ransomware attacks remained steady, but the average initial ransom demand surged by 47% to just over $1.019 million, with some demands reaching as high as $16 million. The average ransom demand now exceeds seven figures, though there is a wide range; opportunistic attacks on smaller businesses often see demands around $9,000, while highly targeted attacks on resource-rich organizations command the highest sums. The Akira variant was the most frequently identified, linked to a quarter of all incidents. Notably, 86% of ransomware victims chose not to pay the ransom. For the 14% that did pay, professional negotiators were able to reduce the initial demand by an average of 65%, bringing the average final payment down to $355,000.
The tactics of ransomware gangs are evolving in response to improved corporate defenses. Dual extortion attacks, which combine system encryption with data theft, now represent 70% of ransomware claims. This shift underscores that while better backup strategies have reduced the cost of recovery from encryption (average ransomware severity dropped 19%), attackers are now leveraging the threat of data exposure to increase pressure. Encryption-only and data-theft-only attacks each accounted for 15% of claims.
This trend places new demands on backup and recovery plans. Experts emphasize that backups must be hardened, immutable, and completely isolated from the main network, protected with multi-factor authentication and strict access controls. Regular, full-scale restoration tests are non-negotiable to ensure critical systems can be rebuilt on clean infrastructure. A comprehensive strategy also requires detailed recovery runbooks that prioritize business-critical systems, and it must be paired with robust data governance. This involves minimizing the retention of sensitive information, segmenting high-value data stores, and encrypting data at rest to mitigate the legal and reputational damage from a theft event. The focus varies by industry: manufacturing firms need frequent backups of operational technology systems, while healthcare and financial services must prioritize data minimization and audit trails.
Attackers continue to exploit common network entry points. Virtual Private Network (VPN) appliances were the most frequently compromised technology in ransomware incidents, involved in 59% of cases where the entry point was confirmed. Remote desktop applications accounted for another 14%. Organizations with VPN login panels exposed to the public internet were three to four times more likely to suffer a cyber incident. The leading attack vector in ransomware cases was the exploitation of software vulnerabilities at 38%, highlighting the risk of unpatched, internet-facing systems, followed by the use of compromised credentials at 27%.
On a broader scale, the global frequency of cyber insurance claims across all event types rose by 3%. However, in a positive development, the global average severity of those claims fell by 19% to $116,000, with nearly two-thirds of closed claims resolved without any out-of-pocket cost to the insured organization. In the realm of privacy liability, a 1967 California law is seeing renewed application, cited in 72% of privacy rights allegations related to modern web-tracking technologies like session replay scripts and embedded chat features.
(Source: HelpNet Security)





