Ransomware remains the primary digital threat to business. Phishing, often the initial point of failure, further expands into voice-triggered transfer fraud.
An analysis of risk based on cyberinsurance claims history provides an accurate overview of the true risk of cybercrime. It doesn’t provide a full global picture of risk since it can only be drawn from known cyberinsurance claims. Resilience is a cyberinsurance provider with a deep knowledge of cybersecurity.
There are three major takeaways from the 2025 Midyear Cyber Risk Report produced by Resilience: vendor-related risk is down but still significant; ransomware remains the main threat; and phishing has leapt to clear prominence as the most common point of failure (aided in scale and sophistication by AI).
The report notes a reduction in vendor-related risk (down from 22% of incurred losses in 2024 to 15% in H1 2025), but stresses that the downstream loss to affected companies remains high. “While incidents dropped in frequency, clients who experienced business interruption from a vendor-related incident had significant losses that rivaled losses from companies directly affected by ransomware.” This is an unseen risk that can only be addressed by continuously monitoring the vendors’ security posture.
Ransomware attacks in H1 increased dramatically — a 73% increase in Q1 2025 — but this may have been caused as much by turbulence in the ransomware threat actor market as by the evolution of ransomware and the assistance of AI.
The ransomware threat is resilient. It adapts quickly to threats against its own profitability. This is seen in the rapid evolution to, and use of, triple extortion as victims fought back to avoid loss. Improved backup and recovery led to a greater disinclination to pay classic encryption-based ransoms – so, the criminals added data exfiltration with a threat to disclose sensitive information if the ransom is unpaid (double extortion).
Double extortion doesn’t work if companies encrypt their data (which they should, and hopefully increasingly do); so, the criminals are evolving into triple extortion — often the threat of a DDoS attack to maintain disruption and cost on the victim. Triple extortion maximizes the threat to operational continuity, compliance, and brand reputation.
More subtle persuasion comes from criminals linking their monetary demand to the victim’s cyberinsurance policies, keeping the amount to just below the amount that can be claimed. The implication is that all the disruption and cost can be avoided if the victim simply pays up and gets reimbursed through insurance.
The report advises: don’t panic, and don’t be afraid to negotiate. In February 2025, a high-end real estate firm discovered it had been compromised by Chaos ransomware. The company was able to continue operating but faced a serious threat if the exfiltrated data was exposed. This included financial statements, social security numbers and the PII of wealthy residents. The demand was a payment of $4 million.
Resilience negotiated with Chaos. “Calculated delays, strategic radio silence, and psychological pressure tactics to wear down the attackers’ patience” were employed. It worked, and brought the demand initially down to $2 million, and ultimately down to a “final settlement at approximately $615,000”.
Threat groups Interlock, Chaos, Medusa, Akira, and Nightspire (which only emerged in 2025) were the primary drivers of attacks on the Resilience portfolio in H1 2025.
The cost of ransomware claims has increased by 17% over last year. This is thought to be evidence that the gangs are becoming more adept at who they target, and Scattered Spider is used as an example. “The infamous Scattered Spider threat group, for instance, recently targeted retail, aviation, and insurance companies; we expect to see similar behavior of intense, focused campaigns going forward.”
But apart from the size and resourcefulness of the ransomware market, Resilience believes the surge in attacks in Q1 2025 may partly be a side-effect of law enforcement activity. There were rumors the RansomHub group had been targeted. These are unconfirmed, but the group is currently offline. True or not, Scattered Spider abandoned RansomHub for the DragonForce platform. However, Resilience comments on increased “attacks as ransomware affiliates rushed to cash in on planned campaigns before they were detected.”
The report also notes the increased activity of Scattered Spider in 2025. “This surge in activity comes after a quieter period following the arrest of five members in November 2024, suggesting the group’s resilience and ability to continue operations despite law enforcement actions.” The group is thought to comprise young UK- and US-based operatives.
During Q1 2025, phishing surged to become the primary initial point of failure for financial loss.
This is almost certainly driven by the massive boost in scale and sophistication of social engineering provided by AI. CrowdStrike has reported that AI-generated phishing campaigns achieve a 54% success rate compared to just 12% for traditional attacks. But it isn’t just email phishing that has benefited. “Cybercriminals are increasingly diversifying their attack vectors with AI-driven voice synthesis technology enabling more convincing social engineering tactics.”
The report notes that social engineering accounts for 42% of incurred claims and 88% of incurred losses in the first half of 2025. Email, voice BEC attacks, ClickFix / FileFix and SIM swapping are all subsets of phishing and social engineering – and all have been supercharged by AI.
Synthetic voice is also being used to increase the success rate of SIM swapping. This is dangerous since a successful attack provides access to the victim’s browser. It can bypass MFA controls and endpoint detection, and actor activity does not automatically get flagged by anomaly detection systems.
The most obvious target for phishing is credential harvesting. Amply supported by the growth in number and sophistication of infostealers, Resilience reports that 1.8 billion credentials were compromised in the first half of 2025: “an 800% increase since January—including over 1 billion corporate and personal email accounts.”
The Resilience report is based on internal cyberinsurance claims and external threat intelligence. This results in genuine knowledge of the effect of cyber incidents that can subsequently be related to threat intelligence to discover trends.
Overall, Resilience sees a bad actor community working smarter (with the assistance of AI) rather than harder. For example, commenting on the cost of a ransomware claim increasing by 17%, Resilience suggests, “It’s a sign that threat actors are becoming more systematic in how they target and exploit organizations.”
The firm makes several recommendations based on its analysis. For ransomware, it suggests (beyond normal defense in depth) that regularly validated, robust backups be employed against simple ransomware; that refusal to pay for data suppression in double extortion attacks be the default (there’s no guarantee the data will ever be fully suppressed – instead concentrate on encrypting sensitive data throughout); and that cyber insurance policies be treated as critical documents that should be fully protected lest attackers use them against you.
For phishing, it suggests greater investment in more sophisticated awareness training to detect AI-based social engineering; and the implementation of AI-driven defenses to detect AI-generated phishing attacks in progress.

