Ransomware Attacks Surge 45% as Payment Trends Shift, Cyber Insurer Reports
Cyber insurance provider Cowbell revealed a 45% increase in ransomware attacks over the past year, even as average ransom payments dropped by 44% between 2022 and 2025. The decline in payouts is attributed to stronger negotiation tactics, improved incident response plans, and robust backups among insured organizations, reducing reliance on decryption keys.
According to Stephanie Hewerdine, Cowbell’s Director of Claims, threat actors are now conducting cost-benefit analyses before demanding ransoms. If compromised data lacks sensitive or personally identifiable information, insurers may advise against payment. However, extortion tactics are evolving, with attackers shifting from encryption-based schemes to data-only extortion: stealing data and threatening to leak it without locking systems. This lowers the barrier to entry, enabling smaller, less sophisticated groups to launch attacks.
Double extortion remains a growing concern, where hackers demand payment for both data decryption and non-release of stolen information. Hewerdine noted that newer, smaller threat groups often fail to honor agreements, either by decrypting incompletely or by demanding additional payments, a departure from the past "honor among thieves" approach.
Cowbell’s claims data identified seven dominant threat actor groups, with Akira (38.8%) and Qilin (14.2%) accounting for over half of reported incidents. Industries most targeted include professional services, construction, manufacturing, healthcare, and wholesale trade, due to their reliance on critical systems and sensitive data.
Looking ahead, Hewerdine warned of AI-driven automation in attacks and the continued rise of smaller threat groups, some operating as affiliates of larger organizations. Law enforcement crackdowns on major cybercrime syndicates have led to splintering, with former members forming new, decentralized operations. The report underscores the growing commercialization of hacking, where ransom payments fuel further criminal activity.
Source: https://www.insurancejournal.com/news/national/2026/05/08/869023.htm
Cowbell cybersecurity rating report: https://www.rankiteo.com/company/cowbell-cyber
"id": "COW1778221633",
"linkid": "cowbell-cyber",
"type": "Ransomware",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Professional services',
'Construction',
'Manufacturing',
'Healthcare',
'Wholesale trade'],
'type': 'Industry'}],
'data_breach': {'data_encryption': True,
'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Sensitive data',
'Personally identifiable '
'information']},
'description': 'Cyber insurance provider Cowbell revealed a 45% increase in '
'ransomware attacks over the past year, with average ransom '
'payments dropping by 44% between 2022 and 2025. Threat actors '
'are shifting tactics from encryption-based schemes to '
'data-only extortion, and double extortion remains a growing '
'concern. Smaller, less sophisticated groups are increasingly '
'involved, with seven dominant threat actor groups identified, '
'including Akira and Qilin.',
'impact': {'data_compromised': True, 'identity_theft_risk': True},
'lessons_learned': 'Stronger negotiation tactics, improved incident response '
'plans, and robust backups reduce reliance on ransom '
'payments. Threat actors conduct cost-benefit analyses '
'before demanding ransoms, and extortion tactics are '
'evolving toward data-only extortion.',
'motivation': ['Financial gain', 'Data extortion'],
'post_incident_analysis': {'corrective_actions': 'Improve negotiation '
'tactics, strengthen '
'backups, and enhance '
'incident response plans.',
'root_causes': 'Evolving extortion tactics, rise '
'of smaller threat groups, and '
'commercialization of hacking.'},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransom_demanded': True,
'ransom_paid': ['Declined (44% drop in average payments)'],
'ransomware_strain': ['Akira', 'Qilin']},
'recommendations': 'Enhance incident response plans, maintain robust backups, '
'and adopt proactive cybersecurity measures to mitigate '
'ransomware risks. Monitor for AI-driven automation in '
'attacks and the rise of smaller threat groups.',
'references': [{'source': 'Cowbell Cyber Insurance Report'}],
'response': {'incident_response_plan_activated': True,
'recovery_measures': ['Robust backups']},
'threat_actor': ['Akira', 'Qilin', 'Other smaller threat groups'],
'title': 'Ransomware Attacks Surge 45% as Payment Trends Shift, Cyber Insurer '
'Reports',
'type': 'Ransomware'}