
There has been a remarkable shift in how threat actors execute prolonged attacks on organizations, according to a cyber risk report from Resilience.

In the second half of 2025, more than two-thirds of ransomware attacks leveraged data theft, not encryption, as cybercriminals prioritized long-term leverage over immediate disruption. At the same time, the attacks paint an increasingly common picture of the material consequences of cyber incidents, both in their immediate aftermath and in the shockwaves that follow.

"As cybercriminals shift their tactics, a new reality is setting in," said Vishaal Hariprasad, co-founder and CEO of Resilience.

"The real risk is about more than a security incident's immediate disruption, it's about the long-tail aftershocks that follow," he added. "Claims data gives us the best and most granular insight into the real-world costs of those shockwaves. Understanding the materiality of the full lifecycle of a cyber incident is the only way to meaningfully arm ourselves against advanced new tactics and grow more resilient to inevitable threats."

Other key takeaways…

  • In 2025, extortion demands to suppress stolen data comprised less than half (49%) of all extortion claims in the first half of the year, then grew to nearly two-thirds (65%) in the second half. Across the entire year, data theft-only attacks accounted for more than half (57%) of all attacks, as hackers look to bypass organizations' increasingly strong backup practices.
  • In 2025, infostealers harvested more than 2 billion credentials and were frequently observed in victim organizations' environments before ransomware attacks occurred. Infostealer activity should therefore be treated as a critical early warning signal requiring immediate action to prevent credential harvesting and follow-on attacks.
  • In 2025, threat groups like Interlock continued to find victim organizations' cyber insurance policies among stolen data to better calibrate their ransom demands—maximizing payouts while staying below coverage limits.
  • In 2025, vendor risk was the second-highest loss category across Resilience's portfolio, representing nearly one-fifth (18%) of total losses. Threat actors are successfully leveraging password reset attacks and are increasingly infiltrating open-source code repositories that serve as the foundation for enterprise applications; this opens the door to an industry-wide cascade of short- and long-term disruption following the compromise of a critical vendor.
