Cybercriminals are increasingly abandoning encryption in favor of pure data theft extortion, according to new research from cyber insurer Resilience. The company found that 65% of extortion claims handled in the second half of 2025 did not involve any data encryption, a significant jump from 49% in the first half of the year. By year's end, only 13% of attacks used encryption alone, while data theft accounted for 87% of ransomware-related insurance claims.

The shift reflects a fundamental change in attacker tactics. Traditional ransomware attacks encrypted victim data and offered a decryption key in exchange for payment, creating a verifiable transaction. Modern extortion attacks instead threaten to publish, sell, or share stolen data, forcing victims to pay for an unverifiable promise that criminals will delete their copies. This evolution makes the payment decision far more complex and risky for targeted organizations.

Resilience's data reveals the limited effectiveness of paying extortionists. Among policyholders who paid ransoms to suppress data leaks, 30-40% still saw their information published or shared. Organizations that refused to pay fared only slightly worse, with leak rates of 40-50%. The narrow difference in outcomes, combined with evidence that paying marks organizations for future attacks, strengthens arguments against meeting extortion demands. Jud Dressler, director of the Resilience Risk Operation Centre, emphasized that organizations are "effectively paying for a promise from a criminal, when there is no honor amongst thieves."

The scale of the threat has grown dramatically. A January report documented nearly 1,500 data theft extortion incidents in 2025, compared to just 28 the previous year. This surge has forced organizations and their insurers to reconsider both prevention strategies and incident response plans. The financial impact extends beyond immediate ransom payments to include regulatory fines, litigation costs, customer churn, and long-term reputational damage.

Resilience recommends organizations prioritize prevention over recovery by deploying data loss prevention technology and zero trust architectures to limit exposure from compromised credentials. Companies should establish decision frameworks before incidents occur, including pre-arranged legal counsel and incident response retainers with clear payment authority chains. Additional measures include storing insurance policy documents outside primary networks, conducting tabletop exercises that test extortion scenarios with legal and executive teams, and tracking the full financial impact of both paying and refusing ransom demands to inform future decisions.

Source: https://www.infosecurity-magazine.com/news/extortion-only-attacks-surge/