Do You Need Ransomware Insurance Right Now?

by

Estimated reading time: 7 minutes

This question feels critical after reading BlackFog’s 2025 annual ransomware report. The findings show attacks are happening faster, reaching more places, and affecting more victims quietly. There’s also a clear move toward data theft and extortion. If you run a business, ask yourself two things: Do I need ransomware insurance? If I have it, is it the right type and amount?

Foreword Signals A New Ransomware Playbook

BlackFog explains that ransomware is now a “data-driven, AI enabled threat” and no longer relies only on causing disruption. Attackers go after sensitive data to force extortion. They use automation to act quickly and avoid older security measures. The report also warns about Shadow AI, noting that many teams can’t see or control how employees use AI.

This lack of oversight opens new ways for data to leak. BlackFog sums up the risk: many threats “converge on a single risk: loss of control over data.” The report also makes it clear: “Detection and recovery remain important, but they are no longer enough.” Preventing data from being stolen is now the main goal.

Ransomware attack locked laptop screen with warning icons and padlock, showing a cyber extortion incident and ransomware insurance risk. The need for cyber liability insurance is a topic to consider.

BlackFog has tracked reported attacks since 2020 on its State of Ransomware blog. In 2023, it started including attacks found on leak sites, not just those made public. This matters because the dark web often reveals the real situation first. The report offers “actionable recommendations” and global trend benchmarks. It also highlights how AI is driving the changes in 2025’s threats.

This helps with discussions about cyber liability insurance, since insurers need data to set prices. The report aims to measure what most companies keep private.

Disclosed Attacks Hit A Record High

BlackFog counted 1,174 publicly reported ransomware incidents in 2025, a 49% increase from the previous year. The number of attacks in 2025 was almost four times higher than in 2020. In seven months, there were more than 100 reported attacks, with March reaching 117. Even December had 80, which would have been considered high in 2024. Healthcare was the top target, making up 22% of attacks.

Services saw a 118% jump, while education dropped by about 12%. The report also points out that many different groups are involved—102 were linked to attacks, but 31% of incidents couldn’t be traced to any group. This makes it harder to respond to incidents and affects how cyber insurance policies handle attribution.

See also  Cyber Insurance in Denmark and Sweden: Coalition and Allianz Launch Active Coverage in 2025
Undisclosed Attacks Dominate The Real Risk Picture

One of the report’s most striking numbers is hidden from public view. BlackFog found 7,079 victims listed on leak sites in 2025, a 37% rise from 2024. About 86% of attacks are never made public. For every 100 attacks that stay hidden, only about 17 are reported. The size of the affected companies also varies. Publicly reported victims had an average of 10,757 employees, while unreported ones averaged 2,782.

Watch Our Podcast On Ransomware And How The Negotiations Unfold

This is important for cyber liability insurance buyers, especially mid-sized firms that may think they’re not targets. The data shows otherwise. Manufacturing was the top target for hidden attacks at 23%, followed by services with 1,359 incidents, and construction, which entered the top three with 675 attacks. For leak posts that included data size, the average stolen data was 1.423 TB. The average ransom demand in reported cases was over $1 million, with one case reaching $91 million.

Ransomware Power Players Multiply And Rotate

BlackFog identified 130 different ransomware groups active in 2025, including 52 new ones that appeared during the year. These new groups were behind 17% of hidden attacks. The report highlights some unusual tactics, like one group threatening to use stolen art to train AI models, and another making ransom demands from $6,000 up to $91 million.

Qilin was the most active group, with 1,115 victims, followed by Akira with 776 attacks. Play ranked third for reported attacks, and INC was second feor hidden ones. This constant change means companies need defenses that can handle many different attack methods.

Enterprise Platforms Become Extortion Enablers

BlackFog dedicates a section to how attackers exploit trust in enterprise systems. It looks at ERP, SaaS, and AI platforms that can make data theft easier. For example, a vulnerability in Oracle E-Business Suite (CVE-2025-61882) was used by groups like Clop to run code remotely. The report describes how these attacks affected different industries and led to high-level extortion.

Teams had to handle forensics, breach reporting, and coordination between divisions. BlackFog also details attacks involving Salesforce, where criminals used compromised integrations, OAuth abuse, and social engineering. The report names several brands as victims. The main point for risk leaders: trusted connections in SaaS platforms can become major security risks.

See also  Cyberwrite and Howden Expand Cyber Risk Analytics Partnership Globally
Attackers Follow The Data, Not The Sector

BlackFog says ransomware risk follows the value of data, not the type of company. Publicly reported attacks mostly targeted healthcare, services, and government, making up 48% of cases. Hidden attacks focused on manufacturing, services, and construction.

The report also notes big increases in arts and entertainment (up 175%) and finance (up 144%). It reports serious impacts on critical infrastructure, like a water authority being disrupted and an energy-sector data theft affecting about 280,000 people.

Three Attacks Show The Cost Curve

BlackFog points to three major incidents. Covenant Health had a breach linked to Qilin, causing disruption and exposing patient data. The report says 478,188 patients were affected, and attackers claimed to have stolen 850 GB of data. Marks & Spencer experienced major retail disruption, with online sales dropping 40% during outages and a possible profit loss of up to £300 million.

The company received £100 million in insurance for about £101.6 million in cyber costs in theading  first half of the year. Jaguar Land Rover faced data extortion, service outages, and supply chain problems, with effects radiating across the economy. These examples are important for anyone considering ransomware insurance, as they show both direct and indirect costs.

Ransomware Without Borders Becomes A Baseline

BlackFog recorded attacks in 135 countries in 2025, covering 69% of all nations. The U.S. had the most reported incidents, making up 58% of cases. Australia had 110 attacks, and the U.K. had 42. For hidden attacks, the U.S. was also first with 3,768 incidents, followed by Canada at 6% and Germany at 4%.

The report also describes a focused Qilin campaign in South Korea and gives examples of national service disruptions in France, Tonga, and Curaçao. The message is clear: no country or sector is safe from these threats.

Get The Cyber Insurance News Upload Delivered
Subscribe to our newsletter!

Data Exfiltration Drives Leverage And Insurance Claims

According to the report, 96% of reported ransomware attacks involved data being stolen, the highest rate so far. This changes how cyber insurance policy claims are handled, making breach response, notifications, and regulatory costs standard. BlackFog also references IBM’s 2025 data, showing the average global breach cost was $4.44 million, and $10.22 million in the U.S. About 32% of breaches led to fines, and those involving AI sometimes cost $200,000 more. These numbers make a strong case for ransomware insurance and push policyholders to show they have solid security controls.

See also  Cybersecurity Threats: Malicious AI - Cyber Insurance Reshaping Business Risk in 2024 - Chubb
AI And Shadow AI Push Ransomware Into A Faster Era

BlackFog says that in 2025, AI became central to cybercrime. Attackers used AI for better phishing, faster information gathering, and more advanced attack methods. The report mentions PromptLock, an experimental AI-powered ransomware. It also warns about Shadow AI, noting that 49% of employees use unauthorized AI tools at work, and 71% think the productivity benefits are worth the privacy risks.

The report warns that unmanaged AI creates hidden risks and calls Shadow AI a “significant risk multiplier.” It recommends focusing on prevention and having real-time control over data leaving your systems, whether on devices, in the cloud, or through AI tools.

What This Means For Ransomware Insurance Buyers

The report’s numbers support one clear step: treat data theft as the main cause of loss. Make sure your cyber insurance policy is consistent with the real costs of breach response, not just recovering from encryption. Check your policy’s limits for incident response, legal help, notifications, and regulatory defense.

Review the terms for business interruption and waiting periods. Confirm you have access to response teams and know the timelines. Make sure your policy covers data extortion. Ask your insurer about their requirements for Shadow AI controls and what proof they need when you renew.

Martin Hinton

Martin Hinton is the Executive Editor and Publisher of Cyber Insurance News and Information. With over three decades of journalism experience across six continents, his work encompasses investigative reporting, documentaries, and coverage of cultural, political, and business news. To learn more about his career, click on his name to visit his LinkedIn page.

Leave a Comment

×