Cyber Insurance Claims Report: 86% Of Ransomware Victims Eighty-Six The Idea Of Paying

by

Estimated reading time: 7 minutes

In the old Popeye cartoons, Wimpy liked to say, “I’ll gladly pay you Tuesday for a hamburger today.” When it comes to ransomware payment, companies seem to be stealing Wimpy’s line and saying, “I’ll gladly pay you Tuesday for your ransomware today.” And just like the cartoon, Tuesday, or “pay day,” never comes. Coalition’s new report on cyber insurance claims shows that 86% of ransomware victims refused to pay attackers in 2025, even as ransom demands soared.

“The data suggests a turning point in the economics of ransomware: while threat actors escalate their demands to push for higher, seven-figure payouts, cyber insurer support is helping businesses limit losses and is starting to help tip the scales back in favor of defenders,” said Rob Jones, Coalition’s Global Head of Claims. Business email compromise (BEC) on the other hand…

The finding appears in Coalition’s 2026 Cyber Claims Report, based on data from more than 100,000 policyholders across North America, Europe, and Australia.

Ransomware demands jumped 47% in a year, now averaging over $1 million. But more companies just walked away. That shift points to tougher backups, faster response, and insurance that actually shows up.

Editorial cartoon of a Wimpy-style character in a cybersecurity operations center refusing a ransomware payment demand on computer screens, referencing the Coalition cyber insurance report showing 86% of businesses refused ransomware payments in 2025.

Ransom Demands Rise, But Most Businesses Walk Away

Ransomware remained the most expensive type of cyber event, though it accounted for fewer claims than email-based fraud.

Coalition reported an average ransomware loss of about $262,000 in 2025, down 19% from the previous year.

The falling loss amount reflects a growing willingness to refuse ransomware payment. Only 14% of ransomware victims paid attackers last year.

The report clearly describes the economic shift. “Ransomware demands have jumped significantly in the past year,” the report states, “but the ransomware economy is under pressure.”

Even when companies paid, they haggled. Responders slashed demands by 65% on average, dropping payments from $873,000 to $355,000.

Attackers still pushed for higher demands. Some ransomware gangs demanded as much as $16 million per incident.

Dual Extortion Drives Higher Costs

Ransomware attacks now often combine two tactics. Attackers encrypt systems while also stealing data.

This approach, called dual extortion, accounted for 70% of ransomware claims in 2025.

Dual extortion drives costs sharply higher. Businesses experience operational downtime due to encrypted systems. They also face legal exposure from stolen data.

See also  More Government Control and Less Reliance on Cyber Insurance: Predictions on Forthcoming National Cyber Strategy

The report found average losses of nearly $299,000 for dual extortion incidents. Encryption-only attacks averaged about $138,000.

Coalition company logo image Ransomware payment, business email compromise, their new cyber insurance claims report gets into it all.

Email-Based Fraud Still Dominates Cyber Insurance Claims

Despite headlines about ransomware, email-enabled scams accounted for the largest share of cyber insurance claims.

Business email compromise (BEC) and funds transfer fraud together accounted for 58% of incidents observed by Coalition.

“Understandably, ransomware generates headlines, and while we’re encouraged to see more organizations willing to walk away from extortion demands, our claims data shows that old-fashioned email-based crime hasn’t gone anywhere,” said Jones.

BEC alone accounted for 31% of claims, making it the most common attack type.

These attacks rely on social engineering rather than malware. Criminals impersonate executives, vendors, or banks. They convince employees to send money or share sensitive information.

BEC claims frequency increased 15% year over year, though average losses dropped to $27,000.

Funds transfer fraud produced larger financial damage. These attacks averaged $141,000 per incident, even as claim frequency declined.

More than half of all funds transfer fraud cases began with a compromised email account. That link highlights the continued importance of securing business email systems.

Check Out Our Latest Podcast

Data Governance: Cut Cyber Breach Blast Radius + Cyber Insurance Risk

Faster Response Limits Financial Losses

Cyber insurers increasingly help recover stolen funds or reduce incident costs.

Coalition reported $21.8 million recovered for policyholders in 2025, with average recoveries of about $202,000 per incident.

Speed matters. Rapid reporting enables insurers and banks to freeze transactions before funds are transferred out of international accounts.

Across all claims, 64% closed with no out-of-pocket loss for the policyholder.

The report attributes that outcome to a model called “Active Insurance.” The approach combines security monitoring, incident response, and insurance coverage.

Cyber Incidents Happen More Often, But Cost Less

Overall, cyber incidents rose slightly in 2025.

Claims frequency increased 3% year over year, reflecting persistent attack activity.

However, average claim severity fell 19%, dropping to about $116,000 per claim.

The trend suggests organizations have improved their defensive posture. Businesses detect intrusions earlier. They restore systems faster.

See also  Got an Opinion on Whether the Feds Should Take a Major Role in Cyber Insurance? You've Still Got Time to Weigh In with the Government

The report notes that attackers are still knocking on doors more often. Companies simply limit the damage once breaches occur.

Get The Cyber Insurance News Upload Delivered
Subscribe to our newsletter!

Large Companies Face The Most Claims

Company size plays a major role in cyber risk.

Organizations with more than $100 million in revenue experienced the highest claims frequency, nearly 5 times that of small businesses.

Large enterprises present a larger attack surface. They also operate more internet-exposed infrastructure.

Yet those organizations also contain incidents faster. Their average claim severity declined to $268,000.

Smaller firms experienced fewer incidents but often lacked the extensive security resources of larger firms.

Security Tools Alone Do Not Solve The Problem

The report warns of a “Cyber Protection Paradox.” Businesses spend record sums on security technology. Yet cyber incidents continue to rise.

Security leaders often struggle with complex toolsets. The report cites widespread alert fatigue and visibility gaps.

The coalition argues that a coordinated response, risk monitoring, and cyber insurance can stabilize losses.

The Ransomware Economy Faces Pushback

The refusal to pay ransomware marks a turning point.

Criminal groups rely on steady payments to sustain operations. Falling payment rates challenge that model.

Negotiations, backups, and incident response tools shift the balance of leverage toward defenders.

As the report concludes, stronger coordination between cybersecurity and insurance helps organizations recover faster and reduce losses.

FAQ Coalition Cyber Insurance Claims Report

What are cyber insurance claims?

Cyber insurance claims are requests businesses submit to insurers after a cyber incident. These incidents include ransomware attacks, business email compromise, funds transfer fraud, data breaches, or system failures.

Why did ransomware demands increase in 2025?

Ransomware groups raised demands because attacks grew more targeted and sophisticated. Some criminals now tailor ransom amounts based on a victim’s financial capacity and operational dependence on data.

Why are most companies refusing ransomware payment demands?

Many organizations now rely on stronger backups, better incident response plans, and cyber insurance support. These improvements allow them to restore systems without paying attackers.

What is business email compromise (BEC)?

Business email compromise occurs when attackers gain access to or impersonate a company email account. They use that access to trick employees into sending money or sharing sensitive data.

What is funds transfer fraud (FTF)?

Funds transfer fraud happens when attackers manipulate victims into sending money to fraudulent accounts. These attacks often involve impersonating vendors, executives, or banks.

What is dual extortion ransomware?

Dual extortion ransomware combines two tactics. Attackers encrypt systems and steal data at the same time. They threaten to leak the stolen data if the victim refuses to pay.

How does cyber insurance help during a ransomware attack?

Cyber insurers often provide incident response services, legal guidance, and forensic investigations. They may also assist with ransom negotiations, system recovery, and financial losses tied to the attack.

Which businesses experience cyber insurance claims most often?

Larger companies typically face cyber incidents more frequently because they have larger digital footprints and more internet-exposed systems. However, small and mid-size businesses also face significant risk.

What can businesses do to reduce cyber insurance claims?

Organizations can reduce risk by enforcing multi-factor authentication, maintaining secure backups, patching vulnerabilities quickly, training employees to spot phishing, and implementing strong incident response plans.

Martin Hinton

Martin Hinton is the Executive Editor and Publisher of Cyber Insurance News and Information. With over three decades of journalism experience across six continents, his work encompasses investigative reporting, documentaries, and coverage of cultural, political, and business news. To learn more about his career, click on his name to visit his LinkedIn page.

Leave a Comment

×