Global rise in ransomware costs casts a shadow over UK government’s proposed ransomware ban

The financial fallout of ransomware attacks is climbing even as the number of cyber insurance claims falls, according to new data from Resilience, one of the world’s leading cyber risk solutions companies. In the first half of 2025, across Resilience’s portfolio, the average cost of an individual ransomware attack rose by 17%, while the volume of incurred claims dropped by more than half (53%), highlighting the persistent and destructive threat of financially motivated cybercrime.

In the UK, the impact of these global trends is already being felt. Recent high-profile ransomware incidents targeting Harrods, Marks & Spencer, and Jaguar Land Rover show how consumer brands and manufacturers alike are in the crosshairs of cybercriminal groups. Attacks linked to groups such as Scattered Spider have been especially damaging, demonstrating how UK retailers and manufacturers are increasingly singled out for sophisticated extortion campaigns.

By translating trends in the threat landscape into concrete financial consequences, Resilience’s data offers a rare glimpse into the threat landscape as well as the cyber defence strategies with the highest potential ROI. Published today, Resilience’s Midyear 2025 Cyber Risk Report leverages data from the company’s Risk Operations Centre (ROC) and insurance claims portfolio to analyse trends in hacking activity and industry responses in the first half of 2025. Additional report findings include:

• Ransomware accounted for almost all (91%) of incurred losses in Resilience’s portfolio in the first six months of 2025.
• Financially motivated social engineering, especially via tailored attacks bolstered by AI-powered phishing content, fuelled a disproportionate share of incurred losses (88%).
• Vendor-driven claims notifications fell 18%; however, vendor-related claims still accounted for 15% of incurred losses estimated so far this year.
• Healthcare, retail, and manufacturing remained the most targeted sectors, with manufacturing facing several ransomware incidents generating claims averaging over $1 million in severity, and healthcare experiencing extortion demands as high as $4 million.
• While 78% of Resilience clients over all time have avoided paying a ransom, threat groups such as Interlock, Chaos, Medusa, Akira, and Nightspire were the primary drivers of attacks on the Resilience portfolio in H1 2025.

“Across the UK and Europe, we are seeing fewer claims but far greater severity. Double extortion, policy harvesting, and crypto-linked fraud are driving higher losses, often during high-stakes events like acquisitions”, says Tom Egglestone, Head of International Claims at Resilience, based in the company’s London office. “The real risk extends beyond internal controls to vendors and financial workflows, which is where defences must now focus. Strengthening those links is critical to reducing the financial fallout we continue to see.”

Cybercriminals are using increasingly sophisticated and profitable extortion tactics, including AI-powered social engineering, double extortion (attacks that demand two separate payments, one for data decryption and another to prevent public data release), and the theft of an organisation’s cyber insurance policy to better benchmark and set higher ransom demands. These new strategies are fuelling a threat landscape where fewer attacks can still cause immense financial damage.

UK businesses are facing the same high-severity tactics seen globally. Attackers have already deployed double-extortion and policy-theft techniques in incidents impacting both retail and automotive firms, showing that no sector is immune. The prominence of Scattered Spider’s recent UK breaches underscores how attackers are exploiting local industries and public sentiment to maximise disruption.

The consequences have extended beyond the companies directly targeted, with supply chains and customer services also disrupted, amplifying the financial and operational impact across the economy. These breaches highlight the stakes of the UK government’s proposed ransomware ban, with critics questioning whether outlawing payments could inadvertently increase the financial fallout for victims.

“Financial incentives are driving cyber criminals to be more clever and creative, and companies are facing larger losses than ever before,” says Vishaal “V8” Hariprasad, Co-Founder and CEO of Resilience. “Cybercrime comes in waves. Attackers exploit a tactic until defenders catch up, then pivot to new weaknesses. Understanding the financial consequences of attacks and the most common points of failure is paramount to stopping that fallout at the root.”

Read the full report here. For more information about Resilience, visit www.cyberresilience.com.

About Resilience

Resilience helps organisations become cyber resilient to material losses by staying ahead of bad actors. Founded by experts from across the highest tiers of the US military and intelligence communities – and built by prominent leaders and innovators from the cybersecurity, technology, and insurance industries – Resilience is the world’s first cyber risk company that offers risk quantification software, cybersecurity experts, and highly rated insurance in integrated solutions purpose-built for large and middle-market organisations.

Resilience is proud to be backed by leading technology investment firms, including General Catalyst, Lightspeed Venture Partners, Intact Ventures, Founders Fund, CRV, and Shield Capital. With headquarters in San Francisco, Resilience is globally dispersed, with teams in New York, Chicago, Los Angeles, Baltimore, Toronto, London, Milan, Madrid, Stockholm, Rotterdam and Dublin. Resilience offers insurance coverage through its licensed and appointed insurance agents and security services through its expert security team. The Resilience Solution is available through all broker partners to clients in the United States, the United Kingdom, Canada, and Europe.

Media Contact: Whitney GlocknerBlack, [email protected]