{"id":2553,"date":"2025-10-07T15:52:18","date_gmt":"2025-10-07T15:52:18","guid":{"rendered":"https:\/\/www.insuracarelife.com\/blog\/cops-and-robbers-top-5-ransomware-groups-behind-nearly-half-of-all-attacks\/"},"modified":"2025-10-11T11:03:42","modified_gmt":"2025-10-11T11:03:42","slug":"cops-and-robbers-top-5-ransomware-groups-behind-nearly-half-of-all-attacks","status":"publish","type":"post","link":"https:\/\/www.insuracarelife.com\/blog\/cops-and-robbers-top-5-ransomware-groups-behind-nearly-half-of-all-attacks\/","title":{"rendered":"&#8216;Cops and robbers&#8217;: Top 5 ransomware groups behind nearly half of all attacks"},"content":{"rendered":"<div>\n<div>\n<div>\n<p><em>This article was created in partnership with Cowbell.\u00a0\u00a0<\/em><\/p>\n<\/div>\n<div>\n<p>&#8216;Cops and robbers&#8217;: Top 5 ransomware groups behind nearly half of all attacks &#8211; As cyber threats grow in frequency and complexity, businesses are facing mounting pressure to ramp up their defenses. According to Cowbell\u2019s Cyber Roundup: Claims Report 2025, organizations are seeing a continued global rise in cyberattacks, both in volume and sophistication, largely driven by AI-enhanced campaigns.<\/p>\n<\/div>\n<div>\n<p>What\u2019s more, industry-wide data from the 2024 NAIC Cyber Insurance Report revealed there\u2019s been a record 33,561 reported cyber insurance claims of late, indicating a steady increase in claims frequency. Despite this, Cowbell&#8217;s internal claims data paints a nuanced picture: while general incident frequency has risen, ransomware claims have remained stable, consistently comprising 17\u201319% of all Cowbell claims between 2022 and 2024.<\/p>\n<\/div>\n<div>\n<p>Speaking to <em>Insurance Business<\/em>, Trent Cooksley, co-founder and chief operating officer of Cowbell, revealed that in the face of this growing concern acting preventatively rather than curatively is crucial.<\/p>\n<\/div>\n<div>\n<p>\u201cFrequency is increasing across the board,\u201d Cooksley agreed. \u201c[As such], employers should be thinking about the downtime that they could experience if they experience an attack. Longer events, meaning you have business interruption, are some of the bigger things that we&#8217;re seeing come into the market, as well as lawsuits and class actions &#8211; specifically in the US.<\/p>\n<\/div>\n<div>\n<p>\u201cEvery organization, regardless of size, can adopt low or even no-budget protections that can dramatically reduce risk. Multi-Factor Authentication (MFA) &#8211; we talk about that all the time and it\u2019s amazing how people still don&#8217;t leverage it or even worse, using it but not configuring correctly.\u00a0 [It\u2019s all about] employee training \u2013 because, again, phishing is getting more complex to interpret.\u201d<\/p>\n<\/div>\n<h2 role=\"heading\" aria-level=\"2\"><strong>Cyber insurance as a tool of resilience\u00a0\u00a0<\/strong><\/h2>\n<div>\n<p>And the data\u2019s there to back Cooksley up. Cowbell\u2019s report found that that phishing remains the most common method of attack initiation, often serving as the entry point for more severe incidents such as business email compromise (BEC), funds transfer fraud, and ransomware. What\u2019s more, the FBI reported 193,000 complaints related to phishing and spoofing in 2024, making these tactics the most reported cybercrimes in the US.<\/p>\n<\/div>\n<div>\n<p>As Cooksley told <em>IB<\/em>, preparation is essential here. The real measure of success for organizations is having a plan in place before an incident occurs &#8211; so you&#8217;re not just \u201cshooting in the air\u201d and acting reactively.<\/p>\n<\/div>\n<div>\n<p>\u201cHave a response plan. People should know how they&#8217;re going to address those things,\u201d Cooksley stressed. \u201cOur team at Cowbell can help policyholders with all of this.\u201d<\/p>\n<\/div>\n<div>\n<p>And there\u2019s no shortage of organized cybercrime groups out there looking to pry open your data. As per Cowbell\u2019s report, there\u2019s five ransomware groups behind nearly 48% of incidents with known threat actors:<\/p>\n<\/div>\n<div>\n<div>\n<div>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li><span id=\"cke_bm_1172S\" style=\"display: none;\">\u00a0<\/span>Akira (17.4%): Known for double extortion, targeting mid-sized businesses.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li>Play (9.2%): Utilizes stealthy attacks with delayed execution, making detection harder.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li>LockBit (7.7%): Operates as a ransomware-as-a-service (RaaS) platform with global reach.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li>Fog (7.2%): Exploits unpatched VPNs and email systems, indicating opportunistic and technical sophistication.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li>RansomHub (6.2%): Focuses on data exfiltration and public leak threats.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/div>\n<\/div>\n<div>\n<div>\n<p>With that in mind Cooksley, and his team at Cowbell, believes cyber insurance shouldn\u2019t be viewed merely as a post-incident safety net; it&#8217;s also a real-time tool for risk management.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div>\n<div>\n<p>\u201cA lot of small to medium-sized companies still don&#8217;t purchase it,\u201d he told <em>IB<\/em>. \u201c[But] it\u2019s a critical financial and operational safety net when an incident does occur. For us, however, the best carriers aren\u2019t just responding to breaches and paying them \u2013 we want to proactively help policyholders build their resilience.<\/p>\n<\/div>\n<div>\n<p>\u201cAt Cowbell, we do that through complimentary or discounted services such as [cybersecurity awareness] training, dark web monitoring, phishing simulations, pen testing, and having incident response hotlines. That\u2019s the investment in cyber insurance &#8211; just as much as making a payment when something occurs.\u201d<\/p>\n<\/div>\n<h2 role=\"heading\" aria-level=\"2\"><strong>Defenses against supercharged cyber risk\u00a0\u00a0<\/strong><\/h2>\n<div>\n<p>While foundational defenses are critical, Cooksley revealed that more sophisticated protections become essential as companies grow or face elevated risk.<\/p>\n<\/div>\n<div>\n<p>\u201cThe next step after that is more advanced cybersecurity measures,\u201d he said. \u201cSo if you&#8217;re an organization of size, this is when you really need to start thinking about how you\u2019re growing or facing heightened risk and expanding beyond the basics. That includes managed detection and response, endpoint protection, penetration testing so you know where your weak points are. Third-party assessments, vendor and supply chain risk evaluations &#8211; are you exposed to specific vendors where, if they have something, how is that going to impact your business?\u201d<\/p>\n<\/div>\n<div>\n<p>Cowbell\u2019s report certainly agrees, with their researchers highlighting that this fight against cybercrime requires a whole organizational shift. Here, the report points to a four step approach;<\/p>\n<\/div>\n<div>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li>Strengthening incident response capabilities through skilled negotiation and rapid action.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li>Prioritizing cyber hygiene and patch management to defend against increasingly targeted attacks.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li>Enhancing partnerships between businesses and cyber insurers, ensuring support through both prevention and recovery phases.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li>Investing in proactive tools and risk monitoring, such as Cowbell Factors, to reduce exposure and improve claims outcomes.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/div>\n<h2 role=\"heading\" aria-level=\"2\"><strong>SMEs: The overlooked target\u00a0\u00a0<\/strong><\/h2>\n<div>\n<p>All too often, when it comes to organizations investing in cyber insurance, smaller companies tend to have a misplaced sense of security. Because the media tends to only print headlines around global cyberattacks, ransomware heists that cost corporations millions, SMEs think \u2018it will never happen to them\u2019 &#8211; but how wrong they are.<\/p>\n<\/div>\n<div>\n<p>\u201cThey probably have more gaps than they\u2019re aware of,\u201d added Cooksley. \u201cAnd a lot of threat actors, while they would rather go after large fish, aren\u2019t always specifically targeting that. They\u2019re taking a shotgun approach &#8211; think of it as walking down the street and burgling whoever\u2019s door is unlocked.\u201d<\/p>\n<\/div>\n<div>\n<p>It\u2019s this false sense of confidence that\u2019s leaving SMEs ripe for the picking. Data collated by Astra found that small businesses account for 43% of cyberattacks every year, costing SMEs an average of $25,000 each. What\u2019s more, just 14% of SMEs impacted were actually prepared to face such an attack &#8211; and money is just part of the loss.<\/p>\n<\/div>\n<div>\n<p>\u201cIf you&#8217;re small, you may not have the resiliency to continue moving on,\u201d added Cooksley. \u201cCan you continue operating if you&#8217;re hit with ransomware? I would argue that there&#8217;s many who cannot. A lost client for a small business is much more impactful than lost clients in really large organizations \u2013 they can withstand that a little bit more. There\u2019s also an additional expense to actually get to the recovery because you don&#8217;t have the capabilities in-house to do it. [Here], insurance can help bridge the gap providing protection as well as providing the critical resources to recover quickly after an attack.\u201d<\/p>\n<\/div>\n<\/div>\n<h2 role=\"heading\" aria-level=\"2\"><strong>\u2018Cops and robbers\u2019\u00a0<\/strong><\/h2>\n<div>\n<p>As these attack become more advanced so too must the defenses &#8211; cyber insurance must evolve in lockstep. And Cooksley affirmed that it is.<\/p>\n<\/div>\n<div>\n<p>\u201cThis is the age-old cops and robbers,\u201d he told <em>IB<\/em>. \u201cIf the bad guys are going to develop more sophistication, the good guys are going to continue to fight back or even be ahead in a lot of cases. [Here], more organizations are leveraging AI to streamline processes, improve speed and accuracy and offer proactive tools to monitor those threats.\u201d<\/p>\n<\/div>\n<div>\n<p>And for Cooksley, he was quick to emphasize the value of cyber insurers\u2019 ecosystem-wide view.<\/p>\n<\/div>\n<div>\n<p>\u201cWe\u2019re seeing the developments of the threat actors in real time,\u201d he said. \u201cI know about particular things that are happening in the ecosystem that we haven\u2019t had to deal with ourselves yet -but I see that because our partners have. What Cowbell was premised on was continuous monitoring. You have to continually be up to date on the new exposures that are occurring and the new threats that are happening.<\/p>\n<\/div>\n<div>\n<p>\u201cOur platform was built to take in real-time information and not have it be on your standard insurance cycle that is typically always looking into the past. At Cowbell, we\u2019re trying to look into the future.\u201d<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>This article was created in partnership with Cowbell.\u00a0\u00a0 &#8216;Cops and robbers&#8217;: Top 5 ransomware groups behind nearly half of all attacks &#8211; As cyber threats grow in frequency and complexity, businesses are facing mounting pressure to ramp up their defenses. According to Cowbell\u2019s Cyber Roundup: Claims Report 2025, organizations are seeing a continued global rise [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2554,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1534,1577,1580,1579,1578,229],"class_list":["post-2553","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-attacks","tag-cops","tag-groups","tag-ransomware","tag-robbers","tag-top"],"_links":{"self":[{"href":"https:\/\/www.insuracarelife.com\/blog\/wp-json\/wp\/v2\/posts\/2553","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insuracarelife.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insuracarelife.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insuracarelife.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insuracarelife.com\/blog\/wp-json\/wp\/v2\/comments?post=2553"}],"version-history":[{"count":1,"href":"https:\/\/www.insuracarelife.com\/blog\/wp-json\/wp\/v2\/posts\/2553\/revisions"}],"predecessor-version":[{"id":2611,"href":"https:\/\/www.insuracarelife.com\/blog\/wp-json\/wp\/v2\/posts\/2553\/revisions\/2611"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insuracarelife.com\/blog\/wp-json\/wp\/v2\/media\/2554"}],"wp:attachment":[{"href":"https:\/\/www.insuracarelife.com\/blog\/wp-json\/wp\/v2\/media?parent=2553"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insuracarelife.com\/blog\/wp-json\/wp\/v2\/categories?post=2553"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.insuracarelife.com\/blog\/wp-json\/wp\/v2\/tags?post=2553"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}