Close to half of firms impacted by ransomware chose to pay, survey finds


Nearly half of organisations impacted by ransomware over the previous 12 months paid a ransom to recover access to their data, according to a new survey by Sophos. Its latest ransomware report draws from a vendor-agnostic global survey of 3,400 IT and cybersecurity leaders across 17 countries, covering incidents reported between January and March 2025.

Despite the high payment rate, 53% of those who paid settled for less than the initial demand. In 71% of those cases, the reduced payments resulted from negotiations, conducted either in-house or through third-party services. Sophos noted that while the median ransom demand dropped by one-third between 2024 and 2025, the median ransom payment fell by 50%. These shifts point to organisations becoming more successful at managing and limiting the financial impact of ransomware incidents.

“For many organisations, the chance of being compromised by ransomware actors is just a part of doing business in 2025,” said Sophos’ field CISO director, Chester Wisniewski. “The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress.”

Larger organisations encountered significantly higher ransom demands than their smaller peers

The median ransom payment stood at $1m, but demand levels varied depending on company revenue. For organisations with annual revenue exceeding $1b, the median ransom demand was $5m. By contrast, firms generating $250m or less typically received demands below $350,000. Sector-specific disparities were not detailed in the general statistics, though the report did note that state and local governments reported the highest median ransom payment at $2.5m, while the healthcare sector recorded the lowest at $150,000.

For the third consecutive year, exploited vulnerabilities were the top technical entry point. As per the survey, 40% of affected organisations reported that attackers took advantage of a gap they were not previously aware of, reinforcing the challenge of maintaining complete visibility across the attack surface.

Resourcing issues played a major role in exposure, with 63% of organisations citing such limitations as a contributing factor. Larger firms, defined as those with more than 3,000 employees, most often attributed the breach to a lack of in-house expertise. Mid-sized firms, particularly those with 251 to 500 staff, pointed to staffing and capacity shortages as the primary issue.

A six-year high of 44% of companies successfully stopped ransomware attacks before data encryption occurred. At the same time, backup usage declined to 54%, which is the lowest level in six years, according to the report.

The average cost of recovery dropped from $2.73m in 2024 to $1.53m in 2025. The report found that 53% of organisations fully recovered within one week, while only 18% required more than a month, down from 34% the year prior.
