Nearly 50% of companies paid the ransom to recover their data, the second-highest rate in six years, according to Sophos.
How actual payments stack up with the initial demand
Ransom payments and recovery costs are on the decline
Despite the high percentage of companies that paid the ransom, 53% paid less than the original demand. In 71% of the cases where companies paid less, they got there through negotiation, either negotiating themselves or with the help of a third party. In fact, while the median ransom demand dropped by a third between 2024 and 2025, the median ransom payment dropped by 50%, illustrating how companies are becoming more successful at minimizing the impact of ransomware.
Overall, the median ransom payment was $1 million, although the initial demand varied significantly with organization size and revenue. The median ransom demand for companies with over $1 billion in revenue was $5 million, while organizations with revenue of $250 million or less saw median ransom demands of under $350,000.
Exploited vulnerabilities remain top cause of ransomware
For the third year in a row, exploited vulnerabilities were the number one technical root cause of attacks, and 40% of ransomware victims said adversaries took advantage of a security gap that they were not aware of, highlighting organizations' ongoing struggle to see and secure their attack surface.
Overall, 63% of organizations said resourcing issues were a factor in their falling victim to the attack. Lack of expertise was the top operational cause named by organizations with more than 3,000 people, while lack of people/capacity was the cause most frequently cited by those with 251-500 employees.
“For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress,” says Chester Wisniewski, director, field CISO, Sophos.
“Of course, ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We’re seeing more companies recognize they need help and moving to Managed Detection and Response (MDR) services for defense. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start,” Wisniewski continued.
More companies are stopping attacks in progress
Data encryption during attacks has reached its lowest level in the six years of our study. This drop suggests that organizations are becoming better at stopping attacks before the encryption process begins.
However, larger organizations still face greater challenges. They are more likely to have their data encrypted during an attack, indicating they may struggle more than smaller companies to detect and block threats in time or to recover from them.
Adversaries don’t just encrypt data, they often steal it too. Larger companies are more likely to experience data theft than smaller ones, possibly because attackers see them as more valuable targets. It may also be harder for smaller organizations to detect when data has been stolen.
Most organizations that have their data encrypted are able to recover it. Many rely on backups, though reliance on backups has declined each year. A significant number still choose to pay the ransom to get their data back, while others recover through alternative means, such as publicly available decryption tools.
Companies are getting faster at recovery
Organizations are recovering from cyberattacks more quickly than in previous years. Many are now able to fully recover within days, and the vast majority are back to normal within a few months. This trend suggests increased investment in incident response and recovery planning.
As expected, recovery tends to take longer for organizations whose data was encrypted during an attack, compared to those that managed to stop the encryption in time.