Many End up Paying Ransomware Demands, Though Less Than They Did in Prior Years – Digital Transactions


The scourge of ransomware is not abating, but some of its impact may be. That’s because companies are getting better at negotiating payments of less than the original demand, according to a new report from Sophos, a cyberfraud-prevention firm.

In its “State of Ransomware” report, released Tuesday, Sophos says 49% of the 3,400 organizations surveyed across 17 countries paid the ransom demand to regain their data, a drop from 56% in 2024 but still the second-highest rate in six years. The demands are not small, either: the median ransom demand in 2025 is $1,324,429, meaning half of the demands were above that figure and half below it. The median was $2 million in 2024.

While ransomware victims are paying, for many the amount they hand over is not the full demand. Sophos says only 29% paid the initially demanded amount, while 53% paid less and 18% paid more. That is an indication that companies are becoming more successful at minimizing the impact of ransomware, the report says, either through their own negotiations or with assistance from a third party. The median ransom payment in 2025 is $1 million, half of the $2 million in 2024. United Kingdom-based Sophos notes another factor: the number of ransom payments of $5 million or more fell 31% from 2024.

Of the 445 organizations that paid less than the initial demand, 47% said they negotiated a lower amount. Forty-five percent said the criminals reduced the ask because of external pressures, such as from media exposure or law enforcement. Forty-three percent received a discount for paying quickly.

As to how ransomware infiltrates a company’s network, exploitation of vulnerabilities, such as a security gap the company was not aware of, is the top factor, cited by 32%, the same as in 2024. That is followed by compromised credentials (23% in 2025 versus 29% in 2024), phishing emails (18% versus 11%), brute-force attacks (6% versus 3%), and downloads (2% versus 1%).

There is some good news. Sophos found that 44% of companies were able to stop the ransomware attack before their data was encrypted, a high in six years of tracking. That’s up from 27% in 2024 and 21% in 2023.

“For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage,” Chester Wisniewski, Sophos director and field chief information security officer, says in a statement.
