Nearly half of organisations hit by ransomware attacks in the past year chose to pay the ransom, making it the second-highest ransom payment rate in six years, according to Sophos, a cybersecurity solutions provider.
According to its ‘State of Ransomware 2025’ report, 53 percent of those who paid negotiated a lower amount than the initial demand, which reduced financial losses significantly.
The sixth annual global survey of 3,400 IT and cybersecurity leaders across 17 countries found that the median ransom payment dropped to $1 million, a 50 percent decrease from 2024, although ransom demands still varied widely.
“Many companies are increasingly turning to professional incident responders to negotiate with attackers, limit payment amounts, and accelerate recovery,” said Chester Wisniewski, director, Field CISO at Sophos. “This growing sophistication is helping businesses reduce impact, though the threat of ransomware remains persistent.”
Large organisations with over $1 billion in revenue faced median demands of $5 million, while smaller businesses reported demands of less than $350,000.
The report reveals that in 71 percent of cases where a reduced ransom was paid, negotiation was involved either directly or through third-party experts.
Despite the concerning rate of payments, there are signs of resilience: 44 percent of organisations were able to stop the attack before data encryption, a six-year high.
Data encryption hit a six-year low, with only half of victimised companies experiencing it. Ransomware recovery is accelerating, with 53 percent of victims fully recovered within a week, up from 35 percent in 2024.
The average cost of recovery dropped to $1.53 million, down from $2.73 million the previous year. However, challenges remain, as for the third consecutive year, exploited vulnerabilities were the leading cause of attacks. “40 percent of victims said attackers exploited security gaps they weren’t even aware existed,” the report said.
It also highlighted resourcing constraints as 63 percent of victims cited resource-related shortcomings, including a lack of cybersecurity personnel and skills.
Use of backups also declined, with only 54 percent of organisations relying on them for data restoration, the lowest percentage in six years. Industry-specific impacts varied, with state and local governments paying the highest median ransoms at $2.5 million, while healthcare organisations paid significantly less, at $150,000.
To boost their cybersecurity response, Sophos recommends a proactive defence posture that includes eliminating common vulnerabilities and improving visibility into attack surfaces, investing in Managed Detection and Response (MDR) services, and ensuring regular testing of backup and recovery systems.
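As an added illustration of the last recommendation, the regular restore test, the following Python script records a SHA-256 manifest when a backup is taken, later restores the archive into a scratch directory and compares every file against that manifest. It is not code from the report or from Sophos; the directory layout, file contents and archive names are constructed sample data, and the archive format (gzipped tar) is an assumption chosen for the example.

```python
import hashlib
import os
import tarfile
import tempfile


def build_manifest(root):
    """Map each file under root (relative path, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def create_backup(source_dir, archive_path):
    """Write source_dir into a gzipped tar and return the manifest recorded at backup time."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(source_dir, rel), arcname=rel)
    return manifest


def verify_restore(archive_path, expected):
    """Restore the archive into a scratch directory and compare it with the manifest.

    Returns (ok, problems); problems lists missing, changed, unexpected or unsafe entries.
    A real restore test would also time the restore and exercise the application on
    the restored data; this example checks integrity and completeness only.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        base = os.path.realpath(scratch)
        with tarfile.open(archive_path, "r:gz") as tar:
            members = []
            for m in tar.getmembers():
                # Refuse entries that would write outside the scratch directory
                # (path traversal) or that are links; a backup set should be plain files.
                target = os.path.realpath(os.path.join(base, m.name))
                if not target.startswith(base + os.sep) or m.issym() or m.islnk():
                    problems.append(f"unsafe entry: {m.name}")
                    continue
                members.append(m)
            tar.extractall(scratch, members=members)
        restored = build_manifest(scratch)
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"changed: {rel}")
    for rel in restored:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return (not problems, sorted(problems))


def run_demo():
    """Constructed sample data: a clean backup passes, while a backup whose contents were
    altered after the manifest was recorded (one file overwritten, one deleted) fails."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "orders.sql"), "w") as fh:
            fh.write("INSERT INTO orders VALUES (1, 'widget');\n")
        with open(os.path.join(src, "config.ini"), "w") as fh:
            fh.write("[app]\nmode=prod\n")

        clean = os.path.join(work, "clean.tar.gz")
        manifest = create_backup(src, clean)
        clean_ok, clean_problems = verify_restore(clean, manifest)

        # Simulate a backup set that no longer matches what was recorded:
        # one file replaced by opaque bytes, one file gone.
        with open(os.path.join(src, "db", "orders.sql"), "wb") as fh:
            fh.write(b"\x00ENCRYPTED\x00")
        os.remove(os.path.join(src, "config.ini"))
        tampered = os.path.join(work, "tampered.tar.gz")
        create_backup(src, tampered)  # check it against the ORIGINAL manifest, not its own
        tampered_ok, tampered_problems = verify_restore(tampered, manifest)

    return {
        "clean_ok": clean_ok,
        "clean_problems": clean_problems,
        "tampered_ok": tampered_ok,
        "tampered_problems": tampered_problems,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of comparing against the manifest recorded at backup time, rather than against whatever the archive contains, is that a backup which restores cleanly but no longer matches the data it was supposed to protect is exactly the failure a scheduled restore test is meant to catch.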