Ransom costs drop, but half of firms still pay hackers


Nearly half of the firms hit by ransomware attacks last year opted to pay their attackers to recover their data, the second-highest rate of ransom payments relative to ransom demands in six years, according to new research from Sophos.

Sophos’ sixth annual State of Ransomware report, drawing on insights from 3,400 IT and cybersecurity leaders across 17 countries, reveals that despite many victims choosing to pay up, more than half (53%) managed to pay a lower ransom amount than initially demanded.

Sophos found that in 71% of cases where companies paid less, they did so through negotiation, either on their own or with help from a third party, with median ransom demands falling by a third between 2024 and 2025 as a result.

Overall, the data shows that median ransom payments dropped by 50% to $1 million (£734.5k), although the initial demand varied significantly depending on organisation size and revenue.

For example, the median ransom demand for companies with over $1 billion (£734m) in revenue was $5 million (£3.6m), while organisations with revenue of $250 million (£184m) or less saw median ransom demands of less than $350,000 (£257k).

Recovery costs are also on the decline, dropping on average from $2.73 million (£2m) in 2024 to $1.53 million (£1.1m) in 2025, with companies getting faster at recovering after an attack.

Over half (53%) of organisations reported being fully recovered from a ransomware incident after a week, up from 35% last year, with just 18% taking more than a month to recover – down from 34% in 2024.

While the research illustrates that companies are becoming more successful at minimising the impact of ransomware, the figures show that attackers are still able to walk away with significant sums, fuelling their motivation for future attacks.

Organisations are also getting faster at responding once an attack is under way. Sophos found that 44% of firms were able to stop ransomware attacks in progress before data was encrypted, a six-year high, and the proportion of companies whose data was actually encrypted fell to a six-year low, with only half reporting encrypted data.

The bad news is that many organisations are not taking basic precautions, despite the spate of ransomware attacks over the last few years.

Backup use is down: only 54% of companies used backups to restore their data after a cyber incident, the lowest percentage in six years. Meanwhile, 63% of organisations said resourcing issues were a factor in falling victim to an attack, with lack of expertise named as the top operational cause among enterprise-level firms.

For the third year in a row, exploited vulnerabilities were the number one technical root cause of attacks, with 40% of ransomware victims saying their adversaries took advantage of a security gap that they were not aware of, highlighting the persistent struggle many firms are facing as attack surfaces expand.

“For many organisations, the chance of being compromised by ransomware actors is just a part of doing business in 2025,” said Chester Wisniewski, director and field CISO at Sophos.

“The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage.

“Ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. Managed Detection and Response coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start.”
