However the average ransom payment is now over £1 million.
Only 17% of organisations hit by ransomware chose to pay the ransom.
According to DataBarracks’ Data Health Check 2025, three times as many organisations recovered from backups rather than paying a ransom as in 2024.
The news comes in the wake of a government consultation that seeks to ban ransom payments.
Gavin Knapp, cyber threat intelligence principal lead at Bridewell, pointed out that the number of companies paying ransoms for encryption-based ransomware attacks has been steadily trending downwards since 2019. This highlights that encryption-only attacks are less successful, and threat actors are moving to data-theft-only models, which are proving to have a higher success rate than encryption-only attacks.
Rik Ferguson, VP security intelligence at Forescout, said that the 17% figure is certainly a better figure than we have seen in the past, and the fact that the ratio of organisations restoring from backups compared to those paying has risen to three to one is an encouraging development, “but it would be a mistake to treat this as evidence that ransomware is in decline.”
In an email to SC UK, Ferguson said this tells us that more organisations have finally begun to give proper attention to backup strategy, and while that is both welcome and long overdue, it is still only one part of a robust defensive posture.
“True resilience is about far more than working backups,” he says. “It’s about knowing exactly what is connected to your network, understanding in detail where the exposures are, segmenting effectively to contain intrusions, and making it as difficult as possible for an attacker to reach, and more importantly, to exfiltrate the data that would cause the most harm if exposed.
“That level of preparation comes from doing the fundamentals properly, consistently, and with a thorough and continuously updated understanding of your organisation’s assets and operational realities.
“So while the drop in ransom payments is a positive sign, it is not proof that the threat is shrinking, only that it is becoming more agile and more selective. Disaster recovery is critical, but it will always be only one element of a much broader cybersecurity strategy.”
Other research released this week showed that the average ransom payment rocketed to $1.13 million, up 104% from Q1 2025. According to Veeam, this spike is attributed to larger organisations paying out after data exfiltration-only incidents, even as the overall rate of organisations paying ransoms held steady at 26%.
Michael Tigges, senior hunt & response analyst at Huntress, said: “Ransomware isn’t going anywhere, but stronger policies surrounding data retention and IT security have helped erode ransomware’s primary business model.
“Not paying a ransom effectively degrades ransomware groups’ bottom line: profit. This highlights the importance of effective and well-tested data backup solutions.
“It is unlikely that we are ‘winning’ the fight against ransomware until we see significant downturns in the rate of these intrusions, especially in small to medium-sized businesses, where the data being protected may be just as valuable, but the technology protecting it may be less advanced.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show.
Outside work, Dan supports Tottenham Hotspur, manages mischievous cats, and samples the finest craft beers.