Nearly half of organisations affected by ransomware attacks in the past year paid to recover their data, according to Sophos’ State of Ransomware 2025 report, despite a noticeable drop in overall ransom payments and recovery costs.
The report, based on responses from 3,400 IT and cybersecurity leaders across 17 countries, found that 50% of victims paid a ransom, the second-highest rate recorded in the past six years. However, 53% of them paid less than what was originally demanded, with 71% achieving this through negotiations.
Sophos noted that while the median ransom demand dropped by a third between 2024 and 2025, the actual median payment fell by 50% to US$1 million. Demands varied widely: companies with over US$1 billion in revenue faced median demands of US$5 million, while smaller firms with less than US$250 million revenue saw demands below US$350,000.
The most common technical root cause of attacks for the third consecutive year was exploited vulnerabilities. 40% of respondents admitted that attackers capitalised on security gaps they were unaware of.
A total of 63% of respondents cited resourcing issues as a key factor in falling victim, with larger organisations pointing to a lack of expertise and smaller ones citing insufficient capacity.
Among other key findings:
- 44% of companies stopped the attack before data encryption – a six-year high
- Only 54% used backups for data restoration – the lowest in six years
- Recovery costs dropped from US$2.73 million in 2024 to US$1.53 million in 2025
- Ransom payment amounts varied by sector, with local governments paying the most (US$2.5 million) and healthcare the least (US$150,000)
- 53% of victims recovered fully within a week, compared to 35% last year
Sophos recommends organisations strengthen defences by patching vulnerabilities, using dedicated anti-ransomware protection, maintaining updated backups, and ensuring 24/7 monitoring—either in-house or through managed detection and response (MDR) providers.