Nearly half of companies paid a ransom to get their data back last year, according to new research, but they’re taking a hard line with hackers to strike fair deals.
In its latest State of Ransomware report, Sophos said this was the second highest rate of ransom payments in six years. However, more than half (53%) paid less than the original demand.
In nearly three-quarters (71%) of these cases, the hackers were haggled down, either through the victims’ own negotiations, or with help from a third party.
Chester Wisniewski, director, field CISO at Sophos, said that for many organisations, the threat of falling victim to ransomware groups is now “just a part of doing business”.
What Sophos’ research shows, however, is that victims are taking a more pragmatic approach to the situation and are recovering at a quicker pace.
“The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage,” he said. “This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress.”
Companies are getting better at negotiation, Sophos noted. The median ransom demand dropped by a third between 2024 and 2025, while the actual payment made dropped by half.
Overall, the median ransom payment was a round one million dollars – this was also half the figure cited for the previous year.
Not all ransomware victims are successful
It’s worth noting that 28% paid more than the initial ransom, largely due to extra demands from the hackers. Sophos said this usually happened because the attackers realized they could ask for more or they got frustrated.
Other causes included a lack of backups or a failure to pay up quickly enough.
Ransom payments varied by industry, with state and local government reporting paying the highest median amount at $2.5 million, while healthcare reported the lowest at $150,000.
Initial demands also varied significantly depending on the organization’s size and revenue. The median ransom demand for companies with over $1 billion in revenue was $5 million, while those with $250 million revenue or less were asked for less than $350,000.
For the third year in a row, the number one technical root cause of attacks was exploited vulnerabilities, while 40% of ransomware victims said adversaries took advantage of a security gap that they hadn’t been aware of.
Nearly two-thirds (63%) of organizations blamed resourcing issues as a major reason they fell victim to the attack.
Indeed, a lack of expertise was cited as the top operational cause in organizations with more than 3,000 people, and lack of people or capacity was most frequently cited by those with between 251 and 500 employees.
Enterprises are getting better at recovery
The good news is that 44% of companies were able to stop the ransomware attack before data was encrypted, a six-year high. Correspondingly, data encryption was at a six-year low, with only half of companies having their data encrypted.
Only 54% of companies used backups to restore their data – the lowest percentage in six years.
However, the average cost of recovery dropped from $2.73 million in 2024 to $1.53 million in 2025.
Companies are getting faster at recovery, Sophos noted, which is a positive sign both in terms of preparedness and resilience. More than half (53%) fully recovered from a ransomware attack in a week, up from 35% last year.
Meanwhile, only 18% took more than a month to recover, down from 34% in 2024.