Sophos finds ransomware crooks still getting paid

But firms are coughing up less cash and recovering faster

Security outfit Sophos has released its latest State of Ransomware report and it paints a picture that’s still grim, but with a few green shoots for businesses sick of being fleeced.

According to the vendor-agnostic survey, nearly half of the companies hit by ransomware ended up paying the ransom in 2025, the second-highest rate recorded in six years. But 53 per cent of those payments were for less than the crooks originally demanded.

Most companies haggled their way to a lower bill, often using third-party negotiators. The median ransom payment dropped a hefty 50 per cent from 2024, falling to $1 million, while the median demand slipped by a third. Sophos reckons this shows companies are getting better at fighting back.

There’s a clear split by size. For companies raking in more than $1 billion, the typical ransom demand was a painful $5 million. Smaller outfits with less than $250 million in revenue were hit with demands below $350,000 (around €327,000).

Unpatched vulnerabilities remained the top root cause for the third year running, while 40 per cent of those hit didn’t even know the exploited security hole existed. A lack of skilled security staff was flagged by 63 per cent of respondents as a reason they got owned, with bigger companies pointing to expertise gaps and mid-sized ones blaming sheer lack of capacity.

Sophos director and field CISO Chester Wisniewski said: “For many organisations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage.”

“Ransomware can still be ‘cured’ by tackling the root causes of attacks which are exploited vulnerabilities, lack of visibility into the attack surface, and too few resources.”

While backups should be the gold standard for recovery, only 54 per cent of firms actually used them, the lowest figure in six years. More are managing to stop attacks before data is encrypted, with 44 per cent catching the attack mid-way, and only half seeing any data locked up at all.

The cost of bouncing back is also on a downward slide. The average recovery bill dropped from $2.73 million in 2024 to $1.53 million in 2025. Even the time it takes to recover is shrinking, with 53 per cent of companies back on their feet within a week, up from 35 per cent, and only 18 per cent taking longer than a month.

Ransom amounts varied wildly by sector. Local and state governments paid out a median $2.5 million, while healthcare organisations got off lighter with a median of $150,000 (around €140,000).

Sophos surveyed 3,400 IT and security leaders in 17 countries, each of whom had suffered a ransomware attack in the previous year. The survey ran from January to March 2025, and Sophos promises more detailed breakdowns in upcoming releases.
