UK Ransom Payments Double as Victims Fall Behind Global Peers


British organizations are far more likely than their global peers to have data encrypted in ransomware attacks, and to pay a higher ransom demand, according to Sophos.

The security vendor revealed the findings in its latest report, The State of Ransomware in the UK 2025, based on a vendor-agnostic survey of 201 UK organizations hit by ransomware in the past year. It is part of a wider global study of 3,400 IT and cybersecurity leaders at organizations hit by ransomware over the same period.

It revealed that 70% of UK victims had data encrypted – well above the global average of 50% and the 46% reported by UK firms last year. Exploited vulnerabilities (36%), malicious emails (20%) and compromised credentials (19%) were the top initial-access vectors.

The median UK ransom demand in the last year was $5.4m (£3.9m) – more than double the $2.5m (£1.9m) reported in the 2024 Sophos survey. Some 89% of ransom demands were for $1m or more, up from 71% in 2024.


More concerning, UK organizations typically paid 103% of the demand, well above the global average of 85%. This is most likely linked to the large share of UK victims that had data encrypted.

This bucks the global trend of ransomware victims refusing to pay their extortionists. Chainalysis data from February revealed a 35% year-on-year decline in the global value of ransomware payments in 2024, to $813m. It has been suggested that threat actors are demanding higher sums from the victims who do pay as overall revenue falls.

The rising cost of ransomware breaches may be another causal factor influencing payment decisions for British companies. The average bill for recovery came to $2.6m last year, up from $2.1m the year before. This included the costs of downtime, people time, device cost, network cost and lost opportunity, Sophos said.

UK Firms Recover Faster

On the positive side, Sophos said UK organizations are getting faster at recovering from attacks, with 59% fully recovered within a week – well above the 38% reported last year. It is unclear whether this is linked to the fact that more of them are paying up.

Some 99% of UK organizations that had data encrypted were able to get it back – roughly in line with the global average. However, recovering the data does not remove the risks that follow from its theft, such as exposure or resale of the stolen copy.

Interestingly, data was stolen only in a quarter (26%) of attacks where it was also encrypted, a significant drop from the 49% reported last year.

UK organizations may have to change their ransomware response strategy soon. The forthcoming Cyber Security and Resilience Bill is expected to ban certain organizations, including critical infrastructure providers, from making ransom payments and to impose new reporting obligations on all victims.

Sophos urged network defenders to focus on:

  • Prevention, by looking at the root causes of attack such as vulnerability exploitation, phishing and abuse of credentials
  • Protection via endpoint security and anti-ransomware tooling
  • Detection and response to stop attacks before they can spread
  • Incident response planning and regular backups


