Sophos: Nearly Half of Companies Pay Attackers

Cybersecurity company Sophos published its sixth annual State of Ransomware report. This vendor-agnostic survey looks at responses from IT and cybersecurity leaders across 17 countries, examining the impact of ransomware attacks on businesses. 

This year’s report noted that nearly 50 percent of organizations paid the ransom to get their data back, the second-highest payment rate recorded in the survey’s six years. 

Despite this, 53 percent of those who paid reported paying less than the original demand; in 71 percent of those cases, they did so following either first-hand or third-party negotiations. Overall, the median ransom demand dropped by a third year over year, while the median ransom payment fell 50 percent. 

The median ransom demand for companies with over $1 billion in revenue was $5 million, while organizations with $250 million or less in sales saw median ransom demands of less than $350,000. For the third year in a row, exploited vulnerabilities were the top cause of attack, and 40 percent of ransomware victims said adversaries took advantage of a security gap that the organization was not aware of. 

Additionally, 63 percent said resourcing issues were a factor in their falling victim to the attack: lack of expertise was named as a top operational cause in organizations with more than 3,000 people, while lack of people/capacity was most frequently cited by those with 251-500 employees. 

“For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025,” said Sophos director and field CISO, Chester Wisniewski. “The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress.” 

“Of course,” he continued, “ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface and too few resources. We’re seeing more companies recognize they need help and moving to managed detection and response (MDR) services for defense. MDR, coupled with proactive security strategies such as multifactor authentication and patching, can go a long way in preventing ransomware from the start.” 

Additional key findings included: 

  • 44 percent of companies were able to stop the ransomware attack before data was encrypted – a six-year high. Correspondingly, data encryption was at a six-year low, with only half of companies having their data encrypted. 
  • Just 54 percent of companies used backups to restore their data – the lowest percentage in six years. 
  • Average cost of recovery dropped from $2.73 million (2024) to $1.53 million (2025), while ransom payments fell by 50 percent, from $2 million (2024) to $1 million (2025). 
  • State and local government reported paying the highest median amount ($2.5 million), while healthcare reported the lowest ($150,000). 
  • 53 percent of organizations fully recovered from a ransomware attack within a week, up from 35 percent in 2024. 18 percent took more than a month to recover in 2025, down from 34 percent in 2024.