Nearly Half of Companies Opt to Pay the Ransom, Sophos Report Finds
Sophos, a global leader of innovative security solutions for defeating cyberattacks, released its sixth annual State of Ransomware report, a vendor-agnostic survey of IT and cybersecurity leaders across 17 countries that studies the impact of ransomware attacks on businesses. This year’s survey found that nearly 50% of companies paid the ransom to get their data back – the second highest rate of ransom payment for ransom demands in six years.
Despite the high percentage of companies that paid the ransom, over half – 53% – paid less than the original demand. In 71% of cases where the companies paid less, they did so through negotiation – either through their own negotiations or with help from a third party. In fact, while the median ransom demand dropped by a third between 2024 and 2025, the median ransom payment dropped by 50%, illustrating how companies are becoming more successful at minimizing the impact of ransomware.
Overall, the median ransom payment was one million dollars, although the initial demand varied significantly depending on organization size and revenue. The median ransom demand for companies with over $1 billion in revenue was five million dollars, while organizations with $250 million in revenue or less saw median ransom demands of less than $350,000.
For the third year in a row, exploited vulnerabilities were the number one technical root cause of attacks, while 40% of ransomware victims said adversaries took advantage of a security gap that they were not aware of – highlighting organizations’ ongoing struggle to see and secure their attack surface. Overall, 63% of organizations said resourcing issues were a factor in their falling victim to the attack, with lack of expertise named as the top operational cause in organizations with more than 3,000 people and lack of people/capacity most frequently cited by those with 251-500 employees.
“For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress,” says Chester Wisniewski, director, field CISO, Sophos.
“Of course, ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We’re seeing more companies recognize they need help and moving to Managed Detection and Response (MDR) services for defense. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start.”
Additional Key Findings from the State of Ransomware 2025 Report:
- More Companies are Stopping Attacks in Progress: 44% of companies were able to stop the ransomware attack before data was encrypted – a six-year high. Data encryption was also at a six-year low, with only half of companies having their data encrypted.
- Backup Use is Down: Only 54% of companies used backups to restore their data – the lowest percentage in six years.
- Silver Lining: Ransomware Payments and Recovery Costs are on the Decline: The average cost of recovery dropped from $2.73 million in 2024 to $1.53 million in 2025. While ransom payments are high, they declined by 50%, from $2 million in 2024 to $1 million in 2025.
- Ransom Payments Vary by Industry: State and local government reported paying the highest median amount ($2.5 million), while healthcare reported the lowest ($150,000).
- Companies are Getting Faster at Recovery: Over half (53%) of organizations fully recovered from a ransomware attack in a week – up from 35% last year. Only 18% took more than a month to recover – down from 34% in 2024.