Nearly 50% of companies in 2025 paid a ransom to get their data back – the second-highest rate of ransom payment in six years. This is according to the sixth annual State of Ransomware report by cybersecurity firm Sophos.
The report notes that despite the high percentage of companies that paid the ransom, over half – 53% – paid less than the original demand. In 71% of cases where the companies paid less, they did so through negotiation – either through their own negotiations or with help from a third party.
In fact, while the median ransom demand dropped by a third between 2024 and 2025, the median ransom payment dropped by 50%, illustrating how companies are becoming more successful at minimizing the impact of ransomware.
Overall, the median ransom payment was one million dollars, although the initial demand varied significantly with organization size and revenue. The median ransom demand for companies with over $1 billion in revenue was five million dollars, while organizations with $250 million in revenue or less saw median ransom demands of less than $350,000.
For the third year in a row, exploited vulnerabilities were the number one technical root cause of attacks, while 40% of ransomware victims said adversaries took advantage of a security gap that they were not aware of – highlighting organizations’ ongoing struggle to see and secure their attack surface. Overall, 63% of organizations said resourcing issues were a factor in them falling victim to the attack, with lack of expertise named as the top operational cause in organizations with more than 3,000 people and lack of people/capacity most frequently cited by those with 251-500 employees.
“For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress,” says Chester Wisniewski, director, field CISO, Sophos.
“Of course, ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We’re seeing more companies recognize they need help and moving to Managed Detection and Response (MDR) services for defense. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start.”
The State of Ransomware 2025 report does, however, reveal several encouraging trends in the fight against ransomware. A record 44% of companies stopped ransomware attacks before data encryption could occur — the highest rate in six years — and only half experienced data encryption, a six-year low. At the same time, the use of backups for data restoration has declined, with just 54% of organizations relying on them, the lowest figure in the past six years.
Despite this, there is a silver lining: both ransomware payments and recovery costs are decreasing. The average cost of recovery has dropped significantly from $2.73 million in 2024 to $1.53 million in 2025. Ransom payments have also halved, from $2 million last year to $1 million this year. Interestingly, payment amounts vary widely by industry — state and local governments reported the highest median payments at $2.5 million, while the healthcare sector paid a median of only $150,000.
Recovery speeds are also improving. Over half (53%) of affected organizations fully recovered within a week, compared to just 35% in 2024. At the same time, the number of companies taking more than a month to recover has dropped to 18%, down from 34% last year.
Data for the State of Ransomware 2025 report comes from a vendor-agnostic survey of 3,400 IT and cybersecurity leaders in organizations that were hit by ransomware in the previous year. Organizations surveyed ranged from 100 to 5,000 employees and spanned 17 countries.
The survey was conducted between January and March 2025, and respondents were asked about their experience of ransomware over the previous 12 months. Sophos says it will be releasing additional industry findings throughout the year.