Sophos, a global leader of innovative security solutions for defeating cyberattacks, recently released its sixth annual State of Ransomware report, a vendor-agnostic survey of IT and cybersecurity leaders across 17 countries that studies the impact of ransomware attacks on businesses.
This year’s survey found that nearly 50% of companies paid the ransom to get their data back, the second-highest payment rate in the report’s six-year history.
- High Ransom Payments Persist: Nearly 50% of organizations paid a ransom—making it the second-highest rate in six years.
- Negotiation Pays Off: 53% of those who paid did so below the initial demand, with 71% negotiating the amount either directly or via third parties.
- Median Ransom Dropped: While the median ransom demand was $1 million, this figure dropped 50% from the previous year.
- Attack Entry Points Remain the Same: Exploited vulnerabilities were again the leading cause of attacks, continuing a three-year trend.
- Lack of Visibility a Major Problem: 40% of victims were unaware of the security gaps exploited in their systems.
- Staffing & Expertise Shortages: 63% of respondents cited internal resourcing challenges. Larger firms lacked expertise, while smaller ones lacked people.
- Improved Attack Prevention: 44% of companies stopped the ransomware before data encryption occurred—a six-year high.
- Backup Usage Falls: Only 54% of organizations used backups for recovery—the lowest in six years.
- Recovery is Faster and Cheaper: Average recovery costs fell from $2.73 million to $1.53 million, and more than half recovered within a week.
- Sector-Based Variance in Payments: State and local governments paid the most (median $2.5 million), while healthcare paid the least (median $150,000).
These insights highlight a growing maturity in response strategies—though prevention
Sophos recommends the following best practices to help organizations defend against ransomware and other cyberattacks:
- Take steps to eliminate common technical and operational root causes of attacks, such as exploited vulnerabilities. Tools like Sophos Managed Risk can help companies assess their risk profile and minimize their exposure.
- Ensure all endpoints (including servers) are well-defended with dedicated anti-ransomware protection.
- Have an incident response plan in place and tested for when things go wrong. Have good backups and practice restoring data regularly.
- Companies need around-the-clock monitoring and detection. If they do not have the resources in-house for this, they can work with a trusted managed detection and response (MDR) provider.
Download the full State of Ransomware 2025 report on Sophos.com.