This year’s survey found that nearly 50% of companies paid the ransom to get their data back – the second highest rate of ransom payment for ransom demands in six years.

Despite the high percentage of companies that paid the ransom, over half – 53% – paid less than the original demand.

In 71% of cases where the companies paid less, they did so through negotiation – either through their own negotiations or with help from a third party.

In fact, while the median ransom demand dropped by a third between 2024 and 2025, the median ransom payment dropped by 50%, illustrating how companies are becoming more successful at minimizing the impact of ransomware.

Overall, the median ransom payment was one million dollars, although the initial demand varied significantly depending on organization size and revenue.

The median ransom demand for companies with over $1 billion in revenue was five million dollars, while organizations with $250 million revenue or less, saw median ransom demands of less than $350,000.

For the third year in a row, exploited vulnerabilities were the number one technical root cause of attacks, while 40% of ransomware victims said adversaries took advantage of a security gap that they were not aware of – highlighting organizations’ ongoing struggle to see and secure their attack surface.

Overall, 63% of organizations said resourcing issues were a factor in them falling victim to the attack, with lack of expertise named as the top operational cause in organizations with more than 3,000 people and lack of people/capacity most frequently cited by those with 251-500 employees.

“For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress,” says Chester Wisniewski, director, field CISO, Sophos.

“Of course, ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We’re seeing more companies recognize they need help and moving to Managed Detection and Response (MDR) services for defense. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start.”

Additional Key Findings from the State of Ransomware 2025 Report:

• More Companies are Stopping Attacks in Progress: 44% of companies were able to stop the ransomware attack before data was encrypted – a six-year high. Data encryption was also at a six-year low with only half of companies having their data encrypted.
• Backup Use is Down: Only 54% of companies used backups to restore their data – the lowest percentage in six years.
• Silver Lining: Ransomware Payments and Recovery Costs are on the Decline: The average cost of recovery dropped from $2.73 million in 2024, to $1.53 million in 2025. While ransom payments are high, they declined by 50% from $2 million in 2024 to $1 million in 2025.
• Ransom Payments Vary by Industry: State and local government reported paying the highest median amount ($2.5 million), while healthcare reported the lowest ($150,000).
• Companies are Getting Faster at Recovery: Over half (53%) of organizations fully recovered from a ransomware attack in a week – up from 35% last year. Only 18% took more than a month to recover – down from 34% in 2024.

According to the report, 97% of those with a cyber policy invested in improving their defenses to help with insurance, with 76% saying it enabled them to qualify for coverage, 67% to get better pricing and 30% to secure improved policy terms.

The survey also revealed that recovery costs from cyberattacks are outpacing insurance coverage. Only one percent of those that made a claim said that their carrier funded 100% of the costs incurred while remediating the incident.

The most common reason for the policy not paying for the costs in full was because the total bill exceeded the policy limit.

According to The State of Ransomware 2024 survey, recovery costs following a ransomware incident increased by 50% over the last year, reaching $2.73 million on average.

“The Sophos Active Adversary report has repeatedly shown that many of the cyber incidents companies face are the result of a failure to implement basic cybersecurity best practices, such as patching in a timely manner. In our most recent report, for example, compromised credentials were the number one root cause of attacks, yet 43% of companies didn’t have multi-factor authentication enabled,” said Chester Wisniewski, director, global Field CTO.

“The fact that 76% of companies invested in cyber defenses to qualify for cyber insurance shows that insurance is forcing organizations to implement some of these essential security measures. It’s making a difference, and it’s having a broader, more positive impact on companies overall. However, while cyber insurance is beneficial for companies, it is just one part of an effective risk mitigation strategy.

Companies still need to work on hardening their defenses. A cyberattack can have profound impacts for a company from both an operational and a reputational standpoint, and having cyber insurance doesn’t change that.”

Across the 5,000 IT and cybersecurity leaders surveyed, 99% of companies that improved their defenses for insurance purposes said they had also gained broader security benefits beyond insurance coverage due to their investments, including improved protection, freed IT resources and fewer alerts.

“Investments in cyber defenses appear to have a ripple effect in terms of benefits, unlocking insurance savings that organizations can be diverted into other defenses to more broadly improve their security posture. As cyber insurance adoption continues, hopefully, companies’ security will continue to improve. Cyber insurance won’t make ransomware attacks disappear, but it could very well be part of the solution,” said Wisniewski.

Data for the Cyber Insurance and Cyber Defenses 2024: Lessons from IT and Cybersecurity Leaders report comes from a vendor-agnostic survey of 5,000 cybersecurity/IT leaders conducted between January and February 2024. Respondents were based in 14 countries across the Americas, EMEA and Asia Pacific. Organizations surveyed had between 100 and 5,000 employees, and revenue ranged from less than $10 million to more than $5 billion.

Read the full “Cyber Insurance and Cyber Defenses 2024: Lessons from IT and Cybersecurity Leaders,” on Sophos.com for additional global findings and data by sector.

According to the report, among organizations surveyed, 97% of those hit by ransomware over the past year engaged with law enforcement and/or official government bodies for help with the attack.

In addition, more than half (59%) of those organizations that did engage with law enforcement found the process easy or somewhat easy.

Only 10% of those surveyed said the process was very difficult.

Based on the survey, impacted organizations reached out to law enforcement and/or official government bodies for a range of assistance with ransomware attacks.

Sixty-one percent reported they had received advice on dealing with ransomware, while 60% received help investigating the attack.

Fifty-eight percent of those that had their data encrypted received help from law enforcement to recover their data from the ransomware attack.

“Companies have traditionally shied away from engaging with law enforcement for fear of their attack becoming public. If they are known to have been victimized it could impact their business reputation and make a bad situation worse. Victim shaming has long been a consequence of an attack, but we’ve made progress on that front, both within the security community and at the government level. New regulations on cyber incident reporting, for example, appear to have normalized engaging with law enforcement, and this survey data shows organizations are taking steps in the right direction,” said Chester Wisniewski, director, Field CTO, Sophos. “If the public and the private sectors can continue to galvanize as a group effort to help businesses, we can continue to improve our ability to recover quickly and gather intelligence to protect others or even potentially hold those conducting these attacks responsible.”

Recent in-the-field findings from Sophos X-Ops’ Active Adversary report highlighted the continued threat of ransomware to small-and-medium sized businesses.

Data from more than 150 incident response (IR) cases in 2023 found that ransomware was, for the fourth year running, the most frequently encountered attack type, occurring in 70% of IR cases Sophos X-Ops investigated.

“While improving cooperation and working with law enforcement after an attack are all good developments, we need to move from simply treating the symptoms of ransomware to preventing those attacks in the first place. Our most recent Active Adversary report showed that many organizations are still failing to implement key security measures that can demonstrably reduce their overall risk profile; this includes patching their devices in a timely manner and enabling multi-factor authentication. From the law enforcement side, while they have had some recent successes with takedowns and arrests from LockBit to Qakbot, these successes have proven to be more akin to temporary disruptions than longer term or permanent wins.

“Criminals are successful in part due to the scale and efficiency with which they operate. To beat them back, we need to match them in both these areas. That means that, going forward, we need even greater collaboration, both within the private and public sector—and we need it at a global level,” said Wisniewski.

“Today’s threat environment is constantly evolving—and it’s more severe and more complex than ever before. The bad guys aren’t constrained by international borders, so we shouldn’t be, either. \

“At the Bureau, we’ve been doubling down in particular on our work with the private sector, in their capacity as victims of cyberattacks, of course, because the mission of the FBI always has been—and always will be—victim-centric—but also as integral partners, who can share valuable information about threats and trends, and, increasingly, join in our operations themselves,“ said Christopher Wray, FBI director.

Data for the State of Ransomware 2024 report comes from a vendor-agnostic survey of 5,000 cybersecurity/IT leaders conducted between January and February 2024. Respondents were based in 14 countries across the Americas, EMEA and Asia Pacific.

Organizations surveyed had between 100 and 5,000 employees, and revenue ranged from less than $10 million to more than $5 billion.

Read the full State of Ransomware 2024 report on Sophos.com for additional global findings and data by sector.

https://www.youtube.com/channel/UCGFTUpJPqMl23UvPravjShg

The year 2023 was marked by persistence in the tactics of cybercriminals, with the predominance of ransomware, the exploitation of vulnerabilities, theft of credentials and even attacks targeting the supply chain.

The common point in all his attacks is their formidable effectiveness.

It is therefore essential to ask what trends will persist in 2024 and what strategies businesses should adopt to deal with these future cyber threats.

Between persistent trends and evolving cybercrime tactics

In 2024, the threat landscape is not expected to change radically, particularly with regard to attack typologies and criminal tactics and procedures.

Criminal groups still primarily focus their attention on financial gains and ransomware remains their weapon of choice.

These cybercriminals tend to take the easy way out by opportunistically attacking unpatched security vulnerabilities.

The recent Citrix Bleed attack demonstrated the agility of cybercriminals when it comes to quickly and effectively exploiting these new vulnerabilities.

However, once patches are applied to these vulnerabilities, cyberattackers tend to revert to more common strategies of stealing credentials or, failing that, cookies or session cookies, which, while slightly slower, constitute always a proven means that allows them to penetrate within a system.

In 2024, however, we should expect increased sophistication in defense evasion tactics, particularly due to the generalization of certain technologies such as multi-factor authentication.

These attacks will combine malicious proxy servers, social engineering techniques and repeated authentication request attacks or “fatigue attacks”.

AI and regulations will continue to shape cybersecurity

In 2024, the development of AI will have a positive impact on the efficiency of IT teams and cybersecurity teams by enabling them to strengthen defenses and work more efficiently, including through the processing of vast volumes of data in the aim of detecting anomalies. It should make it possible to respond more quickly in the event of an incident.

Indeed, analysis of attacks in 2023 showed a shortening of the time between network penetration and the triggering of a final attack – using malware or ransomware. The need for rapid detection and response tools to prevent costly incidents is therefore essential.

Finally, regulatory developments could have a major influence on measures taken against ransomware. The need to take more substantial measures could push some states to penalize the payment of ransoms, which would represent a brake on malicious actors and change the perspective of companies in the event of an attack.

Other stricter legislation, such as the implementation of the European NIS2 Directive, is also expected to force companies to take additional measures, particularly regarding their abilities to collect data sets.

To protect themselves against increasingly rapid, effective and costly attacks, companies will need to strengthen their defenses by equipping themselves with tools that allow them to detect and respond to incidents more quickly.

The worsening cybersecurity talent shortage does not appear to be as serious as some studies claim. On the contrary, companies have implemented more lax hiring criteria and more open-mindedness in the recruitment process.

From this perspective, to guarantee their survival in a constantly evolving threat landscape, companies have every interest in establishing partnerships with cybersecurity experts whose main mission is to make the hyperconnected world safer, to advise and assist them in setting up effective defenses.

Consequently, regardless of their size, industry, or geographic location, the vast majority of companies prioritize protection against these threats and primarily strive to implement robust cyber defense measures to counteract them.

However, given the difficulty of preventing and anticipating all current and future forms of threats, especially the methods attackers use to bypass defenses and introduce ransomware into a system, organizations worldwide also tend to adopt cyber insurance policies to safeguard their operations in the event of a successful intrusion.

According to a study conducted in early 2023, 91% of global companies have some form of cyber insurance.”

If 47% of companies declare having subscribed to an independent insurance policy, and 43% have opted for insurance integrated into broader coverage, independent and integrated cyber policies are the two main types in the market.

It is crucial for companies to choose coverage that aligns with their specific needs and risks, ensuring the best possible protection for their data and operations.

Before subscribing to insurance, conducting an audit of existing solutions is essential, questioning whether they benefit from top-notch first-line cybersecurity protection.

Indeed, this can impact their access to cyber insurance and the selection of a policy that best suits their particular needs.

The quality of cyber defenses significantly influences corporate coverage. First-line cybersecurity measures can notably affect the adoption and choice of a cyber insurance policy for companies.

According to the aforementioned study, 95% of respondents specifically cite that the quality of implemented cyber defenses has a direct impact on the insurance they subscribe to, affecting both the cost and terms of the policy, ensuring access to the coverage that suits them best.”

“According to the study, 60% of organizations with cyber insurance state that the quality of their existing defenses influenced their ability to secure coverage.

Furthermore, 62% mention its impact on the policy’s cost, and 28% note its effect on insurance contract terms. Ensuring the most comprehensive and robust protection layer is essential to save money and select insurance that best meets the business’s requirements.

Interestingly, cybersecurity measures play a more significant role in obtaining independent cyber insurance compared to integrated coverage.

Seventy-one percent (71%) of those with independent policies note that the quality of their protection influenced their coverage, while only 49% of those with integrated policies believe it impacted their ability to contract cyber insurance.

Conversely, the performance of security measures has a greater influence on the cost of integrated policies (67%) than independent insurance (58%).

Therefore, companies should prioritize assessing the effectiveness and robustness of their cybersecurity solutions before seeking cyber insurance tailored to their needs.

This approach enables them to select the most appropriate policy and negotiate favorable costs and terms.”

“The importance of cyber insurance in protecting against ransomware

The primary threat facing businesses today has a name: ransomware. This type of malicious software, designed to encrypt and steal organizational data, followed by a ransom demand, has become the top concern for Chief Information Security Officers (CISOs) in recent years.

Given that its introduction into a system can result from highly varied, often unpredictable, and constantly evolving tactics, techniques, and procedures (TTP), it is impossible to guarantee that a company will not experience a successful intrusion. Hence, it is crucial for organizations to have, in addition to traditional cybersecurity solutions, a tailored cyber insurance policy that allows them to protect against data encryption, theft, or deletion.

In the event of data encryption, companies with the support and assistance of their insurer during the data recovery process, and those who, to qualify for insurance, have implemented enhanced security measures such as secure backups or incident response plans, are more likely to recover their encrypted data.

According to the study, 98% of those with independent cyber insurance successfully restored their encrypted data, compared to 97% for those with integrated coverage, and only 84% for those without insurance.

It’s worth highlighting that beneficiaries of cyber insurance are more inclined to pay the ransom to retrieve their data. Thus, 58% of independent policyholders who fell victim.

“In conclusion, while cyber insurance is now an essential element of business protection, it is inseparable from the quality of solutions and security measures taken to safeguard information systems and organizational data. It is crucial for global stakeholders, regardless of their industry, to ensure they have the most comprehensive, robust, and effective first-line protection to best guard against ransomware attacks and all other types of threats.

It’s also noteworthy that some managed cybersecurity solution providers offer complementary insurance guarantees in the event of a successful attack to further strengthen business protection. These aspects only reinforce the quasi-symbiotic relationship between cyber insurance and cybersecurity solutions.”

Sophos, a global leader in innovating and delivering cybersecurity as a service, today shared findings from its sector survey report, “The State of Ransomware in Retail 2023,” which found that only 26% of retail organizations this past year were able to disrupt a ransomware attack before their data was encrypted.

This is a three-year low for the sector—a decline from 34% in 2021 and 28% in 2022—suggesting the sector is increasingly unable to halt ransomware attacks already in progress.

“Retailers are losing ground in the battle against ransomware. Ransomware criminals have been encrypting increasingly greater percentages of their retail victims in the last three years, as evidenced by the steadily declining rate of retailers stopping cybercriminal attacks in progress.

Retailers must up their defensive game by setting up security that detects and responds to intrusions earlier in the attack chain,” said Chester Wisniewski, director, global field CTO, Sophos.

In addition, the report found that, for those retail organizations that paid the ransom, their median recovery costs (not including the ransom payment) were four times the recovery costs of those that used backups to recover their data ($3,000,000 versus $750,000).

“Forty-three percent of retail victims paid the ransom according to our survey respondents, yet the median recovery cost to victims who paid the ransom was four times the cost to those who used backups and other recovery methods. There are no shortcuts in these situations and rebuilding systems is almost always required. It’s better to deprive the criminals of their spoils and build back better,” said Wisniewski.

Additional key findings from the report include:

• In line with a broader, cross-sector trend, the retail sector experienced its highest rate of encryption over the past three years, with 71% of those organizations targeted by ransomware stating that attackers successfully encrypted their data
• The percentage of retail organizations attacked by ransomware declined from 77% last year to 69% this year
• The percentage of retail organizations that recovered in less than a day decreased from 15% to 9% this year, while the percentage of retail organizations that took more than a month to recover increased from 17% to 21%

Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:

• Strengthen defensive shields with:
  • Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-ransomware and anti-exploit capabilities
  • Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials
  • Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond
  • 24/7 threat detection, investigation and response, whether delivered in-house or by a specialized Managed Detection and Response (MDR) provider
• Optimize attack preparation, including regularly backing up, practicing recovering data from backups and maintaining an up-to-date incident response plan
• Maintain security hygiene, including timely patching and regularly reviewing security tool configurations

To learn more about the State of Ransomware in Retail 2023, download the full report from Sophos.com.

The State of Ransomware 2023 survey polled 3,000 IT/cybersecurity leaders in organizations with between 100 and 5,000 employees, including 355 from the retail sector, across 14 countries in the Americas, EMEA and Asia Pacific.

Before the pandemic, cybersecurity started to be considered as a fundamental area in a company. But it’s really after the implementation of teleworking during confinement and the cyberattacks that many companies suffered, due to the exposure of their devices, that IT teams are increasingly focused on raising awareness among their workers.

The objective is clear, shield each access point to the business network and monitor it to avoid active threats, making remote work a secure and flexible option.

“At the time the health emergency arose, companies had to apply various measures to continue operating from home, but, although the crisis passed and companies returned to normality, teleworking has remained in many cases. In the first instance, it is the companies that are taking measures to increase their levels of cyber protection, but in addition to that, users can also take measures that accompany them and that allow them to telework from wherever they want while maintaining protection”,

explains Chester Wisniewski, Field Sophos CTO.

Flexibility or family reconciliation are some of the advantages offered by this modality, so it is not surprising that it is an option that many workers choose for the summer season. Although at an operational level changing workplaces seems simple, it is important to take into account a protocol for prior actions. Cybersecurity experts at Sophos, a global leader in innovation and delivery of cybersecurity as a service, offer five steps to take to avoid risk and concern in what should be a happy and pleasant time:

1. Previous preparation. Just as you must prepare your devices and materials to establish your office in the new destination, you cannot forget to condition them internally, for this, check that your devices have the appropriate security software installed and that they comply with the compliance policies and security of your organization. solutions are patched and protected.

2. Training. Most cyberattacks start with a vulnerability in the weakest link in the chain, that is, the users. Workers can be the gateway used by attackers to access the rest of the company’s devices. This makes it necessary that, as a worker, it is important to acquire basic knowledge to know how current and identify in time if you are being attacked, either by your company or by your own account.

3. Double check. If you receive an unexpected communication from a coworker or business that seems out of the ordinary, don’t respond directly, rather contact the person or organization using another communications method like phone or SMS to ensure they are who they say they are.

4. Apply updates as soon as they are available. This is easiest on our phones and computers as we are usually prompted to update them, but don’t forget your internet router and smart home things. It is a good practice to check them all for available updates at least once a quarter.

5. Don’t forget to keep the “essentials”. Finally, despite carrying out all the previous steps, we must not forget the most basic protection measures that represent the entry barrier. First, set unique passwords for all your accounts and use a password manager to help keep them long and secure. Ideally, use multi-factor or “two-step” authentication wherever available to provide additional protection.

“Today most devices are used when connected to the internet, so you have to maintain a mindset where devices are considered to be in a hostile environment at all times. The idea that the safe space is inside offices and the insecure one outside is outdated. Now, anywhere you can suffer an attack, but it is true that sometimes when we move along with our workplace we do not take the necessary tools with us, so it is important to be vigilant”,

adds Chester Wisniewski.

The technology world was on fire about the latest artificial intelligence demonstration by OpenAI in the waning months of 2022, ChatGPT.

It is truly a remarkable achievement, an artificial intelligence (AI) that you can have a conversation with and ask it to do everything from write essays to code computer programs.

As a computer security expert I immediately did what comes natural to people like me, I tried to hack it. Could I get it to do something bad, something malicious? Could this be abused by criminals or spies to enable new types of cybercrime?

The answer of course, like most tools, is yes. Someone with ill intent can abuse these miraculous scientific achievements into doing things that could likely cause harm. The surprising part however is that the danger lies in the social arena, not the technical one.

ALSO READ: Sophos is the Top Ranked, Sole Leader in Omdia Universe Report for Comprehensive XDR Solutions

While ChatGPT can be tricked into writing malicious computer code, that isn’t really all that scary. Computer code can be analyzed by computer security products in milliseconds and deemed to be malicious or safe with a high degree of certainty.

Technology can always counteract technology. The problems surface when what we are trying to detect isn’t computer code, but rather words and meaning that will be interpreted by humans, not machines.

There are two factors that make this dangerous. The first is that up until now it was not practical to have a computer create tempting lures for victims to be tricked into interacting with.

The technology is now not only available, but so easily accessible as to be cheap or even free. The second is that the primary way users keep themselves safe today is by noticing mistakes made by attackers in their grammar and spelling to detect that an email or communication may be from an intruder.

If we take away the last remaining sign that a malicious email or chat message was crafted carelessly by someone without a strong command of the language, how will we defend ourselves?

Here is an example of an existing spam lure. It is relatively unsophisticated and has few words of explanation. I asked ChatGPT to write a more informative letter of the same type and you can see its output in the second example.

Now I didn’t format this to add an appropriate mail services logo or make the button as pretty in my example, but it is trivial to add these small improvements compared with mastering the English language.

In fact, you could ask ChatGPT to generate the HTML code necessary to do so without any knowledge of email formatting or programming skills whatsoever.

In my eyes, this signals the end of most computer users’ ability to discern real mail from fake. Today these tools only work well for English language text, but that is a simple training issue. The ability to write fluently in any language in the world (including computer programming languages) is now here. We must rethink our approaches to user education and implement technical measures to prevent these messages from ever making it into their inboxes.

The good news here is that computers are quite good at detecting and potentially blocking most of this content. Ultimately a spam campaign always has some sort of call to action, they may want you to phone them, reply, click a link or open an attachment.

These are impossible to remove and can aid in detection. We can also train AI models to detect when text has been generated by ChatGPT and add a warning banner or perhaps block the message.

The problematic situations are when we fail to block them and they end up in someone’s inbox. It’s a reasonably small percentage, but it is not zero and therefore we must prepare a defence. Having defensive layers is essential and with humans having reduced ability to spot a scam it is even more important that users are connecting through firewalls and web protection that can detect and block threats.

User training will need to shift away from the “watch for spelling mistakes” type of messaging and more into risk-based approaches to verification of whom you’re talking to. Being asked to do something financial, with a password, or with sensitive data? Pick up the phone and confirm before proceeding.

As machine intelligence continues to advance, the work of separating fact from fiction will continue to get more and more difficult. We will need to be sure we build systems that are flexible enough to combat these messages, but also educate our staff on their need to take additional steps when receiving sensitive requests over email.

 Sophos, a global leader in next-generation cybersecurity, has published a new sectoral survey report, The State of Ransomware in Education 2022.

The findings reveal that education institutions – both higher and lower education – are increasingly being hit with ransomware, with 60% suffering attacks in 2021 compared to 44% in 2020.

Education institutions faced the highest data encryption rate (73%) compared to other sectors (65%), and the longest recovery time, with 7% taking at least three months to recover – almost double the average time for other sectors (4%).

Other key findings include:

• Education institutions report the highest propensity to experience operational and commercial impacts from ransomware attacks compared to other sectors; 97% of higher education and 94% of lower education respondents say attacks impacted their ability to operate, while 96% of higher education and 92% of lower education respondents in the private sector further report business and revenue loss
• Only 2% of education institutions recovered all of their encrypted data after paying a ransom (down from 4% in 2020); schools, on average, were able to recover 62% of encrypted data after paying ransoms (down from 68% in 2020)
• Higher education institutions in particular report the longest ransomware recovery time; while 40% say it takes at least one month to recover (20% for other sectors), 9% report it takes three to six months

“Schools are among those being hit the hardest by ransomware. They’re prime targets for attackers because of their overall lack of strong cybersecurity defenses and the goldmine of personal data they hold,” said Chester Wisniewski, principal research scientist at Sophos. “Education institutions are less likely than others to detect in-progress attacks, which naturally leads to higher attack success and encryption rates. Considering the encrypted data is most likely confidential student records, the impact is far greater than what most industries would experience. Even if a portion of the data is restored, there is no guarantee what data the attackers will return, and, even then, the damage is already done, further burdening the victimized schools with high recovery costs and sometimes even bankruptcy. Unfortunately, these attacks are not going to stop, so the only way to get ahead is to prioritize building up anti-ransomware defenses to identify and mitigate attacks before encryption is possible.”

Interestingly, education institutions report the highest rate of cyber insurance payout on ransomware claims (100% higher education, 99% lower education).

However, as a whole, the sector has one of the lowest rates of cyber insurance coverage against ransomware (78% compared to 83% for other sectors).

“Four out of 10 schools say fewer insurance providers are offering them coverage, while nearly half (49%) report that the level of cybersecurity they need to qualify for coverage has gone up,” said Wisniewski.

“Cyber insurance providers are becoming more selective when it comes to accepting customers, and education organizations need help to meet these higher standards. With limited budgets, schools should work closely with trusted security professionals to ensure that resources are being allocated toward the right solutions that will deliver the best security outcomes and also help meet insurance standards,” he added.

In the light of the survey findings, Sophos experts recommend the following best practices for all organizations across all sectors:

• Install and maintain high-quality defenses across all points in the environment. Review security controls regularly and make sure they continue to meet the organization’s needs
• Proactively hunt for threats to identify and stop adversaries before they can execute attacks – if the team lacks the time or skills to do this in-house, outsource to a Managed Detection and Response (MDR) team
• Harden the IT environment by searching for and closing key security gaps: unpatched devices, unprotected machines and open RDP ports, for example. Extended Detection and Response (XDR) solutions are ideal for this purpose
• Prepare for the worst, and have an updated plan in place of a worst-case incident scenario
• Make backups, and practice restoring from them to ensure minimize disruption and recovery time

The State of Ransomware in Education 2022 survey polled 5,600 IT professionals, including 320 lower education respondents and 410 high education respondents, in mid-sized organizations (100-5,000 employees) across 31 countries.