State of Ransomware – Tech | Business | Economy
https://techeconomy.ng

10 Key Findings from Sophos State of Ransomware Report 2025
https://techeconomy.ng/10-key-findings-from-sophos-state-of-ransomware-report-2025/
Wed, 02 Jul 2025 08:45:39 +0000

Sophos, a global leader of innovative security solutions for defeating cyberattacks, recently released its sixth annual State of Ransomware report, a vendor-agnostic survey of IT and cybersecurity leaders across 17 countries that studies the impact of ransomware attacks on businesses.

This year’s survey found that nearly 50% of companies paid the ransom to get their data back – the second highest rate of ransom payment for ransom demands in six years.

  1. High Ransom Payments Persist: Nearly 50% of organizations paid a ransom—making it the second-highest rate in six years.
  2. Negotiation Pays Off: 53% of those who paid did so below the initial demand, with 71% negotiating the amount either directly or via third parties.
  3. Median Ransom Dropped: While the median ransom demand was $1 million, this figure dropped 50% from the previous year.
  4. Attack Entry Points Remain the Same: Exploited vulnerabilities were again the leading cause of attacks, continuing a three-year trend.
  5. Lack of Visibility a Major Problem: 40% of victims were unaware of the security gaps exploited in their systems.
  6. Staffing & Expertise Shortages: 63% of respondents cited internal resourcing challenges. Larger firms lacked expertise, while smaller ones lacked people.
  7. Improved Attack Prevention: 44% of companies stopped the ransomware before data encryption occurred—a six-year high.
  8. Backup Usage Falls: Only 54% of organizations used backups for recovery—the lowest in six years.
  9. Recovery is Faster and Cheaper: Average recovery costs fell from $2.73 million to $1.53 million, and more than half recovered within a week.
  10. Sector-Based Variance in Payments: State and local governments paid the most (median $2.5 million), while healthcare paid the least (median $150,000).

These insights highlight a growing maturity in response strategies—though prevention

Sophos recommends the following best practices to help organizations defend against ransomware and other cyberattacks:

  • Take steps to eliminate common technical and operational root causes of attacks, such as exploited vulnerabilities. Tools like Sophos Managed Risk can help companies assess their risk profile and minimize their exposure.
  • Ensure all endpoints (including servers) are well-defended with dedicated anti-ransomware protection.
  • Have an incident response plan in place and tested for when things go wrong. Have good backups and practice restoring data regularly.
  • Companies need around-the-clock monitoring and detection. If they do not have the resources in-house for this, they can work with a trusted managed detection and response (MDR) provider.

Download the full State of Ransomware 2025 report on Sophos.com.

Energy and Water Sectors Ransomware Recovery Costs Jump to $3m in 1 Year – Sophos Survey
https://techeconomy.ng/energy-and-water-sectors-ransomware-recovery-costs-jump-to-3m-in-1-year-sophos-survey/
Wed, 17 Jul 2024 21:18:06 +0000

Sophos, a global leader of innovative security solutions for defeating cyberattacks, today released a sector survey report, “The State of Ransomware in Critical Infrastructure 2024,” which revealed that the median recovery costs for two critical infrastructure sectors, Energy and Water, quadrupled to $3 million over the past year.

This is four times higher than the global cross-sector median. In addition, 49% of ransomware attacks against these two critical infrastructure sectors started with an exploited vulnerability.

Source: The State of Ransomware in Energy Sector 2024

Data for the State of Ransomware in Critical Infrastructure 2024 report comes from 275 respondents at energy, oil and gas, and utilities organizations, which fall under the Energy and Water sectors of CISA’s 16 defined critical infrastructure sectors.

The results for this sector survey report are part of a broader, vendor-agnostic survey of 5,000 cybersecurity/IT leaders conducted between January and February 2024 across 14 countries and 15 industry sectors.

Chester Wisniewski, Field CTO Applied Research at Sophos

“Criminals focus where they can cause the most pain and disruption so the public will demand quick resolutions, and they hope, ransom payments to restore services more quickly. This makes utilities prime targets for ransomware attacks. Because of the essential functions they provide, modern society demands they recover quickly and with minimal disruption,” said Chester Wisniewski, Sophos’ global Field CTO.

“Unfortunately, public utilities are not only attractive targets but vulnerable to attacks on many fronts, including the requirement for high availability and safety, as well as an engineering mindset focused on physical security. There’s a preponderance of older technologies configured to enable remote management without modern security controls like encryption and multifactor authentication. Like hospitals and schools these utilities are frequently operating with minimal staffing and without the IT staffing required to stay on top of patching, the latest security vulnerabilities and the monitoring required for early detection and response.”

On top of growing recovery costs, the median ransom payment for organizations in these two sectors jumped to more than $2.5 million in 2024—$500,000 higher than the global cross-sector median.

The Energy and Water sectors also reported the second highest rate of ransomware attacks. Overall, 67% of the organizations in these sectors reported being hit by ransomware in 2024, in comparison to the global, cross-sector average of 59%.

Other findings from the report include:

  • The energy and water sectors reported increasingly longer recovery times. Only 20% of organizations hit by ransomware were able to recover within a week or less in 2024, compared to 41% in 2023 and 50% in 2022. Fifty-five percent took more than a month to recover, up from 36% in 2023. In comparison, across all sectors, only 35% of companies took more than a month to recover
  • These two critical infrastructure sectors reported the highest rate of backup compromise (79%) and the third highest rate of successful encryption (80%) when compared to the other industries surveyed

“This once again shows that paying ransom payments almost always works against our best interests. An increasing number (61%) paid the ransom as part of their recovery, yet the amount of time it took to recover was extended. Not only do these high rates and amounts of ransoms encourage more attacks on the sector, but they are not achieving the claimed goal of shorter recovery times,” said Wisniewski.

“These utilities must recognize they are being targeted and take proactive action to monitor their exposure of remote access and network devices for vulnerabilities and ensure they have 24/7 monitoring and response capabilities to minimize outages and shorten recovery times. Incident response plans should be planned in advance, the same as for fires, floods, hurricanes and earthquakes, and be rehearsed on a regular schedule.”

Read the full State of Ransomware in Critical Infrastructure on Sophos.com.

State of Ransomware in Retail 2023: Only 26% Surveyed Organizations Stopped Data Encryption by Cybercriminals – Sophos
https://techeconomy.ng/state-of-ransomware-in-retail-2023-only-26-surveyed-organizations-stopped-data-encryption-by-cybercriminals-sophos/
Fri, 10 Nov 2023 09:59:53 +0000

  • This Is the Lowest Rate of Disruption in 3 Years  
  • Recovery Costs Are Four Times Higher for Those That Pay the Ransom

    Sophos, a global leader in innovating and delivering cybersecurity as a service, today shared findings from its sector survey report, “The State of Ransomware in Retail 2023,” which found that only 26% of retail organizations this past year were able to disrupt a ransomware attack before their data was encrypted.

    This is a three-year low for the sector—a decline from 34% in 2021 and 28% in 2022—suggesting the sector is increasingly unable to halt ransomware attacks already in progress.

    Retailers are losing ground in the battle against ransomware. Ransomware criminals have been encrypting increasingly greater percentages of their retail victims in the last three years, as evidenced by the steadily declining rate of retailers stopping cybercriminal attacks in progress.

    Sophos The State of Ransomware in Retail 2023

    “Retailers must up their defensive game by setting up security that detects and responds to intrusions earlier in the attack chain,” said Chester Wisniewski, director, global field CTO, Sophos.

    In addition, the report found that, for those retail organizations that paid the ransom, their median recovery costs (not including the ransom payment) were four times the recovery costs of those that used backups to recover their data ($3,000,000 versus $750,000).

    “Forty-three percent of retail victims paid the ransom according to our survey respondents, yet the median recovery cost to victims who paid the ransom was four times the cost to those who used backups and other recovery methods. There are no shortcuts in these situations and rebuilding systems is almost always required. It’s better to deprive the criminals of their spoils and build back better,” said Wisniewski.

    Additional key findings from the report include:

    • In line with a broader, cross-sector trend, the retail sector experienced its highest rate of encryption over the past three years, with 71% of those organizations targeted by ransomware stating that attackers successfully encrypted their data
    • The percentage of retail organizations attacked by ransomware declined from 77% last year to 69% this year
    • The percentage of retail organizations that recovered in less than a day decreased from 15% to 9% this year, while the percentage of retail organizations that took more than a month to recover increased from 17% to 21%

    Sophos recommends the following best practices to help defend against ransomware and other cyberattacks:

    • Strengthen defensive shields with:
      • Security tools that defend against the most common attack vectors, including endpoint protection with strong anti-ransomware and anti-exploit capabilities
      • Zero Trust Network Access (ZTNA) to thwart the abuse of compromised credentials
      • Adaptive technologies that respond automatically to attacks, disrupting adversaries and buying defenders time to respond
      • 24/7 threat detection, investigation and response, whether delivered in-house or by a specialized Managed Detection and Response (MDR) provider
    • Optimize attack preparation, including regularly backing up, practicing recovering data from backups and maintaining an up-to-date incident response plan
    • Maintain security hygiene, including timely patching and regularly reviewing security tool configurations

    To learn more about the State of Ransomware in Retail 2023, download the full report from Sophos.com.

    The State of Ransomware 2023 survey polled 3,000 IT/cybersecurity leaders in organizations with between 100 and 5,000 employees, including 355 from the retail sector, across 14 countries in the Americas, EMEA and Asia Pacific.
