Cyberattacks: Nearly Half Of Companies Opt To Pay The Ransom, Sophos Report Finds


Sophos, a global leader of innovative security solutions for defeating cyberattacks, today released its sixth annual State of Ransomware report, a vendor-agnostic survey of IT and cybersecurity leaders across 17 countries that studies the impact of ransomware attacks on businesses.

This year’s survey found that nearly 50% of companies paid the ransom to get their data back – the second-highest rate of ransom payment for ransom demands in six years.

Despite the high percentage of companies that paid the ransom, over half – 53% – paid less than the original demand.

In 71% of cases where the companies paid less, they did so through negotiation – either through their own negotiations or with help from a third party.

In fact, while the median ransom demand dropped by a third between 2024 and 2025, the median ransom payment dropped by 50%, illustrating how companies are becoming more successful at minimizing the impact of ransomware.

Overall, the median ransom payment was one million dollars, although the initial demand varied significantly depending on organization size and revenue.

The median ransom demand for companies with over $1 billion in revenue was five million dollars, while organizations with $250 million revenue or less saw median ransom demands of less than $350,000.

For the third year in a row, exploited vulnerabilities were the number one technical root cause of attacks, while 40% of ransomware victims said adversaries took advantage of a security gap that they were not aware of – highlighting organizations’ ongoing struggle to see and secure their attack surface.

Overall, 63% of organizations said resourcing issues were a factor in them falling victim to the attack, with lack of expertise named as the top operational cause in organizations with more than 3,000 people and lack of people/capacity most frequently cited by those with 251-500 employees.

“For many organisations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress,” says Chester Wisniewski, Director, Field CISO, Sophos.

“Of course, ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We’re seeing more companies recognize they need help and moving to Managed Detection and Response (MDR) services for defense. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start,” Wisniewski added.
