Emma Okonji
Sophos, a global leader of innovative security solutions for defeating cyberattacks, has released its sixth annual State of Ransomware report, a vendor-agnostic survey of IT and cybersecurity leaders across 17 countries.
The annual report studies the impact of ransomware attacks on businesses, and how organisations and companies respond when their systems are compromised by hackers.
This year's survey found that nearly 50 per cent of companies paid the ransom to get their data back, the second highest rate of ransom payment in six years.
According to the report, despite the high percentage of companies that paid the ransom, over half (53 per cent) paid less than the original demand.
The report however said: "In 71 per cent of cases where the companies paid less, they did so through negotiation, either through their own negotiations or with help from a third party. In fact, while the median ransom demand dropped by a third between 2024 and 2025, the median ransom payment dropped by 50 per cent, illustrating how companies are becoming more successful at minimising the impact of ransomware.
"Overall, the median ransom payment was one million dollars, although the initial demand varied significantly depending on organisation size and revenue. The median ransom demand for companies with over $1 billion in revenue was five million dollars, while organisations with $250 million revenue or less saw median ransom demands of less than $350,000."
The report further said that for the third year in a row, exploited vulnerabilities were the number one technical root cause of attacks. It explained that 40 per cent of ransomware victims said adversaries took advantage of a security gap that they were not aware of, highlighting organisations' ongoing struggle to see and secure their attack surface. The report further explained that overall, 63 per cent of organisations said resourcing issues were a factor in them falling victim to the attack, with lack of expertise named as the top operational cause in organisations with more than 3,000 people and lack of people/capacity most frequently cited by those with 251-500 employees.
Analysing the report, the Director, Field CISO at Sophos, Chester Wisniewski, said: "For many organisations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress."
According to Wisniewski, "Of course, ransomware can still be 'cured' by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We're seeing more companies recognise they need help and moving to Managed Detection and Response (MDR) services for defense. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start."
Additional key findings from the State of Ransomware 2025 Report show that more companies are stopping attacks in progress: 44 per cent of companies were able to stop the ransomware attack before data was encrypted, a six-year high. Data encryption was also at a six-year low, with only half of companies having their data encrypted.
On backup use, only 54 per cent of companies used backups to restore their data, the lowest percentage in six years.
As a silver lining, the report showed that the average cost of recovery dropped from $2.73 million in 2024 to $1.53 million in 2025. While ransom payments remain high, they declined by 50 per cent, from $2 million in 2024 to $1 million in 2025.
The report highlighted how state and local government reported paying the highest median amount ($2.5 million), while healthcare reported the lowest ($150,000).
Over half (53 per cent) of organisations fully recovered from a ransomware attack within a week, up from 35 per cent last year, while only 18 per cent took more than a month to recover, down from 34 per cent in 2024, the report findings further revealed.
Sophos however recommended some measures and practices that would help organisations defend against ransomware and other cyberattacks, including:
Take steps to eliminate common technical and operational root causes of attacks, such as exploited vulnerabilities. Tools like Sophos Managed Risk can help companies assess their risk profile and minimise their exposure.
Ensure all endpoints (including servers) are well-defended with dedicated anti-ransomware protection.
Have an incident response plan in place and tested for when things go wrong. Have good backups and practice restoring data regularly.
In the report, Sophos encouraged companies to implement around-the-clock monitoring and detection. It however said if companies do not have the resources in-house for this, they could work with a trusted managed detection and response (MDR) provider.