Ransomware in 2025: Half of Victims Still Paying Hackers, But Costs and Recovery Time Drop

Sophos’ 2025 State of Ransomware report reveals that nearly 50% of businesses paid ransom demands, but organizations are negotiating lower payments and recovering faster. With exploited vulnerabilities still the top cause of attacks, companies are turning to proactive cybersecurity measures and managed detection services.
MALAYSIA, 27 JUNE 2025 – Despite ongoing efforts to prevent ransomware attacks, nearly half of all affected businesses paid ransoms in 2025, according to Sophos’ newly released State of Ransomware 2025 report. The global cybersecurity firm’s sixth annual survey highlights that while ransom payments remain high, the average amount paid and overall recovery costs are trending downward.

This year’s survey, which gathered responses from 3,400 IT and cybersecurity leaders in 17 countries, found that 46% of organizations paid a ransom to recover their data—marking the second-highest rate in six years. However, over half of these victims paid less than the initial ransom demand, often through negotiation. The median ransom demand decreased by a third since 2024, while the median payment plunged 50% to US$1 million.

“The ability to negotiate lower ransoms and the reduced time for recovery signal a shift in how companies are preparing for and responding to ransomware,” said Chester Wisniewski, Director and Field CISO at Sophos. “Many are turning to incident response professionals and managed detection and response (MDR) services to not only contain attacks but also minimize financial damage.”

Among larger enterprises with revenues exceeding US$1 billion, the median ransom demand was US$5 million. In contrast, smaller firms with revenues under US$250 million faced demands of less than US$350,000.

Key Findings from the 2025 Report:

  • Exploited Vulnerabilities Still #1 Threat: For the third consecutive year, vulnerabilities in software and systems remain the most common entry point for attackers.
  • Security Blind Spots Remain Prevalent: 40% of respondents admitted they were unaware of the exploited gaps until after the attack.
  • Staff Shortages Fuel Cyber Risk: 63% of companies cited limited resources as a contributing factor to the breach. Larger firms struggled with skill shortages, while mid-sized firms faced capacity issues.
  • Progress in Prevention and Recovery:
    • 44% of companies successfully halted ransomware before data encryption—an all-time high.
    • Only 50% of attacks resulted in encrypted data, the lowest in six years.
    • 53% of companies restored full operations within a week, compared to 35% in 2024.
    • Just 18% needed over a month to recover, down from 34% the previous year.

Notably, use of data backups declined to 54%—the lowest since 2019—raising concerns about over-reliance on ransom payments as a recovery method.

Industry-Specific Trends:

State and local governments paid the highest median ransoms (US$2.5 million), while the healthcare sector reported the lowest (US$150,000).

Sophos’ Recommendations:

  • Patch vulnerabilities regularly and improve visibility across attack surfaces.
  • Deploy anti-ransomware tools on all endpoints, including servers.
  • Develop and rehearse incident response plans.
  • Invest in 24/7 monitoring, either in-house or via a trusted MDR provider.

“Ransomware remains a persistent threat, but companies are learning to fight smarter,” Wisniewski noted. “With the right defenses, it’s possible not only to mitigate damage but also to stop attacks before they escalate.”

Sophos will publish industry-specific insights from the report throughout the year.

Author: Terry KS