46% of global companies paid ransom to cybercriminals in 2025: report

46 per cent of firms paid a ransom to cybercriminals in 2025 to regain access to their data.


Despite growing awareness and improved defences, nearly half of global organisations still opted to pay ransom to cybercriminals in 2025, a new report by cybersecurity firm Sophos has revealed.

The report, titled State of Ransomware 2025, released on Tuesday, found that 46 per cent of firms paid a ransom to regain access to their data, the second-highest rate in six years.

However, 53 per cent of those who paid were able to negotiate a lower amount than the initial demand. In most cases, this was achieved through direct negotiation or with support from third parties.

While the average ransom demand fell by a third year-on-year, the median payment dropped even more sharply, by 50 per cent, from $2m in 2024 to $1m in 2025, showing a growing ability among organisations to limit the financial blow of attacks.

“Thanks to increased awareness, many companies are now hiring incident responders who can reduce ransom payments and speed up recovery,” said Sophos’ Field Chief Information Security Officer, Chester Wisniewski.

The report also noted wide variations in ransom demands. Large firms with over $1 billion in revenue faced median demands of $5 million, while smaller organisations earning $250 million or less saw typical demands below $350,000.

For the third year running, attackers mostly gained access through exploited vulnerabilities. About 40 per cent of victims said hackers took advantage of a security gap they were unaware of.

A shortage of skilled staff remains a critical weakness. Sixty-three per cent of victims blamed resourcing issues, with larger firms citing lack of expertise, while mid-sized ones pointed to low manpower.

Despite the challenges, companies are showing resilience.

Sophos found that 44 per cent of attacks were stopped before data encryption, the highest rate in six years. Data encryption itself was also at a six-year low, with only half of attacks resulting in encrypted data.

The report said fewer companies are relying on backups to restore data, with only 54 per cent doing so, the lowest figure recorded in six years.

The average cost of recovery dropped significantly, from $2.73 million in 2024 to $1.53 million in 2025. While ransom payments remain substantial, they declined by half over the same period.

Ransom payment trends also varied by industry. State and local governments reported the highest median payments at $2.5 million, while healthcare organisations paid the lowest, at $150,000.

Companies are also bouncing back more quickly. Over half of affected firms recovered within a week, up from 35 per cent in 2024. Only 18 per cent took more than a month, compared to 34 per cent last year.

Wisniewski added: “Ransomware can still be ‘cured’ by addressing the core issues: patching vulnerabilities, increasing visibility into the attack surface, and boosting resources.”

Sophos advised firms to adopt proactive security strategies such as multi-factor authentication, timely patching, and investing in managed detection and response services.

The State of Ransomware 2025 report surveyed 3,400 IT and cybersecurity leaders across 17 countries between January and March. All respondents had experienced at least one ransomware attack in the past year.

The PUNCH