Brian Sims
Editor

Sophos issues sixth annual State of Ransomware report

Sophos, the producer of security solutions for defeating cyber attacks, has issued its sixth annual State of Ransomware report, itself a vendor-agnostic survey of IT and cyber security leaders across 17 countries that studies the impact of ransomware attacks on businesses.

This year’s study has found that nearly 50% of companies are paying ransoms to retrieve their data: the second-highest rate of ransom payment in six years.

Despite the high percentage of companies that paid the requested ransom, over half (ie 53%) paid less than the original demand. In 71% of cases where the companies paid less, they did so through negotiation (either through their own negotiations or with help from a third party).

In fact, while the median ransom demand has dropped by one third between 2024 and 2025, the median ransom payment fell by 50%, thereby illustrating how companies are becoming more successful at minimising the impact of ransomware.

For the third year in a row, exploited vulnerabilities were the Number One technical root cause of attacks, while 40% of ransomware victims said adversaries took advantage of a security gap that they were not aware of, duly highlighting organisations’ ongoing struggle to see and secure their attack surface.

Overall, 63% of organisations said resourcing issues were a factor in them falling victim to an attack, with a lack of expertise named as the top operational cause in those organisations with more than 3,000 individuals on the books and lack of people/capacity most frequently cited by those with 251-500 employees.

Limiting the damage

“For many organisations,” explained Chester Wisniewski, director and Chief Information Security Officer at Sophos, “the chance of being compromised by ransomware actors is simply a part of doing business in 2025. The good news, though, is that all thanks to this increased awareness, many companies are arming themselves with the resources needed to limit the damage. This includes hiring incident responders who can not only lower ransom payments, but also speed up recovery and even stop attacks that are in progress.”

Wisniewski continued: “Of course, ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface and too few resources. We’re seeing more companies recognise that they need help and moving to Managed Detection and Response (MDR) services for defence. Coupled with proactive security strategies such as multi-factor authentication and patching, MDR can go a long way in preventing ransomware from the start.”

Additional key findings

More companies are stopping attacks in progress

44% of companies were able to stop the ransomware attack before data was encrypted: a six-year high. Data encryption was at a six-year low, with only half of companies having their data encrypted.

Back-up use is down

Only 54% of companies used back-ups to restore their data: the lowest percentage in six years.

Silver lining: ransomware payments and recovery costs on the decline

The average cost of recovery has dropped. While ransom payments remain high, they declined by 50% between 2024 and 2025.

Companies are recovering faster

Over half (53%) of organisations fully recovered from a ransomware attack in just a week (up from 35% last year), while only 18% of them took more than one month to recover (down from 34% in 2024).

Best Practice advice

Sophos recommends the following Best Practice techniques to help organisations defend against ransomware and other forms of cyber attack:

* take steps to eliminate common technical and operational root causes of attacks, such as exploited vulnerabilities

* ensure all endpoints (including servers) are well-defended with dedicated anti-ransomware protection

* have an Incident Response Plan in place and tested for when things go wrong, have good back-ups and practice restoring data regularly

* companies need 24/7 monitoring and detection and, if they don’t have the resources in-house for this, they can work with a trusted MDR provider

Data for the State of Ransomware 2025 report comes from a vendor-agnostic survey of 3,400 IT and cyber security leaders in organisations that were hit by ransomware in the previous year. Organisations surveyed ranged from those with 100 up to 5,000 employees and across 17 countries.

The survey was conducted between January and March 2025, with respondents asked about their experience of ransomware over the previous 12 months. Sophos will be releasing additional industry findings throughout the year.

Download the full State of Ransomware 2025 report.

Company Info

Western Business Media.

Dorset House
64 High Street
East Grinstead
RH19 3DE
UNITED KINGDOM

01342 31 4300
