Ransomware Fight Gets Smarter, Sophos Reports

Sophos's sixth annual State of Ransomware report reveals a complex picture of growing cyber threats and evolving defense strategies. While nearly half of surveyed companies (49%) paid a ransom to recover their data, the second-highest rate in six years, 53% of those who paid handed over less than the original demand, often by negotiating directly or with the help of third-party experts.

The report, based on a survey of 3,400 IT and cybersecurity leaders across 17 countries, found that the median ransom payment has halved, from $2 million in 2024 to $1 million in 2025, even though ransom demands remain high, especially for large enterprises. Companies with more than $5 billion in revenue reported median demands of $5.5 million, while smaller firms faced demands under $350,000.

“For many businesses, ransomware is now an expected risk. The positive shift is that organizations are responding more effectively: negotiating lower payments, recovering faster, and embracing managed detection and response,” said Chester Wisniewski, Director, Field CISO at Sophos.

Chester Wisniewski, Director, Field CISO at Sophos.

Despite these improvements, the report also points to persistent weaknesses:

  • Exploited vulnerabilities remain the top attack vector for the third consecutive year.
  • 40% of victims said the attackers exploited a security gap the organization did not know existed.
  • Lack of cybersecurity expertise and staffing shortages were top operational challenges.

Ransomware attacks are being stopped earlier: 44% of companies intercepted the attack before data was encrypted, the best result in six years.

  • The share of attacks in which data was encrypted fell to 50%, down from 70% in 2024.
  • Recovery times improved: 53% of organizations fully recovered in under a week, compared to 35% in 2024.
  • Recovery costs dropped 44% year-over-year, averaging $1.53 million per incident.

However, reliance on backups to recover data declined for the third straight year, with only 54% of organizations restoring from backups. Government entities reported the highest median ransom payment ($2.5 million), while healthcare organizations reported the lowest ($150,000).

Human Cost Still High

The Sophos report also highlights the toll ransomware takes on cybersecurity teams:

  • 41% reported increased stress and anxiety about future attacks.
  • 31% faced staff absences due to stress or mental health.
  • In 25% of cases, the security team’s leadership was replaced after the incident.

Sophos Recommendations

To stay ahead of ransomware threats, Sophos urges organizations to:

  • Patch known vulnerabilities and eliminate security blind spots.
  • Protect endpoints with dedicated anti-ransomware defenses.
  • Invest in 24/7 threat detection and response, ideally through an MDR provider.
  • Develop and test an incident response plan, including reliable backup and restoration procedures that are exercised regularly rather than assumed to work.