
Sophos 2025 Ransomware Report: Nearly Half of Companies Pay the Ransom as Costs Drop and Recovery Speeds Up
Key Takeaways:
• 46% of companies paid ransom demands, but over half negotiated lower payouts—dropping the median payment to $1 million
• Vulnerability exploitation remains the top root cause of attacks, with 40% of victims unaware of the exploited gap
• Recovery times are improving, with 53% of organizations fully recovering within a week, up from 35% the year prior
Sophos has released its sixth annual State of Ransomware report, revealing that 46% of organizations paid a ransom following an attack in the past year—the second highest rate in six years. Despite the frequency of payments, organizations are paying less and recovering faster, suggesting that awareness, preparedness, and negotiation are beginning to shift ransomware economics.
For context, average data breach costs by country or region are shown below. Note that these figures measure the total cost of a data breach, not ransom payments, and that the United States tops the list while the United Kingdom sits just below the global average:

| Country or Region | Average Cost per Data Breach (USD million) |
| --- | --- |
| United States | 9.36 |
| Middle East | 8.75 |
| Canada | 5.13 |
| United Kingdom | 4.64* (≈£3.58m) |
| Germany | 4.67 |
| Global Average | 4.88 |

*Converted from £3.58m using the current exchange rate (~1 GBP = 1.30 USD).
The median ransom payment declined by 50%, from $2 million in 2024 to $1 million in 2025. Notably, 71% of companies that paid less than the original demand did so through negotiation, either directly or via a third party. Median ransom demands also varied sharply by company size, from $5 million at billion-dollar firms to under $350,000 for companies with under $250 million in revenue.
Causes, Costs, and Gaps
For the third consecutive year, exploited vulnerabilities were the leading technical root cause of ransomware attacks. In 40% of incidents, attackers leveraged a security gap unknown to the organization at the time. This highlights a persistent issue across companies of all sizes: incomplete visibility into their attack surface and insufficient resources to monitor and protect it.
Larger enterprises (3,000+ employees) cited lack of expertise as their biggest operational challenge, while smaller firms (251–500 employees) most often blamed insufficient staffing. Across the board, 63% of organizations acknowledged that resource constraints contributed to the success of the attack.
Recovery Trends: Faster, Cheaper, Smarter
Despite the continued prevalence of ransomware, some metrics showed clear improvement:
- Recovery time: 53% of companies fully recovered in a week, up from 35% last year
- Recovery costs: Average recovery cost (excluding any ransom paid) dropped from $2.73 million in 2024 to $1.53 million in 2025
- Data encryption: Fell to a six-year low, with just 50% of attacks resulting in encryption
- Use of backups: Also declined to a six-year low, with only 54% using backups to restore data
Industry Impact
State and local government organizations reported the highest median ransom payments at $2.5 million. In contrast, the healthcare sector paid the lowest median amount—just $150,000. These variations reflect differences in budget, response capabilities, and negotiation leverage across sectors.
Strategic Shifts in Defense
The report also noted a shift in organizational behavior. Companies are more likely to engage with incident responders to negotiate ransoms and manage recovery, and are increasingly adopting Managed Detection and Response (MDR) services to proactively monitor and contain threats.
Sophos recommends that organizations focus on core prevention areas: patching known vulnerabilities, improving attack surface visibility, and implementing 24/7 threat detection through MDR. Multifactor authentication, regular backup testing, and well-rehearsed incident response plans remain foundational to effective ransomware defense.
Conclusion
The 2025 State of Ransomware report paints a complex but cautiously optimistic picture. While ransomware remains a serious and widespread threat, organizations are learning to reduce its financial impact through faster recovery, smarter negotiations, and strategic partnerships with MDR providers. Still, the root causes—unpatched vulnerabilities, resource constraints, and lack of visibility—continue to expose organizations to unnecessary risk. Progress is measurable, but the challenge of ransomware in 2025 is no longer just about paying ransoms—it’s about building lasting resilience.