Cybercrime: Half Of Victims Paid Ransom In 2025

Despite global efforts to curb the spread of ransomware, cybercriminals continue to profit handsomely, with nearly half of all victimised organisations paying ransom demands in 2025.

This is according to the State of Ransomware 2025 report released by Sophos, a global leader in cybersecurity solutions.

The sixth annual edition of the report, which surveyed 3,400 IT and cybersecurity leaders across 17 countries, revealed that 49 per cent of organisations hit by ransomware attacks opted to pay the ransom to regain access to their encrypted data, the second-highest payment rate recorded by Sophos in the last six years.

While the median ransom demand decreased by a third compared to 2024, the median payment still stood at $1 million, underscoring the continued profitability of ransomware for cybercriminals. Notably, 53 per cent of organisations that paid a ransom were able to negotiate a lower settlement than initially demanded, often through third-party negotiators or internal efforts.

In his reaction, the director and field CISO at Sophos, Chester Wisniewski averred that for many organisations, the chance of being compromised by ransomware actors is just a part of doing business in 2025, adding that the good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage.

Among those who paid less than the initial demand, 71 per cent successfully negotiated a lower figure. While this signals an increasing awareness and tactical response among victim organisations, the report also noted persistent challenges.

For the third consecutive year, exploited vulnerabilities were identified as the leading technical root cause of ransomware attacks. Alarmingly, 40 percent of victims said attackers exploited a security gap they were unaware of, underscoring a widespread lack of visibility into organizations’ digital infrastructure.

Additionally, 63 per cent of respondents cited resource constraints, including insufficient personnel or expertise, as contributing factors to their susceptibility. For large enterprises (3,000+ employees), lack of expertise topped the list, while mid-sized organisations (251–500 employees) most frequently cited a lack of personnel.

The use of data backups to restore information following an attack has fallen to its lowest point in six years, with only 54 per cent of companies relying on backups — a drop from previous years. Despite this, organisations are recovering faster: 53 per cent reported full recovery within one week, up from 35 per cent in 2024. Only 18 percent of firms took over a month to recover, a significant improvement from last year’s 34 per cent.

Sophos attributes these gains to better incident response capabilities and a growing trend toward using Managed Detection and Response (MDR) services. Such services help companies detect attacks early, respond effectively, and, in some cases, stop attacks in progress.

The report also found significant variation in ransom demands based on industry and company size, adding that organisations with over $1 billion in revenue faced median ransom demands of $5 million; those earning $250 million or less saw demands under $350,000; state and local governments reported the highest median ransom payments at $2.5 million and healthcare organisations paid the lowest, at a median of $150,000.

While attackers are still extracting sizable payments, the overall cost of ransomware recovery has dropped, from $2.73 million in 2024 to $1.53 million in 2025. Sophos credits increased preparedness, improved threat visibility, and wider use of professional response services for this decline.

To further reduce the risk and impact of ransomware, Sophos advises organisations to regularly patch known vulnerabilities and maintain updated security systems; employ multi-factor authentication (MFA) and anti-ransomware protection across all endpoints; use MDR services or maintain 24/7 internal security monitoring; test and maintain a robust incident response plan and ensure regular backups are not only taken but tested for restoration.

As ransomware evolves, so must corporate defenses. Though the profitability of ransomware remains alarmingly high, the increasing resilience among targeted organisations is a sign of hope and a call to action for those still behind the curve.