- Sophos surveys organizations which have suffered ransomware attacks
- On average, they paid 85% of the demands
- The average demand has dropped to $1.3 million this year so far
New research from Sophos has found that, as ransomware attacks have become more prolific than ever, more and more companies are caving to demands, with organizations paying an average of 85% of the ransom.
The median ransom demand has dropped from $2 million in 2024 to $1.3 million in 2025. Around half (53%) of those who paid gave over less than half of the initial demand, but worryingly, 18% paid more than was originally asked for – with the UK paying an average of 103%.
Recently, ransomware attacks have been soaring to new highs and costing more than ever, not just in payments, but also in lost data, downtime, and regulatory fines – with Sophos’ survey revealing an average of $1.83 million in recovery costs for firms with between 1,000 and 5,000 employees.
Data at risk
Just under half (49%) of organizations surveyed chose to pay the ransom, a slight increase from the 56% in 2024.
This is despite some Governments implementing a ransomware payment ban, which forbids public sector organizations from handing any money over to ransom gangs – and private organizations are urged to do the same.
In a ransomware attack, the primary goal for criminals is data, and the survey found data encryption is at its lowest level in six years – with 50% of attacks resulting in data encryption, down from 70% in 2024.
If criminals get hold of your data and encrypt it, they can essentially hold your systems hostage and seriously disrupt your operations – so the fewer encryptions, the better.
It’s not all doom and gloom though, as 97% of organizations that had data encrypted were able to recover it.
The initial technical root of attacks was most commonly (32%) through exploited vulnerabilities, with malicious emails (23%) and compromised credentials (30%) close behind.
Unfortunately, a lack of expertise was the most common operational root cause – with 40% of respondents citing this – as well as unknown security gaps (40%) and a lack of necessary cybersecurity products or expertise (39%). This shows that organizations are fundamentally underprepared for the ever-growing threat of ransomware.
“For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress,” says Chester Wisniewski, director, field CISO, Sophos.
“Of course, ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We’re seeing more companies recognize they need help and moving to Managed Detection and Response (MDR) services for defense. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start.”