Ransomware victims are getting better at haggling with hackers
Many ransomware victims are now paying less, getting better at negotiation, and recovering quicker


Nearly half of companies paid a ransom to get their data back last year, according to new research, but they’re taking a hard line with hackers to strike fair deals.
In its latest State of Ransomware report, Sophos said this was the second highest rate of ransom payments in six years. However, more than half (53%) paid less than the original demand.
In nearly three-quarters (71%) of these cases, the hackers were haggled down, either through the victims’ own negotiations, or with help from a third party.
Chester Wisniewski, director, field CISO at Sophos, said that for many organisations, the threat of falling victim to ransomware groups is now “just a part of doing business”.
What Sophos’ research shows, however, is that victims are taking a more pragmatic approach to the situation and are recovering at a quicker pace.
“The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage,” he said. “This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress.”
Companies are getting better at negotiation, Sophos noted. The median ransom demand dropped by a third between 2024 and 2025, while the median payment actually made dropped by half.
Overall, the median ransom payment was $1 million, half the figure cited for the previous year.
Not all ransomware victims are successful
It's worth noting that 28% paid more than the initial ransom, largely due to extra demands from the hackers. Sophos said this usually happened because the attackers realized they could ask for more or they got frustrated.
Other causes included a lack of backups or a failure to pay up quickly enough.
Ransom payments varied by industry, with state and local government reporting paying the highest median amount at $2.5 million, while healthcare reported the lowest at $150,000.
Initial demands also varied significantly depending on the organization's size and revenue. The median ransom demand for companies with over $1 billion in revenue was $5 million, while those with $250 million revenue or less were asked for less than $350,000.
For the third year in a row, the number one technical root cause of attacks was exploited vulnerabilities, while 40% of ransomware victims said adversaries took advantage of a security gap that they hadn't been aware of.
Nearly two-thirds (63%) of organizations blamed resourcing issues as a major reason they fell victim to the attack.
Indeed, a lack of expertise was cited as the top operational cause in organizations with more than 3,000 people, and lack of people or capacity was most frequently cited by those with between 251 and 500 employees.
Enterprises are getting better at recovery
The good news is that 44% of companies were able to stop the ransomware attack before data was encrypted, a six-year high. Correspondingly, the rate of data encryption fell to a six-year low, with only half of companies having their data encrypted.
Only 54% of companies used backups to restore their data – the lowest percentage in six years.
However, the average cost of recovery dropped from $2.73 million in 2024 to $1.53 million in 2025.
Companies are getting faster at recovery, Sophos noted, which is a positive sign both in terms of preparedness and resilience. More than half (53%) fully recovered from a ransomware attack in a week, up from 35% last year.
Meanwhile, only 18% took more than a month to recover, down from 34% in 2024.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.