Ransomware victims are getting better at haggling with hackers
Many ransomware victims are now paying less, getting better at negotiation, and recovering quicker
Nearly half of companies paid a ransom to get their data back last year, according to new research, but they’re taking a hard line with hackers to strike fair deals.
In its latest State of Ransomware report, Sophos said this was the second highest rate of ransom payments in six years. However, more than half (53%) paid less than the original demand.
In nearly three-quarters (71%) of these cases, the hackers were haggled down, either through the victims’ own negotiations, or with help from a third party.
Chester Wisniewski, director, field CISO at Sophos, said that for many organisations, the threat of falling victim to ransomware groups is now “just a part of doing business”.
What Sophos’ research shows, however, is that victims are taking a more pragmatic approach to the situation and are recovering at a quicker pace.
“The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage,” he said. “This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress.”
Companies are getting better at negotiation, Sophos noted. The median ransom demand dropped by a third between 2024 and 2025, but the actual payment made also dropped by half.
Overall, the median ransom payment was a round $1 million, which was also half the figure cited for the previous year.
Not all ransomware victims are successful
It's worth noting that 28% paid more than the initial ransom, largely due to extra demands from the hackers. Sophos said this usually happened because the attackers realized they could ask for more or they got frustrated.
Other causes included a lack of backups or a failure to pay up quickly enough.
Ransom payments varied by industry, with state and local government reporting paying the highest median amount at $2.5 million, while healthcare reported the lowest at $150,000.
Initial demands also varied significantly depending on the organization's size and revenue. The median ransom demand for companies with over $1 billion in revenue was $5 million, while those with $250 million revenue or less were asked for less than $350,000.
For the third year in a row, the number one technical root cause of attacks was exploited vulnerabilities, while 40% of ransomware victims said adversaries took advantage of a security gap that they hadn't been aware of.
Nearly two-thirds (63%) of organizations blamed resourcing issues as a major reason they fell victim to the attack.
Indeed, a lack of expertise was cited as the top operational cause in organizations with more than 3,000 people, and lack of people or capacity was most frequently cited by those with between 251 and 500 employees.
Enterprises are getting better at recovery
The good news is that 44% of companies were able to stop the ransomware attack before data was encrypted, a six-year high. Data encryption was correspondingly at a six-year low, with only half of companies having their data encrypted.
Only 54% of companies used backups to restore their data – the lowest percentage in six years.
However, the average cost of recovery dropped from $2.73 million in 2024 to $1.53 million in 2025.
Companies are getting faster at recovery, Sophos noted, which is a positive sign both in terms of preparedness and resilience. More than half (53%) fully recovered from a ransomware attack in a week, up from 35% last year.
Meanwhile, only 18% took more than a month to recover, down from 34% in 2024.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.