Ransomware victims are getting better at haggling with hackers
Many ransomware victims are now paying less, getting better at negotiation, and recovering quicker


Nearly half of companies paid a ransom to get their data back last year, according to new research, but they’re taking a hard line with hackers to strike fair deals.
In its latest State of Ransomware report, Sophos said this was the second highest rate of ransom payments in six years. However, more than half (53%) paid less than the original demand.
In nearly three-quarters (71%) of these cases, the hackers were haggled down, either through the victims’ own negotiations, or with help from a third party.
Chester Wisniewski, director, field CISO at Sophos, said that for many organisations, the threat of falling victim to ransomware groups is now “just a part of doing business”.
What Sophos’ research shows, however, is that victims are taking a more pragmatic approach to the situation and are recovering at a quicker pace.
“The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage,” he said. “This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress.”
Companies are getting better at negotiation, Sophos noted. The median ransom demand dropped by a third between 2024 and 2025, and the median payment actually made dropped by half.
Overall, the median ransom payment was a round one million dollars - this was also half the figure cited for the previous year.
Not all ransomware victims are successful
It's worth noting that 28% paid more than the initial ransom, largely due to extra demands from the hackers. Sophos said this usually happened because the attackers realized they could ask for more or they got frustrated.
Other causes included a lack of backups or a failure to pay up quickly enough.
Ransom payments varied by industry, with state and local government reporting paying the highest median amount at $2.5 million, while healthcare reported the lowest at $150,000.
Initial demands also varied significantly depending on the organization's size and revenue. The median ransom demand for companies with over $1 billion in revenue was $5 million, while those with $250 million revenue or less were asked for less than $350,000.
For the third year in a row, the number one technical root cause of attacks was exploited vulnerabilities, while 40% of ransomware victims said adversaries took advantage of a security gap that they hadn't been aware of.
Nearly two-thirds (63%) of organizations blamed resourcing issues as a major reason they fell victim to the attack.
Indeed, a lack of expertise was cited as the top operational cause in organizations with more than 3,000 people, and lack of people or capacity was most frequently cited by those with between 251 and 500 employees.
Enterprises are getting better at recovery
The good news is that 44% of companies were able to stop the ransomware attack before data was encrypted, a six-year high. Data encryption is correspondingly at a six-year low, with only half of companies having their data encrypted.
Only 54% of companies used backups to restore their data – the lowest percentage in six years.
However, the average cost of recovery dropped from $2.73 million in 2024 to $1.53 million in 2025.
Companies are getting faster at recovery, Sophos noted, which is a positive sign both in terms of preparedness and resilience. More than half (53%) fully recovered from a ransomware attack in a week, up from 35% last year.
Meanwhile, only 18% took more than a month to recover, down from 34% in 2024.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.