Nearly half of companies targeted by ransomware paid to regain access to their data in 2025, with many managing to negotiate lower payments, according to a new report by security solutions provider Sophos.
The company’s State of Ransomware 2025 report found that 46% of victimized organizations paid a ransom: the second-highest rate in six years. The median payment was $1 million, but more than half of the companies that paid were able to reduce the initial demand, often through negotiation.
Ransom amounts varied widely by industry, with state and local governments paying the most at a median of $2.5 million and healthcare the least at $150,000.
“For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025,” said Chester Wisniewski, director and Field CISO at Sophos.
Sophos surveyed IT and cybersecurity leaders in 17 countries for its sixth annual report. Despite high ransom demands, the median amount paid dropped by 50% from $2 million in 2024 to $1 million this year.
However, only 54% of organizations used backups to restore their data, the lowest rate in six years, indicating a continuing reliance on paying attackers.
The report highlighted vulnerabilities as a persistent challenge. For the third straight year, exploited software flaws were the most common root cause of attacks, with 40% of victims saying attackers used weaknesses they had not identified. Nearly two-thirds cited lack of resources as a factor, with larger organizations blaming limited expertise and smaller ones pointing to insufficient staff.
“The good news is that thanks to this increased awareness, many companies are arming themselves with resources to limit damage,” Wisniewski said. “This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress.”
Sophos found that 44% of organizations stopped an attack before data was encrypted, the highest rate in six years. Data encryption also fell to a six-year low, affecting about half of the victims.
Recovery times are improving. About 53% of companies fully recovered within a week, up from 35% last year. The average cost of recovery dropped to $1.53 million, down from $2.73 million in 2024.
Get the latest before it trends. Follow Back End News on LinkedIn, Facebook, X, YouTube, and TikTok for updates and in-depth coverage across the tech and security landscape.