Companies are still paying up to get their data back after a ransomware incident – at almost 50%, this is the second-highest rate in the six years that Sophos has been running its annual State of Ransomware report.

The good news is that they are often paying less than the ransomware gangs initially demand.

Despite the high percentage of companies that paid the ransom, over half – 53% – paid less than the original demand. In 71% of cases where companies paid less, they did so through negotiation – either negotiating themselves or with the help of a third party. In fact, while the median ransom demand dropped by a third between 2024 and 2025, the median ransom payment dropped by 50%, illustrating how companies are becoming more successful at minimising the impact of ransomware.

Overall, the median ransom payment was $1-million, although the initial demand varied significantly depending on organisation size and revenue. The median ransom demand for companies with over $1-billion in revenue was $5-million, while organisations with $250-million in revenue or less saw median ransom demands of less than $350 000.

For the third year in a row, exploited vulnerabilities were the number one technical root cause of attacks, while 40% of ransomware victims said adversaries took advantage of a security gap that they were not aware of – highlighting organisations’ ongoing struggle to see and secure their attack surface.

Overall, 63% of organisations said resourcing issues were a factor in their falling victim to the attack, with lack of expertise named as the top operational cause in organisations with more than 3 000 people, and lack of people/capacity most frequently cited by those with 251-500 employees.

“For many organisations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress,” says Chester Wisniewski, director: field CISO at Sophos.

“Of course, ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We’re seeing more companies recognize they need help and moving to Managed Detection and Response (MDR) services for defense. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start.”

Additional key findings from the State of Ransomware 2025 Report include:

  • More companies are stopping attacks in progress: 44% of companies were able to stop the ransomware attack before data was encrypted – a six-year high. Data encryption was also at a six-year low with only half of companies having their data encrypted.
  • Backup use is down: Only 54% of companies used backups to restore their data – the lowest percentage in six years.
  • Silver lining: ransomware payments and recovery costs are on the decline: The average cost of recovery dropped from $2,73-million in 2024, to $1,53-million in 2025. While ransom payments are high, they declined by 50% from $2-million in 2024 to $1-million in 2025.
  • Ransom payments vary by industry: State and local government reported paying the highest median amount ($2,5-million), while healthcare reported the lowest ($150 000).
  • Companies are getting faster at recovery: Over half (53%) of organisations fully recovered from a ransomware attack in a week – up from 35% last year. Only 18% took more than a month to recover – down from 34% in 2024.

Findings from South Africa

The study polled 154 companies in South Africa, and found that the payment to recover encrypted data was $452 000.00, against an initial average demand of $1-million.

In the local market, compromised credentials were the most common root cause of attacks, says Pieter Nel, country manager of Sophos South Africa.

“But criminals use whatever is available to find a way in,” he adds. “From the South African data, we can see that a lack of expertise was the most common operational root cause, at 58% of incidents.”

The lack of skills also means organisations could take longer to recover from an attack.

Nel urges companies to ensure they are in a position to react quickly in case of an attack. “In most of the incidents we see, the first focus point is that attackers are going to disrupt backups so the victim can’t restore. The sooner we can respond, the quicker we can get them back up and running.”

Another area that organisations need to focus on is securing their data and workloads in the public cloud. “Based on the calls we get, a lot of organisations are neglecting security in the public cloud environment.”

The Sophos report shows encouraging signs that response times are improving, and many customers are looking to technology to help with predicting attacks.

Nel points out that the South African market for cybersecurity and services is about $700-million – substantially up from last year’s $600-million.