Sophos, a leading provider of cybersecurity solutions, has released its sixth annual State of Ransomware Report, which studies the impact of ransomware attacks. This year’s survey found:

Nearly 50 percent of companies paid the ransom to get their data back, the second-highest rate of ransom payment in six years.

53 percent paid less than the original demand. In 71 percent of cases where the companies paid less, they did so through negotiation – either through their own negotiations or with help from a third party.

While the median ransom demand dropped by one-third between 2024 and 2025, the median ransom payment dropped by 50 percent, illustrating how companies are becoming more successful at minimizing the impact of ransomware.

Overall, the median ransom payment was $1M, although the initial demand varied significantly depending on organization size and revenue. Companies with $250 million revenue or less saw median ransom demands of less than $350,000.

For the third year in a row, exploited vulnerabilities were the number one technical root cause of attacks, while 40 percent of ransomware victims said adversaries took advantage of a security gap of which they were not aware.

63 percent of organizations said resourcing issues were a factor in them falling victim to the attack, with lack of expertise named as the top operational cause by manufacturing organizations.

More companies are stopping attacks in progress, with 44 percent of companies stopping the ransomware attack before data was encrypted – a six-year high.

Backup use is down, with only 54 percent of companies using backups to restore their data – the lowest percentage in six years.

The average cost of recovery dropped from $2.73 million in 2024 to $1.53 million in 2025.

“For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage,” says Chester Wisniewski, director, field CISO, Sophos.