Median Ransom Payment is $1 Million; Yet 53% of Companies Negotiated a Lower Amount than the Initial Demand

OXFORD, U.K. — June 24, 2025 —

Sophos, a global leader in innovative security solutions for defeating cyberattacks, today released its sixth annual State of Ransomware report, a vendor-agnostic survey of IT and cybersecurity leaders across 17 countries that studies the impact of ransomware attacks on businesses. This year’s survey found that nearly 50% of companies paid the ransom to get their data back – the second-highest rate of ransom payment in six years.

Despite the high percentage of companies that paid the ransom, over half – 53% – paid less than the original demand. In 71% of cases where the companies paid less, they did so through negotiation – either through their own negotiations or with help from a third party. In fact, while the median ransom demand dropped by a third between 2024 and 2025, the median ransom payment dropped by 50%, illustrating how companies are becoming more successful at minimizing the impact of ransomware.

Overall, the median ransom payment was one million dollars, although the initial demand varied significantly depending on organization size and revenue. The median ransom demand for companies with over $1 billion in revenue was five million dollars, while organizations with $250 million in revenue or less saw median ransom demands of less than $350,000.

For the third year in a row, exploited vulnerabilities were the number one technical root cause of attacks, while 40% of ransomware victims said adversaries took advantage of a security gap that they were not aware of – highlighting organizations’ ongoing struggle to see and secure their attack surface. Overall, 63% of organizations said resourcing issues were a factor in their falling victim to the attack, with lack of expertise named as the top operational cause in organizations with more than 3,000 people and lack of people/capacity most frequently cited by those with 251-500 employees.

“For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress,” says Chester Wisniewski, director, field CISO, Sophos.

“Of course, ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We’re seeing more companies recognize they need help and moving to Managed Detection and Response (MDR) services for defense. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start.”

Additional Key Findings from the State of Ransomware 2025 Report:

  • More Companies are Stopping Attacks in Progress: 44% of companies were able to stop the ransomware attack before data was encrypted – a six-year high. Data encryption was also at a six-year low with only half of companies having their data encrypted.
  • Backup Use is Down: Only 54% of companies used backups to restore their data – the lowest percentage in six years.
  • Silver Lining: Ransomware Payments and Recovery Costs are on the Decline: The average cost of recovery dropped from $2.73 million in 2024 to $1.53 million in 2025. While ransom payments are high, they declined by 50% from $2 million in 2024 to $1 million in 2025.
  • Ransom Payments Vary by Industry: State and local government reported paying the highest median amount ($2.5 million), while healthcare reported the lowest ($150,000).
  • Companies are Getting Faster at Recovery: Over half (53%) of organizations fully recovered from a ransomware attack in a week – up from 35% last year. Only 18% took more than a month to recover – down from 34% in 2024.

Sophos recommends the following best practices to help organizations defend against ransomware and other cyberattacks:

  • Take steps to eliminate common technical and operational root causes of attacks, such as exploited vulnerabilities. Tools like Sophos Managed Risk can help companies assess their risk profile and minimize their exposure.
  • Ensure all endpoints (including servers) are well-defended with dedicated anti-ransomware protection.
  • Have an incident response plan in place and tested for when things go wrong. Have good backups and practice restoring data regularly.
  • Companies need around-the-clock monitoring and detection. If they do not have the resources in-house for this, they can work with a trusted managed detection and response (MDR) provider.

Data for the State of Ransomware 2025 report comes from a vendor-agnostic survey of 3,400 IT and cybersecurity leaders in organizations that were hit by ransomware in the previous year. Organizations surveyed ranged from 100 to 5,000 employees across 17 countries. The survey was conducted between January and March 2025, and respondents were asked about their experience of ransomware over the previous 12 months. Sophos will be releasing additional industry findings throughout the year.

Download the full State of Ransomware 2025 report on Sophos.com.

Learn how MDR can neutralize attacks like ransomware in real-time by registering for the webinar Behind the Shield: Real-World Stories of Thwarted Ransomware Attacks.

About Sophos

Sophos is a global leader in cybersecurity, protecting 600,000 organizations worldwide with its AI-powered platform and expert-led services. Sophos supports organizations with a wide range of needs at different levels of security maturity and grows with them to jointly confront increasingly severe cyberattacks. Its solutions combine machine learning, automation, real-time threat intelligence and the expertise of frontline human specialists from Sophos X-Ops to deliver 24/7 advanced threat monitoring, detection and response.
Sophos delivers industry-leading Managed Detection and Response (MDR) services alongside a comprehensive portfolio of cybersecurity technologies, including endpoint, network, email and cloud security, Extended Detection and Response (XDR), Identity Threat Detection and Response (ITDR), and next-generation SIEM. Combined with expert advisory services, these capabilities help organizations proactively reduce risk and respond faster, providing the visibility and scalability needed to stay ahead of an ever-changing threat landscape.
Sophos goes to market through a global partner ecosystem, including managed service providers (MSPs), managed security service providers (MSSPs), resellers, distributors, marketplace integrators and cyber risk partners, giving organizations flexible options to build trusted relationships while keeping their business secure. Sophos is headquartered in Oxford, U.K. For more information, visit www.sophos.cn.