Sophos State of Ransomware 2025

Keypoints

• The report generally follows a structure consisting of an introduction, key findings, detailed analysis of attack causes, data impact, ransom demands and payments, business and human consequences, and recommendations for future defense strategies.
• A key statistic is that technical vulnerabilities are exploited in 32% of attacks, making them the most common root cause for the third consecutive year.
• Operational factors such as lack of expertise (40.2%), unrecognized security gaps (40.1%), and insufficient staffing (39.4%) are the primary organizational vulnerabilities contributing to ransomware incidents.
• Data encryption has decreased to 50% of attacks in 2025, the lowest in six years, though larger organizations remain more vulnerable with a 65% encryption rate.
• On average, ransom demands have dropped by 34% to approximately $1.3 million, while the median ransom payment decreased by 50% to $1 million.
• Most organizations pay around 85% of the initial ransom demand, often negotiating or reducing it based on external pressures or quick payments.
• Recovery costs have decreased significantly, with an average of $1.53 million spent to recover from attacks—down 44% from the previous year—while recovery times improve, with over half completing recovery within a week.
• The human impact includes increased stress, guilt, staff absence, and even leadership changes within cybersecurity teams impacted by ransomware events.