These days, 49% of companies that fall victim to ransomware pay a ransom to their attackers. This is the second-highest ransom payment rate recorded in the past six years.
This is just one of many interesting findings revealed in Sophos’ “The State of Ransomware 2025” study, in which an independent market research institute surveyed 3400 IT and cybersecurity leaders across 17 countries.
The attack vector most commonly used to gain access to ransomware victims’ systems was exploited vulnerabilities (32%). Other prevalent technical root causes were compromised credentials (23%) and malicious emails, which 19% of ransomware victims identified as the root cause. A further 18% reported phishing as the vector used by attackers, underscoring that robust email security is now indispensable for companies.
Alongside these technical vectors, many other operational exposures were exploited by ransomware attackers. These included a lack of experience (40.2%), security gaps that the organization was not aware of (40.1%), and a lack of staff/capacity (39.4%).
Data was actually encrypted in “only” half of the cases (compared with 70% in the 2024 report). In 28% of ransomware cases, data was also exfiltrated from the organization. Thankfully, 97% of organizations whose data was encrypted were able to recover it. However, backups were used to restore encrypted data in only 54% of all cases.
The median ransom demand fell by more than a third (34%) to US$1.32 million in a year-on-year comparison. Over the same period, the median ransom payment decreased from US$2 million to US$1 million. The main reason for this fall was a clear decline in the percentage of ransom payments exceeding US$5 million.
The bottom line is that, excluding the ransom itself, the costs associated with a ransomware attack have fallen: the average cost to recover from a ransomware attack decreased by 44%, from US$2.73 million in 2024 to US$1.53 million in the latest report. At the same time, victims are recovering faster, with 53% of companies back to full productivity within a week, compared with 35% the previous year.
The full study is available for download from Sophos. Find out more about Retarus Email Security on our website or directly from your Retarus representative.