Ransomware Payments Hit $1M Median, But Sophos Report Shows Negotiation is Key to Lowering Costs

A new report reveals a complex reality in the world of cybersecurity. While the median ransom payment demanded by cybercriminals has reached a staggering $1 million, a significant number of businesses are successfully fighting back, not with code, but with conversation. The sixth annual State of Ransomware report from Sophos shows that savvy negotiation is becoming a critical tool for companies to mitigate the financial damage of these attacks.

The State of Ransom Payments in 2025

The 2025 report, which surveyed 3,400 IT and cybersecurity leaders, paints a detailed picture of the current ransomware landscape. While nearly half of the companies attacked paid a ransom to retrieve their data, the story is in the details of those payments.

A Tale of Two Numbers: Demands vs. Payments

Despite high initial demands from attackers, the actual amounts paid are often much lower. The median ransom payment dropped by 50% between 2024 and 2025, falling from $2 million to $1 million. This decline is steeper than the drop in initial ransom demands, which fell by a third in the same period, indicating that companies are becoming more effective at reducing the final payout.

The Power of Negotiation

The data strongly suggests that negotiation is a primary driver of this trend. Over half of the companies that paid a ransom (53%) managed to pay less than the initial demand. Of this group, a remarkable 71% achieved this reduction through direct negotiation or with the help of third-party incident response experts. This highlights a shift where businesses are no longer passive victims but active participants in controlling the financial outcome of an attack.

How Company Size and Industry Affect Ransom Demands

The price of a ransomware attack is not uniform. The report found a direct correlation between a company’s revenue and the ransom demanded.

  • Organizations with over $1 billion in revenue faced a median demand of $5 million.
  • Companies with $250 million or less in revenue saw median demands under $350,000.

Payment amounts also vary significantly by industry. State and local governments reported the highest median payments at $2.5 million, while the healthcare sector reported the lowest at $150,000.

Unpacking the Root Causes of Attacks

For the third consecutive year, the primary technical reason for successful ransomware attacks remains consistent, pointing to persistent challenges for security teams.

Exploited Vulnerabilities Remain the Top Entry Point

Attackers continue to breach networks by exploiting known but unpatched vulnerabilities. Worryingly, 40% of victims reported that the attack exploited a security gap they were not even aware of, underscoring the ongoing struggle organizations face in maintaining full visibility and control over their entire attack surface.

The Human Factor: Resourcing and Expertise Gaps

Technology is only part of the equation. The report reveals that human and resource limitations play a critical role, with 63% of organizations citing them as a factor in falling victim to an attack.

  • For large organizations (over 3,000 employees), a lack of in-house expertise was the top operational cause.
  • For smaller companies (251-500 employees), a general lack of people and capacity was the most frequently cited issue.

Amid the challenges, the report also uncovers several positive developments, suggesting that defensive strategies are maturing.

Proactive Defense and Faster Recovery

A significant 44% of companies were able to stop a ransomware attack before their data was encrypted, a six-year high. This indicates that modern security tools and proactive threat hunting are becoming more effective.

Furthermore, businesses are recovering much faster. Over half (53%) of organizations restored their operations within a week, a substantial improvement from 35% the previous year.

A Concerning Trend: The Decline in Backup Usage

In a surprising twist, the use of backups for data restoration has hit a six-year low, with only 54% of companies relying on them. This may suggest that in some cases, paying the ransom is perceived as a faster (though riskier) path to recovery than a full-scale backup restoration.

Expert Recommendations for Bolstering Your Defenses

Based on the report’s findings, Sophos recommends several best practices for organizations to defend against ransomware:

  • Address Root Causes: Proactively identify and patch vulnerabilities before attackers can exploit them. Risk-management tools can help companies find and minimize their exposure.
  • Strengthen Endpoints: Ensure all computers and servers are protected with dedicated anti-ransomware technology.
  • Plan and Practice: Develop a robust incident response plan and test it regularly. This includes having reliable backups and practicing data restoration.
  • Implement 24/7 Monitoring: If internal resources are limited, partner with a Managed Detection and Response (MDR) provider to ensure around-the-clock threat monitoring and response.

The Analyst

The Analyst delivers in-depth, data-driven insights on technology, industry trends, and digital innovation, breaking down complex topics for a clearer understanding. Reach out: Mail@Tech-ish.com
