Sophos has published its annual State of Ransomware report. The headline good news is that organizations are getting better at stopping ransomware attacks before any data is encrypted. The broader picture, however, is that many organizations are still struggling with their preparation and preventive measures against these threats.
Progress in Ransomware Response
The report, based on a survey of 3,400 IT and cybersecurity leaders across 17 countries, finds that 44% of organizations stopped a ransomware attack before any data was encrypted. This is the highest rate recorded since the survey began six years ago.
Data was ultimately encrypted in 50% of attacks, the lowest rate in the survey's history. A further 6% of organizations faced a ransom demand even though none of their data was encrypted, i.e. an extortion-only attack.
Key Findings from the Report
- Among organizations whose data was encrypted, 28% also had data exfiltrated.
- 97% of organizations whose data was encrypted got it back in some form.
- The share of victims that restored encrypted data from backups fell to 54% of incidents, a six-year low.
- 49% of victims paid the ransom, the second-highest payment rate in the report's history.
The relationship between backup use and ransom payment is the concerning part. In the past year the share of victims restoring from backups fell sharply, from 73% to 54%, while the share paying a ransom has generally been rising.
Ransom Payment Trends
The average ransom payment fell from $2 million in 2024 to approximately $1 million in 2025, largely because far fewer payments exceeded $5 million. On average, organizations paid 85% of the amount demanded: 29% paid exactly what was demanded, 53% paid less, and 18% paid more than was asked.
Excluding the ransom itself, the average cost of recovering from a ransomware incident fell from $2.73 million in 2024 to $1.53 million in 2025. More encouragingly, 53% of surveyed organizations fully recovered within a week, up from 35% last year.
The Underlying Causes of Ransomware Attacks
Looking at the technical root causes, exploited vulnerabilities were the most common, at 32% of attacks. Compromised credentials came second at 23%, down from 29% in 2024. Malicious email (19%) and phishing (18%) were the other notable initial access vectors.
On the operational side, respondents cited a lack of cybersecurity expertise as a contributing factor in 40.2% of incidents, previously unknown security gaps in 40.1%, and insufficient personnel or resources in 39.4%.
Overall, the findings point to a clear need for organizations to strengthen their ransomware defenses. Vulnerability management, network segmentation, zero-trust architecture, and reliable backups all need significant improvement, and infrastructure hardening and continuous endpoint monitoring remain essential to countering these persistent threats.
Media Disclaimer: This report is based on information obtained from various internal and external sources. Users are encouraged to utilize this information responsibly. The Cyber Express accepts no liability for the accuracy or consequences arising from the use of this data.