Tuesday, June 24, 2025

The State of Ransomware 2025 – Sophos News

The sixth annual Sophos State of Ransomware report provides fresh insights into the factors that led organizations to fall victim to ransomware and the human and business impacts of an attack.

Based on insights from a vendor-agnostic survey of 3,400 IT and cybersecurity leaders across 17 countries whose organizations were hit by ransomware in the last year, the report combines year-on-year insights with brand new areas of study, including why ransom payments rarely match the initial demand, and the downstream impact of ransomware incidents on in-house teams.

Download the report to get the full findings and read on for a taste of some of the topics covered.

Why organizations fall victim to ransomware

It is rarely a single issue that leaves organizations exposed to ransomware; rather, a combination of technological and operational factors contributes to organizations falling victim to attack.

Technical root causes

For the third year running, victims identified exploited vulnerabilities as the most common root cause of ransomware incidents, used to penetrate organizations in 32% of attacks overall. This finding highlights the importance of identifying and patching security gaps before adversaries can take advantage of them.

Compromised credentials remain the second most common perceived attack vector, although the percentage of attacks that used this approach dropped from 29% in 2024 to 23% in 2025. Email remains a major vector of attack, whether through malicious emails (19%) or phishing (18%).

Read the full report for insights into how attack vectors vary based on organization size.

Operational root causes

For the first time, this year’s report explores the organizational factors that left companies exposed to attacks. The findings reveal that victims are typically facing multiple operational challenges, with respondents citing 2.7 factors, on average, that contributed to them being hit by ransomware.

Overall, there is no single stand-out source, with the operational causes very evenly split across protection issues, resourcing issues, and security gaps.

[Figure: Operational root cause of attacks]

Download the full report for a deeper dive, including insights into the individual factors behind these numbers, as well as a breakdown of operational challenges by company size and industry sector.

Recovery of encrypted data

The good news is that 97% of organizations that had data encrypted were able to recover it. Less encouraging is that data recovery through backups is at its lowest rate in six years.

Just under half (49%) paid the ransom and got their data back. While this represents a small reduction from last year’s 56%, it remains the second highest rate of ransom payments in the last six years.

[Figure: Recovery of encrypted data]

Read the report to learn more about both data encryption rates and data recovery.

Ransoms: Demands and payments

There is good news on this front: both initial ransom demands and actual ransom payments dropped over the last year – largely driven by a reduction in the percentage of demands/payments of $5 million or more. While encouraging, it’s important to keep in mind that 57% of ransom demands and 52% of payments were for $1 million or more.

826 organizations that paid the ransom shared both the initial demand and their actual payment, revealing that they paid, on average, 85% of the initial ransom demand. Overall, 53% paid less than the initial ask, 18% paid more, and 29% matched the initial demand.

[Figure: Ransom demands vs payments]

Read the full report to learn more, including details of why some organizations pay more than the demand and others are able to pay less.

The business and human consequences of ransomware

The data reveals that organizations are getting better at responding to attacks, reporting lower costs and faster recovery.

The average (mean) cost to recover from a ransomware attack (excluding any ransom payment) dropped by 44% over the last year, coming in at $1.53 million, down from $2.73 million in 2024. At the same time, over half of victims (53%) had recovered within a week, a significant jump from the 35% reported in 2024.

Having data encrypted in a ransomware attack has significant repercussions for the IT/cybersecurity team, with all respondents saying their team has been impacted in some way.

[Figure: Impact on cyber team]

Read the report

Download the report to get the full findings together with recommendations on how to elevate your ransomware defenses based on the learnings from 3,400 organizations that fell victim in the last year. To learn more about how Sophos MDR and Sophos Endpoint Protection deliver world-leading ransomware protection, visit our website or speak with your Sophos adviser.
