Ransomware Payments Flowing With a Human Toll – Sophos Report


Ransomware Payments Persist Amid Decline in Demands

It’s a strange pact, new and yet as old as time. A deal with the devil. Not a deal forged in fire but in fiber optics. A deal with a digital devil: the ransom is paid, and business goes on. A new report from cybersecurity firm Sophos reveals that nearly 50% of organizations still choose to pay ransomware attackers. The State of Ransomware 2025 survey covers 3,400 IT and security professionals across 17 countries. It highlights evolving strategies, falling payment amounts, and the growing human consequences of cyber extortion.

“For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025,” says Chester Wisniewski, director, field CISO, Sophos.

Cyber Insurance’s Quiet Influence

While the Sophos report doesn’t explicitly address cyber insurance, broader industry trends suggest its quiet influence. Many companies use third-party negotiators to manage ransom demands. These intermediaries, often law firms or incident response specialists, may be engaged by insurers to reduce liability and expedite resolution.

In the report, 71% of companies that paid less than the initial demand succeeded through negotiation. Though Sophos doesn’t name insurers directly, insurance carriers are known to facilitate these arrangements in practice.

For cyber insurers, these findings offer insight into the value of swift negotiation and recovery, key elements for underwriting strategies and policy development.

Ransom Demands Fall, But Payments Still Hurt

The median ransom demand fell by 34% this year, down to $1.3 million from $2 million in 2024. Median payments dropped even more, by 50% to $1 million. Sophos credits this trend to more substantial negotiation efforts and fewer high-value payments over $5 million.

Still, these payments remain a heavy burden. Only 29% of payments matched the initial demand. More than half of companies paid less, and 18% paid more. The latter often occurred when attackers saw victims as wealthy, delayed the process, or detected failed backup systems.

The Human Cost of Ransomware Payments

The most sobering findings relate to the toll on cybersecurity teams. Among those whose organizations had data encrypted:

  • 41% reported increased stress and anxiety.
  • 34% felt guilt for not stopping the attack.
  • 31% reported staff absences due to mental health issues.
  • 25% saw team leadership replaced post-incident.

These impacts ripple far beyond incident response. Burnout leads to talent loss. New hires require training. Teams operate under a cloud of fear that another breach is inevitable. Morale falters. These human consequences don’t show up in invoices or balance sheets, but they drain organizations just the same.

Industry-Specific Costs Vary Widely

Ransom payments varied by sector. State and local governments paid the highest median ransom, at $2.5 million. Healthcare paid the least, at $150,000. These disparities may reflect budget constraints, the severity of the attack, or negotiation capabilities.

Business Disruption and Recovery Costs

Excluding ransom payments, the average cost of recovery dropped 44% year-over-year, from $2.73 million in 2024 to $1.53 million in 2025. These figures include downtime, IT labor, and lost business.

Smaller firms reported lower costs ($638,000 for companies with 100–250 employees), while larger organizations plateaued around $1.8 million. Even with reduced costs, ransomware continues to cause severe financial disruptions.

Faster Recovery Signals Progress

The report shows encouraging signs in recovery speed. More than half (53%) of companies fully recovered within a week, up from 35% in 2024. Only 18% needed over a month, down from 34%.

These improvements indicate enhanced incident preparedness and increased adoption of managed detection and response (MDR) services.

Backups Decline, Ransom Payments Rise

Only 54% of companies restored data from backups, the lowest rate in six years. In contrast, 49% paid the ransom to recover their data. The use of public decryption tools or other methods accounted for the rest.

Backup failure or insufficient planning continues to leave many organizations vulnerable to high-stakes decisions.

Exploited Vulnerabilities Remain the Primary Attack Vector

In 2025, 32% of ransomware attacks started with exploited vulnerabilities—the third consecutive year this was the top technical cause. Email-based attacks, including phishing, also increased.

Many victims (40%) reported that attackers exploited security gaps they were unaware of. A similar percentage lacked the staffing or expertise to prevent the breach.

Prevention Still the Best Cure

Sophos encourages companies to address the root causes of ransomware: vulnerabilities, lack of visibility, and resource shortages. Its top recommendations:

  • Patch systems and close security gaps.
  • Use anti-ransomware endpoint protection.
  • Invest in 24/7 threat detection, preferably via MDR.
  • Maintain strong, tested backup systems.