The sixth annual Sophos State of Ransomware report gives contemporary insights into the components that led organizations to fall sufferer to ransomware and the human and enterprise impacts of an assault.
Primarily based on insights from a vendor-agnostic survey of three,400 IT and cybersecurity leaders throughout 17 international locations whose organizations have been hit by ransomware within the final 12 months, the report combines year-on-year insights with model new areas of research, together with why ransom funds not often match the preliminary demand, and the downstream impression of ransomware incidents on in-house groups.
Obtain the report to get the total findings and skim on for a style of a number of the matters lined.
Why organizations fall sufferer to ransomware
It’s not often a single problem that leaves organizations uncovered to ransomware; slightly a mix of technological and operational components contributes to organizations falling sufferer to assault.
Technical root causes
For the third 12 months operating, victims recognized exploited vulnerabilities as the commonest root reason for ransomware incidents, used to penetrate organizations in 32% of assaults total. This discovering highlights the significance of figuring out and patching safety gaps earlier than adversaries can make the most of them.
Compromised credentials stay the second commonest perceived assault vector, though the proportion of assaults that used this strategy dropped from 29% in 2024 to 23% in 2025. E-mail stays a significant vector of assault, whether or not by way of malicious emails (19%) or phishing (18%).
Learn the total report for insights into how assault vectors differ primarily based on group dimension.
Operational root causes
For the primary time, this 12 months’s report explores the organizational components that left corporations uncovered to assaults. The findings reveal that victims are usually dealing with a number of operational challenges, with respondents citing 2.7 components, on common, that contributed to them being hit by ransomware.
Total, there isn’t any single stand-out supply, with the operational causes very evenly cut up throughout safety points, resourcing points, and safety gaps.
Obtain the total report for a deeper dive, together with insights into the person components behind these numbers, in addition to a breakdown of operational challenges by firm dimension and trade sector.
Restoration of encrypted information
The excellent news is that 97% of organizations that had information encrypted have been capable of recuperate it. Much less encouraging is that information restoration by way of backups is at its lowest fee in six years.
Slightly below half (49%) paid the ransom and bought their information again. Whereas this represents a small discount from final 12 months’s 56%, it stays the second highest fee of ransom funds within the final six years.
Learn the report to be taught extra about each information encryption charges and information restoration.
Ransoms: Calls for and funds
There may be excellent news on this entrance: each preliminary ransom calls for and precise ransom funds dropped over the past 12 months – largely pushed by a discount within the share of calls for/funds of $5 million or extra. Whereas encouraging, it’s essential to remember the fact that 57% of ransom calls for and 52% of funds have been for $1 million or extra.
826 organizations that paid the ransom shared each the preliminary demand and their precise fee, revealing that they paid, on common, 85% of the preliminary ransom demand. Total, 53% paid lower than the preliminary ask, 18% paid extra, and 29% matched the preliminary demand.
Learn the total report to be taught extra, embody particulars of why some organizations pay greater than the demand and others are capable of pay much less.
The enterprise and human penalties of ransomware
The information reveals that organizations are getting higher at responding to assaults, reporting decrease prices and sooner restoration.
The typical (imply) value to recuperate from a ransomware assault (excluding any ransom fee) dropped by 44% over the past 12 months, coming in at $1.53 million, down from $2.73 million in 2024. On the identical time, over half of victims (53%) have been recovered inside per week, a major soar from the 35% reported in 2024.
Having information encrypted in a ransomware assault has vital repercussions for the IT/cybersecurity workforce, with all respondents saying their workforce has been impacted indirectly.
Learn the report
Obtain the report to get the total findings along with suggestions on find out how to elevate your ransomware defenses primarily based on the learnings from 3,400 organizations that fell sufferer within the final 12 months. To be taught extra about how Sophos MDR and Sophos Endpoint Safety ship world-leading ransomware safety, go to our web site or converse along with your Sophos adviser.
