Nearly half of companies hit by ransomware in the past year paid the ransom to recover their data, according to cybersecurity firm Sophos. The company’s latest State of Ransomware 2025 report found that 46% of affected organizations chose to pay, one of the highest rates in six years.
However, most didn’t pay the full amount. The report shows that 53% of companies that paid were able to negotiate a lower ransom. In 71% of those cases, the discount came through direct talks or help from third-party negotiators. As a result, the median ransom payment dropped to $1 million in 2025, down from $2 million the year before.
Ransom demands varied by company size. Large companies with over $1 billion in revenue faced median demands of $5 million. Smaller firms with less than $250 million in revenue saw demands closer to $350,000.
The report also shows ongoing security gaps. For the third year in a row, attackers most often got in through known software vulnerabilities. In 40% of cases, companies said hackers used weaknesses they didn’t even know existed. Many also blamed staffing issues: larger firms cited a lack of expertise, while mid-sized ones pointed to limited capacity.
Other key findings:
- 44% of companies stopped the attack before data was encrypted, a six-year high.
- Only 54% used backups to recover data, the lowest rate in six years.
- Average recovery costs dropped from $2.73 million in 2024 to $1.53 million in 2025.
- State and local governments paid the highest median ransom ($2.5 million); healthcare paid the least ($150,000).
- 53% of companies recovered within a week, up from 35% last year.
The report is based on a global survey of 3,400 IT and cybersecurity leaders, conducted between January and March 2025.