Almost Half of Organizations Pay Ransom after Ransomware Attack


The average ransom payment is 1 million dollars, although more than half of the affected organizations negotiate for a lower amount than the original demand.

Sophos has published its annual State of Ransomware report, which shows that 46 percent of surveyed organizations paid a ransom to recover encrypted data. This is the second-highest percentage in six years.

However, 53 percent of victims pay less than what attackers initially demanded, often after negotiations. The average payment was about 1 million dollars.

Ransom Amounts Decrease

The data is based on a global survey of 3,400 IT and security professionals. According to Sophos, the average ransom payment has halved in one year: in 2024 it was still 2 million dollars. The average ransom demand also dropped, by one-third.

The ransom amount demanded by attackers largely depends on the size of the victim. For large companies with annual revenues above 1 billion dollars, the demand averaged more than 5 million dollars. Small organizations received demands averaging 350,000 dollars or less.

Organizations seem to recover faster. More than half fully recovered from an attack within a week, compared to 35 percent in 2024. Only 18 percent took longer than a month. The average recovery costs also decreased: from 2.73 million dollars in 2024 to 1.53 million in 2025.

Vulnerabilities Remain the Biggest Gateway

In 40 percent of cases, attackers exploited a known vulnerability that had not yet been patched. The biggest stumbling block for many organizations remains insufficient visibility of their attack surface, and a lack of resources and expertise in particular plays a role here. For larger organizations, a lack of knowledge is the main cause; smaller companies more often struggle with a lack of capacity.

Notable (and frankly hard to understand) is that the use of backups is decreasing. Only 54 percent of affected organizations used backups for recovery, the lowest figure in six years. Furthermore, national and local governments pay the highest average ransom, with amounts around 2.5 million dollars. Healthcare institutions paid the least, with an average of 150,000 dollars.

The report emphasizes the importance of structural measures such as patch management, a backup strategy, and monitoring. Organizations that lack sufficient internal capacity for this are increasingly turning to MDR (managed detection and response) services.