The Real State of Ransomware in 2025: Lower Demands, But Lasting Impact

Ransomware remains a harsh reality for large enterprises in 2025, despite falling ransom demands and faster recovery times.

Sophos’ report The State of Ransomware in Enterprise 2025 compiles insights from 1,733 IT and cybersecurity leaders worldwide. Each of them worked at organizations with over 1,000 employees that were hit by ransomware in the past year. The whitepaper reveals major shifts: attacks are being dealt with more professionally, but the pressure on teams and systems remains high.

In 2025, only 49% of ransomware attacks resulted in data encryption — the lowest rate in five years. Organizations are getting better at detecting attacks early, indicating improved prevention and faster incident response. Still, the risk of data theft remains, with 30% of victims reporting exfiltration alongside encryption.

The average ransom demand dropped by 56% to $1.2 million. The median amount actually paid fell to $1 million. That may sound positive, but the numbers also show cybercriminals are getting smarter: they now often set ‘realistic’ mid-tier demands between $1 and $5 million to increase their chances of getting paid.

The pressure on IT teams is tangible. 40% of affected organizations reported increased pressure from senior leadership, while 39% experienced ongoing stress and workload increases. In more than a quarter of cases, the team’s leadership was replaced following the incident.

Notably, unknown security gaps were the most cited organizational cause of successful attacks, followed closely by lack of personnel and expertise. This underscores the need for strategic investments in both technology and human resources.

Want to understand why ransomware continues to pose a persistent threat, and how your organization can better defend itself? Download the full State of Ransomware in Enterprise 2025 whitepaper for insights that go beyond the headlines.
