Ransomware in 2025: Key Trends and Shifting Threats for Enterprises
Sophos’ 2025 ransomware report, based on data from 1,733 enterprise organizations hit by attacks in 2024, reveals evolving tactics, operational vulnerabilities, and the financial and human toll of ransomware.
Root Causes of Attacks
Exploited vulnerabilities were the leading technical cause (29% of incidents), followed by phishing (21%) and compromised credentials (21%). Operational gaps played a major role, with 40% of victims citing unknown security weaknesses, while 39% pointed to understaffing or lack of expertise. Small and mid-sized businesses (SMBs) also struggled with resource constraints, with 42% attributing attacks to insufficient capacity.
Encryption and Recovery Trends
Data encryption rates dropped to a five-year low (49% in 2025 vs. 66% in 2024), while blocked encryption attempts surged to 47%, up from 22% in 2023 suggesting improved detection and response. Despite this, ransom payments remained steady at 48%, while backup reliance fell to 53%, its lowest in four years, signaling potential gaps in recovery confidence.
Financial and Human Impact
Ransom demands and payments declined sharply, with median demands dropping 56% to $1.2 million and payments falling to $1 million. Recovery costs also decreased, averaging $1.84 million in 2025, down from $3.12 million in 2024. However, the human cost persisted: 40% of IT teams reported increased pressure from leadership, while 39% faced heavier workloads, 37% saw shifting priorities, and 35% experienced guilt over failed prevention.
The report, based on a global survey of 3,400 IT/cybersecurity leaders conducted between January and March 2025, underscores the persistent challenges of ransomware despite progress in mitigation.
Source: https://www.sophos.com/en-us/blog/the-state-of-ransomware-in-enterprise-2025
Sophos cybersecurity rating report: https://www.rankiteo.com/company/sophos
"id": "SOP1769016314",
"linkid": "sophos",
"type": "Ransomware",
"date": "6/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'location': 'Global',
'size': ['Small', 'Mid-sized', 'Large'],
'type': 'Enterprise organizations'}],
'attack_vector': ['Exploited vulnerabilities',
'Phishing',
'Compromised credentials'],
'data_breach': {'data_encryption': '49% of incidents involved data '
'encryption'},
'date_publicly_disclosed': '2025',
'description': 'Sophos’ 2025 ransomware report, based on data from 1,733 '
'enterprise organizations hit by attacks in 2024, reveals '
'evolving tactics, operational vulnerabilities, and the '
'financial and human toll of ransomware.',
'impact': {'financial_loss': {'average_recovery_cost': '$1.84 million',
'median_ransom_demand': '$1.2 million',
'median_ransom_paid': '$1 million'}},
'lessons_learned': 'Persistent challenges of ransomware despite progress in '
'mitigation, including operational gaps, resource '
'constraints, and human impact on IT teams.',
'post_incident_analysis': {'root_causes': ['Exploited vulnerabilities (29%)',
'Phishing (21%)',
'Compromised credentials (21%)',
'Unknown security weaknesses (40%)',
'Understaffing or lack of '
'expertise (39%)',
'Insufficient capacity (42% for '
'SMBs)']},
'ransomware': {'data_encryption': '49% of incidents',
'ransom_demanded': '$1.2 million (median)',
'ransom_paid': '$1 million (median), 48% of victims paid'},
'references': [{'date_accessed': '2025',
'source': 'Sophos 2025 Ransomware Report'}],
'title': 'Sophos 2025 Ransomware Report: Key Trends and Shifting Threats for '
'Enterprises',
'type': 'Ransomware'}