The **Sophos State of Ransomware 2025** report highlights that **3,400 organizations** across 17 countries were hit by ransomware in the past year, with **97% recovering encrypted data** but facing severe operational and financial strain. **49% of victims paid ransoms** (down from 56% in 2024), with average payments at **85% of initial demands**, often exceeding **$1M**. While recovery costs dropped **44% to $1.53M**, **53% of attacks disrupted operations for a week or more**. Root causes included **exploited vulnerabilities (32%)**, **compromised credentials (23%)**, and **phishing (18%)**, compounded by **protection gaps, under-resourcing, and security flaws**. The attacks led to **IT team burnout, reputational damage, and prolonged downtime**, with some organizations losing critical data or facing **regulatory penalties**. Ransomware remained the dominant threat, leveraging **unpatched systems and human error** to cripple defenses, forcing costly remediation and eroding trust in cybersecurity postures.
Source: https://news.sophos.com/en-us/2025/06/24/the-state-of-ransomware-2025/
TPRM report: https://www.rankiteo.com/company/sophos
{
  "id": "sop830090225",
  "linkid": "sophos",
  "type": "Ransomware",
  "date": "6/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{
    'affected_entities': [
        {
            'location': ['17 countries (global)'],
            'size': {
                'size_variations': 'analyzed in report (unspecified here)',
                'total_surveyed': 3400,
            },
            'type': ['organizations', 'enterprises'],
        },
    ],
    'attack_vector': [
        {'percentage': 32, 'type': 'exploited vulnerabilities'},
        {'percentage': 23, 'type': 'compromised credentials'},
        {'percentage': 19, 'type': 'malicious emails'},
        {'percentage': 18, 'type': 'phishing'},
    ],
    'data_breach': {
        'data_encryption': {'percentage_encrypted': None, 'recovery_rate': 97},
    },
    'date_publicly_disclosed': '2025',
    'description': 'The sixth annual Sophos State of Ransomware report provides insights into factors leading organizations to fall victim to ransomware and the human/business impacts of attacks. Based on a survey of 3,400 IT/cybersecurity leaders across 17 countries whose organizations were hit by ransomware in the last year, the report highlights root causes (e.g., exploited vulnerabilities, compromised credentials, phishing), operational challenges, ransom payment trends, and recovery metrics. Key findings include: 97% of encrypted data was recoverable (though backup recovery rates declined), 49% of victims paid ransom (down from 56% in 2024), and average recovery costs dropped 44% to $1.53M. Ransom demands/payments of $1M+ remained common (57% of demands, 52% of payments).',
    'impact': {
        'data_compromised': {
            'backup_recovery_rate': 'lowest in six years (unspecified exact %)',
            'data_exfiltration': None,
            'encrypted_data_recovery_rate': 97,
        },
        'downtime': {'recovery_within_one_week': 53},
        'financial_loss': {
            'average_recovery_cost': '$1.53M (excluding ransom, down 44% from 2024)',
            'ransom_payments': {
                'average_of_initial_demand': 85,
                'demands_1M_or_more': 57,
                'payments_1M_or_more': 52,
                'percentage_paid': 49,
            },
        },
        'operational_impact': {
            'it_cybersecurity_team_impact': '100% of respondents reported team impact (unspecified details)',
            'operational_challenges': {
                'average_factors_per_victim': 2.7,
                'categories': ['protection issues', 'resourcing issues', 'security gaps'],
            },
        },
    },
    'investigation_status': 'Completed (report published)',
    'lessons_learned': [
        'Exploited vulnerabilities remain the top root cause (32% of attacks); patching is critical.',
        'Compromised credentials and phishing remain significant vectors (23% and 18% respectively).',
        'Operational challenges (e.g., protection/resourcing gaps) are evenly distributed; no single dominant factor.',
        'Ransom payments rarely match initial demands (only 29% paid exact amount; 53% paid less).',
        'Recovery costs and downtime improved (44% cost reduction; 53% recovered within a week).',
        'Backup recovery rates are declining, increasing reliance on other recovery methods.',
    ],
    'motivation': ['financial gain', 'data exfiltration'],
    'post_incident_analysis': {
        'corrective_actions': [
            'Improve patch management for vulnerabilities.',
            'Enhance credential security and phishing defenses.',
            'Address operational gaps (e.g., resourcing, protection layers).',
            'Strengthen backup and recovery strategies.',
            'Develop ransomware negotiation playbooks.',
        ],
        'root_causes': [
            {
                'details': [
                    'Exploited vulnerabilities (32% of attacks)',
                    'Compromised credentials (23%)',
                    'Malicious emails (19%)',
                    'Phishing (18%)',
                ],
                'type': 'technical',
            },
            {
                'details': [
                    'Protection issues',
                    'Resourcing issues',
                    'Security gaps',
                    'Average of 2.7 factors per victim',
                ],
                'type': 'operational',
            },
        ],
    },
    'ransomware': {
        'data_encryption': {'percentage_affected': None},
        'ransom_demanded': {
            'average_initial_demand': None,
            'demands_1M_or_more': 57,
            'demands_5M_or_more': 'reduced (driving overall decline)',
        },
        'ransom_paid': {
            'average_payment': None,
            'paid_exact_demand': 29,
            'paid_less_than_demand': 53,
            'paid_more_than_demand': 18,
            'payments_1M_or_more': 52,
            'percentage_of_initial_demand': 85,
        },
    },
    'recommendations': [
        'Prioritize vulnerability patching and credential hygiene to mitigate top attack vectors.',
        'Address operational gaps (protection, resourcing, security) holistically.',
        'Invest in backup solutions to reverse the decline in backup recovery rates.',
        'Prepare for ransomware negotiations, as payments often deviate from initial demands.',
        'Leverage the report’s sector-specific insights to tailor defenses by organization size/industry.',
        'Explore Sophos MDR and Endpoint Protection for ransomware defense (as suggested in the report).',
    ],
    'references': [
        {
            'source': 'Sophos State of Ransomware 2025 Report',
            'url': 'https://www.sophos.com/en-us/state-of-ransomware',
        },
    ],
    'response': {
        'recovery_measures': {
            'data_recovery_via_backups': 'declined to six-year low',
            'ransom_payments': '49% of victims paid (down from 56% in 2024)',
        },
    },
    'title': 'Sophos State of Ransomware 2025 Report Findings',
    'type': ['ransomware', 'data breach', 'cyber attack'],
    'vulnerability_exploited': 'Unspecified (32% of attacks involved exploited vulnerabilities)',
}