A recent global report from cybersecurity firm Sophos reveals that more than half of companies that paid ransoms following cyberattacks successfully negotiated the demand down. The findings come from Sophos’s sixth annual State of Ransomware report, which surveyed IT and security leaders across 17 countries to assess the scale and consequences of ransomware incidents in 2025.
According to the report, 46% of organisations paid a ransom to regain access to their data, and 53% of those who paid ultimately settled for less than the attackers' initial demand. Most of those reductions were achieved through negotiation, conducted either internally or with the help of third-party specialists.
The median ransom payment fell to $1 million, representing a 50% drop from the previous year. This decline suggests that some organisations have become more adept at managing the aftermath of attacks, even as ransomware continues to pose a serious threat.
Initial ransom demands varied widely with company size: the median was $350,000 for smaller firms and $5 million for organisations with annual revenues above $1 billion. For the third consecutive year, the leading technical root cause of attacks was the exploitation of software vulnerabilities, and 40% of victims said attackers had taken advantage of security gaps the organisation itself had not known about. That figure points to a visibility problem on the victim's side rather than necessarily to novel flaws: an exposure that is unknown to the defender can still be well known to the attacker.
In addition, 63% of organisations cited resource constraints, such as a lack of cybersecurity expertise or insufficient staffing, as a factor in the attack's success. The report underlines the ongoing difficulty organisations face in defending against ransomware and the importance of closing the gaps it identifies: exposures the defender has not inventoried and security teams without the capacity to find and fix them.