OFFICIAL PUBLICATION OF THE COLORADO BANKERS ASSOCIATION

2025-2026 Pub. 15 Issue 2

The State of Ransomware 2025


The sixth annual Sophos State of Ransomware report provides fresh insights into the factors that led organizations to fall victim to ransomware and the human and business impacts of an attack.

Based on insights from a vendor-agnostic survey of 3,400 IT and cybersecurity leaders across 17 countries whose organizations were hit by ransomware in the last year, the report combines year-on-year insights with brand new areas of study. These insights include why ransom payments rarely match the initial demand and the downstream impact of ransomware incidents on in-house teams.

Why Organizations Fall Victim to Ransomware

It is rarely a single issue that leaves organizations exposed to ransomware; rather, a combination of technological and operational factors contributes to organizations falling victim to attack.

Technical Root Causes

For the third year running, victims identified exploited vulnerabilities as the most common root cause of ransomware incidents, used to penetrate organizations in 32% of attacks overall. This finding highlights the importance of identifying and patching security gaps before adversaries can exploit them.

Compromised credentials remain the second most common perceived attack vector, although the percentage of attacks that used this approach dropped from 29% in 2024 to 23% in 2025. Email remains a major vector of attack, whether through malicious emails (19%) or phishing (18%).

Operational Root Causes

For the first time, this year’s report explores the organizational factors that left companies exposed to attacks. The findings reveal that victims typically face multiple operational challenges, with respondents citing 2.7 factors, on average, that contributed to their being hit by ransomware.

Overall, there is no single stand-out source, with the operational causes evenly split across protection, resourcing and security gaps.

Recovery of Encrypted Data

The good news is that 97% of organizations that had data encrypted were able to recover it. Less encouraging is that data recovery through backups is at its lowest rate in six years.

Just under half (49%) paid the ransom and got their data back. While this represents a small reduction from last year’s 56%, it remains the second-highest rate of ransom payments in the last six years.

Ransoms: Demands and Payments

There is good news on this front: Initial ransom demands and actual ransom payments dropped over the last year — largely driven by a reduction in the percentage of demands/payments of $5 million or more. While encouraging, it’s important to keep in mind that 57% of ransom demands and 52% of payments were for $1 million or more.

The 826 organizations that paid the ransom shared both the initial demand and their actual payment, revealing that they paid, on average, 85% of the initial ransom demand. Overall, 53% paid less than the initial ask, 18% paid more and 29% matched the initial demand.

The Business and Human Consequences of Ransomware

The data reveals that organizations are getting better at responding to attacks, reporting lower costs and faster recovery.

The average cost to recover from a ransomware attack (excluding any ransom payment) dropped by 44% over the last year to $1.53 million, down from $2.73 million in 2024. At the same time, over half of the victims (53%) had recovered within a week, a significant jump from the 35% reported in 2024.

Having data encrypted in a ransomware attack has significant repercussions for the IT/cybersecurity team, with all respondents saying their team has been impacted in some way.

Download the full Sophos State of Ransomware report.

As vice president of Solution Marketing, Sally is responsible for Sophos’ business-focused research programs, insurance partnerships and solution content strategy and creation. With over 17 years of experience in cybersecurity, Sally combines deep knowledge of both challenges and solutions to help organizations optimize their cyber defenses.
