Sophos

62% of retailers who experienced attacks restored their data using backups in 2025, the lowest rate in four years

47% of retail IT/cybersecurity teams reported increased pressure after experiencing data encryption in 2025

The median ransom demand for retail ransomware attacks doubled to $2 million in 2025 compared to 2024

The average cost of recovering from a ransomware attack in retail, excluding any ransom payment, dropped by 40% to $1.65 million in 2025, the lowest point in three years

The proportion of retailers hit by extortion-only attacks tripled from 2% in 2023 to 6% in 2025

58% of retail organizations with encrypted data paid the ransom in 2025, marking the second highest payment rate in five years

26% of cases in retail saw leadership teams replaced as a result of data encryption in 2025

46% of retail ransomware incidents were traced to an unknown security gap in 2025

Healthcare reported the lowest median ransom payment at $150,000.

Only 18% took more than a month to recover from a ransomware attack, down from 34% in 2024

Over half (53%) of organisations fully recovered from a ransomware attack in a week, up from 35% last year.

Overall, 63% of organisations cited resourcing issues as a contributing factor to falling victim to a ransomwre attack.

Nearly 50% of companies paid a ransom to recover their data, which is the second highest rate of ransom payment for demands in six years.

44% of companies were able to stop the ransomware attack before data was encrypted, marking a six-year high.

Data encryption was at a six-year low, with only half of companies having their data encrypted in a ransomware attack.

The median ransom payment was $1 million.

Companies with over $1 billion in revenue faced a median ransom demand of $5 million.

Lack of people/capacity was most frequently cited factor for falling for a ransomware attack by those with 251-500 employees.

The average cost of recovery from a ransomware attack dropped from $2.73 million in 2024 to $1.53 million in 2025.

The median ransom demand decreased by a third between 2024 and 2025.

40% of ransomware victims stated that adversaries exploited a security gap they were unaware of, highlighting issues with attack surface visibility.

53% of companies that paid the ransom successfully negotiated a lower amount than the initial demand.

The median ransom payment dropped by 50% from $2 million in 2024 to $1 million in 2025.

In 71% of cases where companies paid a smaller ransom than the initial demand, negotiation played a role, either directly or with third-party assistance.

State and local government reported the highest median ransom payment at $2.5 million.

Organisations with $250 million revenue or less saw median ransom demands of less than $350,000.

For the third year in a row, exploited vulnerabilities were identified as the number one technical root cause of ransomware attacks.

Lack of expertise was the top operational cause of ransomware attacks in organisations with over 3,000 people.

Only 54% of companies used backups to restore their data after a ransomware attack, which is the lowest percentage in six years.

Compromised network edge devices account for a quarter of the initial compromises of businesses in cases that could be confirmed from telemetry.

Most active STAC campaigns tracked by Sophos MDR in 2024 were ransomware-related.

Use of remote ransomware increased 50 percent in 2024 over last year.

The Veeam vulnerability (CVE-2024-40711) and similar documented vulnerabilities played a role in nearly 15 percent of the cases Sophos MDR tracked involving malicious intrusions in 2024.

The use of remote ransomware increased 50 percent in 2024 over last year, and 141 percent since 2022.

Use of remote ransomware increased 141 percent since 2022.

Obsolete and unpatched hardware and software constitute an ever-growing source of security vulnerabilities.

The most frequently seen "EDR killer" in 2024 was EDRSandBlast.

Ransomware and data theft attempts accounted for nearly 30 percent of all Sophos Managed Detection and Response (MDR) tracked incidents (in which malicious activity of any sort was detected) for small and midsized businesses.

Over a third of all incidents involving intrusion into smaller organisations have systems on the network edge as the initial point of compromise.

The average price of "junk gun" ransomware obtained from an underground marketplace is $375.

EDRSandBlast variants were detected in waves of attempted ransomware attacks throughout 2024, including a dramatic peak around the US Thanksgiving holiday in November

Ransomware cases accounted for 70 percent of Sophos Incident Response cases for small business customers in 2024.

Ransomware cases accounted for over 90 percent of Sophos Incident Response cases for midsized organisations (from 500 to 5000 employees) in 2024.