Key Findings
Healthcare reported the lowest median ransom payment at $150,000.
Only 18% took more than a month to recover from a ransomware attack, down from 34% in 2024
Over half (53%) of organisations fully recovered from a ransomware attack in a week, up from 35% last year.
Overall, 63% of organisations cited resourcing issues as a contributing factor to falling victim to a ransomwre attack.
Nearly 50% of companies paid a ransom to recover their data, which is the second highest rate of ransom payment for demands in six years.
44% of companies were able to stop the ransomware attack before data was encrypted, marking a six-year high.
Data encryption was at a six-year low, with only half of companies having their data encrypted in a ransomware attack.
The median ransom payment was $1 million.
Companies with over $1 billion in revenue faced a median ransom demand of $5 million.
Lack of people/capacity was most frequently cited factor for falling for a ransomware attack by those with 251-500 employees.
The average cost of recovery from a ransomware attack dropped from $2.73 million in 2024 to $1.53 million in 2025.
The median ransom demand decreased by a third between 2024 and 2025.
40% of ransomware victims stated that adversaries exploited a security gap they were unaware of, highlighting issues with attack surface visibility.
53% of companies that paid the ransom successfully negotiated a lower amount than the initial demand.
The median ransom payment dropped by 50% from $2 million in 2024 to $1 million in 2025.
In 71% of cases where companies paid a smaller ransom than the initial demand, negotiation played a role, either directly or with third-party assistance.
State and local government reported the highest median ransom payment at $2.5 million.
Organisations with $250 million revenue or less saw median ransom demands of less than $350,000.
For the third year in a row, exploited vulnerabilities were identified as the number one technical root cause of ransomware attacks.
Lack of expertise was the top operational cause of ransomware attacks in organisations with over 3,000 people.
Only 54% of companies used backups to restore their data after a ransomware attack, which is the lowest percentage in six years.