2025-2026 Pub. 15 Issue 2

By Sally Adam, Vice President, Solution Marketing, Sophos

The sixth annual Sophos State of Ransomware report provides fresh insights into the factors that led organizations to fall victim to ransomware and the human and business impacts of an attack. Based on insights from a vendor-agnostic survey of 3,400 IT and cybersecurity leaders across 17 countries whose organizations were hit by ransomware in the last year, the report combines year-on-year insights with brand-new areas of study. These insights include why ransom payments rarely match the initial demand and the downstream impact of ransomware incidents on in-house teams.

Why Organizations Fall Victim to Ransomware

It is rarely a single issue that leaves organizations exposed to ransomware; rather, a combination of technological and operational factors contributes to organizations falling victim to attack.

Technical Root Causes

For the third year running, victims identified exploited vulnerabilities as the most common root cause of ransomware incidents, used to penetrate organizations in 32% of attacks overall. This finding highlights the importance of identifying and patching security gaps before adversaries can exploit them. Compromised credentials remain the second most common perceived attack vector, although the percentage of attacks that used this approach dropped from 29% in 2024 to 23% in 2025. Email remains a major vector of attack, whether through malicious emails (19%) or phishing (18%).

Operational Root Causes

For the first time, this year’s report explores the organizational factors that left companies exposed to attacks. The findings reveal that victims typically face multiple operational challenges, with respondents citing 2.7 factors, on average, that contributed to their being hit by ransomware. Overall, there is no single stand-out source, with the operational causes evenly split across protection, resourcing and security gaps.

Recovery of Encrypted Data

The good news is that 97% of organizations that had data encrypted were able to recover it. Less encouraging is that data recovery through backups is at its lowest rate in six years. Just under half (49%) paid the ransom and got their data back. While this represents a small reduction from last year’s 56%, it remains the second-highest rate of ransom payments in the last six years.

Ransoms: Demands and Payments

There is good news on this front: Initial ransom demands and actual ransom payments dropped over the last year — largely driven by a reduction in the percentage of demands/payments of $5 million or more. While encouraging, it’s important to keep in mind that 57% of ransom demands and 52% of payments were for $1 million or more. The 826 organizations that paid the ransom shared both the initial demand and their actual payment, revealing that they paid, on average, 85% of the initial ransom demand. Overall, 53% paid less than the initial ask, 18% paid more and 29% matched the initial demand.

The State of Ransomware 2025 | Colorado Banker | 20
