What Every Business Needs to Know About Ransomware in 2025

State of Ransomware and how to protect your business in 2025

State of Ransomware 2025 Report Key Findings

Together with Sophos, our global leading cyber security partner, we’re reviewing the key findings of their sixth annual report on the current landscape of cyber threats, with a focus on the top threat: ransomware. Drawing on input from organisations around the world, it provides a real, accurate view of what is affecting businesses, along with recommendations.

Root causes of attack

The root causes of attacks on organisations, regardless of size or location, remain the same. The 2025 survey found that exploited vulnerabilities remain the most common technical root cause: 32% of those who experienced a ransomware incident identified that it was due to exploitation of a vulnerability within their IT infrastructure.

From the survey, the top three root causes were:

  1. Exploited vulnerabilities
  2. Compromised credentials
  3. Malicious email

Operational contributions to ransomware

Cyber security incidents affect operations, but they can also be a key factor when planning operations within an organisation and a contributor to potential vulnerabilities.

Among those impacted by ransomware incidents, the survey identified significant proportions where organisation staff and operational needs were areas requiring consideration.

Of those surveyed, 40.2% of victims shared that a lack of expertise contributed to being impacted by ransomware, while 40.1% shared that unknown security gaps were also a contributor to the attack.

Additionally, a lack of people/capacity was shared as a cause of falling victim to an attack by 39.4% of those affected.

This highlights how resourcing, in terms of headcount with expertise and security provision, remains a fundamental area where organisations continue to face challenges.

Impact and Recovery

Ransomware attacks continue to be a challenge to data security. Although this is a reduction on previous figures, 28% of organisations that had data encrypted by attackers also experienced data theft. This does not suggest that the rate and scale of ransomware attacks are lowering, but demonstrates how wider measures are more effective.

Concern about the likelihood of an incident remains high: of those surveyed globally, 41% of IT/cybersecurity teams shared having increased anxiety or stress about future attacks.

Pace of Recovery and Impacts

Through a range of processes, sources and planned outcomes, the speed of recovery following a ransomware attack improved globally, with 59% of organisations in the UK reporting being fully recovered after a week. However, the speed of recovery has been due in part to the response to, and size of, payments for data retrieval.

Average recovery times for those surveyed were:

  • Up to a week: 59%
  • Up to 1 month: 28%
  • 1-6 months: 13%

In the UK, 51% of all organisations who paid the initial ransom not only paid promptly, but 28% of those who paid the initial ransom paid more than the initial demand. This is at a time when the survey found that 89% of all ransom demands were for $1 million or more, an 18% increase on 2024.

The median ransom payment in the UK has also doubled in the last year to $5.37 million. In addition to the ransom payments, the average cost to recover following a ransomware attack was $2.58 million, up 24% on 2024. This value includes the costs of downtime, resource, devices and network, and estimated losses such as lost opportunities, for example sales.

Organisation Recommendations

As the latest survey findings highlight, ransomware remains one of the top threats to organisations. However, there are measures that organisations can implement to defend against it and, should the worst happen, to mitigate and recover quickly.

With continuing advancements in technology and approach, the risks will remain high but, as proven by those who have been affected or were able to prevent attacks, there are effective options to implement that meet the needs and scale of organisations.

Prevention – Still the most successful defence against ransomware. Through auditing of current infrastructure, organisations can take more effective, regular preventive measures. Seek to reduce both the technical and the operational root causes to maximise efforts to prevent attack.

Protection – Applying protection at the foundation of infrastructure is essential. Endpoints (including servers) are the primary destination for ransomware actors, so ensure that they are well defended.

Detection and response – The sooner you stop an attack, the better the outcome. Investment in 24/7 detection and response is now essential, whether through in-house provision or, increasingly, the use of managed detection and response tools. For those able to do so, a combined approach can achieve the most comprehensive results if implemented well.

Planning and preparation – Incident response as part of wider disaster recovery planning and testing is essential to secure business continuity and remains a recognised key reason recovery times have improved. Clear and regular backup processes and data restoration practice also provide a more robust process for any size of organisation.

How Information Solutions can help

As your dedicated outsourced IT services provider and Sophos partner, we can provide and implement globally recognised, effective tools to help achieve the best protection, along with best practice advice for your organisation.

Sophos Endpoint Intercept X Advanced

Sophos Endpoint powered by Intercept X delivers unparalleled protection, stopping advanced attacks before they impact your systems. Delivering a comprehensive, prevention-first approach to security, Sophos Endpoint blocks threats without relying on any single technique.

Features of Sophos Endpoint Intercept X Advanced:

  • Deep Learning AI for advanced malware detection
  • Anti-Ransomware (CryptoGuard) to stop encryption-based threats
  • Behavioural Analysis (HIPS) to detect suspicious actions
  • Application Control to block unwanted apps
  • Web Control for URL category-based filtering
  • Device Control to manage USB and peripheral access

Sophos MDR

Real-world expertise delivered using a world-class platform. Sophos MDR combines security data from multiple technology sources in your environment and brings that together into one centralized AI-native platform, analysing and prioritising potential threat signals. Sophos MDR is a fully managed threat hunting, detection, and response service that uses Intercept X Advanced at its core, but with a 24/7 expert team monitoring your environment.

Key Benefits

  • Everything in Intercept X Advanced
  • Proactive threat hunting
  • Human-led incident response
  • Detailed investigations and threat neutralisation
  • Optional “full response mode” (Sophos acts directly on your behalf)

To review your current IT infrastructure and security provision, or to discuss how Information Solutions' range of services could be beneficial to your organisation, speak to our team of experts today.