Almost 50% of companies choose to pay the ransom

Issue 3 2025 News & Events, Information Security

Sophos has released its sixth annual State of Ransomware report , a vendor-agnostic survey of IT and cybersecurity leaders across 17 countries that studies the impact of ransomware attacks on businesses. This year’s survey found that nearly 50% of companies paid the ransom to get their data back, the second-highest rate of ransom payment for ransom demands in six years.

Despite the high percentage of companies that paid the ransom, over half (53%) paid less than the original demand. In 71% of cases where companies paid less, they did so through negotiation, either through their own efforts or with assistance from a third party. In fact, while the median ransom demand dropped by a third between 2024 and 2025, the median ransom payment dropped by 50%, illustrating how companies are becoming more successful at minimising the impact of ransomware.

Overall, the median ransom payment was one million dollars, although the initial demand varied significantly depending on organisation size and revenue. The median ransom demand for companies with over $1 billion in revenue was $5 million, while organisations with $250 million or less in revenue saw median ransom demands of less than $ 350 000.

For the third year in a row, exploited vulnerabilities were the number one technical root cause of attacks, while 40% of ransomware victims said adversaries took advantage of a security gap that they were not aware of, highlighting organisations’ ongoing struggle to see and secure their attack surface. Overall, 63% of organisations said resourcing issues were a factor in them falling victim to the attack, with lack of expertise named as the top operational cause in organisations with more than 3000 people and lack of people/capacity most frequently cited by those with 251 - 500 employees.

South Africa figures

While the report is global, South Africa is also represented by 154 IT/cybersecurity leaders working in organisations that were hit by ransomware last year. The median ransom payment in SA over the last year was $452 000. The average cost to recover from an attack (excluding ransom payments, but including downtime, people time, device cost, network cost, lost opportunity, etc.) was $1,31 million. The global average was $2,73 million, about $1 million higher than in 2023. Interestingly, the sector reporting the biggest increase in overall recovery costs was the lower-revenue segments with a $2 million increase over 2023 ($885,018 versus $2,89 million in 2024).

In SA, compromised credentials were the most common technical root cause of attack, used in 34% of attacks. They are followed by exploited vulnerabilities, which were the start of 28% of attacks. Malicious emails were used in 22% of attacks.

When discussing the non-technical root cause of attacks, 58% of local companies noted a lack of expertise as the most common operational root cause, with 55% citing a “lack of protection”, and 53% putting the blame on weaknesses in their defences “that they were not aware of”.

Of the organisations that had data encrypted, 90% were able to get it back, below the global average of 98%. A full 71% of South African organisations paid the ransom and got their data back (versus 56% globally), a considerable increase from the 43% reported last year. Only 35% used backups to recover encrypted data (compared to 68% globally), a drop from the 72% last year. Furthermore, 26% of organisations that experienced data encryption used "other means" to recover their data, which could include working with law enforcement or using publicly available decryption keys.

Unusual business as usual

“For many organisations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments, but also speed up recovery and even stop attacks in progress,” says Chester Wisniewski, director, field CISO, Sophos.

“Of course, ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We are seeing more companies recognise they need help and they are moving to Managed Detection and Response (MDR) services for defence. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start.”

Additional findings from the global report include:

More companies are stopping attacks in progress: 44% of companies were able to stop the ransomware attack before data was encrypted (a six-year high). Data encryption was also at a six-year low, with only half of the companies having their data encrypted.

Companies are getting faster at recovery: Over half (53%) of organisations fully recovered from a ransomware attack in a week, up from 35% last year. Only 18% took more than a month to recover, down from 34% in 2024.

South African organisations are also recovering faster from ransomware attacks, with 47% fully recovered within up to a week, an increase from the 41% reported last year. Around 19% took between one and six months to recover, a drop from last year’s 26%.

Sophos recommends the following best practices to help organisations defend against ransomware and other cyberattacks:

• Take steps to eliminate common technical and operational root causes of attacks, such as exploited vulnerabilities. Tools like Sophos Managed Risk can help companies assess their risk profile and minimise their exposure.

• Ensure all endpoints (including servers) are well-defended with dedicated anti-ransomware protection.

• Have an incident response plan in place and tested for when things go wrong. Have good backups and practice restoring data regularly.

• Companies need around-the-clock monitoring and detection. If they do not have the necessary resources in-house, they can work with a managed detection and response (MDR) provider.

Download the State of Ransomware 2025 report at tinyurl.com/mry6npt3

For more information contact Sophos SA, +27 11 444 4000, [email protected], www.sophos.com




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

SMARTpod talks to Sophos and Phishield
SMART Security Solutions Technews Publishing Sophos Videos Information Security News & Events
SMARTpod recently spoke with Pieter Nel, Sales Director for SADC at Sophos, and Sarel Lamprecht, MD at Phishield, about ransomware and their new cyber insurance partnership.

Read more...
Cybersecurity and insurance partnership for sub-Saharan Africa
Sophos News & Events Information Security Security Services & Risk Management
Sophos and Phishield Announce first-of-its-kind cybersecurity and insurance partnership for sub-Saharan Africa. The SMARTpod podcast, discussing the deal and the state of ransomware in South Africa and globally, is now also available.

Read more...
Nice unveils MyNice Smartgo
News & Events Access Control & Identity Management
Nice SA has announced the release of MyNice Smartgo, a compact access automation solution, designed specifically for the South African market, combining an easy-to-install device with a user-friendly smartphone application.friendly smartphone application.

Read more...
Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Corporate and academic teams can register for Kaspersky contest
Kaspersky News & Events Information Security
Kaspersky has announced the registration opening for its new Kaspersky{CTF} (Capture the Flag) competition, inviting academic and corporate teams from around the globe to compete in a battle of skill, strategy and innovation.

Read more...
SA businesses embrace GenAI, but strategy and skills lag
News & Events AI & Data Analytics
South African enterprises are rapidly integrating Generative AI (GenAI) into their operations, but most are doing so without formal strategies, dedicated leadership, or the infrastructure required to maximise value and minimise risk.

Read more...
Continuous security optimisation.
News & Events Information Security
Cymulate has announced its partnership with SentinelOne, a threat exposure validation and AI-powered cybersecurity platform. The collaboration delivers self-healing endpoint security that empowers businesses to increase protection for every endpoint on their network.

Read more...
Protect your smart home devices
Kaspersky IoT & Automation Information Security Smart Home Automation
Voice assistants, kitchen robots, smart lights and many other intelligent devices have become part of our everyday life. However, with the rise of smart technology comes the need for robust protection against potential vulnerabilities.

Read more...
ISPA’s take-down process protects from local scams
News & Events Information Security
During the recent school holidays, parents could rest a little easier knowing that ISPA, SA’s official internet industry representative body, is removing an average of three to four problematic websites from the local internet every week.

Read more...
The power of PKI and private sector innovation
Access Control & Identity Management News & Events Government and Parastatal (Industry)
At the recent ID4Africa 2025 Summit in Addis Ababa, the spotlight was firmly on building secure, inclusive, and scalable digital identity ecosystems for the African continent.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.