
UK firms face rising ransomware costs but recover faster

Sophos has released its latest State of Ransomware report, detailing trends shaping the ransomware landscape for UK and global businesses.

According to the report, the most common technical root cause for ransomware attacks involving UK organisations remains exploited vulnerabilities, cited by 36% of affected businesses.

The findings also indicate several operational challenges that ransomware victims faced, with 42% identifying a lack of expertise, 40% pointing to unseen security gaps, and 38% attributing incidents to not having the necessary cybersecurity products or services in place.

The financial impact of ransomware also remains a significant concern. The average total cost of recovery for UK organisations rose to USD $2.58 million, compared to USD $2.07 million the previous year. However, recovery times have shown improvement, with 59% of UK businesses reporting full recovery within a week, up from 38% last year.

Data restoration methods are shifting, with fewer companies relying on backups. In the UK, 39% of companies used backups to restore their data, a drop from 48% in the previous year. A higher proportion—54%—paid the ransom to retrieve their data, typically paying 103% of the original ransom demand. This rate is notably higher than the global average of 85%.

Global trends

Globally, the survey found that nearly half of businesses opted to pay the ransom, marking the second highest rate in six years. The median ransom payment was USD $1 million, while the initial demand often varied according to company size and revenue. For those with over USD $1 billion in revenue, the median demand reached USD $5 million, whereas companies with USD $250 million or less faced median demands of less than USD $350,000.

Ransom payments were often negotiated below the initial demand. 53% of organisations paid a sum lower than the initial demand, and in 71% of those cases the reduction came through negotiation, conducted either directly by the victim or with the assistance of a third party. The report also found that the median ransom demand decreased by a third and the median payment by half year-on-year, indicating growing success in minimising ransomware impact.

Root causes and resourcing

For the third consecutive year, exploited vulnerabilities were the leading technical root cause for attacks. Security gaps that victims were previously unaware of were cited by 40% of those surveyed, suggesting ongoing challenges around attack surface visibility. Resource constraints also featured prominently, with 63% referencing such factors as contributing to attacks. Larger businesses most frequently attributed incidents to a lack of expertise, whereas organisations with 251–500 employees most often identified personnel and capacity limitations.

"For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress," says Chester Wisniewski, Director, Field CISO, Sophos.

Chester Wisniewski continued: "Of course, ransomware can still be 'cured' by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We're seeing more companies recognize they need help and moving to Managed Detection and Response (MDR) services for defense. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start."

Additional findings

The research also highlighted a six-year high in the proportion of companies interrupting attacks before encryption could occur, with 44% achieving this outcome. Data encryption as a result of ransomware fell to a six-year low, impacting only half of all surveyed companies. The use of backups dropped to its lowest level in six years, with only 54% of global respondents using backups for data restoration.

The average cost of recovery worldwide decreased from USD $2.73 million in 2024 to USD $1.53 million in 2025. Although ransom payments remain substantial, they have declined by 50% globally: from USD $2 million in 2024 to USD $1 million in 2025. Ransom payment amounts also varied by industry, with state and local government reporting the highest median payment at USD $2.5 million, and healthcare organisations the lowest at USD $150,000.

Businesses are also recovering faster. More than half—53%—reported complete recovery from ransomware attacks within a week, compared to 35% in the prior year. The number of organisations taking more than a month to recover dropped to 18%, down from 34% in 2024.

Best practices

Sophos has recommended several measures for businesses to boost their defence against ransomware and other cyber threats. These include actions to remove common technical and operational root causes—such as addressing exploited vulnerabilities—along with maintaining robust endpoint protection, testing incident response plans, and ensuring reliable and regularly tested backups. Sophos emphasises the importance of 24/7 monitoring, either in-house or via a trusted Managed Detection and Response provider.

The State of Ransomware 2025 report is based on survey responses from 3,400 IT and cybersecurity leaders in organisations with 100 to 5,000 employees across 17 countries. The data reflects the experiences of organisations affected by ransomware within the past 12 months.
