
UK firms pay higher ransoms as recovery costs from attacks rise
New data from Sophos highlights changing patterns in how UK businesses are experiencing and responding to ransomware attacks.
The State of Ransomware 2025 report from Sophos draws on a survey of IT and cybersecurity leaders from 17 countries, including the UK, examining incidents over the last year and exploring both the operational causes of breaches and the strategies used by organisations to recover.
Main reasons for attacks
The report identifies lack of expertise as the top operational reason for organisations in the UK falling victim to ransomware, cited by 42% of respondents. Unidentified security gaps were reported by 40%, and 38% admitted not having the necessary cybersecurity products and services in place when they were attacked. In terms of technical root causes, exploited vulnerabilities took first place for the third year running, with many organisations unaware of their security weaknesses until after an incident had occurred.
Globally, resourcing issues were noted as a factor by 63% of organisations. The survey found distinctions in causes based on company size: larger organisations (more than 3,000 employees) highlighted lack of expertise, while companies with 251-500 employees pointed to a lack of personnel or capacity.
Ransom payment trends
The study reveals that nearly half of affected companies opted to pay the ransom in the hope of retrieving their data, with 54% of UK victims admitting to paying, notably higher than the global average of 47%. The median ransom payment was USD $1 million, down from USD $2 million last year, against a median initial demand of USD $1 million. State and local government had the highest median payment at USD $2.5 million, while healthcare organisations reported the lowest at USD $150,000.
"For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress," says Chester Wisniewski, director, field CISO, Sophos.
Negotiation and payment reduction
The report finds that 53% of companies ultimately paid less than what attackers originally demanded. In seven out of ten such cases, the lower payment was achieved either through direct negotiation or with assistance from third parties. This signals a climate in which negotiation is becoming an established component of incident response, although the average UK company paid 103% of the ransom demand, above the global average of 85%.
Change in recovery and backup use
Despite rising costs associated with recovery—the average total cost reported by UK organisations was USD $2.58 million, up from USD $2.07 million the previous year—companies are recovering more quickly. This year, 59% of organisations fully recovered within a week, compared to 38% the previous year. Only 18% of respondents globally reported taking more than a month to recover, down sharply from 34% the prior year.
The use of backups as a primary recovery method has decreased. Only 39% of UK companies used backups to restore data, down from 48% the previous year. Globally, just 54% of companies relied on backups, the lowest in six years. This corresponds with a broader trend where more companies are able to halt attacks in progress.
Proactive security strategies
Sophos highlights the importance of addressing root causes, such as exploited vulnerabilities and visibility into attack surfaces, to reduce the chance of further attacks. There is also a noted increase in companies shifting to Managed Detection and Response (MDR) services as a defence mechanism, alongside efforts to implement multifactor authentication and rigorous patching schedules.
"Of course, ransomware can still be 'cured' by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We're seeing more companies recognize they need help and moving to Managed Detection and Response (MDR) services for defense. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start."
Impact on IT staff
The report also touches on the wider impact of ransomware attacks, noting effects on the well-being of IT employees tasked with incident response and recovery efforts. The need for appropriate resourcing, support, and planning is indicated as essential for maintaining cyber resilience.
Survey background
The findings are based on responses from 3,400 IT and cybersecurity leaders in organisations ranging from 100 to 5,000 employees, who had experienced ransomware attacks in the previous year. The survey provides sector-level insights and will be expanded with additional findings over the year.