Half of Businesses Pay - Here's Why.

Published on 17 July 2025 at 08:35

Picture this: you walk into your office, fire up your computer... and—surprise!—you’re locked out, your data encrypted, and a single message flashes: "Pay us or lose everything." This nightmare is all too real in 2025. A fresh Sophos survey - highlighted by ChannelVision Magazine - found that nearly 50% of companies end up paying the ransom just to get back online.

Why are so many companies paying?

More businesses are starting to treat ransomware as an inevitable part of doing business. According to Sophos, this year marks the second-highest ransom-payment rate in six years. And even when companies do pay, many negotiate to reduce the demand—53% managed to cut a deal.

That said, lower ransom amounts don’t necessarily mean less risk. The median payment fell from $2 million in 2024 to about $1 million this year. But that drop just reflects better negotiation, not fewer attacks or less damage.

Bigger Target, Bigger Bill

The size of your company often determines how much attackers ask for. Large enterprises - those bringing in over $1 billion annually - face median ransom demands around $5 million. Smaller firms, with under $250 million in revenue, typically face lower demands - around $350,000. The criminals aren't stupid - they scale their expectations based on your perceived ability to pay.

Why This Keeps Happening

So what’s causing this steady stream of ransomware incidents? The biggest technical cause remains the same: exploitation of known vulnerabilities. Many businesses - nearly 40% of victims - weren’t even aware they had a security gap until after the attack.

It often comes down to resources. Many companies don’t have the staff, time, or expertise to stay on top of security updates, monitoring, and proactive protection. Chester Wisniewski, Field CISO at Sophos, summed it up well: being compromised is starting to feel like just another budget line item.

Signs of Progress

Still, not all the news is bad. Companies are getting better at defense and recovery. For the first time in six years, fewer than half of all victims suffered full data encryption. About 44% of companies stopped the attack before any data was encrypted at all. Recovery times are improving too. More than half of victims were back online within a week. And recovery costs have dropped from $2.73 million to $1.53 million.

These are encouraging signs that investments in planning, detection, and incident response are starting to pay off.

What You Can Do

If you're a small or midsize business, the good news is that you don’t need a massive budget to make a difference. Start by making sure all systems are regularly patched. Implement multifactor authentication to reduce the risk of account takeovers. Make frequent backups and test your recovery process so you’re not guessing when it matters most. And remember that security is layered: you can't just install antivirus software and assume you're safe.

Also, know who you’ll call if things go sideways. Having a plan in place, and the right partners on speed dial, can drastically reduce both the damage and the downtime. And if there is a real problem, having good cybersecurity insurance, or a cybersecurity warranty, can help you get cleaned up and back on your feet. (But you have to be able to demonstrate your security posture.)

Ransomware isn’t going away. But with the right preparation, you can make sure your company doesn’t end up among those who are forced to pay.