53% of companies negotiated for lower ransom: Sophos report

More than half of companies that paid ransoms following cyberattacks succeeded in negotiating the demand down, according to a new global report from cybersecurity firm Sophos. 

The findings come from the company's sixth annual State of Ransomware report, which surveyed IT and security leaders across 17 countries to assess the scale and consequences of ransomware incidents in 2025.

According to a press release by Sophos, while 46% of organisations reported paying a ransom to regain access to their data, 53% of those who paid ultimately settled for less than what attackers initially demanded. In the majority of these cases, companies managed to lower the amount through negotiation, either conducted internally or with the help of third-party experts.

The report notes that the median ransom payment fell to $1 million, representing a 50% drop from the previous year. This decline suggests that some organisations have become more adept at managing the aftermath of attacks, even as ransomware continues to pose a serious threat. 

The initial ransom demands varied widely depending on company size, with median figures ranging from $350,000 for smaller firms to $5 million for those with annual revenues exceeding $1 billion, as per Sophos.

For the third consecutive year, the leading technical root cause of ransomware attacks was exploited software vulnerabilities. 40 percent of victims said attackers had taken advantage of security gaps that were previously unknown to them. 63 percent organisations attributed their breach to resource constraints, including a lack of cybersecurity expertise or insufficient staffing, states the press release.