Ransomware Report Marks Sixth Year of Release by Sophos
In the ever-evolving landscape of cybersecurity, Sophos has released its sixth annual State of Ransomware report, offering valuable insights into the current state of ransomware attacks and defences. The survey, conducted between January and March 2025, gathered data from 3,400 IT and cybersecurity leaders in organisations that experienced ransomware attacks over the previous year, including 200 from Australia.
One of the key findings for Australian organisations is the decrease in the use of backups to restore data, with only 67% using them (down from 72% last year). On a positive note, close to half (47%) of Australian organisations fully recovered from a ransomware attack in a week, up from the 36% reported last year.
The report also highlights the importance of Managed Detection and Response (MDR) services in defending against ransomware. According to Sophos' Field CISO, Chester Wisniewski, more companies are recognising the need for help and are moving towards MDR services. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can help prevent ransomware, Wisniewski said.
Exploited vulnerabilities were the most common technical root cause of attacks for Australian organisations (28%); respondents also cited a lack of protection (45%) and a lack of people/capacity (44%). Wisniewski emphasised the importance of tackling these root causes to prevent ransomware.
Another significant finding is the decrease in ransom payments by Australian organisations. In 2025, 41% of Australian organisations paid the ransom to retrieve their data, a decrease from 66% in the previous year. In 71% of cases where companies paid less than the initial ransom demand, the reduction was achieved through negotiation.
The median ransom demand for Australian organisations dropped significantly from US$4.42 million in the 2024 report to US$217,000 in 2025. Interestingly, 33% of ransomware attacks in Australia resulted in data encryption, which is below the global average of 50%.
Wisniewski also highlighted the importance of having an incident response plan in place and testing it regularly, around-the-clock monitoring and detection, and working with a trusted MDR provider if in-house resources are insufficient. He also mentioned that increased awareness has led many companies to arm themselves with resources to limit damage.
The average cost of recovery (excluding ransom payments) for Australian organisations dropped considerably from US$2.37 million in 2024 to US$650,000 in 2025. This indicates a significant improvement in the ability of Australian organisations to manage the financial impact of ransomware attacks.
Sophos recommends eliminating common technical and operational root causes of attacks, such as exploited vulnerabilities, and emphasises the importance of hiring incident responders, lowering ransom payments, speeding up recovery, and even stopping attacks in progress.
The sixth annual State of Ransomware report was published by Sophos. The survey was conducted across 17 countries, including Australia, and the surveyed organisations ranged from 100 to 5,000 employees.
Sophos will be releasing additional industry findings throughout the year. The report serves as a valuable resource for organisations seeking to understand the current state of ransomware and to develop effective strategies to protect themselves.