Looking back at the State of Ransomware over the last 6 years

Sophos

By Chester Wisniewski; Director, Global Field CISO


There is a lot of noise in information security—few topics generate more of it than ransomware. Headlines focus on who was hacked, who paid, how much it cost, and how it happened. While that makes for clickable news, it doesn’t always help us understand how to defend ourselves better or prevent future attacks.

Six years ago, we at Sophos set out to cut through the noise by launching a global, unbiased ransomware survey. Our goal was to gather a statistically significant dataset from organizations across multiple countries and industries. We wanted to move beyond headlines and understand the real state of ransomware from those who lived through it. It has been a huge success, and we’re proud to share this year’s findings. I encourage everyone to read the full report, but I also want to highlight a few insights and trends that I found particularly noteworthy.

Let’s start with the bad news. Nearly half—49%—of organizations that experienced data encryption chose to pay the ransom, with the median payment hitting $1 million USD. This shows there is still strong financial motivation for cybercriminals to continue these attacks. If I can pull the handle on the ransomware one-armed bandit and get a million dollars every other time, why would I stop?

That’s why we need to do more to strengthen defenses: prevention, detection, and response. But there is some good news. 44% of attacks were stopped before encryption, and only 50% of all ransomware incidents resulted in encrypted data. This shows progress. We’re getting better at early detection using tools like XDR and at building around-the-clock monitoring and response capabilities.

From my perspective, there are three key approaches to tackling ransomware:

1. Disruption by law enforcement is increasing. While arrests remain difficult due to geopolitical barriers, international policing is making meaningful strides through infrastructure takedowns and ecosystem disruption.

2. Don’t pay the ransom unless absolutely necessary. Recovery is rarely complete, and ransom payments fuel the cycle. Instead, harden your environment: maintain robust backups (avoid SSO for backups), encrypt sensitive data, use phishing-resistant MFA, and update your incident response plans.

3. Early detection is the most effective tactic. When encryption was prevented, only 6% of organizations were extorted. Stopping attacks before data is stolen or locked up drastically reduces harm and costs.

The top three root causes for successful attacks? Lack of expertise, unknown security gaps, and resource limitations. These are all solvable. Whether through in-house investment or trusted security partners, help is available.

This report requires a significant effort to produce, but we believe it’s worth it. By tracking year-over-year trends, we can measure progress and help organizations make smarter security decisions. I hope you take the time to read it, share it, and use its insights to guide your next steps in defending against ransomware.


www.sophos.com