British businesses are suffering significantly more damaging losses from ransomware attacks compared to the rest of the world, where things appear to be moving in a more positive direction, according to Sophos’ latest annual State of ransomware report, now in its sixth edition.

The study of 3,400 ransomware victims in 17 countries, just over 200 of them in the UK, found that worldwide, nearly half of businesses that fell victim to cyber criminal ransomware attacks still opted to pay a ransom to regain control of their data and systems, despite all professional advice to the contrary.

Despite this, median ransom payments worldwide have halved over the past 12 months to approximately $1m (£740,000), a change Sophos attributes chiefly to companies becoming more successful at minimising the impact of ransomware rather than to any change of heart among attackers.

“For many organisations, the chance of being compromised by ransomware actors is just a part of doing business in 2025,” said Sophos director and field chief information security officer (CISO), Chester Wisniewski.

“The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress.”

The UK picture is less encouraging. In the rest of the world, 53% of victims paid less than the sum demanded by the attackers, generally as a result of engaging and negotiating with the cyber criminals (which is also, in general, not advisable). In the UK, organisations not only paid higher median ransoms year-on-year – $5.20m (£3.94m), up from $2.54m last year – but 28% of UK victims ended up paying more than was originally asked for.

Root causes

For UK businesses, exploited vulnerabilities were the most common technical root cause of ransomware attacks, seen in 36% of cases, followed by phishing and other malicious emails, seen in 26% of attacks, and compromised credentials, used in 19%.

In terms of operational root causes, Brits tended to blame a lack of security expertise for ransomware attacks, cited by 42% of victims, followed by previously unknown security gaps, reported by 40%. Additionally, 38% lamented that they had not had the right products and services in place to prevent themselves from falling victim.

“Ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources,” said Wisniewski.

“We’re seeing more companies recognise they need help and moving to Managed Detection and Response (MDR) services for defence. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start.”

Among the British respondents, 70% of ransomware attacks resulted in data encryption – well above the global average of 50%, and even higher than the 46% reported by Brits last year. In a sign that messaging around ransomware resilience is getting through in the UK, victims were able to recover encrypted data in 99% of cases, with 39% of them saying they used backups to do so.

Interestingly, data was actually stolen in only 26% of cases, down sharply from 49% in 2023-4, and of those victims who paid a ransom, 54% got their data back, up from 51% last year.

Business impact

Excluding ransom payments, the average (mean) cost borne by UK businesses in recovering from a ransomware attack also increased last year, hitting $2.58m, up from $2.07m in 2024, including the costs of network downtime, replacement devices, lost sales and so on. The good news is that UK organisations are getting faster at recovering, with almost 60% now back on their feet within a week, up sharply from 38% last year.

Respondents also shared new insight on the impact of ransomware on their security teams, with 43% reporting an increased workload, 41% reporting increased anxiety and stress about the possibility of future attacks, 29% describing feelings of guilt, and 26% reporting absences due to stress and mental health issues following an attack. Unfortunately, in 24% of cases, security team leaders were let go and replaced after a ransomware incident.
