The Sophos State of Ransomware 2025 report highlights an evolving threat landscape that remains a major risk to organisations worldwide. While there is some positive news — costs and recovery times are trending down — the report makes it clear that ransomware is still as much a people problem as it is a technical one. For leaders, the findings underscore that cyber resilience requires more than strong defences; it demands investment in people, processes, and culture.
Ransomware remains technically sophisticated, with exploited vulnerabilities the most common entry point into organisations. However, what stands out in this year’s research is the prominence of operational weaknesses. More than 40% of organisations pointed to a lack of in-house expertise or capacity, and a similar proportion cited unknown security gaps, as key factors behind successful attacks.
This is a critical shift in the conversation. Boards are often presented with ransomware as a purely technical problem, solved by firewalls, backups, and endpoint tools. The reality is that operational resilience — staffing levels, skills development, and proactive risk identification — is just as important as patching software or updating systems.
One of the more encouraging findings is that only half of ransomware attacks in 2025 resulted in data encryption, the lowest rate in six years and a significant drop from almost 70% in 2024. Organisations are becoming better at disrupting attacks before they achieve their final objective. Recovery is also improving: 97% of organisations that did suffer encryption were able to get their data back.
However, the report notes a concerning trend — fewer businesses are relying on backups for recovery. Just over half used backups, down from previous years. This raises questions about over-reliance on decryption keys or ransom payments, which carry their own risks. Leaders should be asking whether their backup strategies are not just in place but actively tested and trusted.
The financial toll of ransomware appears to be moderating. Median ransom demands fell by around a third, to £970,180 ($1.32 million), and actual ransom payments dropped even more sharply to roughly £750,000 ($1 million). Recovery costs excluding ransom also fell by more than 40% year-on-year. Equally important, recovery times are faster: more than half of organisations were able to fully restore operations within a week, up from just over a third in 2024.
These improvements reflect the maturing of incident response practices and investment in resilience. Yet leaders should resist complacency. A single million-dollar event can still devastate cash flow, damage reputation, and consume executive focus for months. Falling averages do not make ransomware a tolerable risk.
Perhaps the most striking element of the report is the focus on human impact. Behind every incident are individuals and teams carrying the burden of detection, recovery, and blame. The study found that 41% of IT and security staff experienced increased anxiety and stress following an attack, while 40% faced heightened pressure from senior leadership. A third reported feelings of guilt for not preventing the incident, and nearly a third of organisations saw staff absences linked to stress or mental health issues.
This human toll translates into organisational fragility. A quarter of firms (25%) reported changes in team leadership after an attack, highlighting the longer-term disruption ransomware can cause beyond technical downtime. Leaders need to recognise that recovery is not just about systems, but also about people — and that burnout, guilt, and loss of talent can be as damaging as financial loss.
The 2025 findings make it clear that ransomware is a leadership challenge. The boardroom cannot treat it as a technical detail delegated entirely to IT. Building true resilience means investing in operational capacity, ensuring mental health support is available to staff, and holding regular crisis simulations that include executives as well as engineers.
Cybersecurity is no longer measured only in firewalls and backups, but in trust, culture, and leadership readiness. As the threat evolves, so too must the way boards understand and respond to it.
entrustIT are a Sophos Gold Partner, specialising in security services for mid-market and multi-site organisations.
Read the full Sophos State of Ransomware Report here