Half of companies pay ransom after ransomware attacks

A new report from Sophos indicates that nearly half of organizations (49%) choose to pay to recover their data after suffering ransomware attacks.


The study, titled “State of Ransomware 2025”, is based on a survey of 3,400 IT and cybersecurity leaders and reveals a complex reality about the financial and operational impact of these incidents.

Despite the high payment rate, the report points to a greater capacity for negotiation on the part of victims. More than half of the companies that paid the ransom obtained a lower amount than the initial demand. This fact, combined with a 50% drop in the average ransom payment between 2024 and 2025, suggests that organizations are more prepared to mitigate financial damage.

Negotiation and the cost of paying ransomware ransom

The median ransom payment is €861, according to the data collected. However, the amount demanded by attackers varies substantially depending on the size of the company.

Organizations with annual revenues of more than $250 billion faced median claims of over $350 million. In contrast, for companies with revenues below $XNUMX million, the median claim value was less than $XNUMX.

In 71% of cases, success in reducing the amount paid is due to negotiation processes, either through internal teams or external specialists.

This trend reflects a maturation in the way companies manage incident response. Additionally, the total cost of data recovery fell from an average of 2.35 million euros in 2024 to 1.32 million euros in 2025.

Ransomware Attacks: Vulnerabilities Remain the Main Entry Point

For the third year in a row, exploitation of security vulnerabilities was the leading cause of ransomware attacks. In 40% of reported incidents, attackers exploited a vulnerability unknown to the organization's security team.

Lack of resources was identified as a contributing factor to attack success in 63% of cases: a lack of specialist knowledge was the main obstacle in large companies, while a lack of staff affected mid-sized organizations more.

The sixth annual report 'State of Ransomware' also highlights that 44% of companies managed to stop an attack before data encryption, the highest figure recorded in six years. At the same time, recovery through backups fell to 54%, the lowest percentage in the same period.

Companies are also demonstrating greater agility, with 53% fully recovering within a week, an increase from 35% the previous year.

Conclusion

Data from 2025 shows that ransomware attacks remain a persistent threat, with nearly half of victims willing to pay the ransom.

However, the scenario shows signs of positive evolution: companies are negotiating more effectively, overall recovery costs are decreasing and response capacity is improving.

Vulnerability exploitation remains the main attack vector, which reinforces the need for proactive security management and adequate resources to protect organizations' attack surface.