Nearly half of Australian companies opt to pay ransoms: report
Sophos has released its sixth annual State of Ransomware report, a vendor-agnostic survey of IT and cybersecurity leaders across 17 countries that studies the impact of ransomware attacks on businesses. This year’s survey found that 41% of Australian organisations paid the ransom to get their data back — a considerable decrease from last year (66%).
Overall, the Australian median ransom demand was US$217,000, a substantial drop from the US$4.42 million reported in Sophos’s 2024 report.
Australian organisations typically paid 88% of the ransom demand — just above the global average of 85% — and 52% paid less than the initial ransom demand (global average: 53%).
Globally, in 71% of cases where the companies paid less, they did so through negotiation — either through their own negotiations or with help from a third party. In fact, while the median ransom demand dropped by a third between 2024 and 2025, the median ransom payment dropped by 50% globally, illustrating how companies are becoming more successful at minimising the impact of ransomware.
Exploited vulnerabilities were the number one technical root cause of attacks for Australian organisations (28%), followed by phishing, which was the start of 24% of attacks, and compromised credentials, which were used in 21% of attacks.
A lack of protection was the most common operational root cause, cited by 45% of Australian respondents, followed by a lack of people or capacity, cited by 44%. A further 41% said that both known and unknown security gaps were a factor in their organisation falling victim to ransomware.
“For many organisations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress,” said Chester Wisniewski, director, field CISO, Sophos.
“Of course, ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We’re seeing more companies recognise they need help and moving to Managed Detection and Response (MDR) services for defence. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start.”
Additional key findings from the report were:
- Backup use is down: Only 67% of Australian companies used backups to restore their data — a drop from the 72% reported last year.
- 33% of attacks resulted in data being encrypted: This is well below both the global average of 50% and the 49% reported by Australian respondents in 2024, with 98% of Australian organisations that had data encrypted able to get it back, above the global average.
- Recovery costs are on the decline: The average cost of recovery (excluding any ransom payments) for Australian organisations dropped considerably from US$2.37 million in 2024, to US$650,000 in 2025.
- Companies are getting faster at recovery: Close to half (47%) of Australian organisations fully recovered from a ransomware attack within a week — up from the 36% reported last year. Only 13% took between one and six months to recover — down from 33% in 2024.