Ransomware Report 2025: Global situation between increasing threat and growing resilience

September 1, 2025

In recent years, ransomware has evolved from a marginal phenomenon of cybercrime to one of the greatest threats to businesses, government agencies, and critical infrastructure. The latest State of Ransomware Report 2025, based on an international survey of 3,400 IT and security managers in 17 countries, paints a nuanced picture: The number of affected organizations that pay ransom after a successful attack remains high. At the same time, however, more and more companies are managing to limit the financial damage and mitigate the consequences of attacks through better security strategies.

Ransom payments remain high – sums are falling noticeably

In 2025, one in two affected companies worldwide paid ransom to regain access to encrypted data and systems. Although this rate of around 50 percent is slightly below the previous year’s figure of 56 percent, it remains at a historically high level. It is particularly noteworthy that Germany, with a payment rate of 63 percent, and Switzerland, with 54 percent, are well above the international average.

Despite these figures, there are signs of a paradigm shift. Although many companies continue to bow to pressure from extortionists, the actual sums transferred are falling. The attackers’ demands have fallen by an average of one-third, while the amounts actually paid have shrunk by as much as half. Behind this is a new self-confidence: more than half of the victims were able to successfully negotiate the demanded sums down. This trend is particularly pronounced in Switzerland, where almost two-thirds of the organizations affected paid less than was originally demanded.

This development is due in no small part to increased professionalism in the area of incident response. Many companies have now set up specialized crisis teams or rely on external experts who take over negotiations and initiate immediate technical measures in the event of an emergency. This not only reduces the damage, but also improves the negotiating position vis-à-vis the perpetrators.

Unpatched vulnerabilities as the greatest risk

While ransom amounts are falling, the causes of successful attacks remain largely unchanged. As in previous years, exploited vulnerabilities in software and systems are the most common entry vector. Around 40 percent of global ransomware incidents are attributable to security gaps that were unknown to companies. In Germany, this figure is even higher at 45 percent, and in Switzerland, at 42 percent, it is also well above the international average.

The figures show that despite modern security tools such as endpoint detection systems and zero-trust architectures, many organizations fail at a fundamental task: consistently managing and closing security gaps. Attackers often exploit known vulnerabilities within days of their publication, while companies often need weeks or even months to roll out the appropriate patches. During this time, a vulnerability remains open and is exploited.

Resource scarcity as a systemic weakness

In addition to technical deficits such as unpatched systems, a structural problem is becoming increasingly apparent: the lack of skilled personnel and resources. Worldwide, 63 percent of the companies surveyed stated that a lack of capacity contributed significantly to the success of the attackers. In Germany, this figure was 67 percent, and in Switzerland it was as high as 72 percent.

Interestingly, the severity of these weaknesses varies depending on the size of the company. While large organizations with more than 3,000 employees cite the lack of specific expertise as a key weakness, medium-sized companies with 251 to 500 employees tend to suffer from chronic understaffing of their IT teams. The result is the same in both cases: security gaps remain open for longer, responses to attacks are delayed, and necessary investments in protective measures are postponed.

Attack strategies are becoming more sophisticated

The professionalization of ransomware groups is further exacerbating the situation. Classic data encryption is no longer the only weapon. Increasingly, perpetrators are combining different tactics to increase the pressure on their victims. These include data theft followed by threats to publish sensitive information: so-called double or even triple extortion attacks, in which targeted DDoS attacks or threats against customers and partners are used in addition to encryption and publication.

Technically, the groups use a wide arsenal of attack methods. Phishing emails with prepared attachments or links remain a common initial point of access, as does compromised Remote Desktop Protocol (RDP) access. In addition, there are supply chain attacks that exploit vulnerabilities in third-party software or service providers to gain access to otherwise well-protected corporate networks.

Strategies for strengthening resilience

Despite the ongoing threat situation, the report’s findings show that companies are increasingly relying on a broader range of defensive measures. In addition to traditional protection mechanisms such as firewalls and antivirus software, holistic concepts such as Managed Detection and Response (MDR) are gaining in importance. Here, external experts monitor the IT infrastructure around the clock, analyze suspicious activities, and respond in real time in the event of an emergency.

In addition, proven measures such as the introduction of multi-factor authentication, systematic patch and vulnerability management, and regular employee training are once again coming into focus. After all, people remain one of the most critical factors in a company’s security structure.

Backups remain a key component of resilience. Only those who have functioning, regularly tested backup copies can avoid paying ransom in an emergency. More and more companies are therefore relying on redundant systems and geo-redundant storage solutions so that they can restore business-critical systems within the shortest possible time in an emergency.

Conclusion: Playing for time

The Ransomware Report 2025 makes it clear that the threat situation remains serious despite positive developments. Although many companies are able to limit the financial damage through better crisis management, the high number of ransom payments shows that cybercriminals are successfully continuing their business model.

The key challenge is to deprive attackers of the time advantage they repeatedly gain through undetected vulnerabilities and slow response times. Only through consistent patch management, strengthening internal and external security resources, using MDR services, and practicing a culture of security can resilience be increased in the long term.

The survey makes it clear that ransomware is no longer an exception, but a calculable risk for many companies that must be included in strategic planning. The key is not to wait until an emergency to react, but to proactively reduce vulnerabilities and continuously sharpen defense mechanisms.

Ransomware Report: https://www.sophos.com/en-gb/content/state-of-ransomware?cmp=701aJ00000H8QegQAF
