The State of Ransomware 2025: A Cyber Security Director’s Perspective

By James Holton, Trustmarque Cyber Security Practice Director

The State of Ransomware 2025 report highlights progress in resilience, evolving attacker tactics, and the need for proactive, people-first cyber strategies - areas where Trustmarque helps organisations turn insight into action.

Ransomware continues to evolve. So must our response.

The State of Ransomware 2025 report from Sophos offers more than a snapshot of current threats. It reflects the strides organisations have made in building cyber resilience, while also underscoring the challenges that remain. Drawing on insights from 3,400 IT and cybersecurity leaders across 17 countries, the report presents a detailed account of the causes, consequences, and recovery strategies linked to ransomware incidents.

At Trustmarque, we view cyber security not simply as a defensive measure, but as a strategic enabler. This report affirms that perspective and highlights the opportunity for organisations to take ownership, strengthen their posture, and lead with confidence.

Momentum is building

For the third consecutive year, exploited vulnerabilities emerged as the leading technical cause of ransomware attacks, responsible for 32% of cases . Yet the most revealing insights lie in operational shortcomings. A shortage of expertise, unidentified security gaps, and limited capacity were the most frequently cited reasons for falling victim.

These findings do not point to failure, they signal a shift. Organisations are beginning to understand that cyber security is not just a technical function. It is a strategic imperative. At Trustmarque, we work with clients who are transitioning from reactive defence to proactive readiness. They are investing in talent, not just tools. That is progress.

Data defence is strengthening

The proportion of attacks resulting in data encryption has dropped to 50%, marking the lowest rate in six years. This decline suggests that organisations are becoming more adept at intercepting threats before they escalate.

However, adversaries are adjusting their tactics. Extortion-style attacks, where data remains unencrypted but ransom demands persist, have doubled. 

Incidents involving data exfiltration are also on the rise. These developments reinforce the need for robust data governance and well-practised incident response plans.

Encouragingly, many organisations are responding with agility. They are implementing layered security, enhancing visibility, and preparing for a broader spectrum of threats. At Trustmarque, we help clients build environments that are not only secure but resilient.

Ransom payments are falling, but not far enough

The median ransom demand has decreased by 34% to $1.32 million, while the median payment has halved to $1 million.

Although nearly half of victims still opted to pay, the downward trend is promising.

This is the time to accelerate that momentum. Organisations that negotiate effectively, act swiftly, or engage external support are reducing their exposure. Those with reliable backup systems and rehearsed recovery protocols are avoiding payments altogether.

We encourage our clients to build confidence in their ability to recover independently. Paying a ransom should never be the default. With the right preparation, it becomes unnecessary.

Recovery is quicker and more efficient

The average cost of recovery, excluding ransom payments, has dropped by 44% to $1.53 million.

More than half of affected organisations were fully operational within a week, a significant improvement from 35% the previous year. 

This acceleration reflects the value of investing in resilience. Organisations that plan, test, and refine their response strategies are bouncing back faster and with greater control.

At Trustmarque, we support clients in building recovery-ready infrastructures. Our approach goes beyond technology deployment. We empower teams to respond with clarity and precision.

Cyber Security is a human challenge

Every organisation that experienced data encryption reported a direct impact on their IT and cybersecurity teams. Increased stress, staff absences, and leadership changes were common outcomes. 

This is a vital reminder. Cyber security is not just about systems, it is about people. The emotional toll of an attack can be significant. Yet there is also recognition. 31% of teams received increased support and visibility from senior leadership. 

We advocate a people-first approach. Our clients benefit from not only technical expertise but also empathetic guidance. When teams feel supported, they perform at their best.

Strategic Priorities for Leadership

The report identifies four essential focus areas: prevention, protection, detection and response, and planning and preparation.

These are not optional enhancements. They are foundational elements of a modern cyber strategy.

• Prevention: Proactively identify and address vulnerabilities. This demands continuous assessment and a culture of vigilance.
• Protection: Deploy robust endpoint security and anti-ransomware solutions. A multi-layered defence is critical.
• Detection and Response: Ensure round-the-clock monitoring. Consider Managed Detection and Response (MDR) services to enhance speed and accuracy.
• Planning and Preparation: Develop and regularly test your incident response plan. Validate backup processes and understand your legal responsibilities.

At Trustmarque, we help organisations embed these principles into their operations. We do more than advise. We implement, enable, and support.

Looking ahead

The State of Ransomware 2025 report confirms that meaningful progress is underway. Organisations are becoming more agile, informed, and resilient. Recovery times are improving. Costs are decreasing. Awareness is growing. That is momentum worth building on.

Cyber security is not merely about avoiding risk. It is about enabling innovation, safeguarding people, and earning trust. At Trustmarque, we are proud to help organisations transform insight into action and resilience into results.

Download the full report to explore the findings in depth and discover how you can strengthen your defences, accelerate recovery, and support your teams.

If you would like to explore how Trustmarque can help you apply these insights to your organisation, we would be delighted to talk.