Ransomware in 2025: Organisations at Risk & Making Headlines
From headline-grabbing attacks on retailers like M&S and Co-Op to breaches at European airports, cyber threats are dominating the news cycle.
The latest Sophos report, State of Ransomware 2025, offers a sobering snapshot of the global ransomware landscape. Based on insights from 3,400 IT and cyber security leaders across 17 countries, the findings reveal a complex picture of progress, pressure, and persistent risk. Using these findings, we explore what’s driving today’s risks and why it’s time for businesses to reassess their cyber strategies before they become the next headline.
Cyber Attacks in 2025: Frequently Asked Questions
What is ransomware?
Ransomware is a type of malicious software that encrypts data on a victim’s system, rendering it inaccessible until a ransom is paid to the attacker. In recent years, attackers have also adopted tactics such as data theft and extortion, even if files are not encrypted.
Are ransomware attacks still common?
Yes, ransomware attacks continue to pose a substantial risk. Cyber attacks appear frequently in the news, with incidents at M&S, Transport for London, Jaguar Land Rover, and European airports all making headlines this year.
However, it’s not all doom and gloom. There are positive trends, including a reduction in successful data encryption during attacks and a decrease in ransom demands and payments compared to previous years.
Who is most at risk from ransomware attacks?
Unfortunately, no organisation is safe from cyber crime. Larger organisations remain the primary targets for both data encryption and data theft, as they often have the budgets to pay ransoms.
However, smaller organisations are still appealing targets, as they often have weaker cyber defences and can be lucrative for cyber criminals at scale.
What is driving cyber attacks in 2025?
Despite growing awareness, exploited vulnerabilities remain the top technical root cause of ransomware attacks for the third year running (32%).
But the real story lies in operational weaknesses:
Lack of expertise (40.2%)
Many organisations do not have the necessary expertise or staff to identify, prevent, or respond to cyber threats efficiently. This lack of resources makes them vulnerable to data breaches and cyber attacks, which can result in significant financial losses, reputational damage, and disruption to business operations.
Unknown security gaps (40.1%)
Undetected or unaddressed weaknesses in an organisation’s cyber defences.
Organisations looking to remedy this should consider mapping their attack surface and conducting a cyber posture review.
Insufficient capacity (39.4%)
This can manifest as too few cyber security professionals, outdated or incomplete security tools, or gaps in incident response planning. As a result, organisations with insufficient capacity are more vulnerable to cyber attacks, as they may struggle to identify and address threats swiftly or comprehensively.
Building greater capacity often involves investing in staff training, upgrading technology, and developing robust cyber defence strategies to enhance overall resilience against ransomware threats.

“These aren’t just technical failures, they’re organisational blind spots. To keep secure, organisations need to treat cyber security as a business-wide priority, not just an IT concern.”
Gavin Wood, CyberLab CEO
Positive Cyber Trends in 2025
While the threat of ransomware remains ever-present, it’s important to recognise that not all developments are negative. Recent trends have revealed several encouraging signs, offering hope that the tide may be turning in favour of organisations strengthening their cyber resilience. Let’s explore some of the positive changes shaping the cyber security landscape in 2025.
Data Encryption and Ransom Demands Are Down
Encouragingly, only 50% of attacks resulted in data encryption, which is the lowest rate in six years. But don’t celebrate just yet: 28% of encrypted victims also suffered data theft, and 6% faced extortion-style attacks without encryption, which is double last year’s rate.
Smaller organisations are more likely to stop attacks before encryption, while larger ones remain prime targets for both encryption and exfiltration.
The median ransom demand dropped 34% to $1.32M, and actual payments fell 50% to $1M. Yet 57% of demands still exceed $1M. Interestingly:
• Only 29% of payments matched the initial demand.
• 53% paid less, often through negotiation or external pressure.
• 18% paid more, usually due to failed backups or delayed responses.
How Quickly Do Businesses Recover from Ransomware?
The 2025 report finds that organisations are bouncing back more quickly, with 53% fully recovered within a week (up from 35%) and 97% recovered within three months. These figures look positive but should be treated with caution.
After the well-publicised cyber attack on M&S, it took the company five months to bring its online ordering system back into full operation, underscoring the lingering impact such breaches can have on business continuity and customer trust.
The average recovery cost (excluding ransom) remains high at $1.53M. For smaller firms, it’s around $638K, a figure that could cripple operations.
How to Stop Ransomware – Best Practices
At CyberLab, we recommend organisations follow a cyber defence strategy called Defence in Depth. This is a layered approach to cyber security, where multiple security measures are implemented across different areas of an organisation to reduce risk. This strategy ensures that if one line of defence is breached, others remain in place to protect critical assets.
• Investing in 24/7 threat monitoring can help organisations maintain continuous defence against cyber threats.
• Conducting regular penetration testing and proactively managing vulnerabilities contributes to maintaining effective cyber security over time.
• Maintaining backups and routinely testing them, as well as rehearsing responses to cyber incidents, can assist in identifying and addressing gaps in defences.
By combining these layers, organisations can better detect, prevent, and respond to cyber threats, minimising the likelihood and impact of successful attacks.