In today’s bulletin, Charlie gives an insight into the latest trends in ransomware data and how this has changed in the last few years.

It has been three years since I published a bulletin on the facts and figures of cyber ransomware attacks, and I thought I would look at what the latest data says, especially around:

  1. The percentage of people paying a ransom
  2. How much data you get back if you pay a ransom
  3. Are people paying more or less than the ransom asked?
  4. How quickly do people recover?

I have reviewed several reports from Coveware, Veeam, IBM, Databarracks, and Sophos for information. They all cover different timeframes, so sometimes the data conflicts, and some information is a year old, while the Coveware quarterly report extends to the end of 2025. I suspect quarterly reports do not use the same full data sets as the yearly review reports, so it is likely that the data will be different.

For me, the importance of this information is that it serves as a useful reference for crisis management teams when they are deciding whether to pay a ransom or not. If 90% of organisations are paying, then you are simply following what everyone else is doing. If the percentage is 25%, then an organisation must consider the impact of not paying, as most are choosing to endure the pain and not pay.

Here are a few of the facts and figures I found:

  1. The average time it took to detect a data breach was 181 days and the average time to contain the breach was 60 days. This is down from 2024. [1]
  2. Attackers targeted PII customer data, which accounted for 53% of the data they targeted. This was followed by employee data, then intellectual property, and other corporate data. [1]
  3. Among the organisations that had fully recovered, 76% said the recovery took longer than 100 days. Roughly a quarter (26%) said recovery took more than 150 days. Only 2% said recovery was possible within as little as 50 days. It must be noted that recovery included reputation as well as the technical recovery. [1]
  4. More and more organisations are not paying a ransom – 63% didn’t pay. [1]
  5. Only 40% of organisations involved law enforcement. [1]
  6. In Q3 2025, 23% of victims paid a ransom; in data-exfiltration-only cases (no encryption), the payment rate was 19%. [2]
  7. In the Databarracks survey, only 17% admitted to paying a ransom. [3]
  8. The average ransom payment has gone up, but the number of ransom payments has gone down. [4]
  9. Data encryption is at the lowest level in six years, with 50% of attacks now resulting in data encryption, down from 70% in 2024. [5]
  10. When comparing demands vs. payments, only 29% said their payment matched the initial demand. 53% paid less than the initial ask while 18% paid more. [5]
  11. Of those who had their data encrypted, 29% said they used ‘other means’ to restore their data, which is likely to include decryption keys that had previously been made public. [5]
  12. The data reveals that organisations are getting faster at recovering from attacks with 16% fully recovered in a day, up from 7% in 2024 and 8% in 2023. Over half (53%) were recovered within a week, a significant jump from the 35% reported in 2024. Overall, almost all victims (97%) were fully recovered three months on from the attack. [5]
  13. For organisations that paid a ransom, 69% were attacked more than once. [6]

References

[1] IBM Security & Ponemon Institute. (2025). Cost of a Data Breach Report 2025: The AI Oversight Gap. IBM.

[2] Siegel, B. (2025, October 24). Insider Threats Loom while Ransom Payment Rates Plummet. Coveware Blog.

[3] Databarracks. (2025). Data Health Check 2025. Databarracks.

[4] Veeam Software. (2025). From Risk to Resilience: 2025 Ransomware Trends and Proactive Strategies. Veeam Insights.

[5] Sophos. (2025). The State of Ransomware 2025. Sophos Whitepaper, June 2025.

[6] Veeam Software. (2025). The SMB Guide to Ransomware Recovery. Veeam Software.
