Ransomware report: Encryption rates down, but human toll remains high

The latest edition of Sophos’ annual State of Ransomware report offers a mixed bag for defenders. Based on a survey of 3,400 cybersecurity leaders across 17 countries, the report reveals that ransomware remains a pervasive threat—though organizations are seeing modest wins in prevention and recovery.

Only 50% of attacks led to data encryption in 2024, the lowest figure in six years and a sharp drop from 70% the previous year. Recovery speeds are also improving: 53% of affected organizations fully recovered within one week, up from 35% in 2024. Yet troubling patterns persist. Nearly half (49%) of respondents still paid the ransom, and just 54% used backups—marking a new low for recovery via internal means.

Interestingly, median ransom payments fell 50% year-over-year, dropping from $2 million to $1 million. This decline is attributed to fewer multi-million dollar payouts. Still, 57% of ransom demands exceeded $1 million, reinforcing the continued financial pressure attackers exert.

Behind these numbers are persistent gaps in security posture. The top operational causes of ransomware success included lack of expertise (40.2%), unaddressed security gaps (40.1%), and understaffing (39.4%)—indicators of strained or overburdened cyber teams across industries.

Cyber teams bear the psychological brunt of ransomware incidents

Beyond financial and operational impact, the report explores the toll on human defenders—a first for the annual study. Among those whose organizations suffered encrypted data, 41% of IT and cybersecurity professionals reported heightened stress and anxiety, while 31% cited mental health–related absences.

In one in four incidents, security team leadership was replaced after the attack.

This growing emotional and organizational strain underscores that ransomware is not just a technical problem—it’s a workforce resilience issue. Sophos concludes that while technology can improve defenses, staffing, expertise, and psychological readiness remain weak links in the security chain.

As ransomware continues to evolve, so too must the organizations defending against it—not only in their tooling, but in how they support the people behind the keyboard.

Bill Brenner

InfoSec content strategist, researcher, director, tech writer, blogger and community builder. Senior Vice President of Audience Content Strategy at CyberRisk Alliance.
