Nearly Half of Companies in the UAE Opt to Pay the Ransom, Sophos Report Finds

Median Ransom Payment is $1.33 Million; Yet 30% of Companies Negotiated a Lower Amount than the Initial Demand

Dubai, United Arab Emirates – June 26, 2025 – Sophos, a global leader of innovative security solutions for defeating cyberattacks, today released its sixth annual State of Ransomware report, a vendor-agnostic survey of IT and cybersecurity leaders across 17 countries that studies the impact of ransomware attacks on businesses. This year’s survey found that nearly 50% of companies globally paid the ransom to get their data back, the second-highest rate of ransom payment in six years.

While 43% of organizations in the UAE that had data encrypted paid the ransom, 30% of them paid less than the original demand. Globally, in 71% of cases where the companies paid less, they did so through negotiation, either through their own negotiations or with help from a third party. In fact, while the median global ransom demand dropped by a third between 2024 and 2025, the median global ransom payment dropped by 50%, illustrating how companies are becoming more successful at minimizing the impact of ransomware.

Overall, the median ransom payment in the UAE was 1.33 million dollars, although the initial demand varied significantly depending on organization size and revenue. Across the globe, the median ransom demand for companies with over $1 billion in revenue was five million dollars, while organizations with $250 million revenue or less saw median ransom demands of less than $350,000.

Exploited vulnerabilities were the number one technical root cause of attacks in the UAE, while 49% of ransomware victims said adversaries took advantage of a security gap that they were not aware of, highlighting organizations’ ongoing struggle to see and secure their attack surface. Overall, 54% of UAE organizations said resourcing issues were a factor in them falling victim to the attack, with one-third citing a lack of expertise and 30% reporting a shortage of expertise.

Additionally, the report reveals that the impact of ransomware attacks on data in the UAE remains significant. In 55% of the attacks, data was successfully encrypted, surpassing the global average (50%). In 43% of those cases, data was also stolen, much higher than the 28% global rate. Despite this, 98% of affected organizations recovered their data, with 68% using backups and 43% opting to pay the ransom, highlighting both strong recovery strategies and ongoing challenges.

“For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress,” says Chester Wisniewski, director, field CISO, Sophos.

“Of course, ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We’re seeing more companies recognize they need help and moving to Managed Detection and Response (MDR) services for defense. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start.”

Additional Key UAE Findings from the State of Ransomware 2025 Report:

· Exploited vulnerabilities were the most common technical root cause of attack, used in 42% of attacks. They are followed by malicious emails, which were the start of 23% of attacks. Compromised credentials were used in 18% of attacks.

· Business impact of ransomware

– Excluding any ransom payments, the average (mean) bill incurred by organizations in the UAE to recover from a ransomware attack in the last year came in at $1.41 million, below the $1.53 million global average. This includes costs of downtime, people time, device cost, network cost, lost opportunity, etc.

– Organizations in the UAE recovered swiftly from ransomware attacks, with 63% fully recovered within a week, notably above the 53% global average. Another 15% took between one and six months to recover, below the 18% global average.

· Human impact of ransomware on IT/cybersecurity teams

In organizations where data was encrypted:

– 40% reported increased pressure from senior leaders.

– 37% say the team’s workload has increased since the attack.

– 42% report increased anxiety or stress about future attacks.

– 18% have experienced team member absence due to stress/mental health issues.

Ransomware remains a major threat to organizations in the UAE. As adversaries continue to iterate and evolve their attacks, it’s essential that defenders and their cyber defenses keep pace. Sophos recommends the following best practices to help organizations defend against ransomware and other cyberattacks:

· Take steps to eliminate common technical and operational root causes of attacks, such as exploited vulnerabilities. Tools like Sophos Managed Risk can help companies assess their risk profile and minimize their exposure.

· Ensure all endpoints (including servers) are well-defended with dedicated anti-ransomware protection.

· Have an incident response plan in place and tested for when things go wrong. Have good backups and practice restoring data regularly.

· Companies need around-the-clock monitoring and detection. If they do not have the resources in-house for this, they can work with a trusted managed detection and response (MDR) provider.

Data for the State of Ransomware 2025 report comes from a vendor-agnostic survey of 3,400 IT and cybersecurity leaders in organizations that were hit by ransomware in the previous year. Organizations surveyed ranged from 100 to 5,000 employees and spanned 17 countries.

The survey was conducted between January and March 2025, and respondents were asked about their experience of ransomware over the previous 12 months.

Sophos will be releasing additional industry findings throughout the year. Download the full State of Ransomware 2025 report here.

Learn how MDR can neutralize attacks like ransomware in real-time by registering for the webinar Behind the Shield: Real-World Stories of Thwarted Ransomware Attacks here.

# # #

Learn More About

· Attacker behavior and techniques in the 2025 Sophos Active Adversary Report

· Ransomware groups vying for dominance

· Ransomware groups using email bombing and vishing to launch attacks

· How Sophos successfully stopped an MSP “supply chain attack” from the ransomware group DragonForce

· Sophos X-Ops and its threat research by subscribing to the Sophos X-Ops blogs

About Sophos

Sophos is a global leader and innovator of advanced security solutions for defeating cyberattacks. The company acquired Secureworks in February 2025, bringing together two pioneers that have redefined the cybersecurity industry with their innovative, native AI-optimized services, technologies, and products. Sophos is now the largest pure-play Managed Detection and Response (MDR) provider, supporting more than 28,000 organizations. In addition to MDR and other services, Sophos’ complete portfolio includes industry-leading endpoint, network, email, and cloud security that interoperate and adapt to defend through the Sophos Central platform. Secureworks provides the innovative, market-leading Taegis XDR/MDR, identity threat detection and response (ITDR), next-gen SIEM capabilities, managed risk, and a comprehensive set of advisory services. Sophos sells all these solutions through reseller partners, Managed Service Providers (MSPs), and Managed Security Service Providers (MSSPs) worldwide, defending more than 600,000 organizations worldwide from phishing, ransomware, data theft, and other everyday and state-sponsored cybercrimes. The solutions are powered by historical and real-time threat intelligence from Sophos X-Ops and the newly added Counter Threat Unit (CTU). Sophos is headquartered in Oxford, U.K. More information is available at www.sophos.com.
