Key Takeaways
- 49% of organizations with encrypted data paid the ransom to get it back
- That’s down from 56% in 2024, but still the second-highest rate in six years
- 97% of organizations with encrypted data eventually recovered it – paid or not
- Backup-based recovery is at its lowest rate in six years
The Story Behind the Numbers
When ransomware encrypts an organization’s files (encryption is essentially a digital lock only the attacker can open), the victim faces a hard choice: pay up or try to recover another way.
In 2025, 49% of organizations whose data was encrypted paid the ransom to get it back. That’s just under half. It’s a slight drop from 56% in 2024, but it’s still the second-highest payment rate recorded in six years of data.
Why are organizations still paying at such high rates? The answer is backups – or rather, the lack of reliable ones. Data recovery through backups alone is at its lowest point in six years. Only 29% of victims with encrypted data said they used “other means” to restore it, which often means previously leaked decryption keys rather than a clean backup process.
The good news: paying isn’t the only path to recovery anymore. 97% of organizations that had data encrypted eventually got it back – whether they paid, restored from backups, or used other methods. Recovery is happening. It’s just not always free.
Why This Data is Important
This isn’t an abstract statistic – it reflects a real decision facing nearly half of all ransomware victims. If your backups aren’t solid, you may end up choosing between paying criminals or losing your data permanently.
It also points to where the real risk starts. According to the same report, most attacks begin with exploited software vulnerabilities, stolen login credentials, or phishing emails – not random targeting. That means patching software promptly and using strong, unique passwords matter more than almost anything else.
The network connection itself is also a common weak point – especially on public or unsecured Wi-Fi. Setting up a VPN at the router level encrypts traffic from every device on the network as it travels between the router and the VPN server, which helps close one of the doors attackers use to intercept credentials. It’s not a fix for unpatched software, but it’s one more barrier between attackers and your login data.
Looking Ahead: Future Outlook
The payment rate is trending down, but slowly. As attackers shift toward data theft and extortion (rather than just encryption), expect payment decisions to get more complicated – paying may stop data leaks even when backups can restore the files themselves.
Stronger backup practices and faster detection will likely keep pushing this number down in future reports.
Source & Methodology
Data sourced from the Sophos State of Ransomware 2025 report. The findings are based on an independent, vendor-agnostic survey of 3,400 IT and cybersecurity leaders across 17 countries, conducted between January and March 2025. All financial figures are in U.S. dollars.