Video: Under Siege: The State of Ransomware in 2025 | Duration: 3536s | Summary: Under Siege: The State of Ransomware in 2025 | Chapters: Ransomware Report Introduction (10s), Introduction and Background (91.47s), Ransomware Root Causes (183.675s), Operational Root Causes (430.755s), Data Encryption Trends (690.585s), Decreasing Ransom Demands (1317.86s), Ransomware Impact Analysis (1813.7151s), Ransom Payment Analysis (1895.635s), Ransomware Recovery Costs (2089.725s), Cost of Ransomware (2210.665s), Ransomware Recovery Impacts (2439.6748s), Human Impact Considerations (2729.375s), Concluding Security Insights (2915.97s)
Transcript for "Under Siege: The State of Ransomware in 2025": Hello, everyone, and thank you for joining us for today's webinar on insights from the State of Ransomware 2025 report. We are joined by Sally Adam, Vice President of Product Marketing at Sophos, and John Shier, Field CISO at Sophos. They will walk us through the findings from this year's report. Before we begin, a quick reminder that this session is being recorded, and you'll receive the recording by email within the week of this webinar. You can also access the report in the resources section of this webinar and in your follow-up email. During the session, if you have any questions, feel free to submit them in the Q&A panel, and we'll do our best to address them during the session. With that, let's dive in. Thank you, and welcome, everybody, to this webinar, Under Siege: The State of Ransomware in 2025. In this session, we're going to share the findings from our latest research into how ransomware is impacting businesses in 2025, hearing straight from the IT and cybersecurity leaders themselves. We're going to provide insights and context into the attack experiences based on hundreds of incidents that the Sophos MDR team and the Sophos emergency incident response teams have neutralized. And I'm going to give you guidance to help you optimize your ransomware defense strategies and investments. But first, let's have a brief introduction to John and myself. I'm Sally Adam, Vice President of Product Marketing here at Sophos. I've been at Sophos for seventeen years, and so I've had many years of experience with both the research and also the threat mitigation strategies. Yes. And hi, I'm John Shier, Field CISO at Sophos, and I've been here one more year than you, Sally. So I've just crossed the eighteen-year boundary.
And, you know, my group is responsible for looking at all that research that you just talked about and trying to coalesce it into information that makes sense, not only for the internal folks that need to use those statistics and that research, but also so that the outside world understands what it is that we're seeing and under what context, and have them take that information and hopefully make better security decisions out of it. Yeah. Talking about research, before we go into the findings, let us share with you where the data that we're going to be talking to is from. So we commissioned an independent, vendor-agnostic survey of 3,400 organizations that have been hit by ransomware in the last year. So a really representative sample. The respondents came from 17 countries across EMEA, the Americas, and Asia Pacific, and they were all in organizations of between 100 and 5,000 employees. Now, as you may know, this is the sixth year that we've been running this research, which enables us to have a lot of year-on-year trending insights that we can share with you today. So let us jump into the data, and we're going to start off by looking at why organizations fall victim to ransomware. We've split this into two areas: the technical root causes and also the operational root causes. So, John, let's start with the technical root causes. What we have here is the root causes of ransomware as reported by the organizations that fell victim, for the last three years. And we can see that exploited vulnerabilities, three years in a row, have come out as the most common root cause, followed quite closely by compromised credentials, with email attack vectors shortly behind. Why do you think this is? What's behind these numbers? Yeah.
You know, if we look at these numbers specifically this year, year on year, and then we compare them to a lot of the other statistics around root causes that I've seen, they're the same old things that come back over and over again. And I think it's because, specifically if you look at compromised credentials and exploited vulnerabilities, those are easy wins. The criminals are going to use whatever works. And because a lot of the victims tend to be opportunistically generated, if you will (there are targeted attacks out there, but the vast majority are opportunistic), as you're scanning through the Internet, you're looking for vulnerable services, vulnerable devices that are exposed to the Internet, as well as buying credentials off the dark web and trying them against some exposed VPN devices, for example. So those two things being near the top, I think, makes a lot of sense. If we compare this to the Active Adversary Report, which is a study of the incident response investigations, we're seeing the same thing, except it's flipped: compromised credentials are higher and exploited vulnerabilities are in second place. But the top two are still the same. And then we look at things like the Verizon Data Breach Investigations Report. Right? They have compromised creds and exploited vulnerabilities, whereas Google's M-Trends report has it again the other way around. So that just tells me that compromised creds and exploited vulnerabilities are something that organizations really have to get a good handle on. And if you look at the statistics further down the line, you look at things like brute force attacks and phishing, those are ways in which you either abuse credentials or gather credentials. So, again, you're talking about the same sort of things down the line, just a bit more specific.
So when I look at these, I think of them as, let's call them opportunities. Right? I was going to say preventable mistakes, but they're opportunities. They're opportunities to strengthen your authentication. They're opportunities to make sure that you limit the amount of exposed services, and for those services that you do have exposed, you make sure that they're fully patched. And I know there are reasons why sometimes you can't do that, and that's why you've got to think about the architecture of your environment and whether there are things you can do to potentially protect some of these unprotectable services or devices through things like ZTNA. Great. So lots of actionable things we can take away from this data. That's fantastic. So we said the other side of the coin, the other side of this root cause piece, is what are the internal factors, the operational factors, that left organizations exposed to attacks. We asked them, why did you fall victim? And generally speaking, the causes fell into three buckets. Sixty-three percent of the victims said that they'd had challenges with their protection technologies. Either they were missing technologies or the protection capabilities they had didn't do the job; they didn't stop the attack. A similar percentage said that they had resourcing challenges, and this could be either a lack of resource, they didn't have enough people to cover it, or they didn't have the skills. So resourcing also featured heavily. And then the third big bucket that it all fell into is the security gap, whether that was a known security gap that hadn't been remediated or an unknown one. John, really interesting data here, and I think some good learnings too. Yeah. I do think that this aspect of it is where it gets interesting, because as it says on the slide, on average around three factors, 2.7, contributed to these attacks.
And so it's just never one thing. Right? It's not one big thing that goes wrong, and if you had only caught that, then everything would have been fine. It's the fact that there are, a lot of times, little things that are happening, and you string them together, and then you have an attack. And getting it all right isn't easy. Nobody said doing security was easy. So when we look at things like protection challenges, a lot of times teams don't have the tools necessary to provide them with the protection and the prevention that they need. But also, the lack of tools means missing telemetry. And missing telemetry, to me, is a signal that you're not seeing the entire picture, and you might be missing a critical step within the attack chain that might have gotten your attention, might have gotten you to respond sooner and therefore kick the bad guys out. A lot of times when I talk to some of our customers, or the prospects I talk to, or just people out in the wild, they don't know everything that their tools can do, and that's another aspect of protection challenges: using the tools you already have to the best of their abilities. Using all the features, using all the ability of that tool to prevent things. We've got a feature called application control, which I think is great for preventing things like criminals loading up all sorts of remote access tools, and some customers don't know that they have access to that. So that's something you want to think about: what tools do I already have, and am I using them at full capacity? And then we look at resource challenges. What a lot of security teams and IT teams are trying to do is execute on a specific strategy.
And when you're having to fight all these fires all the time, when you're responding reactively to everything that happens and you're overloaded with alerts, you don't have the time to execute on that strategy, which might mean better architecting your environment, which might mean procuring and installing newer tools. And the extension of that is, if you're challenged by the number of resources that you have, you may be unable to act on telemetry as well. So I mentioned not having the telemetry in the first place. But if you have the telemetry but can't act on it, that can be just as bad. And then finally, with the security gaps, I mentioned the preventable mistakes or the opportunities. There are known and unknown security gaps here. The known security gaps, obviously, are the ones that you want to concentrate on limiting if you can, through things like, obviously, a comprehensive patching program, but also things like attack surface management, both internal and external. Knowing those gaps and mitigating against them (sometimes it might not be just getting rid of them; it might mean just putting protective technology around them) gives you time then to start to go into the unknown parts of things, the things that you haven't discovered yet that might be a problem down the road. So being able to shore up your defenses, get the strongest footing possible first, and then start to explore into the unknown is probably a good strategy for a lot of organizations. Yeah. Absolutely. And then we can actually go a little bit deeper on these numbers. So we have a lot of data points on this chart, but this is where we've broken down the operational root causes of attacks, both by company size and more granularly into the individual causes.
And you can see here on screen the different factors that are influencing different size organizations. One of the things that's most interesting to me when I look at this is how the most commonly cited weakness varies quite significantly based on organization size. We see over on the left, with the smaller organizations, it's having known security gaps that they have not been able to address, whereas over on the right side, we see lack of expertise. So do take this data, use it to support you as you're building out your ransomware mitigation strategies, learning from peers in your segment. Now moving on to the next section. We've seen the causes of attacks. But what happens to the data is the big question. So, first up, we're pleased to share the data encryption rate. This is the percentage of attacks that have resulted in data being encrypted. And as you can see, there's been a quite significant 29% drop from 2024 into 2025, down from 70% of attacks to 50% of attacks. So any drop, and particularly a significant drop like this, is very, very welcome. Now we can go a little bit deeper again here. What we have here is the data encryption rate in attacks for the last six years. That purple bar is the percentage of attacks that resulted in data being encrypted. The green, the percentage of attacks where organizations were able to stop the adversary before the data was encrypted. And that blue bar is the percentage of attacks where data wasn't encrypted but was still held to ransom anyway, what we might call an extortion-style attack. Now, John, I've got a couple of things that I'd like to dive into on this slide. The first is, why do you think that encryption rate is coming down? And, conversely, the stopping-the-attack rate is going up.
Both of those are at the best level in six years. And if I can throw a second question at you, what do you think about that extortion rate? Although it's the lower column, it's actually doubled in the last year. So a couple of questions for you there. Alright. Yeah. So I love celebrating positive results, and it's great that we're seeing it in the data this year. That data encryption rate going down, fantastic. Right? And I think, to answer your question directly, there are a few contributing factors here. Better technology is one of them. I think we just have better technology available to be able to prevent these attacks, to detect anomalous activity and suspicious activity in the network, and be able to then mount that quick response and kick the attackers out. And that earlier detection is just so crucial. You really want to get the earliest detection possible, because early detection means faster response. I can give you an example, specifically with Sophos technology because that's the one I know, with things like CryptoGuard. There's something called remote ransomware, which has been on the rise over the last few years. Remote ransomware is where the attackers establish a point of persistence on an unmanaged, unprotected host. They fetch files across the network, bring them to that unprotected host, encrypt them locally there, and then push them back. That kind of evolution of ransomware strategy, of how they encrypt files, has led to more success at times. But because technology like CryptoGuard can actually prevent that (when you think about it, that's pretty amazing, that we can prevent remote ransomware from happening), it means that we're going to have fewer ransomware events within the network.
And so that, to me, is really what's contributing to that decline: we've got better technology, we've got more proactive monitoring, and that better technology is evidenced by things like CryptoGuard. Now, as far as the extortion piece is concerned, what we often see now is that when some criminals are in your network and their goal is to deploy ransomware, if they're frustrated by your technology or by your people constantly stopping them, they're still going to want to do something. And sometimes that just means copying a whole bunch of files off your network and then holding you to ransom for just the extortion piece. And we've seen some gangs that have switched from doing both the encryption and the data theft to just doing the data theft. Because I think, in their minds, it's a little bit quieter; silently exfiltrating files is a lot quieter than all of a sudden detonating ransomware on a bunch of servers. And the ultimate goal is very similar, if not the same, which is they've got your data and they're threatening to do something with it. In this case, it's not threatening to prevent you from accessing it; it's threatening to give everybody else access to that data. And so I think that factors into some of that extortion piece as well. But at the end of the day, when we look at this, the things that we do collectively as a cybersecurity community do contribute to results like this, and the more that we keep pushing for better technologies and better operational capacities within organizations, the more we're going to see results like this. Yeah. And as you say, let's celebrate this win. That's really great movement over the last year. At the same time, we need to acknowledge that 50% of attacks are resulting in data being encrypted. So there's still much work to be done, but, hopefully, the trend is looking in the right direction.
Now, talking about 50% of attacks resulting in data being encrypted, what happens next? The reality is pretty much everyone gets their data back, but the question is how they are getting their data back. And what we can see here is that just under half, 49%, paid the ransom to get their data back, and just over half, 54%, used backups to restore their data. And 29% said they used other means, which could be, for example, a publicly released decryption key. Now these numbers clearly add up to more than 100%, and that's because we're seeing many organizations trying multiple methods in parallel to get their data back, to accelerate their recovery. But I think where we really get some interesting insights is when we look at the trending here. So what we've got on this slide is the percentage of organizations that used backups, which is that turquoise line on the top, and the percentage that paid the ransom, the line underneath, to get their data back. And we can see it over the last six years. And this, for me, is actually quite an alarming slide, because what we can see there is that the proportion of organizations using backups to recover their encrypted data is at the lowest rate in the six years that we've been doing this study. And conversely, the ransom payment rate, while it is slightly down on last year, is still almost 50%. So, John, I'd love your thoughts on this. Yeah. Well, if you draw the trend line on the ransom payment, it's up and to the right. So it is increasing year on year, which is somewhat concerning. I know that the payment rates, while they are down and they're only at half, that's still high. I think that half of organizations, one of every two organizations that gets a ransom demand, paying signals that there are not only opportunities for prevention, but also opportunities to improve your ability to recover.
And that sort of segues into that top line of backups declining now year on year. So if we draw the trend line from the very first study to the end, then we see that it actually is down. And part of that reason is that criminals are actually going after the backups. Right? They know that backups are the one thing that, if nothing else, you can use to really recover quite handily from a ransomware attack. If you have confidence in your backups, meaning that you're taking them, you're testing them, and you know how to recover quickly from them, I'm not going to say ransomware should be no big deal. It's going to be a big deal. But at least you have the confidence that you can just roll those backups into your environment, and then you can be up and running sooner. And so the criminals know this, and if they have access to those backups, then they will go after them, and they will make them unavailable. So that's why we always stress that if you do have some backups, at least one copy of them should be completely inaccessible to the cybercriminals. And as far as those fallback mechanisms, using a leaked decryption key, that's sort of the other means. What I was going to say is that should be a fallback. If you do have encrypted data and you are going to recover it, maybe the recovery for some reason isn't 100% from your backups. So maybe you just keep that encrypted copy, and down the road, if one of these groups decides to benevolently release their decryption keys, or there's a law enforcement action against that group and they release the decryption keys, maybe you can go back and get some of that data back as well. But it should not be a primary method.
So, yeah, I do see a lot of companies going through and using different methods, but at the end of the day, a really strong, comprehensive backup strategy that includes testing, and recoverability testing as well, is what's required here. And the fact is that a lot of these criminals, as they're going through your network, are assessing your ability to pay. And part of that is, if they can delete your backups, they'll know that you're more likely to pay. Sometimes they'll associate that with having cyber insurance. I'm not drawing a link here between cyber insurance and payment. I'm just saying that is part of their calculus. That's the kind of thing they think about when they're in your network, going, okay, what's the likelihood that this victim is going to pay us? And they're going to do everything in their power to increase that likelihood wherever they can. Yeah. So, actually, a tool for them to turn the screws even further. So, clearly an important area, and a good warning for everyone that backups are a really important area to be focusing on. Now, we've been talking here about recovering data and paying the ransoms. Let's take a little look at some of the financial aspects. What are ransom demands like now? What sort of numbers can you expect to receive in that ransom demand, and what are people actually paying? So we've got some really good insights here from the research. And I'm going to start off with another positive. The positive here is that the median ransom demand dropped by more than a third over the last year. In our 2024 research, that median ransom demand was coming in at $2,000,000. This year, it's come in at $1,320,000. So a really good drop. John, I'm sure you share my enthusiasm for this reduction. Yeah, I do.
And, again, still some big numbers. I would wish that these numbers were a lot smaller, but the decrease is great. And seeing that organizations aren't having to pay, or at least that the criminals aren't demanding as much, means that those organizations who, for whatever reason, are forced to pay aren't having to pay as much, and that means that obviously the overall impact isn't as huge. As far as the decrease goes, I think we're seeing that a lot of analysts and research organizations are seeing the same thing, like Chainalysis, which is one of these blockchain analysis organizations. They've seen a decrease. I think it was, like, 35% in 2024. So across the board, people are seeing that these demands, and also, if you follow that through, the payments, are declining. And I think it's driven by a few things. I think that increased law enforcement actions are taking some of these actors out of the game, which is causing the demand to decrease. Improved international collaboration between the different law enforcement agencies, as well as the private sector companies that are feeding intelligence to these law enforcement agencies and cooperating with them to make sure that there's something we can do. And then finally, I think a lot more organizations now refuse to pay. They've finally gotten to the point where they're like, we are feeding money to criminals and we're just not going to do that anymore. I know that there are certain countries that are toying with the idea of banning ransom payments, and all that kind of stuff might be contributing to it, but I think the contribution from the increased cooperation between law enforcement and the private sector, and then finally just the we're-just-not-going-to-pay-these-criminals attitude, is contributing to this.
And that, to me, just means that this disruption is working. The more we can keep these groups destabilized, looking over their shoulder, keeping them from having the comfort of hiding in their little dark corners, because, no, we're going to hunt you down and we're going to stop you, I think is having an effect. We saw a few high-profile gangs get caught out last year. BlackCat did a little exit scam. So some of these guys are seeing the writing on the wall, and they're just choosing to leave, which is great. But at the end of the day, if we keep pushing, if we keep trying to disrupt, it's going to have an impact, and I think we're starting to see it in the numbers. Yeah. Absolutely. Now let's give everyone a little bit more granularity, because that $1,320,000 is a median across 800-plus organizations of very different sizes. So if you want to get a good idea of the typical ransom demands that organizations in your size segment are receiving, we've got a breakdown here. And what you can see is that within those smaller organizations (this is split by revenue), the ransom demands are smaller, going up to the highest demands for, unsurprisingly, the highest-revenue organizations. And, John, I think this ties into what you were saying a little bit before about how cybercriminals are scoping you out when they're in your environment, looking to see how much you could pay. Yeah. So not only are they assessing the likelihood of you paying, but they're assessing the amount that you're going to pay as well. They do tend, as has been evidenced not only from this chart but anecdotally when we look at some of the demands that we're hearing about in the news, to tailor their demands to the perceived ability to pay, and in what amount.
The reality is, when you think about it, a lot of these groups are quite skilled. Ransomware has been around for nearly twelve years now, so they've been doing this for eleven years, a fairly long time. And so, unfortunately, practice does make, maybe not perfect, but makes them more perfect than they were. And so they've got all your data when they're in there. They're looking at everything. They're opening files. When I'm looking at incident response cases, they're using things like Excel and WordPad and Notepad and Word and PowerPoint, because they're opening your documents and they're trying to figure out what is in there, and part of that is your financials. They'll go to the finance share, they'll open the Excel spreadsheet with all your financials in it, and they'll do some arithmetic and then go, alright, based on this, we think we should charge that. And so, at the end of the day, they're doing their research, but they're also trying to get whatever they can. So negotiations do work with these criminals to bring some of these prices down, but they're still going to try to squeeze as much money out of you as possible. And so part of this also is that refusing to pay is driving down demands. But it's also going to drive down everything else as well. So I think that when we look at this, small organizations are effectively in the same boat as large organizations in terms of the percentage by which their demands are growing or shrinking. But I think this alone says, again, if we can shut off the spigot, then it's just going to keep driving that demand down, hopefully.
And then, at the end of the day, the outcomes are just going to be more positive. Yeah. Absolutely. And to your point there, yes, it may look here, with the data showing that the smaller-revenue organizations have those lower demands, but proportionally it is still a massive, massive impact for them, just as it is for the larger organizations. So this is how much the cybercriminals are asking for. In terms of how much is actually paid, those respondents whose organization paid the ransom shared the amount, and the median this year has dropped by half. It's gone down from the $2,000,000 reported in our 2024 research to $1,000,000 here. So, John, again, another welcome reduction. Yeah. I think that part of this is down to better incident response, and I know we'll speak to that a little bit later on as well. But they are responding to a shrinking market, if you think about it. So if we start thinking now about the fact that there is a better ability to protect and prevent, there is a refusal to pay. As your market shrinks, you're probably going to start demanding less, and therefore you're going to get less revenue out of it. So I mean, this is another positive result. I don't want to go too long on it, because I think when we look at this, it's like, alright, it's positive, but it's still high, and we need to keep pushing and do more. But there are opportunities here again that are going to keep driving this stuff down. And if I think back to one of the earlier slides when we were talking about just how these things transpire and some of the challenges. Right? One of my jobs is to research and write the Active Adversary Report.
And so I get a lot of insights into how organizations fare during an attack, and we actually added some MDR, managed detection and response, data to our last report. And what we found was that a lot more attacks were resulting in what we called network breaches. That's just somebody was in your network, but they never got to the ransomware bit, and we think a big portion of those network breaches would have been ransomware, so pre-ransomware attacks. And so just being able to stop them in their tracks, again, is going to drive some of those demands and payments down, because if they get caught, they're just going to scramble and do whatever they can. But they won't be able to do the maximal damage, won't have maximal impact. So all this links to a positive impact down the road. I know it's still ransomware, and a lot of organizations are still struggling. But collectively, I think, is how we fight this and how we make it better. Yeah. Absolutely. And, as they say, $1,000,000 is still a huge, huge amount of money for any organization. Now this is a median across all of the respondents, across all of the sectors. We have got a bit of a breakdown here into the median ransom payments as reported by the different industry sectors that were covered in the report. Those in state and local government reported the highest average ransom payments, $2.5 million. Healthcare this year reported the lowest. So there is sector variation too, and do use this data to inform your own ransomware strategies for your particular industry. Now we've looked at the ransom demand. We've also looked at the payment. Obviously, those numbers were different. Let's dive into the differences a little bit more. So there were 826 organizations that received a ransom demand and made a payment and who shared that information with us.
Now 85% of the ransom demand was paid on average. Within the cohort who paid the ransom, they paid on average 85% of the demand that they had received, but just over half of their payments were for less than the initial ransom demand. 29% of the payments matched the initial ransom demand, and 18% of people actually paid more than the initial ransom demand. Now in a moment, we're going to dive into why some organizations paid more and why some organizations paid less than the initial demand. So there are really interesting insights there. But first, I just want to share with you here this data analysis comparing how the ransom demand and the ransom payment compare, split again by organization revenue. And what you can see here is that as we move over to the right-hand side of the chart, as organization revenue increases, we see a much greater percentage drop in the demand versus payment. So those organizations at $5 billion plus, they are getting the highest demands, but they are proportionally able to reduce it far more than those smaller organizations receiving those smaller payments, and that likely reflects the resources and skills that they can call on, both internally and externally, to help them with those negotiations and remediation activities. But I said we're going to dive into why some people pay less and why some people pay more. So I think this is a really interesting insight. So 445 organizations explained why they were able to pay less than the initial ransom demand. Just under half, 47%, said they negotiated a lower amount, and we see 45% saying that external pressures forced the attackers to reduce their demand. This could be, for example, press coverage, particularly for health care style organizations. We also see adversaries wanting to speed up payments, you know, taking steps to encourage organizations to quickly get on and pay.
They want to see money in their accounts, and 45% said that they actually had a reduction in demand to encourage them to speed up. And similarly, 43% said that they paid quickly. And then we're also talking about negotiation. You know, we saw 47% saying that they negotiated a lower amount. 40% said that they got a third party to negotiate a lower amount, and that could be a breach coach, could be someone working on behalf of an insurance provider as well. So lots of different strategies that are deployed to reduce the payment. But there are quite a few organizations, in fact 151, who paid the ransom and actually paid more than their initial demand. And 50% said that it's because the attackers thought they could pay more. That's really talking to that point you were making earlier about how adversaries are scoping out your propensity to pay, but also how much you can afford. So as they've gone on with the attack, they've realized they can likely, you know, get more money from the organization. Similarly, tying into the second one here, when the adversaries realized they're a high value target. We can see other behavioral elements within the adversaries coming through. 38% of respondents saying the attacker got frustrated. And tying into the backup conversation we were having, 38% saying their backups failed, which forced them to pay more. So a really good proof point to support the need to spend time, spend effort focusing on making sure you've got backups that are strong and solid, so that you're not going to be one of this 38% with the malfunctioning backups. And then, again, the time thing coming in again, 32% saying they didn't pay quickly enough, so the adversary increased the bill. So that's a lot of the financial side.
Let's have a look at the business impact because, you know, really the business and the people, those impacts are really what it all comes down to at the end of the day. Now we have here the average cost to recover from a ransomware attack. And this is looking at all the different factors that contribute, including downtime, you know, recovery cost, that type of thing, but it does exclude ransom payments. I know we've talked about ransom payments. These numbers exclude ransom payments. So what we can see here is that average recovery cost, and it's come down significantly, over 44% over the last year, from $2.73 million last year to just over $1.5 million this year. So, John, another welcome reduction. Absolutely. And I think, when we look at the landscape of both the ransomware threat actors, but also the ability to respond to those ransomware actors, we've gotten better as well. Right? Not only have they been more practiced, but unfortunately, because of this ransomware onslaught that we've been living through for so many years, it means that we've had more practice at recovery. And so when you think about the way that a lot of organizations recover today, one of the ways is to have your own incident response plan and team ready to activate in the event of a ransomware attack. A lot more organizations now are taking the time to do things like tabletop exercises. They're going through the exercise of simulating a ransomware attack and then simulating the response so that they can understand where some of the gaps are. What pieces are they missing for a quick and effective recovery? Then some other organizations will call their cyber insurance company, who will then bring in some incident response specialists. Right?
So Sophos has some great relationships with a lot of cyber insurance vendors out there, and we also provide a service that anybody can consume for incident response. And, again, we do this, unfortunately, every single day. We've gotten very good at pinpointing the activities that the cyber criminals are doing on the network, cutting those off, neutralizing the threat, and then helping the organizations recover. And unfortunately, because we've had to do this so many times, I mean, fortunately, we've gotten better at it, we've gotten more efficient, but unfortunately, the organizations are still being hit. So all of that contributes to reduced costs. Right? So the faster you can get from the attack to the recovery means less downtime, means less lost revenue for a lot of organizations, but it also means the quicker downtime means that you're not spending as much for external consultancy, if you will. For things like maybe the external PR, having to do crisis PR, those kinds of things. If you can limit the blast radius and recover quickly, the costs just simply go down. Mhmm. K. Yeah. Yeah. Absolutely. Absolutely. Now we have got this $1.53 million broken down also by organization size. So, you know, you can see here how the costs start lower for the smaller organizations, but then kind of go on to plateau at about $1.83 million. So, you know, giving this data here is for everyone, showing that there's a different recovery cost, but also, you know, John, you mentioned cyber insurance. You know, if you're looking to take out a cyber insurance policy, be sure that you have sufficient coverage in the event that you get hit by a ransomware attack. Now you can see here with the organizations with 500 to a thousand employees, you know, you're looking at $1.5 million, plus, you know, any ransom payment.
So, you know, do use this data to make sure that you have sufficient coverage in your insurance policy. But also, you know, it's a really great way to justify why it makes so much more sense to spend time, spend effort, spend investment preventing the incidents, preventing the attacks getting to an advanced stage. Yeah. I was gonna say, Sally, that this is evidence, as you say, that there is going to be some cost to an attack. So if we can prevent them in the first place, then that drastically alters this bar chart. Yeah. Absolutely. Now this is a cost slide. You know, another impact we wanna look at here is time. You know? How long were you down for? How long did it take you to recover? So we've got here again some year on year trends. We've actually got data here for four years, going back to 2022. You can see the percentage that recovered in less than a day, up to a week, up to a month, and so on. And, you know, actually, there's been quite a lot of good news in this update, in this year's research. And another good news point is that organizations are getting faster. But, John, you were saying we're unfortunately, you know, getting more experience because there are just so many attacks. How does this tie in with your experiences? Yeah. It's just that. It's that when we have an incident that we're responding to, many times, if we know, let's say that an organization comes to us and says, we've been hit by Akira. Right? We know the Akira playbook. Now to be, you know, more accurate, Akira is a ransomware as a service. It's a conglomeration of a lot of different actors that are working under the same brand, but they use very similar tactics at times, and some of them have brand affinity. Right?
They will use the ransomware as a service brand that is more comfortable and that they feel, you know, is more trusted for them. So when we see that, there's a lot of things that we know to look at. Right? First, we can look at certain types of activity. We can look for that. And then we can pivot off that activity and those behaviors to then find other things. And so just that repeated exposure to not only ransomware writ large, but also the different ransomware brands out there, the different tactics of specific groups. We have what we call threat activity clusters. Again, it's just a way of looking at the way that the attacks unfold and wrapping some commonality around those attacks. If we see a couple of indicators here and there, we can then go, oh, yeah. Okay. They did A and B. Well, C, D, E, and F are probably gonna be the next set of tactics. And that's not only the way we can go about it from an incident response perspective, but that's how we can go at it from a prevention perspective as well, from the MDR, managed detection and response, side of things. Right? We can see a couple of little indicators here and there and go, oh, wait a minute. Those two right there, that's, you know, that's Chaos ransomware. Right? Just to pick a brand new one. And so we know that the next thing is they're gonna dump credentials on your Active Directory server or whatever. They're gonna do something, and we need to get in between that activity and the threat actor. So the recovery time, simply, I think, is just an indication of all that time that we and the community have spent responding to these attacks, and we've just gotten really good. Right? A cyber insurance company, you call them up. You say, I've been attacked. They're gonna say, okay. We're gonna, you know, if it's an on-site thing, we're gonna send Joe.
He's gonna go in there, and he's gonna do these things, and he's gonna request that. And in the meantime, I need you to do this, this, this, and this. Right? And so they already have that playbook. As criminal actors have their playbooks, we have ours. Right? And that just, in essence, reduces the time that is required to recover from an attack. Yep. K. Great insights. Thank you. Yep. This here is looking at the, you know, the operational impacts of an attack. The final area of data we wanna look at is actually the human impact of ransomware, because it really does have significant consequences. And this is a new area of research for us in our 2025 report. So we asked those IT leaders whose organization had data encrypted, you know, what were the impacts on the IT team, on the cybersecurity team? And every single respondent said that there had been impact. You know? Nobody said, you know, nothing has changed. But, you know, the top of the list, most commonly cited, was increased stress or anxiety about future attacks. So, you know, really putting a burden, a mental burden, on the people at the front line, together with pressure. You know, 40% saying they've seen increased pressure. And actually, when we go down to the bottom of the list, you know, 25% of the respondents whose organization had data encrypted said our team's leadership was replaced. So, John, I think we've got a, you know, a pretty broad range. You know, there are some positives in here, you know, increased recognition from senior leaders, but also, you know, quite a lot of negative repercussions for the team involved. Yeah. I think that we spend a lot of time talking about the technical aspects of a lot of these attacks with ransomware. You know, how did they get in? What tools did they use? How long were they in the network? All these kinds of things.
You know, how much was the ransom demand? And we often forget that there are humans at the other end of these attacks. There are humans at both ends of the attacks, really, but the ones that are being impacted, the victims, you know, there are humans at the end of this attack. And it's going to have a toll. I've spoken to people who have been through this, and they express a lot of the different things that we see on this slide here. But it was just, for the humans that are dealing with security within an organization, they do care. They care about protecting the organization, and some of them really take that, you know, it hits them personally when the organization's attacked. More than sometimes the rest of the organization, who's not having to deal with the brunt of it. They're also seeing the impacts down the line. I was speaking to somebody not too long ago who was talking about how, you know, one of the impacts was to payroll. And all he could think about when this attack happened was how can we get the people paid? Right? The rest of the employees, because he didn't really care in the moment about anything else but making sure that the people that were relying on their paychecks were gonna get them. And that's the first thing the organization did was say, okay. You know what? We've got some money over here in the bank. Let's just make sure we make payroll. Other things were happening in the background, but that was of paramount importance. And he said, you know, he was losing sleep over that, making sure that his peers were gonna be able to buy groceries that week or that month, depending on the pay period. Right? So it really needs to be included in your incident response plans.
And when you're doing the, you know, the arithmetic about how are we gonna do this thing, how are we gonna make this all add up in the end to a positive outcome, don't forget the humans. Don't forget that there are people that are gonna be disproportionately impacted by this. And if you can identify those people ahead of time through your tabletop exercises and through, you know, organizational surveys and just your knowledge of how the organization works, and prioritize that, you know, prioritize making sure those people are being taken care of, I think that is of paramount importance. So let's not get just bogged down into the technical aspects of things, but remember that at the end of the day, it's humans that are being impacted, it's humans that are responding to this, and let's make sure that they're okay too. Yeah. Very well said. Very well said. So that brings us to the end of the research that we want to share. We have some recommendations to leave you with based on the findings that we have here, on the insights into how ransomware attacks are playing out. So, John, I wonder if you wanted to talk to these. Yeah. So I'm not gonna go through the exact bullet points here, but I think I'm gonna just abstract it a little bit and then give people an idea of, when I look at, you know, protecting against ransomware attacks, what I think about. And so the first two for me, prevention and protection. Right? That speaks to what we were talking about earlier with respect to having the tooling. It's making sure that you do have the tools at your, you know, at your fingertips to not only prevent attacks, but also respond. But also tools that you're using to their maximal efficiency and efficacy, but that are also gathering as much telemetry as possible. Right?
In order to move to that next step of detection and response, you have to have an ability to discover an attack in progress. Prevention and protection is gonna make sure that the vast majority of low hanging, easy to, you know, sort of shove aside attacks are being prevented or being mitigated, which allows you to focus on a more narrow set of signals. Right? And we've probably heard the term of burning down the haystack, from the old analogy of, you know, the metaphor of, like, you know, the honeypot and the needle in a haystack. Well, you burn it down. Right? And so that's what prevention does. It helps reduce the size of that haystack and helps you focus in more on what's important. And part of that strategy is doing things like making sure that only approved applications are being used, because now I'm only having to monitor a smaller subset of information to determine whether it is an attacker that's using my TeamViewer or an administrator that's using my TeamViewer. Right? And having that constrained helps you detect those signals better. And so then that leads into the detection and response piece, which is you have to have the telemetry, but you also need to know what you're looking at. And that ties into resources. Right? Knowing what you're looking at, knowing that that thing that's happening now is a bad thing, is important. How do you know that? You have to know your baseline. You have to understand what the normal operating parameters of your business are from a technical perspective, so that you can spot those spikes. We talked earlier about extortion, where the criminals, instead of encrypting things, are simply just stealing the data and then extorting you later. Well, in a lot of cases, they're stealing small amounts of data, but in some cases, they're stealing very large amounts of data, and that's going out the front door.
So you should have an idea of what, like, egress traffic looks like, right, what the outbound traffic looks like, so that you can know when there's a spike of activity. Maybe that's happening in the middle of the night when it shouldn't. Maybe that's happening to a, you know, a cloud provider that you never usually deal with. That should be a signal as well. And then the planning and preparation kind of wraps all this up. If you've got all the telemetry, if you've got all the prevention technology, if you know what you're looking at and you know how to act on it, and you've got plans in place and you've rehearsed them. Right? Then the planning and preparation makes a lot of the response much easier. And it makes it so that iteratively, right, as you go around this circle of trying to prevent, defend and detect, respond, do better. Right? Fill in those gaps, and you keep going around. I'm gonna go back to it. Like, doing security right is not easy. There are things you can do that make it easier, and there's no endpoint. Right? There's no point where you can say, okay, job done. Our security is tight, and we're good to go. Right? Because there's gonna be a vulnerability next week in a system that you use, and that's gonna present an opportunity to the cyber criminals. So you need to think in terms of that life cycle of cybersecurity, that life cycle of prevent, detect, respond. And over the, you know, the weeks and months that you're doing this, you're going to get better, but you have to be willing to put in the time. K. Great. Thank you. So, you know, as you're doing those things, as you're looking at your ransomware mitigation strategies, if you want to learn more about the data points that we've been sharing these insights from, you know, we do have a PDF report you can access at sophos.com/ransomware2025. So do get that report.
We also have got individual country reports for the 17 countries that participated in the survey, so you can access them too. And, of course, you have a full Sophos team that's here to help you if you want to discuss any aspects of your cyber defenses and how we can help you. So with that, thank you so very much for your time. Really appreciate you spending it with us to learn about the findings from the research. Really hope that you've got some actual insights and some learning points that will support you in your cybersecurity journey. So with that, I think, John, we wish everyone, you know, a really happy, really successful rest of your day.