Sophos, a global leader of innovative security solutions for defeating cyberattacks, today released its sixth annual State of Ransomware report, a vendor-agnostic survey of IT and cybersecurity leaders across 17 countries that studies the impact of ransomware attacks on businesses. This year’s survey found that 41% of Australian organisations paid the ransom to get their data back – a considerable decrease from last year (66%).
Overall, the Australian median ransom demand was US$217,000, a substantial drop from the US$4.42 million reported in Sophos’ 2024 report.
Australian organisations typically paid 88% of the ransom demand, just above the global average of 85% – 52% paid less than the initial ransom demand (global average: 53%).
Globally, in 71% of cases where the companies paid less, they did so through negotiation – either through their own negotiations or with help from a third party. In fact, while the median ransom demand dropped by a third between 2024 and 2025, the median ransom payment dropped by 50% globally, illustrating how companies are becoming more successful at minimising the impact of ransomware.
Exploited vulnerabilities were the number one technical root cause of attacks for Australian organisations (28%), followed by phishing which was the start of 24% of attacks, and compromised credentials which were used in 21% of attacks.
A lack of protection was the most common operational root cause, cited by 45% of Australian respondents. This was followed by a lack of people/capacity cited by 44% of organisations. Forty-one per cent said that both known and unknown security gaps played a factor in their organisation falling victim to ransomware.
“For many organisations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress,” says Chester Wisniewski, director, field CISO, Sophos.
“Of course, ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We’re seeing more companies recognise they need help and moving to Managed Detection and Response (MDR) services for defense. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long way in preventing ransomware from the start.”
Additional key findings for Australia from the State of Ransomware 2025 Report
- Backup use is down: Only 67% of Australian companies used backups to restore their data – a drop from the 72% reported last year.
- 33% of attacks resulted in data being encrypted: This is well below both the global average of 50% and the 49% reported by Australian respondents in 2024. Of the Australian organisations that had data encrypted, 98% were able to get it back, above the global average.
- Silver lining: recovery costs are on the decline: The average cost of recovery (excluding any ransom payments) for Australian organisations dropped considerably from US$2.37 million in 2024, to US$650,000 in 2025.
- Companies are getting faster at recovery: Close to half (47%) of Australian organisations fully recovered from a ransomware attack in a week – up from the 36% reported last year. Only 13% took between one and six months to recover – down from 33% in 2024.
Sophos recommends the following best practices to help organisations defend against ransomware and other cyberattacks:
- Take steps to eliminate common technical and operational root causes of attacks, such as exploited vulnerabilities. Tools like Sophos Managed Risk can help companies assess their risk profile and minimise their exposure.
- Ensure all endpoints (including servers) are well-defended with dedicated anti-ransomware protection.
- Have an incident response plan in place and tested for when things go wrong. Have good backups and practice restoring data regularly.
- Companies need around-the-clock monitoring and detection. If they do not have the resources in-house for this, they can work with a trusted managed detection and response (MDR) provider.
Data for the State of Ransomware 2025 report comes from a vendor-agnostic survey of 3,400 IT and cybersecurity leaders in organisations that were hit by ransomware in the previous year. Organisations surveyed ranged from 100 to 5,000 employees across 17 countries. 200 Australian respondents feature in the report.
The survey was conducted between January and March 2025, and respondents were asked about their experience of ransomware over the previous 12 months.
Sophos will be releasing additional industry findings throughout the year.