While ransom demands have gone down, nearly half of organizations still pay a ransom after a ransomware attack. The latest Sophos State of Ransomware survey, the centerpiece of this week's roundup, describes a paradoxical landscape: security gaps and attacker ingenuity remain rampant, ransom amounts are trending downward, and data recovery practices are heading in the wrong direction.

Decrease in Ransom Demands and Payments

According to Sophos' State of Ransomware 2025 report, cybercriminals have dialed back ransom demands by about a third compared with 2024, and the median ransom payment has dropped by 50 percent.

Despite these reductions, the survey of 3,400 IT and security professionals, conducted in early 2025, found that 49 percent of companies whose data was encrypted chose to pay the ransom to get it back. That is an improvement on last year's 56 percent, but it is still a staggeringly high share of organizations.

Security Gaps and Exploited Vulnerabilities

A concerning revelation from the survey is that 40 percent of victims acknowledged that attackers exploited security gaps the organization was not aware of. This underscores the urgent need for a proactive approach: inventory the attack surface, scan it from the outside and test it the way an attacker would, so exposures are discovered and fixed before they are exploited.

"For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025." - Chester Wisniewski, Sophos field CISO.

Additionally, the report identified exploited vulnerabilities as the root cause of 32 percent of ransomware attacks. This is a clear reiteration of the need for timely patching and vulnerability management as a whole, prioritized by evidence of active exploitation (for example CISA's Known Exploited Vulnerabilities catalog) rather than by CVSS score alone.

Declining Use of Backups for Data Recovery

Backups are increasingly underutilized for data restoration: only 54 percent of victims restored from backups rather than paying the ransom, a six-year low. This drop-off is especially concerning, because restoring from backup is the most secure and cost-effective method of recovery compared with paying a cyber criminal. It only works, however, if the backups are kept offline or immutable so the attacker cannot encrypt or delete them too, and if restores are tested before an incident rather than during one.

"The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage." - Chester Wisniewski, Sophos field CISO.

Organizations should prioritize maintaining robust backup and recovery strategies, including regular restore tests, to minimize the impact of ransomware attacks and avoid the need to pay ransoms.

Emerging Vulnerabilities and Attack Vectors

Besides the broader trends Sophos points out, a handful of specific vulnerabilities and attack vectors have been gaining attention. CVE-2024-51978, a CVSS 9.8-rated vulnerability in Brother multifunction printers (MFPs), lets an attacker derive a device's default administrator password. It affects 689 known models and is considered unfixable for devices already in the field, because Brother generates the default password from the device's serial number, which is not a secret. Since MFPs are widely deployed in business environments and are often left on their default credentials, the practical mitigation is to change the administrator password on every affected device rather than wait for a firmware fix.

Varonis has detected a novel phishing campaign that abuses Microsoft 365's Direct Send feature, which lets on-premises devices and applications deliver mail to a tenant without authenticating. By spoofing internal addresses through this path, the attackers targeted approximately 70 organizations without compromising a single account. The #CyberAware reminder here: look at the email headers. A message that claims to come from a colleague but arrived from an external IP, and fails SPF or DMARC, is a phishing email no matter what the From line says.
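As an added example (not Varonis' code and not part of the original page), the script below applies exactly that header check. It walks the Received: chain to find the first hop, compares it against the organization's own egress ranges, and reads the SPF verdict from Authentication-Results, flagging any message that claims an internal sender but fails either test. The organization domain (example.com), its egress range (203.0.113.0/24) and the three sample messages are all constructed for illustration.

```python
"""Flag mail that claims an internal sender but arrived from outside.

Added example for the Direct Send spoofing pattern. The domain, the IP
ranges and the message samples are constructed; nothing here is from the
Varonis research or the original page.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                               # assumed org domain
ORG_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed egress range

# Matches the bracketed IPv4 literal a receiving MTA records for its peer.
PEER_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def first_hop_ip(msg):
    """IP of the host that first handed the message to our mail system.
    MTAs prepend Received: headers, so the last one is the earliest hop."""
    for hdr in reversed(msg.get_all("Received", [])):
        m = PEER_IP_RE.search(hdr)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None


def spf_result(msg):
    """SPF verdict from Authentication-Results ('none' if absent)."""
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"


def classify(raw):
    """Return the reasons a message looks like a Direct Send spoof.
    An empty list means neither check fired."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    if sender.rpartition("@")[2].lower() != ORG_DOMAIN:
        return []  # external sender: a different problem, not this pattern
    reasons = []
    hop = first_hop_ip(msg)
    if hop is not None and not any(hop in net for net in ORG_NETWORKS):
        reasons.append(f"From {sender} but first hop {hop} is outside org ranges")
    spf = spf_result(msg)
    if spf != "pass":
        reasons.append(f"spf={spf} for a message claiming {ORG_DOMAIN}")
    return reasons


# Constructed sample: attacker VPS pushes a spoofed helpdesk mail straight to
# the tenant's MX endpoint (Direct Send). Note the external first hop and SPF fail.
SPOOFED = """\
Received: from MW2PR01MB0001.prod.exchangelabs.com ([10.20.30.40]) by MW2PR01MB0002.prod.exchangelabs.com with HTTPS; Tue, 1 Jul 2025 09:00:05 +0000
Received: from vps.attacker.invalid (unknown [198.51.100.23]) by example-com.mail.protection.outlook.com with ESMTP; Tue, 1 Jul 2025 09:00:01 +0000
Authentication-Results: spf=fail (sender IP is 198.51.100.23) smtp.mailfrom=example.com; dkim=none; dmarc=fail action=none header.from=example.com; compauth=fail reason=000
From: IT Helpdesk <helpdesk@example.com>
To: jane@example.com
Subject: Voicemail notification

Open the attached PDF to hear your message.
"""

# Constructed sample: a legitimate Direct Send from an on-prem scanner.
LEGIT = """\
Received: from scanner01.example.com ([203.0.113.10]) by example-com.mail.protection.outlook.com with ESMTP; Tue, 1 Jul 2025 09:10:00 +0000
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example.com; dkim=none; dmarc=pass action=none header.from=example.com
From: Scanner <scanner@example.com>
To: jane@example.com
Subject: Scanned document

See attachment.
"""

# Constructed sample: ordinary external mail, which this check must not flag.
VENDOR = """\
Received: from mail.vendor.invalid (mail.vendor.invalid [192.0.2.7]) by example-com.mail.protection.outlook.com with ESMTPS; Tue, 1 Jul 2025 09:20:00 +0000
Authentication-Results: spf=pass (sender IP is 192.0.2.7) smtp.mailfrom=vendor.invalid; dkim=pass header.d=vendor.invalid; dmarc=pass action=none header.from=vendor.invalid
From: Billing <billing@vendor.invalid>
To: jane@example.com
Subject: Invoice

Invoice attached.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("vendor", VENDOR)):
        print(name, classify(raw) or "ok")
```

The same two signals can be turned into a transport rule or a mail-flow alert: internal From domain plus a first hop outside the known egress ranges, or internal From domain plus `spf=fail`/`compauth=fail`. Tenants that do not need unauthenticated inbound delivery at all can close the door entirely with Exchange Online's Reject Direct Send organization setting (`Set-OrganizationConfig -RejectDirectSend $true`), after first confirming which devices still rely on it.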

As of this writing, CISA is warning of active exploitation of a CVSS 10.0-rated vulnerability in AMI MegaRAC BMC firmware. Because a baseboard management controller sits beneath the host operating system and is reachable out of band, this is a critical risk to vulnerable systems: patch urgently, and verify that no BMC management interface is exposed to the internet or to general user networks.

Other News

Smart suggestions will be available to Android users with Google's new Gemini AI assistant starting July 7, providing faster, more powerful features and deeper integration into the OS.

Hardware wallet provider Trezor has also warned users to be on the lookout for phishing scams that ask for a wallet backup (the recovery seed phrase), urging users to guard their backups closely.

"NEVER share your wallet backup — it must always stay private and offline." - Trezor.

"Trezor will never ask for your wallet backup." - Trezor.