A new report from Sophos reveals that nearly 50% of companies globally paid the ransom to recover their data after a cyberattack, marking the second-highest rate of ransom payments in six years. In the UAE specifically, 43% of organizations whose data was encrypted chose to pay the ransom, with 30% of them successfully negotiating a lower amount than initially demanded.
The “State of Ransomware 2025” report, Sophos’ sixth annual vendor-agnostic survey, highlights a global trend where the median ransom payment dropped by 50% between 2024 and 2025, even as the median demand decreased by a third. This indicates that companies are becoming more effective at minimizing the financial impact of ransomware attacks. In the UAE, the median ransom payment was $1.33 million.
Exploited vulnerabilities were identified as the primary technical root cause of attacks in the UAE. Almost half (49%) of ransomware victims in the UAE were unaware of the security gap that adversaries exploited. Furthermore, 54% of UAE organizations cited resourcing issues as a contributing factor to falling victim, with one-third pointing to a lack of expertise and 30% reporting a shortage of expertise.
The report also found that the impact of ransomware attacks on data in the UAE remains significant. Data was successfully encrypted in 55% of attacks, exceeding the global average of 50%. Additionally, data was stolen in 43% of these cases, a figure considerably higher than the global rate of 28%. Despite this, 98% of affected organizations managed to recover their data, with 68% utilizing backups and 43% paying the ransom.
“For many organizations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress,” said Chester Wisniewski, director, field CISO, Sophos. He added, “Of course, ransomware can still be ‘cured’ by tackling the root causes of attacks: exploited vulnerabilities, lack of visibility into the attack surface, and too few resources. We’re seeing more companies recognize they need help and moving to Managed Detection and Response (MDR) services for defense. MDR coupled with proactive security strategies, such as multifactor authentication and patching, can go a long long way in preventing ransomware from the start.”
Malicious emails initiated 23% of attacks, while compromised credentials were used in 18% of attacks. The average cost for UAE organizations to recover from a ransomware attack, excluding ransom payments, was $1.41 million, lower than the global average of $1.53 million. This cost includes downtime, personnel time, device costs, network costs, and lost opportunities.
UAE organizations recovered quickly from ransomware attacks, with 63% achieving full recovery within a week, notably above the global average of 53%. Only 15% took between one and six months to recover.
The human impact on IT/cybersecurity teams in organizations where data was encrypted was also significant:
- 40% reported increased pressure from senior leaders.
- 37% noted an increased team workload since the attack.
- 42% reported increased anxiety or stress about future attacks.
- 18% experienced team member absence due to stress or mental health issues.
Sophos recommends several best practices to defend against ransomware, including eliminating common technical and operational root causes like exploited vulnerabilities, ensuring endpoints are protected with anti-ransomware solutions, having a tested incident response plan, maintaining good backups, and implementing around-the-clock monitoring and detection, potentially through a managed detection and response (MDR) provider.
The “State of Ransomware 2025” report is based on a survey conducted between January and March 2025, involving 3,400 IT and cybersecurity leaders from organizations across 17 countries that experienced ransomware attacks in the past year.
