Median
Ransom Payment in India Fell to $481,636; a 79% drop from the previous year
Sophos - a global
leader of innovative security solutions for defeating cyberattacks, today
released its sixth annual The State of Ransomware 2025 report, a
vendor-agnostic survey of 3,400 IT and cybersecurity leaders across 17
countries, including 378 organisations in India that were hit by ransomware in
the last year. This year’s survey found that nearly 53% of Indian companies
paid the ransom to get their data back, which is a considerable drop from the
65% reported last year.
In India, ransomware payment dynamics shifted notably over the past year. The
median ransom demand fell by 52%, from US$2 million to US$961,289, while the
median payment dropped even more sharply by 79% to US$481,636. Although 41% of
Indian organisations paid less than the original demand, nearly half paid the
full amount, and 12% paid even more, underscoring the unpredictable outcomes
many face during ransomware incidents. Beyond ransom payments, organisations
also spent an average of US$1.01 million on recovery highlighting the broader
financial toll of ransomware attacks.
Exploited
vulnerabilities were the most common technical root cause of attack, used
in 29% of attacks. They are followed by compromised credentials, which were the
start of 22% of attacks. Malicious emails were used in 21% of attacks.
From an operational perspective, 41% of organisations cited a lack of people or
capacity and/or poor-quality protection
as common root causes while 39% acknowledged that not having the necessary
cybersecurity products or services played a factor in their organisation
falling victim to ransomware. The findings underline how both technical
weaknesses and internal constraints continue to leave businesses open to
attack.
“Ransomware continues to be a harsh reality for many Indian businesses. Even as awareness improves, organisations are still grappling with challenges like unpatched vulnerabilities, limited cybersecurity resources, or simply not having the right support in place when an attack strikes. The pressure on IT teams is immense, and often, paying the ransom feels like the only option to get operations back on track,” said Sunil Sharma, Vice President - Sales (India and SAARC), Sophos.
“The positive shift we’re beginning to see is that more Indian organisations now understand the value of preparedness. At Sophos, we’re supporting this change by helping companies strengthen their defences through MDR, advanced endpoint protection, and real-time threat intelligence. The focus is steadily moving from reacting to incidents to building long-term cyber resilience, and that’s a change worth encouraging,” Sunil added.
Additional Key Findings for India from the State of Ransomware 2025 Report:
Data Theft Continues Despite Lower Encryption Rates: Among attacks where data was encrypted, 31% of Indian organisations also had data stolen down slightly from 34% the previous year.
Fewer High Ransom Demands, but Amounts Remain Substantial: 49% of the ransom demands made to Indian organisations were for US$1 million or more, a drop from 62% last year.
Mental Health and Team Strain Are on the Rise: 46% of Indian respondents reported increased stress or anxiety about future attacks, and 42% said pressure from senior leadership had intensified.
Organisations Rely on Multiple Recovery Approaches: While 53% of organisations that had data encrypted paid the ransom to get it back, 51% used backups showing that many are employing multiple strategies for resilience.
Sophos recommends the following best practices to help Organizations defend against Ransomware and other Cyberattacks:
· Take steps to eliminate common technical and operational root causes of attacks, such as exploited vulnerabilities. Tools like Sophos Managed Risk can help companies access their risk profile and minimize their exposure.
· Ensure all endpoints (including servers) are well-defended with dedicated anti-ransomware protection.
· Have an incident response plan in place and tested for when things go wrong. Have good backups and practice restoring data regularly.
· Companies need around-the-clock monitoring and detection. If they do not have the resources in-house for this, they can work with a trusted managed detection and response (MDR) provider.
The survey was conducted between January and March 2025, and respondents were asked about their experience of ransomware over the previous 12 months.
Sophos will be releasing additional industry findings throughout the year.
Learn how
MDR can neutralize attacks like ransomware in real-time by registering for the
webinar Behind the Shield: Real-World Stories of
Thwarted Ransomware Attacks here.
National, India – July 2, 2025
