Ransomware attacks on UK organisations are becoming more costly and disruptive, according to new research from cybersecurity firm Sophos. The company’s latest State of Ransomware in the UK 2025 report reveals that the average cost to recover from an attack—excluding any ransom paid—has risen to $2.58 million (£2.04 million), while ransom demands themselves have more than doubled over the past year.
The study, based on a survey of 201 UK IT and cybersecurity leaders whose organisations were hit by ransomware between January and March 2025, shows a median ransom demand of $5.37 million (£4.24 million). Actual payments averaged $5.20 million (£4.11 million)—103% of the initial demand and significantly higher than the global average of 85%.
Sophos found that 70% of UK ransomware attacks resulted in data being encrypted, well above the global average of 50% and up from 46% in the UK the previous year. More than half of affected organisations chose to pay the ransom, while only 39% were able to recover data using backups—a decline from 48% in 2024.
The human toll on IT and security teams was also evident. Among those who experienced data encryption, 43% reported increased workloads, 41% experienced heightened stress or anxiety, and over a quarter said a team member had taken leave due to mental health concerns. In 24% of cases, leadership within the security team was replaced following the incident.
The report identifies exploited vulnerabilities (36%) and phishing emails (20%) as leading technical causes of attack. Operational failings such as lack of cybersecurity expertise (42%) and unidentified security gaps (40%) were also widely cited.
“For many organisations, the chance of being compromised by ransomware actors is just a part of doing business in 2025. The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage. This includes hiring incident responders who can not only lower ransom payments but also speed up recovery and even stop attacks in progress,” says Chester Wisniewski, director, field CISO at Sophos (pictured).
This growing complexity is also increasing reliance on MSPs to deliver advanced threat protection and cyber resilience. While the UK-specific report doesn’t quantify MSP involvement directly, the global Sophos data shows that nearly two-thirds of mid-sized organisations are now outsourcing some or all of their cybersecurity operations. Sophos notes a rising demand for managed detection and response (MDR) services—particularly among organisations that lack in-house 24/7 coverage.
This trend is echoed by other recent findings. According to the UK government's Cyber Security Breaches Survey 2025, 54% of medium-sized businesses now use an external IT provider for their cybersecurity needs. Adoption of endpoint detection and response (EDR), Zero Trust architectures, and incident response planning is also growing—albeit unevenly across sectors.
Despite the growing threat, there are signs of resilience. Nearly six in ten UK organisations now recover from attacks within a week—up from just 38% a year ago.
Sophos urges organisations to focus on prevention and preparation, recommending strong endpoint protection, continuous threat detection, and rehearsed incident response plans. For many, especially SMEs, this increasingly involves strategic partnerships with MSPs who can deliver both technology and expertise.
