41% Of Ransomware Victims Who Pay Ransom Can’t Recover Data


Paying attackers a ransom to recover from ransomware attacks fails 41% of the time, and even when recovery keys work, ransomware victims don’t always recover all of their data.

That’s one of the findings from cyber insurer Hiscox’s Cyber Readiness Report 2025, which is based on interviews with 5,750 organizations in seven countries. The report found that 27% of those organizations had experienced a ransomware attack in the preceding 12 months.

Among the organizations that paid a ransom, 60% recovered “some or all of their data,” the report said, but 41% “were given a recovery key, but still had to rebuild their systems.”

It gets worse.

For 31% of ransomware victims who paid a ransom, attackers demanded more money, the report found. And additional attacks were sustained by 27% of those who paid a ransom, “though not necessarily an attack from the same entity.”

“No company enjoys rewarding bad players for hijacking their data, but when it comes to ransomware attacks, it is common for organisations to make every effort to recover what could be lost,” Hiscox said. “That includes paying the ransom where that is demanded.”

“Paying a ransom does not always solve the problem,” the report noted.

IoT Devices Most Common Attack Vector

Vulnerabilities are a key initial attack vector noted by the report. Internet of Things (IoT) devices owned by the organizations were the most common point of entry for cyberattacks (33%), followed by supply chain vulnerabilities (28%), and cloud-based corporate servers (27%). AI tools and software were attackers’ initial point of entry for 15% of organizations.

Ransomware victims aren’t the only ones at risk of multiple cyberattacks: the report found that one cyberattack significantly raises the risk of further cyberattacks.

Of the organizations surveyed, 59% had experienced at least one cyberattack in the preceding 12 months. Among those organizations, larger companies or those with higher revenue were more likely to experience additional incidents. Companies with more than $1 million in revenue that had experienced an attack in the last year averaged six cyberattacks, compared to four for those businesses with less than $1 million in revenue.

Businesses with 50-249 employees had an average of seven attacks in the last year compared to companies with 11-49 employees, which averaged five attacks.

Nonprofits were the hardest hit sector, averaging eight incidents, while organizations in the chemical, property, and media sectors averaged three cyberattacks.

Most Favor Ransomware Payment Exposure

The report noted that a new law in Australia requires companies to disclose the amount of ransoms paid, and 71% of respondents agree that such disclosures should be mandatory. However, 53% believe that private companies should not be obligated to disclose ransomware payments.

While the report paints a challenging picture for cybersecurity defenders, there was one bright spot: 83% of respondents reported improved cyber resilience at their company in the last 12 months.


