
Semperis 2025 Ransomware Study
A survey of 1,500 organizations by identity security pioneer Semperis reveals that 69% of companies that have been victimized by ransomware have paid a ransom (with 50% of firms saying they have paid between $500,000 and $1 million, and 42% reporting that they have paid $500,000 or less), whilst a further 55% say that they have been attacked multiple times. The share paying a ransom rises sharply to 83% among UK government and public sector organizations.
Of those that were attacked, 55% of companies that had paid multiple times over the last 12 months found that in 15% of cases they did not receive decryption keys or received corrupted keys, with an additional 3% reporting that, although they received usable keys, the attackers had published or otherwise illegally used their stolen data even though they had said they would not.
The Semperis 2025 Ransomware Risk Report also found attackers using alarming tactics to pressure victims, including threat actors threatening physical harm to executives if ransomware demands were not met (in 40% of attacks), while in 47% of cases hackers threatened to file regulatory complaints against victims if they didn’t report the incident.
Looking at data from the US, UK, France, Germany, Spain, Italy, Singapore, Canada, Australia and New Zealand across a variety of industries, Semperis’ 2025 Global Ransomware Risk Report shows hackers are relentless and ransomware is still a global epidemic. Organizations in the UK are being targeted more than most other countries (84%), and around half of those attacks (49%) are successful.
While data erasure and release of sensitive data are the most common threats, 47% of attacked companies in the US, UK, France, Germany, Spain, Italy, Singapore, Canada, Australia and New Zealand also report that hackers threatened to file regulatory complaints against them if they didn’t report the incident.
Comparing results with last year’s ransomware study, Semperis found slight year-over-year decreases in companies paying ransoms. Still, 69% of companies that were victimized by ransomware paid a ransom (a drop of 10 percentage points). However, UK government and public sector organizations are alarmingly more likely to pay: an overwhelming 83% paid the ransom, ahead of the planned ransomware payment ban. Globally, 38% of companies paid multiple ransoms and 11% of companies paid three times or more.
Former US National Cyber Director and Semperis Strategic Advisor Chris Inglis says, “Now is not the time for complacency. True regret isn’t knowing what you should have done; it’s not having done what you knew was needed and had the means to do.”
“Paying ransoms should never be the default option,” says Mickey Bresman, CEO, Semperis. “While some circumstances might leave the company in a non-choice situation, we should acknowledge that it’s a downpayment on the next attack. Every dollar handed to ransomware gangs fuels their criminal economy, incentivizing them to strike again. The only real way to break the ransomware scourge is to invest in resilience, creating an option to not pay ransom.”
Semperis is committed to assisting global organizations in protecting their hybrid identity systems, such as Active Directory and Entra ID, from cyberattacks.