Spanish organizations seem to have taken a decisive turn in their ability to face ransomware: they now not only recover faster after an attack, but the associated costs have fallen in the last year. This is revealed by the latest report, The State of Ransomware 2025, prepared by Sophos.
Far from the generalized alarm that dominated the headlines in previous years, the study points to a positive evolution both in resilience and in the efficiency of the response. Almost half of the Spanish companies affected by ransomware managed to recover completely in less than a week, a remarkable leap from the 27% recorded in 2024. In addition, the average cost of recovery, excluding the ransom payment, has fallen by 66% to 1.15 million dollars.
The improvement in these indicators does not mean that the threat has disappeared. 30% of the attacks in Spain originated through exploited vulnerabilities, followed by the use of compromised credentials (21%) and malicious emails (17%). At the operational level, known security gaps (42%), a lack of personnel (41%) and a shortage of expertise (39%) appear as the main exposure factors.
“This year’s data shows that Spanish companies are improving their capacity for response and recovery against ransomware, even above the global average,” says Álvaro Fernández, sales director of Sophos Iberia. “However, the fact that almost four out of ten organizations continue paying ransoms indicates that there is still much to do.”
Fewer payments, more backups
One of the most substantial changes is the fall in ransom payments. Only 36% of Spanish companies ended up paying to recover their data, compared to 56% the previous year. In parallel, the use of backups is consolidating as a key strategy: 70% used them after an encryption incident, with a 64% success rate.
The decrease in the average ransom demand is equally significant. While in 2024 it was around 4.24 million dollars, in the last year it stood at around $911,600. And most importantly: the average amount actually paid fell to just $322,500, reflecting better preparation to negotiate or, directly, to resist the extortion.
The human price of ransomware
Beyond the financial damage, the emotional and organizational impact of ransomware continues to take its toll. In organizations that suffered encryption, 36% reported a sustained increase in workload, 33% said they experienced more anxiety about future attacks, and one in four reported sick leave or absences in their cybersecurity team.
Chester Wisniewski, Director, Field CTO at Sophos, highlights that “ransomware can still be ‘cured’ by addressing the root causes of attacks: exploited vulnerabilities, lack of visibility and shortage of resources.” He adds that many companies are turning to managed detection and response (MDR) services as a way to strengthen their cyber defense.
Towards a more mature defense
Faced with ransomware, Sophos underlines the importance of strengthening cyber defense in four key areas:
- Prevention: Reduce both the technical and operational causes of attacks, prioritizing vulnerability management and staff training. Tools such as Sophos Managed Risk can help companies assess their risk profile and minimize their exposure.
- Protection: Implement advanced endpoint and server protection solutions, including specific anti-ransomware technologies capable of stopping and rolling back encryption.
- Detection and response: Adopt a 24/7 detection and response strategy, either with internal resources or through collaboration with proven providers of managed detection and response (MDR) services.
- Planning and preparation: Have a well-tested incident response plan and robust backups, with regular recovery tests.