A new study has found that 41% of ransomware victims who paid the ransom were unable to recover their data because the decryption key did not work. And that is not the only problem: even when a decryption key does work, victims may still be unable to recover all of their data.
This finding comes from Hiscox’s “Cyber Readiness Report 2025”, based on interviews with 5,750 organizations across seven countries. Of those surveyed, 27% reported having suffered a ransomware attack within the past 12 months.
According to the report, 60% of organizations that paid the ransom were able to recover some or all of their data, while 41% said that although they received a decryption key, they still needed to rebuild their systems.
But the situation gets even worse.
The survey revealed that 31% of victims who paid the ransom were subsequently asked to make additional payments by the attackers. Furthermore, 27% of organizations that paid the ransom were attacked again later, although not necessarily by the same attackers.
Hiscox commented:
“No company wants to reward malicious actors who have taken its data hostage. However, when faced with a ransomware attack, organizations often do whatever they can to recover what may be lost — and that sometimes includes paying the ransom if demanded.”
However, the report also stresses that “paying the ransom does not necessarily solve the problem.”
IoT Devices Identified as the Most Common Attack Vector
The report found that exploited vulnerabilities remain the main initial point of intrusion. Among them, Internet of Things (IoT) devices owned by organizations were the most common entry vector (33%), followed by supply chain vulnerabilities (28%) and cloud-based corporate servers (27%).
In addition, 15% of organizations reported that AI tools or software served as the initial entry point for attackers.
The report also found that once an organization suffers a cyberattack — ransomware or otherwise — it faces a heightened risk of being attacked multiple times afterward.
Among those surveyed, 59% had experienced at least one cyberattack in the past year. Larger and higher-revenue organizations were more likely to face repeat attacks:
・Companies with annual revenue above $1 million were attacked an average of six times in the past year.
・Those earning less than $1 million experienced an average of four attacks.
By organization size, companies with 50–249 employees were attacked an average of seven times, compared to five times for those with 11–49 employees.
The most frequently targeted organizations were nonprofits, experiencing an average of eight attacks per year, while chemical, real estate, and media organizations averaged just three.
Growing Calls for Mandatory Disclosure of Ransom Payments
The report also highlights new legislation in Australia requiring companies to disclose the amount of ransom payments made to attackers.
While 71% of respondents believe such disclosure should be mandatory, 53% argue that private companies should not be subject to mandatory reporting.
Despite the grim picture of current cybersecurity defenses, there is some optimism:
83% of respondents said their organization’s cyber resilience has improved over the past 12 months.
