Nearly half of companies in the UAE chose to pay ransoms to cybercriminals in 2024, according to Sophos’s sixth annual State of Ransomware report.
The cybersecurity firm’s vendor-agnostic survey of IT and cybersecurity leaders across 17 countries reveals that 43 per cent of UAE organisations with encrypted data paid the ransom, with the median payment reaching $1.33 million.
The report, which surveyed 3,400 IT and cybersecurity leaders in organisations hit by ransomware over the previous year, shows that 30 per cent of UAE companies that paid ransoms negotiated amounts lower than the initial demand.
Most UAE firms recover ransomware data
Globally, 71 per cent of companies that paid reduced amounts achieved this through negotiation, either independently or with third-party assistance.
“For many organisations, the chance of being compromised by ransomware actors is just a part of doing business in 2025,” said Chester Wisniewski, director of field CISO at Sophos. “The good news is that, thanks to this increased awareness, many companies are arming themselves with resources to limit damage.”
Exploited vulnerabilities emerged as the primary technical root cause of ransomware attacks in the UAE, accounting for 42 per cent of incidents. Malicious emails initiated 23 per cent of attacks, whilst compromised credentials were used in 18 per cent of cases.
The report highlights that 49 per cent of ransomware victims said adversaries exploited security gaps they were unaware of, demonstrating organisations’ ongoing struggle to identify and secure their attack surface.
Resource constraints affected 54 per cent of UAE organisations that fell victim to attacks, with one-third citing lack of expertise and 30 per cent reporting staff shortages.
The impact on data remains severe in the UAE, with 55 per cent of attacks successfully encrypting data, surpassing the global average of 50 per cent. In 43 per cent of these cases, data was also stolen, significantly higher than the global rate of 28 per cent.
Despite these challenges, 98 per cent of affected organisations recovered their data. Recovery methods included using backups (68 per cent of cases) and paying ransoms (43 per cent of cases).
Ransomware recovery costs below global average
Excluding ransom payments, the average cost for UAE organisations to recover from ransomware attacks reached $1.41 million, below the global average of $1.53 million. These costs encompass downtime, personnel time, device replacement, network restoration, and lost opportunities.
UAE organisations demonstrated swift recovery capabilities, with 63 per cent achieving full recovery within one week, notably above the global average of 53 per cent. Only 15 per cent required between one and six months to recover, below the global average of 18 per cent.
The attacks significantly affected cybersecurity personnel in organisations where data was encrypted. The survey found that 40 per cent reported increased pressure from senior leadership, whilst 37 per cent experienced increased workloads following attacks.
Stress levels rose substantially, with 42 per cent reporting increased anxiety about future attacks and 18 per cent experiencing team member absences due to stress or mental health issues.
Whilst median global ransom demands dropped by one-third between 2024 and 2025, median payments fell by 50 per cent, indicating companies’ growing success in minimising ransomware impact.
Ransom demands varied significantly based on organisation size, with companies exceeding $1 billion in revenue facing median demands of $5 million, whilst organisations with $250 million revenue or less saw median demands below $350,000.
Wisniewski emphasised that ransomware can be prevented by addressing root causes: “exploited vulnerabilities, lack of visibility into the attack surface, and too few resources.” He noted increasing adoption of Managed Detection and Response (MDR) services for defence.
Sophos recommends several practices to defend against ransomware:
- Eliminating common technical and operational root causes such as exploited vulnerabilities
- Ensuring all endpoints have dedicated anti-ransomware protection
- Maintaining tested incident response plans and regular backup restoration practices
- Implementing round-the-clock monitoring and detection capabilities
Follow us on
