
Three Out of Four Are Saying No

For years, the ransomware story has been relentlessly grim. Hospitals paralyzed. Schools shuttered. Businesses bankrupted. Every headline reinforced the same terrifying message: the criminals are winning, and there’s nothing you can do about it.

That story is no longer true. Things are getting better.

In the third quarter of 2025, incident response firm Coveware reported that only 23 percent of ransomware victims paid—the lowest rate ever recorded. That means more than three out of four organizations were able to restore operations and manage the crisis without funding the criminals.

This isn’t luck. It’s the result of organizations partnering with managed IT providers who implemented the fundamentals: tested backups, 24/7 monitoring, and incident response plans that actually work.


The Numbers Tell the Story

The ransomware economy is in serious trouble—and not because criminals stopped trying.

In Q3 2025, the average ransom payment dropped 66 percent from the previous quarter to $376,941. The median payment fell 65 percent to $140,000. For attacks involving only data theft—no encryption—the payment rate dropped to just 19 percent.

Blockchain analysis firm Chainalysis reported that total ransomware payments fell from $1.1 billion in 2023 to $813.6 million in 2024—a 35 percent drop. This happened even as the number of attacks increased. More victims, less money. The criminals’ business model is breaking.

Meanwhile, Sophos found that 97 percent of organizations whose data was encrypted were able to recover it. The days when encryption meant certain doom are ending—for organizations that prepared.

What Changed: The Rise of Managed Security


Three forces have converged to shift the balance of power—and all three point to the value of professional IT management.

Managed Backup and Disaster Recovery

For years, “we have backups” was the answer organizations gave when asked about ransomware resilience. The problem was that many of those backups didn’t actually work when needed. They were connected to the same network the ransomware encrypted. They hadn’t been tested. They couldn’t be restored quickly enough to matter.

Organizations working with managed IT providers changed that equation. Professional backup solutions include air-gapped storage, immutable backups that can’t be encrypted, and—crucially—regular restoration testing. When ransomware hits, these organizations can actually recover. The criminals’ leverage disappears.

This is exactly the kind of backup infrastructure that managed service providers have been building for clients for years. The organizations that listened are the ones refusing to pay today.
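As an added illustration of what “regular restoration testing” actually checks (example code written for this page, not code from the post or from centrexIT), the script below records a SHA-256 manifest at backup time, restores into a scratch directory, and reports files that are missing, altered, or unexpected. The file names and contents are constructed sample data, and the damaged file stands in for a restore that silently brought back an encrypted copy.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Record relative path -> digest for every file under root (captured at backup time)."""
    return {str(p.relative_to(root)): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest; a passing test has all three lists empty."""
    result: dict[str, list[str]] = {"missing": [], "corrupt": [], "unexpected": []}
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_of(p) != digest:
            result["corrupt"].append(rel)
    for p in restored.rglob("*"):
        rel = str(p.relative_to(restored))
        if p.is_file() and rel not in manifest:
            result["unexpected"].append(rel)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: back up two files, then restore where one file came back damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        dst = Path(tmp, "restored")
        src.mkdir()
        dst.mkdir()
        (src / "payroll.csv").write_text("emp,amount\n1,100\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")
        manifest = build_manifest(src)          # taken when the backup was made
        (dst / "payroll.csv").write_text("emp,amount\n1,100\n")   # restored intact
        (dst / "config.ini").write_bytes(b"\x00garbled")            # restored copy damaged
        return verify_restore(manifest, dst)    # {'missing': [], 'corrupt': ['config.ini'], 'unexpected': []}
```

A restoration test that only confirms the job “completed” would miss the damaged file; comparing against a manifest captured before the incident is what turns a backup into something an organization can rely on instead of a ransom payment.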

24/7 Monitoring and Early Detection

The average ransomware attack doesn’t announce itself. It starts with a quiet intrusion—a compromised credential, a phishing email that worked, an unpatched vulnerability. What happens next depends entirely on whether anyone is watching.

Organizations with 24/7 security monitoring—the kind provided by managed IT and security operations centers—catch attacks in hours instead of weeks. That’s the difference between a contained incident and a full-blown catastrophe. When you detect the intrusion before the ransomware deploys, you’ve already won.

Small and mid-sized businesses can’t staff a security operations center themselves. But they can partner with providers who do it for them.

Incident Response Planning That’s Actually Been Tested

When ransomware hits, the first 60 minutes determine everything. Who gets called? What gets shut down? Where are the backups? Who has authority to make decisions?

Organizations that work with managed IT providers have answers to these questions before they need them. They’ve documented their response plans. They’ve tested them. They know exactly what to do when the call comes at 3 AM—and they have a partner who answers that call.

There’s also growing awareness that paying rarely delivers what victims hope for. According to Halcyon’s Q4 2024 research, 84 percent of organizations that paid ransoms still failed to fully recover their data. The promise of “pay and get your data back” has proven to be largely false.

A State That Refused to Pay

In late 2024, the state of Nevada discovered that ransomware had infiltrated its systems. The attack had actually begun months earlier, when an employee accidentally downloaded malicious software. By the time it was discovered, the attackers had established a significant presence.

Nevada didn’t pay.

“Nevada’s teams protected core services, paid our employees on time, and recovered quickly—without paying criminals,” Governor Joe Lombardo said. “This is what disciplined planning, talented public servants, and strong partnerships deliver.”

The state spent approximately $1.5 million on recovery—real money, but a fraction of what ransom payments typically cost. More importantly, they didn’t fund the criminals who attacked them or paint a target on their back for future attacks.

This is what preparation looks like in practice. Not immunity from attack—that doesn’t exist—but the ability to survive without surrendering.

The Real Lesson

The organizations refusing to pay aren’t the ones with unlimited budgets or armies of in-house security staff. They’re the ones who partnered with the right IT providers and took the fundamentals seriously before the attack happened.

They implemented managed backup solutions that actually work—and tested them regularly. They invested in monitoring that catches threats around the clock. They built incident response plans with their IT partners and practiced them. They made the hard decisions about what systems were critical and how to protect them.

None of this is glamorous. It doesn’t make headlines until it saves an organization from disaster. But it’s the difference between being a victim who pays and a victim who recovers.

What This Means for Your Organization

The data is clear: preparation works. Organizations that invested in professional IT management and resilience are successfully refusing to pay ransoms. The criminals know this—which is why they’re increasingly targeting the organizations that haven’t prepared.

Ask yourself: If ransomware hit your systems tonight, would you have a choice? Or would paying be the only option?

If you’re not sure, that’s your answer.

The good news is that it’s not too late. The same investments that are helping organizations refuse to pay are available to you: managed backup with tested restoration, 24/7 monitoring, incident response planning. None of it requires building an in-house security team—just a decision to work with partners who take this seriously.

The tide is turning. The question is whether you’ll be ready to swim with it.

Take Our 2-Minute Security Assessment

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

centrexIT has helped organizations build ransomware resilience since 2002. If you want to be among the organizations that can refuse to pay, let’s find out where you stand.


Sources

Coveware: Q3 2025 Ransomware Report – Payment rate and payment amount statistics (October 2025)

Chainalysis: 2025 Crypto Crime Report – Annual ransomware payment totals (February 2025)

Sophos: The State of Ransomware 2025 – Recovery and encryption statistics

Halcyon: Q4 2024 Ransomware Report – Post-payment recovery statistics

SecurityWeek: “Ransomware Payments Dropped in Q3 2025: Analysis” (October 27, 2025)

Carrier Management: “Nevada Ransomware Attack” (November 2025)
