According to UK-based cybersecurity firm Sophos’ annual “State of Ransomware” study, ransomware attacks are happening more often, succeeding more often and costing more.

Last year, ransomware attacks hit 66% of organizations surveyed by Sophos, up sharply from 37% in 2020. Adversaries succeeded in encrypting data in 65% of attacks in 2021, up from 54% in 2020.

What’s more, the average ransom payment almost quintupled last year to $812,360, versus $170,000 in 2020. That’s driven upward by the 11% of organizations who said they paid ransoms of $1 million or more, up from 4% in 2020. But the share of organizations paying less than $10,000 shrank as well, to 21% from 34% in 2020.

The ransomware threat is worsening in part because hacker gangs are stepping up their game, Sophos senior threat researcher Sean Gallagher told Dark Reading. “Over the past couple of years, there has been a massive transition from ransomware to ransomware-as-a-service,” Gallagher said. “There are very well-established [groups] that are doing these attacks, and as a result, the number of attacks companies are seeing has gone up.”

Of organizations who said their data was encrypted in an attack, 46% said they paid the ransom to retrieve their data. And 26% said they paid a ransom despite being able to restore the data from backups.

Sophos principal research scientist Chester Wisniewski told CNET that companies may choose to pay up because their backups aren’t complete or because they don’t want hackers leaking their data. He added that paying hackers to decrypt the data carries the risks of backdoors being added or passwords copied.

The study is based on contributions from 5,600 IT professionals across 31 countries. Details on ransom payments made came from 965 participants.