Approximately half of the companies that paid a ransom to hackers last year ended up paying less than the criminals originally asked for, according to new Sophos data. That’s good news for companies worried about devastating losses from data-encrypting ransomware attacks.

Even if hackers are getting paid less, they’re still getting paid. Half of the 3,400 IT and cybersecurity leaders surveyed — all of whom faced ransomware attacks in the last year — said their companies paid hackers a ransom. Law enforcement and security experts warn that paying hackers could further embolden them. It’s also not a guarantee that hackers will follow through with their promises to decrypt systems or delete stolen data.

3% of ransomware victims said their companies ultimately ended up paying less than the initial asking price. The median ransom demand dropped by one-third to about $1.3 million last year, down from $2 million the previous year. Meanwhile, the median ransom payment was cut in half in the last year, according to the data. Companies paid a median of $1 million, down from $2 million.

Organizations bringing in more than $5 billion in annual revenue faced steeper price tags: their average ransom demand was about $5.5 million.

Of the companies that paid less, 47% said they did so by actively negotiating with the hackers. Another 45% said the attackers also reduced their demands due to external pressures, such as law enforcement actions and bad press.

The percentage of companies that recovered from a ransomware attack after just one week grew to 53%, up from 35% in the previous year’s data.