How healthcare ransomware attacks are shifting in 2025


Healthcare organizations are facing evolving ransomware tactics as data extortion attacks are on the rise. Cyber attackers are taking advantage of the sensitive data held by healthcare providers to launch quicker and easier attacks, according to Sophos, a cybersecurity software and security services company.

Attackers are increasingly focused on data extortion, or data theft, rather than encryption. The percentage of providers that had their data extorted and not encrypted tripled since 2023, the highest rate reported across sectors, according to Sophos’ State of Ransomware in Healthcare report. Data encryption fell to the lowest level in five years, to just 34%. That means only a third of attacks resulted in data being encrypted, less than half the 74% reported by healthcare providers in 2024.

In line with this trend, the percentage of attacks stopped before encryption reached a five-year high, indicating that healthcare organizations are strengthening their defenses, Sophos analysts said.

But adversaries are also adapting. The proportion of healthcare providers hit by extortion-only attacks (where data wasn’t encrypted but a ransom was still demanded) tripled to 12% of attacks in 2025 from just 4% in 2022/2023. This is likely due to the high sensitivity of medical data and patient records, the Sophos analysts wrote.

The report’s findings are based on the real-world frontline experiences of 292 IT and cybersecurity leaders from the healthcare sector, across 17 countries whose organizations were hit by ransomware in the last year.

The analysis found that the rate of healthcare organizations paying ransoms has declined sharply. In 2025, just 36% of healthcare providers paid the ransom — down from 61% in 2022 — placing the sector among the four least likely to recover data this way. At the same time, backup use has also fallen (51%, down from 72%). Collectively, these findings point to stronger resistance to demands but possible weaknesses or a lack of confidence in backup resilience.

Healthcare ransomware economics also shifted sharply in 2025, with ransom demands plummeting 91% to $343,000, compared to $4 million in 2024. Ransom payments dropped from $1.47 million to just $150,000 — the lowest of any sector reported in this year’s survey, Sophos said.

The decline reflects a steep fall in multimillion-dollar demands and payouts, though mid-range demands ($1 million – $5 million) and sub-$1 million payments rose, the report found.

The mean cost of recovery, excluding any ransoms paid, also has fallen to its lowest point in three years, dropping by 60% over the past year to $1.02 million, down from $2.57 million in 2024. 

“Collectively, the findings point to a sector that is harder to extract large sums from and more efficient in its recovery, even as smaller-value cases become more common,” the Sophos analysts wrote.

Multiple factors contribute to healthcare providers falling victim to ransomware, the Sophos report found. The most common (42%) is a lack of people and capacity, as many healthcare organizations reported having an insufficient number of cybersecurity experts monitoring systems at the time of an attack. It is followed closely by known security gaps, which were a contributing factor in 41% of attacks.

For the first time in three years, healthcare providers identified exploited vulnerabilities as the most common technical root cause of attack, used in 33% of incidents. This overtakes credential-based attacks, which were the top reported root cause in 2023 and 2024.

Over the past twelve months, Sophos X-Ops has observed ransomware activity across leak sites and found that 88 distinct threat groups targeted healthcare organizations. The most prominent groups targeting healthcare organizations, based on leak site observations, are GOLD FEATHER (Qilin), GOLD IONIC (INC Ransom) and GOLD HUBBARD (RansomHub). Sophos Incident Response and MDR cases reveal vulnerability exploitation as a primary vector, in addition to the following: phishing, social engineering, brute force, drive-by downloads and stolen credentials.

“Healthcare continues to face steady and persistent ransomware activity. Over the past year, Sophos X-Ops identified 88 different groups targeting healthcare organizations, showing that even moderate levels of threat activity can have serious consequences. It’s also encouraging to see signs of stronger resilience. In the study, nearly 60% of providers reported they recovered within one week, up from just 21% last year, which reflects real progress in preparedness and recovery planning. In a sector where downtime directly affects patient care, faster recovery is critical, but prevention remains the ultimate goal,” said Alexandra Rose, director of the Sophos Counter Threat Unit (CTU), in a statement. 
