Ransomware in healthcare drops sharply in 2025 but human toll grows — Sophos


Data encryption incidents dropped sharply to 34%, the lowest level in five years and less than half the rate reported in 2024.


Healthcare providers worldwide reported faster recovery times and lower financial losses from ransomware attacks in 2025, but the human and operational strain inside hospitals continues to intensify. The findings come from a global survey of 292 IT and cybersecurity leaders across 17 countries, conducted between January and March this year, showing a sector that is strengthening its defenses yet still facing relentless attacks.

For the first time in three years, exploited vulnerabilities emerged as the most common technical root cause of attacks, responsible for 33% of incidents. Malicious emails accounted for 22%, while attacks using compromised credentials declined significantly to 18% from 34% the previous year. Behind the technical failures, deeper structural issues continue to expose healthcare networks. A shortage of cybersecurity professionals was the leading operational factor, cited by 42% of respondents. Known security gaps followed at 41%, and unknown weaknesses at 40%, reflecting the combined pressure of outdated systems, staffing shortages and high patient-care demands.

Falling encryption rates and a rise in extortion

Data encryption incidents dropped sharply to 34%, the lowest level in five years and less than half the rate reported in 2024. Successful early detections rose to 53%, suggesting more attacks were stopped before significant damage occurred. Yet cybercriminals appear to be shifting tactics. Extortion-only attacks — where data is stolen but not encrypted — tripled to 12%, the highest across all sectors surveyed. Healthcare’s sensitive information, particularly medical records, is driving attackers toward data theft, with 27% of organizations that faced encryption also reporting exfiltration.

The financial burden of ransomware has changed dramatically. Median ransom demands fell from $4 million in 2024 to just $343,000 in 2025, a 91% decline. Median payments dropped from $1.47 million to $150,000, the lowest among all industries surveyed. The drop largely reflects a steep reduction in multimillion-dollar demands, alongside increasing resistance from victims. Only 36% of healthcare organizations that suffered encryption chose to pay, down from 61% in 2022, and more than half of those who paid managed to negotiate for a lower amount. Despite the shrinking payouts, activity from threat groups is increasing. Sophos X-Ops tracked 88 distinct ransomware groups targeting healthcare over the past year, including active clusters such as GOLD FEATHER (Qilin), GOLD IONIC (INC Ransom) and GOLD HUBBARD (RansomHub).

Faster recoveries but ongoing human impact

Healthcare providers are recovering faster than in previous years. Fifty-eight percent restored operations within one week of an attack, more than doubling last year’s 21%. Recovery costs fell to $1.02 million, marking a 60% year-on-year decline and the lowest figure in three years. However, backup usage dropped to 51%, its lowest rate in four years, suggesting the sector may be increasingly reliant on alternative methods and partial restorations. Even with these improvements, the human impact on IT and cybersecurity teams remains severe. Every organization that experienced encryption reported direct repercussions. Increased anxiety and stress were cited by 37% of teams, and 24% reported staff absences tied to mental health strain. Nearly one in five organizations replaced their cybersecurity leadership following an incident.

Healthcare organizations continue to operate in high-pressure environments where downtime directly affects patient care. While improved defenses, faster responses and lower ransom exposure are positive signs, the findings show a sector still strained by workforce shortages, persistent vulnerabilities and expanding attacker groups. Sophos recommends an increased focus on prevention through stronger security foundations, continuous monitoring and well-rehearsed incident response plans. The report notes that resilience is rising, but the long-term challenge remains the balance between operational demand, limited personnel and the evolving sophistication of ransomware actors.

by TechSabado.com editors