IT and cybersecurity leaders cite workforce capacity gaps and known security weaknesses as key contributors to attacks.
Sophos’ latest annual report explores the real-world ransomware experiences of 292 healthcare providers hit by ransomware in the past year. The report examines how the causes and consequences of these attacks have evolved over time.Â
This year’s edition also sheds new light on previously unexplored areas, including the organizational factors that left providers exposed and the human toll ransomware takes on IT and cybersecurity teams.
“Healthcare continues to face steady and persistent ransomware activity. Over the past year, Sophos X-Ops identified 88 different groups targeting healthcare organizations, showing that even moderate levels of threat activity can have serious consequences,” says Alexandra Rose, director of Sophos Counter Threat Unit. “It’s also encouraging to see signs of stronger resilience. In the study, nearly 60% of providers reported they recovered within one week, up from just 21% last year, which reflects real progress in preparedness and recovery planning. In a sector where downtime directly affects patient care, faster recovery is critical, but prevention remains the ultimate goal.” Â
Exploited Vulnerabilities and Capacity Challenges Underpin the Main Root Causes of Attacks
For the first time in three years, healthcare providers identified exploited vulnerabilities as the most common technical root cause of attack, used in 33% of incidents. This overtakes credential-based attacks, which were the top reported root cause in 2023 and 2024.
Multiple organizational factors contribute to healthcare providers falling victim to ransomware, with the most common being a lack of people/capacity (ie, an insufficient number of cybersecurity experts monitoring systems at the time of the attack) named by 42% of victims. It is followed in very close succession by known security gaps, which were a contributing factor in 41% of attacks.
Organizational root cause of attacks in healthcare. Graphic provided: Sophos
Data Encryption Sharply Declines, but Extortion Rates Soar
Data encryption in healthcare has dropped to its lowest level in five years, with only a third (34%) of attacks resulting in data being encrypted—the second lowest percentage recorded in this year’s survey and less than half the 74% reported by healthcare providers in 2024. In line with this trend, the percentage of attacks stopped before encryption reached a five-year high, indicating that healthcare organizations are strengthening their defenses.
However, adversaries are adapting: The proportion of healthcare providers hit by extortion-only attacks (where data wasn’t encrypted but a ransom was still demanded) tripled to 12% of attacks in 2025 from just 4% in 2022/3 – the highest rate reported in this year’s survey. This is likely due to the high sensitivity of medical data (patient records, etc.).
Ransom Payment Rates Decline While Backup Confidence Slips
In 2025, just 36% of healthcare providers paid the ransom—down from 61% in 2022—placing the sector among the four least likely to recover data this way. At the same time, backup use has also fallen (51%, down from 72%). Collectively, these findings point to stronger resistance to demands but possible weaknesses or a lack of confidence in backup resilience.
Recovery of encrypted data in healthcare | 2021 – 2025. Graphic provided: Sophos
Ransom Demands, Payments, and Attack Recovery Costs Plummet
Healthcare ransomware economics shifted sharply in 2025, with ransom demands plummeting 91% to $343K (from $4M in 2024) and ransom payments dropping from $1.47M to just $150K—the lowest of any sector reported in this year’s survey. The decline reflects a steep fall in multimillion-dollar demands and payouts, though mid-range demands ($1M – $5M) and sub-$1M payments rose.
At the same time, the mean cost of recovery (excluding any ransoms paid) has fallen to its lowest point in three years, dropping by 60% over the past year to $1.02 million, down from $2.57 million in 2024. Collectively, the findings point to a sector that is harder to extract large sums from and more efficient in its recovery, even as smaller-value cases become more common.
Ransomware Attacks Place Significant Pressure on Healthcare IT/Cybersecurity Teams from Senior Leadership
The survey makes clear that having data encrypted in a ransomware attack has significant repercussions for IT/cybersecurity teams in the retail sector, with increased pressure from senior leaders cited by 39% of respondents. Other repercussions include (but are not limited to):
- Increased anxiety or stress about future attacks—cited by 37%.
- A change of team priorities/focus—cited by 37%.
- Feelings of guilt that the attack was not stopped—cited by 32%.
ID 316214927 © Andrey Popov | Dreamstime.com
