Sophos’ latest annual study explores the real-world ransomware experiences of 292 healthcare providers hit by ransomware in the past year. The report examines how the causes and consequences of these attacks have evolved over time. This year’s edition also sheds new light on previously unexplored areas, including the organizational factors that left providers exposed and the human toll ransomware takes on healthcare IT and cybersecurity teams.
Download the report to explore the full findings.
Exploited vulnerabilities and capacity challenges underpin the main root causes of attacks
For the first time in three years, healthcare providers identified exploited vulnerabilities as the most common technical root cause of attack, used in 33% of incidents. This overtakes credential-based attacks, which were the top reported root cause in 2023 and 2024.
Multiple organizational factors contribute to healthcare organizations falling victim to ransomware. The most common, named by 42% of victims, is a lack of people/capacity (i.e., an insufficient number of cybersecurity experts monitoring systems at the time of the attack). It is closely followed by known security gaps, which were a contributing factor in 41% of attacks.
Organizational root cause of attacks in healthcare
Data encryption sharply declines but extortion rates soar
Data encryption in the healthcare sector has dropped to its lowest level in five years, with only a third (34%) of attacks resulting in data being encrypted — the second lowest percentage recorded in this year’s survey and less than half the 74% reported by healthcare providers in 2024. In line with this trend, the percentage of attacks stopped before encryption reached a five-year high, indicating that healthcare organizations are strengthening their defenses.
However, adversaries are adapting: the proportion of healthcare providers hit by extortion-only attacks (where data wasn’t encrypted but a ransom was still demanded) tripled to 12% of attacks in 2025, from just 4% in 2022/3 – the highest rate reported in this year’s survey. This is likely due to the high sensitivity of medical data (patient records, etc.), which gives attackers leverage even without encryption.
Data encryption in healthcare | 2021 – 2025
Ransom payment rates decline while backup confidence slips
In 2025, just 36% of healthcare providers paid the ransom — down from 61% in 2022 — placing the sector among the four least likely to recover data this way. At the same time, backup use has also fallen (51%, down from 72%). Collectively, these findings point to stronger resistance to demands but possible weaknesses or a lack of confidence in backup resilience.
Recovery of encrypted data in healthcare | 2021 – 2025
Ransom demands, payments and attack recovery costs plummet
Healthcare ransomware economics shifted sharply in 2025, with ransom demands plummeting 91% to $343K (from $4M in 2024) and ransom payments dropping from $1.47M to just $150K — the lowest of any sector reported in this year’s survey. The decline reflects a steep fall in multimillion-dollar demands and payouts, though mid-range demands ($1M – $5M) and sub-$1M payments rose.
At the same time, the mean cost of recovery (excluding any ransoms paid) has fallen to its lowest point in three years, dropping by 60% over the past year to $1.02 million, down from $2.57 million in 2024. Collectively, the findings point to a sector that is harder to extract large sums from and more efficient in its recovery, even as smaller-value cases become more common.
Ransomware attacks bring significant pressure from senior leadership onto healthcare IT/cybersecurity teams
The survey makes clear that having data encrypted in a ransomware attack has significant repercussions for IT/cybersecurity teams in the healthcare sector, with increased pressure from senior leaders cited by 39% of respondents. Other repercussions include (but are not limited to):
- Increased anxiety or stress about future attacks — cited by 37%.
- A change of team priorities/focus — cited by 37%.
- Feelings of guilt that the attack was not stopped — cited by 32%.
Download the full report for more insights into the human and financial impacts of ransomware on the healthcare sector.
About the survey
The report is based on the findings of an independent, vendor-agnostic survey commissioned by Sophos of 3,400 IT/cybersecurity leaders across 17 countries in the Americas, EMEA, and Asia Pacific, including 292 from the healthcare sector. All respondents represent organizations with between 100 and 5,000 employees. The survey was conducted by research specialist Vanson Bourne between January and March 2025, and participants were asked to respond based on their experiences over the previous year.