Healthcare organizations have experienced a marked shift in ransomware tactics during 2025, with data extortion emerging as a dominant threat vector and traditional encryption attacks declining significantly. According to Sophos’ State of Ransomware in Healthcare report, attackers have increasingly focused on the theft of sensitive medical data, leveraging its value to pressure providers without relying on the more complex encryption mechanisms used in previous years. The share of organizations subjected to extortion without encryption tripled to 12% of attacks, up from 4% in 2022/2023. Over the same period, data encryption fell to 34%, compared with 74% reported by providers in 2024.
Sophos analysts attributed the decrease in successful encryption events to strengthened defensive measures, noting that the percentage of attacks stopped before encryption reached a five-year high. However, adversaries have adapted to these improvements by shifting toward quicker, lower-effort extortion techniques. The report draws on responses from 292 IT and cybersecurity leaders across 17 countries whose organizations were hit by ransomware within the last year.
A decline in ransom payments also featured prominently in the 2025 landscape. Only 36% of providers paid a ransom, down from 61% in 2022, placing healthcare among the least likely sectors to use payments as a recovery mechanism. Backup use also fell to 51% from 72%, highlighting increased resistance to ransom demands but suggesting potential concerns about backup reliability.
Economic dynamics around ransomware shifted sharply as well. Average ransom demands dropped 91% to $343,000 from $4 million in 2024. Actual payments decreased from $1.47 million to $150,000, the lowest across all sectors surveyed. Sophos reported a steep decline in multimillion-dollar demands and payouts, with growth instead in mid-range demands and lower-value payments. The mean cost of recovery, excluding ransom, dropped 60% year over year to $1.02 million, down from $2.57 million.
The report also examined the underlying factors contributing to attacks. The most frequently cited issue was insufficient staffing, with 42% of organizations reporting a lack of cybersecurity personnel. Known security gaps contributed to 41% of incidents. For the first time in three years, exploited vulnerabilities became the most common technical root cause, involved in 33% of cases, surpassing credential-based attacks.
Sophos X-Ops observed activity from 88 distinct threat groups targeting healthcare organizations over the past year, naming GOLD FEATHER (Qilin), GOLD IONIC (INC Ransom), and GOLD HUBBARD (RansomHub) as prominent groups. Attack vectors included vulnerability exploitation, phishing, social engineering, brute force techniques, drive-by downloads, and stolen credentials.
“Healthcare continues to face steady and persistent ransomware activity. Over the past year, Sophos X-Ops identified 88 different groups targeting healthcare organizations, showing that even moderate levels of threat activity can have serious consequences. It’s also encouraging to see signs of stronger resilience. In the study, nearly 60% of providers reported they recovered within one week, up from just 21% last year, which reflects real progress in preparedness and recovery planning. In a sector where downtime directly affects patient care, faster recovery is critical, but prevention remains the ultimate goal,” said Alexandra Rose, director of the Sophos Counter Threat Unit (CTU), in a statement.