Sophos’ newest annual research explores the real-world ransomware experiences of 292 healthcare suppliers hit by ransomware previously 12 months. The report examines how the causes and penalties of those assaults have advanced over time. This 12 months’s version additionally sheds new gentle on beforehand unexplored areas, together with the organizational elements that left suppliers uncovered and the human toll ransomware takes on retail IT and cybersecurity groups.
Obtain the report back to discover the complete findings →.
Exploited vulnerabilities and capability challenges underpin the primary root causes of assaults
For the primary time in three years, healthcare suppliers recognized exploited vulnerabilities as the most typical technical root reason behind assault, utilized in 33% of incidents. This overtakes credential-based assaults, which have been the highest reported root trigger in 2023 and 2024.
A number of organizational elements contribute to retail organizations falling sufferer to ransomware, with the most typical being an absence of individuals/capability (i.e., an inadequate variety of cybersecurity consultants monitoring programs on the time of the assault) named by 42% of victims. It’s adopted in very shut succession by identified safety gaps, which have been a contributing consider 41% of assaults.
Organizational root reason behind assaults in healthcare
Knowledge encryption sharply declines however extortion charges soar
Knowledge encryption within the healthcare has dropped to its lowest stage in 5 years with solely a 3rd (34%) of assaults leading to knowledge being encrypted — the second lowest share recorded on this 12 months’s survey and fewer than half the 74% reported by healthcare suppliers in 2024. Consistent with this pattern, the share of assaults stopped earlier than encryption reached a five-year excessive, indicating that healthcare organizations are strengthening their defenses.
Nonetheless, adversaries are adapting: The proportion of healthcare suppliers hit by extortion-only assaults (the place knowledge wasn’t encrypted however a ransom was nonetheless demanded) tripled to 12% of assaults in 2025 from simply 4% in 2022/3 – the very best price reported on this 12 months’s survey. That is probably because of the excessive sensitivity of medical knowledge (affected person data, and so on.).
Knowledge encryption in healthcare | 2021 – 2025
Ransom cost charges decline whereas backup confidence slips
In 2025, simply 36% of healthcare suppliers paid the ransom — down from 61% in 2022 — putting the sector among the many 4 least prone to get better knowledge this manner. On the identical time, backup use has additionally fallen (51%, down from 72%). Collectively, these findings level to stronger resistance to calls for however doable weaknesses or a insecurity in backup resilience.
Restoration of encrypted knowledge in healthcare | 2021 – 2025
Ransom calls for, funds and assault restoration prices plummet
Healthcare ransomware economics shifted sharply in 2025, with ransom calls for plummeting 91% to $343K (from $4M in 2024) and ransom funds dropping from $1.47M to only $150K — the bottom of any sector reported on this 12 months’s survey. The decline displays a steep fall in multimillion-dollar calls for and payouts, although mid-range calls for ($1M – $5M) and sub-$1M funds rose.
On the identical time, the imply value of restoration (excluding any ransoms paid) has fallen to its lowest level in three years, dropping by 60% over the previous 12 months to $1.02 million, down from $2.57 million in 2024. Collectively, the findings level to a sector that’s tougher to extract giant sums from and extra environment friendly in its restoration, whilst smaller-value instances turn out to be extra widespread.
Ransomware assaults place important strain on healthcare IT/cybersecurity groups from senior management
The survey makes clear that having knowledge encrypted in a ransomware assault has important repercussions for IT/cybersecurity groups within the retail sector, with elevated strain from senior leaders cited by 39% of respondents. Different repercussions embrace (however aren’t restricted to):
- Elevated anxiousness or stress about future assaults — cited by 37%.
- A change of group priorities/focus — cited by 37%.
- Emotions of guilt that the assault was not stopped — cited by 32%.
Obtain the complete report for extra insights into the human and monetary impacts of ransomware on the healthcare sector.
In regards to the survey
The report is predicated on the findings of an unbiased, vendor-agnostic survey commissioned by Sophos of three,400 IT/cybersecurity leaders throughout 17 nations within the Americas, EMEA, and Asia Pacific, together with 292 from the healthcare sector. All respondents symbolize organizations with between 100 and 5,000 workers. The survey was carried out by analysis specialist Vanson Bourne between January and March 2025, and individuals have been requested to reply primarily based on their experiences over the earlier 12 months.
