Sophos’ newest annual research explores the real-world ransomware experiences of 292 healthcare suppliers hit by ransomware prior to now 12 months. The report examines how the causes and penalties of those assaults have developed over time. This 12 months’s version additionally sheds new gentle on beforehand unexplored areas, together with the organizational elements that left suppliers uncovered and the human toll ransomware takes on retail IT and cybersecurity groups.
Obtain the report back to discover the complete findings →.
Exploited vulnerabilities and capability challenges underpin the primary root causes of assaults
For the primary time in three years, healthcare suppliers recognized exploited vulnerabilities as the commonest technical root reason for assault, utilized in 33% of incidents. This overtakes credential-based assaults, which have been the highest reported root trigger in 2023 and 2024.
A number of organizational elements contribute to retail organizations falling sufferer to ransomware, with the commonest being an absence of individuals/capability (i.e., an inadequate variety of cybersecurity specialists monitoring methods on the time of the assault) named by 42% of victims. It’s adopted in very shut succession by recognized safety gaps, which have been a contributing consider 41% of assaults.
Organizational root reason for assaults in healthcare
Knowledge encryption sharply declines however extortion charges soar
Knowledge encryption within the healthcare has dropped to its lowest degree in 5 years with solely a 3rd (34%) of assaults leading to knowledge being encrypted — the second lowest share recorded on this 12 months’s survey and fewer than half the 74% reported by healthcare suppliers in 2024. According to this development, the share of assaults stopped earlier than encryption reached a five-year excessive, indicating that healthcare organizations are strengthening their defenses.
Nevertheless, adversaries are adapting: The proportion of healthcare suppliers hit by extortion-only assaults (the place knowledge wasn’t encrypted however a ransom was nonetheless demanded) tripled to 12% of assaults in 2025 from simply 4% in 2022/3 – the very best price reported on this 12 months’s survey. That is seemingly because of the excessive sensitivity of medical knowledge (affected person data, and so forth.).
Knowledge encryption in healthcare | 2021 – 2025
Ransom fee charges decline whereas backup confidence slips
In 2025, simply 36% of healthcare suppliers paid the ransom — down from 61% in 2022 — inserting the sector among the many 4 least prone to get well knowledge this fashion. On the identical time, backup use has additionally fallen (51%, down from 72%). Collectively, these findings level to stronger resistance to calls for however doable weaknesses or a insecurity in backup resilience.
Restoration of encrypted knowledge in healthcare | 2021 – 2025
Ransom calls for, funds and assault restoration prices plummet
Healthcare ransomware economics shifted sharply in 2025, with ransom calls for plummeting 91% to $343K (from $4M in 2024) and ransom funds dropping from $1.47M to simply $150K — the bottom of any sector reported on this 12 months’s survey. The decline displays a steep fall in multimillion-dollar calls for and payouts, although mid-range calls for ($1M – $5M) and sub-$1M funds rose.
On the identical time, the imply price of restoration (excluding any ransoms paid) has fallen to its lowest level in three years, dropping by 60% over the previous 12 months to $1.02 million, down from $2.57 million in 2024. Collectively, the findings level to a sector that’s tougher to extract massive sums from and extra environment friendly in its restoration, whilst smaller-value circumstances turn out to be extra widespread.
Ransomware assaults place important strain on healthcare IT/cybersecurity groups from senior management
The survey makes clear that having knowledge encrypted in a ransomware assault has important repercussions for IT/cybersecurity groups within the retail sector, with elevated strain from senior leaders cited by 39% of respondents. Different repercussions embrace (however will not be restricted to):
- Elevated anxiousness or stress about future assaults — cited by 37%.
- A change of staff priorities/focus — cited by 37%.
- Emotions of guilt that the assault was not stopped — cited by 32%.
Obtain the complete report for extra insights into the human and monetary impacts of ransomware on the healthcare sector.
Concerning the survey
The report is predicated on the findings of an unbiased, vendor-agnostic survey commissioned by Sophos of three,400 IT/cybersecurity leaders throughout 17 nations within the Americas, EMEA, and Asia Pacific, together with 292 from the healthcare sector. All respondents characterize organizations with between 100 and 5,000 workers. The survey was carried out by analysis specialist Vanson Bourne between January and March 2025, and individuals have been requested to reply based mostly on their experiences over the earlier 12 months.
