Sophos’ newest annual research explores the real-world ransomware experiences of 292 healthcare suppliers hit by ransomware up to now yr. The report examines how the causes and penalties of those assaults have advanced over time. This yr’s version additionally sheds new gentle on beforehand unexplored areas, together with the organizational elements that left suppliers uncovered and the human toll ransomware takes on retail IT and cybersecurity groups.
Obtain the report back to discover the complete findings →.
Exploited vulnerabilities and capability challenges underpin the principle root causes of assaults
For the primary time in three years, healthcare suppliers recognized exploited vulnerabilities as the most typical technical root explanation for assault, utilized in 33% of incidents. This overtakes credential-based assaults, which had been the highest reported root trigger in 2023 and 2024.
A number of organizational elements contribute to retail organizations falling sufferer to ransomware, with the most typical being an absence of individuals/capability (i.e., an inadequate variety of cybersecurity specialists monitoring methods on the time of the assault) named by 42% of victims. It’s adopted in very shut succession by recognized safety gaps, which had been a contributing consider 41% of assaults.
Organizational root explanation for assaults in healthcare
Information encryption sharply declines however extortion charges soar
Information encryption within the healthcare has dropped to its lowest stage in 5 years with solely a 3rd (34%) of assaults leading to information being encrypted — the second lowest proportion recorded on this yr’s survey and fewer than half the 74% reported by healthcare suppliers in 2024. In keeping with this pattern, the proportion of assaults stopped earlier than encryption reached a five-year excessive, indicating that healthcare organizations are strengthening their defenses.
Nevertheless, adversaries are adapting: The proportion of healthcare suppliers hit by extortion-only assaults (the place information wasn’t encrypted however a ransom was nonetheless demanded) tripled to 12% of assaults in 2025 from simply 4% in 2022/3 – the very best charge reported on this yr’s survey. That is possible as a result of excessive sensitivity of medical information (affected person information, and so forth.).
Information encryption in healthcare | 2021 – 2025
Ransom cost charges decline whereas backup confidence slips
In 2025, simply 36% of healthcare suppliers paid the ransom — down from 61% in 2022 — inserting the sector among the many 4 least more likely to get well information this manner. On the identical time, backup use has additionally fallen (51%, down from 72%). Collectively, these findings level to stronger resistance to calls for however attainable weaknesses or a insecurity in backup resilience.
Restoration of encrypted information in healthcare | 2021 – 2025
Ransom calls for, funds and assault restoration prices plummet
Healthcare ransomware economics shifted sharply in 2025, with ransom calls for plummeting 91% to $343K (from $4M in 2024) and ransom funds dropping from $1.47M to simply $150K — the bottom of any sector reported on this yr’s survey. The decline displays a steep fall in multimillion-dollar calls for and payouts, although mid-range calls for ($1M – $5M) and sub-$1M funds rose.
On the identical time, the imply value of restoration (excluding any ransoms paid) has fallen to its lowest level in three years, dropping by 60% over the previous yr to $1.02 million, down from $2.57 million in 2024. Collectively, the findings level to a sector that’s tougher to extract massive sums from and extra environment friendly in its restoration, at the same time as smaller-value circumstances grow to be extra frequent.
Ransomware assaults place vital stress on healthcare IT/cybersecurity groups from senior management
The survey makes clear that having information encrypted in a ransomware assault has vital repercussions for IT/cybersecurity groups within the retail sector, with elevated stress from senior leaders cited by 39% of respondents. Different repercussions embody (however will not be restricted to):
- Elevated anxiousness or stress about future assaults — cited by 37%.
- A change of workforce priorities/focus — cited by 37%.
- Emotions of guilt that the assault was not stopped — cited by 32%.
Obtain the complete report for extra insights into the human and monetary impacts of ransomware on the healthcare sector.
Concerning the survey
The report is predicated on the findings of an impartial, vendor-agnostic survey commissioned by Sophos of three,400 IT/cybersecurity leaders throughout 17 nations within the Americas, EMEA, and Asia Pacific, together with 292 from the healthcare sector. All respondents characterize organizations with between 100 and 5,000 staff. The survey was carried out by analysis specialist Vanson Bourne between January and March 2025, and members had been requested to reply based mostly on their experiences over the earlier yr.
