Ransomware in the healthcare sector: Extortion at all-time high, ransom demands down, stress among teams

In its latest annual study, "State of Ransomware Healthcare 2025", cyber security provider Sophos examined the experiences of 292 healthcare providers worldwide with ransomware. The report sheds light on the causes, consequences and development of these attacks.

According to a study by Sophos, the healthcare sector is an increasingly frequent target of ransomware attacks. (Image: Depositphotos.com)

The healthcare sector is a recurring target of cyberattacks, partly because the sensitivity of its data and its dependence on uninterrupted 24/7 operation allow cybercriminals to demand high ransom and extortion sums. Reason enough for the IT security service provider Sophos to compile the annual "State of Ransomware Healthcare 2025" report. The results of the study are alarming: exploited vulnerabilities are the most common cause of attacks, and the number of extortions is at an all-time high. The study is based on the results of an independent survey conducted on behalf of Sophos among 3,400 IT/cybersecurity executives in 17 countries in the Americas, EMEA and Asia Pacific, including 292 from the healthcare sector.

Vulnerabilities and capacity issues are the main causes of attacks

For the first time in three years, respondents in the healthcare sector named exploited vulnerabilities as the most common technical cause of attacks (33%). This type of attack thus overtakes attacks based on compromised credentials (18%), which were the most common cause in 2023 and 2024.

Several organizational factors contribute to healthcare providers falling victim to ransomware. The most common reason, cited in 42 percent of cases, is a lack of staff or an insufficient number of cyber security experts monitoring systems at the time of the attack. This is closely followed by known but unpatched security vulnerabilities, which played a role in 41% of attacks.

Data encryption at five-year low, attacks stopped at five-year high

Encryption of healthcare data by cybercriminals has fallen to its lowest level in five years. Only 34 percent of attacks resulted in data being encrypted, the second-lowest figure of any sector in this year's survey and less than half the 74 percent recorded in 2024. At the same time, the proportion of attacks that were stopped before encryption reached a five-year high of 53 percent. This suggests that healthcare organizations are stepping up their defenses.

Extortion at an all-time high

However, attackers are adapting: the proportion of healthcare organizations affected by pure extortion attacks, in which no data was encrypted but a ransom was nevertheless demanded, tripled from just 4 percent in 2022/23 to 12 percent. This is the highest figure ever recorded in the study, presumably because medical data (e.g. patient data) is particularly sensitive.

Ransom payments fall, trust in backups dwindles

In 2025, only 36% of healthcare organizations paid the ransom demanded. This is a significant decline; in 2022, for example, the figure was still 61 percent. Healthcare is thus one of the four sectors least likely to recover its data by paying a ransom. At the same time, the use of backups for data recovery after an attack also fell, to 51 percent. This could indicate greater resilience, but also a lack of confidence in the resilience of backups.

Ransom demands, payments and recovery costs fall drastically

The level of ransoms in the healthcare sector has changed drastically:

  • The average ransom demand fell by 91 percent to 295,000 euros, compared to 3.4 million euros in the previous year's study.
  • The amounts actually paid fell from just under 1.5 million euros to only 129,000 euros. This is the lowest figure of all the sectors included in the study.

The decline reflects a sharp drop in demands and payments in the multi-million euro range. At the same time, demands in the mid-range of EUR 860,000 to 4.3 million increased.

Average recovery costs (excluding ransom payments) are at their lowest level in three years, falling by 60 percent to around 877,000 euros, compared to around 2.2 million euros in last year's study. Overall, the results indicate a more robust and efficient healthcare system that is more difficult to exploit, even if smaller cases are more common.

Pressure from management, fear, stress, feelings of guilt 

The survey also makes it clear that the encryption of data in a ransomware attack has a significant impact on cyber security teams in the healthcare sector. 39% of respondents stated that pressure from senior management has increased. Other impacts include increased anxiety or stress about future attacks (37%), changes in priorities or focus (37%) and feelings of guilt at not having been able to prevent the attack (32%).

Source: Sophos

This article originally appeared on m-q.ch - https://www.m-q.ch/de/ransomware-im-gesundheitswesen-erpressungen-auf-hoechststand-loesegeldforderungen-gesunken-stress-bei-den-teams/
