Ransomware Report Highlights Vulnerabilities in Healthcare Sector

The recent report by Sophos on the state of ransomware in healthcare for 2025 reveals a concerning shift in the dynamics of cyber attacks. According to the study, which surveyed 292 healthcare providers, exploited vulnerabilities have emerged as the leading technical cause of ransomware incidents, accounting for 33% of attacks. This change highlights the ongoing challenges faced by healthcare organizations as they strive to enhance their cybersecurity measures.

Shifting Causes of Ransomware Attacks

The findings indicate a significant evolution in both the technical and organizational factors that contribute to ransomware incidents. For the first time in three years, the report identifies exploited vulnerabilities as the most common technical root cause of attacks. This shift underscores the necessity for healthcare providers to fortify their defenses against such threats.

From an organizational perspective, the study found that 42% of victims cited a lack of personnel and capacity as the foremost factor contributing to attacks. This shortage of cybersecurity experts monitoring systems was closely followed by known security gaps, acknowledged by 41% of respondents as weaknesses they had not yet addressed.

Extortion Attacks on the Rise

Despite improvements in defenses against data encryption, the report indicates that adversaries are increasingly exploiting the sensitive nature of medical data. Notably, the rate of data encryption in ransomware incidents dropped to its lowest level in five years, with only 34% of attacks resulting in encrypted data, a significant decrease from a peak of 74% in 2024.

Conversely, extortion-only attacks—where data is stolen but not encrypted—have seen a striking increase. The proportion of healthcare providers affected by such attacks has tripled, rising to 12% in 2025.

The financial landscape of ransomware has also shifted dramatically, making it a more challenging environment for cybercriminals. The average ransom demand plummeted by 91% over the past year, dropping from $4 million in 2024 to just $343,000 in 2025. Similarly, the median ransom paid by healthcare organizations fell from $1.47 million to a mere $150,000, the lowest reported across all surveyed industries. Recovery costs also decreased significantly, with the mean recovery expense falling by 60% to $1.02 million, down from $2.57 million in 2024.

Impact on Healthcare Providers

The report emphasizes the human toll associated with ransomware incidents. Every healthcare provider that experienced data encryption reported direct repercussions for their IT and cybersecurity teams. Increased pressure from senior management was reported by 39% of respondents, while 37% expressed heightened anxiety regarding potential future attacks.

Despite these challenges, healthcare providers are demonstrating improved recovery capabilities. In 2025, 58% of organizations reported recovering from ransomware attacks within a week, a significant increase from just 21% in 2024. However, the use of backups to restore encrypted data has declined, falling to 51%—down from 72% in 2022. This trend raises concerns about the resilience of backup systems and the confidence organizations have in their recovery strategies.

The findings from the Sophos report highlight the evolving landscape of ransomware in healthcare. As organizations face increased pressure and shifting attack patterns, the need for robust cybersecurity measures and adequate staffing is more critical than ever.