Sophos, a global leader in cybersecurity solutions, has released its State of Ransomware in Healthcare 2025 report, highlighting notable improvements in the sector’s defenses against ransomware attacks. The survey, conducted with 292 IT and cybersecurity leaders across 17 countries, focused on healthcare organizations impacted by ransomware over the past year.

The findings indicate that healthcare providers are now recovering faster, with 58 percent able to restore operations within a week—more than double the 21 percent reported in 2024. Median ransom demands fell sharply by 91 percent to $345,000, while average recovery costs dropped to $1.02 million, the lowest in three years. Data encryption rates hit a five-year low at 34 percent, and only 36 percent of providers paid the ransom, down from 61 percent in 2022.
Exploited vulnerabilities emerged as the leading technical cause of attacks, responsible for 33 percent of incidents, followed by malicious emails (22 percent) and compromised credentials (18 percent). Organizational challenges, including insufficient cybersecurity personnel and unaddressed security gaps, contributed to 42 percent and 41 percent of attacks, respectively.
The State of Ransomware in Healthcare 2025 report also notes a decline in the severity of attacks. Data exfiltration occurred in 27 percent of encrypted incidents, but 97 percent of organizations successfully recovered their data. Use of backups to restore data decreased to 51 percent, reflecting growing confidence in alternative recovery methods. Ransom payments have shifted toward smaller amounts, with sub-$1 million payouts now representing 81 percent of payments, signaling that healthcare is becoming a tougher target for cybercriminals.

Recovery Times:
58 percent of healthcare organizations recovered within a week (2025), up from 21 percent in 2024.
Only 12 percent took 1–6 months to recover, down from 36 percent in 2024.
97 percent fully recovered within three months.

Ransom Demands and Payments:
Median ransom demand: $343K in 2025, down from $4M in 2024.
77 percent decrease in demands over $5M (from 34 percent to 8 percent).
Median ransom paid: $150K, down from $1.47M in 2024.
53 percent of organizations paid less than the initial demand; 22 percent matched it; 25 percent paid more.
Proportion of demand paid dropped to 85 percent in 2025 from 111 percent in 2024.

Data Encryption and Theft:
34 percent of ransomware attacks resulted in data encryption (5-year low).
27 percent of encrypted data incidents involved data exfiltration.
12 percent of attacks involved extortion without data encryption (tripled since 2023).
51 percent of incidents used backups to recover data, down from 72 percent in 2024.

Organizational and Human Factors:
Lack of cybersecurity personnel or capacity cited by 42 percent of victims.
Known security gaps contributed to 41 percent of attacks; unknown gaps 40 percent.
37 percent of IT/cybersecurity teams reported increased stress or anxiety.
32 percent experienced guilt or organizational changes; 31 percent had increased workload.
24 percent had staff absences due to stress; 19 percent saw leadership changes after attacks.

Industry Comparisons:
Lower education providers had the lowest data encryption rate (29 percent) and strongest early detection.
IT, tech, and telecom sectors had highest data theft when data was encrypted (42 percent).
Financial services and central/federal government faced only 2 percent extortion-only attacks.

Costs:
Average recovery cost (excluding ransom): $1.02M, down 60 percent from $2.57M in 2024.
Lower education providers had highest recovery costs at $2.28M; IT/tech and higher education lowest at $0.90M.

Despite these improvements, challenges remain. Extortion-only attacks, where data is stolen but not encrypted, have tripled to 12 percent of attacks. Workforce stress is a significant concern, with 37 percent of IT teams reporting increased anxiety about future attacks and nearly a quarter experiencing staff absences due to stress.
Alexandra Rose, Director of the Sophos Counter Threat Unit, said: “Nearly 60 percent of healthcare providers recovered within one week, reflecting real progress in preparedness and recovery planning. In a sector where downtime directly affects patient care, faster recovery is critical, but prevention remains the ultimate goal.”
The report recommends proactive vulnerability management, 24/7 threat detection and response, strong multi-factor authentication, robust phishing defenses, improved credential hygiene, and maintaining encrypted offline backups. Continuous cybersecurity training and staff readiness are also key to sustaining resilience.
Overall, the Sophos 2025 findings reveal that while ransomware continues to challenge healthcare providers, measurable progress in recovery speed, reduced ransom demands, and stronger defensive strategies indicate a sector increasingly capable of withstanding cyber threats.
Rajani Baburajan

