Sophos: The Shift in Cyber Attacks on Healthcare

Alexandra Rose, Director at Sophos Counter Threat Unit
New report from Sophos reveals extortion without encryption has tripled since 2023, whilst fewer healthcare organisations pay ransom demands

Healthcare providers are experiencing a notable shift in ransomware tactics, with attackers increasingly favouring data extortion over traditional encryption, according to the latest annual State of Ransomware in Healthcare report from Sophos.

The proportion of healthcare organisations subjected to extortion without file encryption has tripled since 2023, reaching the highest incidence recorded across all sectors surveyed.

Data encryption incidents have dropped to their lowest level in five years, now accounting for just 34% of ransomware attacks.

This change signals a shift in attacker strategy, leveraging the highly sensitive patient and operational data held by healthcare entities. By demanding ransom solely through the threat of data exposure, cybercriminals achieve considerable leverage with less technical effort.

Sophos has revealed its annual State of Ransomware in Healthcare report. Credit: Getty Images

The report analysed ransomware activity in healthcare over the past year, revealing persistent threats despite advancements in organisational resilience and incident response.

Healthcare organisations dramatically cut ransom payments

The share of healthcare providers paying ransoms has halved, plummeting from 61% in 2022 to 36% in 2025.

This nearly 50% reduction reflects growing adoption of alternative recovery methods and backup strategies.

Among those who did pay, more than half successfully negotiated reduced settlement amounts.

While ransom payments are falling, the overall financial burden remains high due to recovery costs, operational downtime, and resources required to restore critical healthcare systems and data.

About the ransomware groups targeting healthcare

Sophos X-Ops monitoring of leak sites over the last year uncovered 88 distinct ransomware groups actively pursuing healthcare targets. The most prevalent groups include GOLD FEATHER (Qilin), GOLD IONIC (INC Ransom) and GOLD HUBBARD (RansomHub).

Analysis of incident response data highlights exploited vulnerabilities as the primary attack vector, supplemented by phishing, social engineering, brute force attacks, drive-by downloads and stolen credentials. This array of entry points underscores the broad threat landscape facing healthcare networks.


Healthcare remains attractive to threat actors because of the critical nature of its data and services, which they believe pressures organisations into paying ransoms quickly.

How staffing shortages amplify cybersecurity challenges

A lack of personnel and capacity was identified by 42% of respondents as the leading factor behind ransomware success in healthcare. The shortfall in cybersecurity professionals available to monitor systems coincides with widespread healthcare staffing shortages.

The competition for skilled cybersecurity talent is intense, and healthcare organisations often struggle against better-funded commercial sectors, resulting in gaps that attackers exploit.


The human cost of these attacks is tangible: 37% of healthcare respondents reported elevated anxiety and stress about future attacks among staff, and nearly 25% recorded ransomware-related workforce absences. These issues compound ongoing retention challenges across the sector.

The resiliency of healthcare organisations

Nearly 60% of healthcare providers reported full recovery from ransomware attacks within one week, a substantial increase from 21% the previous year.

“Healthcare continues to face steady and persistent ransomware activity. Over the past year, Sophos X-Ops identified 88 different groups targeting healthcare organisations, showing that even moderate levels of threat activity can have serious consequences,” says Alexandra Rose, Director at Sophos Counter Threat Unit.

“It’s also encouraging to see signs of stronger resilience. In the study, nearly 60% of providers reported they recovered within one week, up from just 21% last year, which reflects real progress in preparedness and recovery planning. In a sector where downtime directly affects patient care, faster recovery is critical, but prevention remains the ultimate goal.”
