Healthcare ransomware payments fall sharply as attackers shift to data theft
Hospitals may be seeing fewer screens locked by ransomware this year, but the threat is getting harder to manage. Attackers are breaking in through unpatched systems, stealing sensitive patient information, and turning to smaller, faster extortion demands, according to a new Sophos analysis.
The 2025 edition of the company’s annual survey tracks 292 healthcare organizations worldwide and offers one of the clearest snapshots yet of how ransomware is evolving. Attackers are now exploiting unpatched systems and prioritizing rapid data theft over the slower, riskier process of encryption.
Vulnerabilities drive a new wave of attacks
One of the clearest shifts in this year’s report is the rise of exploited software vulnerabilities as the top cause of attacks. Sophos found that vulnerabilities were responsible for 33 percent of healthcare ransomware incidents. Many hospitals and clinics continue to rely on legacy systems that cannot be easily patched or removed from service without affecting patient care, allowing vulnerabilities to linger for months, sometimes years.
Industry-wide data supports this trend. The 2025 Verizon Data Breach Investigations Report noted a sharp rise in vulnerability exploitation across multiple sectors following several well-publicized zero-day incidents. Verizon found that attackers have increasingly automated the process of scanning for exposed systems and weaponizing new flaws within hours. Healthcare is particularly exposed because many organizations maintain complex networks made up of older operating systems, highly customized clinical applications, and medical devices that depend on outdated software and cannot tolerate frequent updates.
Security researchers have also highlighted the role of widely used third-party tools that become single points of failure when vulnerabilities emerge. Sophos did not cite specific incidents, but the broader pattern resembles recent attacks in which file-transfer tools, remote-monitoring utilities, or access-management platforms were compromised and then used to infiltrate multiple organizations at once. For hospital systems that share vendors or cloud services, these attacks can cascade across networks before local security teams have time to respond.
Encryption declines as attackers shift toward data theft
The Sophos report shows that attackers are encrypting data far less than before. Only 34 percent of healthcare victims experienced encryption this year, down sharply from 74 percent in 2024 and the lowest rate the industry has seen in five years. The decline suggests a meaningful pivot away from locking systems and toward stealing information directly, which reflects a broad shift in attacker strategy.
Encryption takes time and can trigger alerts as attackers move laterally across networks. Data theft, by contrast, can be rapid and difficult to detect. In healthcare, the value of the data itself reinforces the trend. Medical records can be used for tax fraud, insurance fraud, account takeovers, and targeted scams, making them more valuable on criminal marketplaces than credit card numbers.
Extortion-only attacks have grown rapidly. These incidents, in which data is stolen but operations continue uninterrupted, have tripled since 2023 and now represent 12 percent of healthcare ransomware cases. Sophos reports that this is the highest rate of any sector in the study.
The Department of Health and Human Services’ breach portal shows a similar national trend. Since 2020, the proportion of hacking incidents involving theft or exposure rather than encryption has steadily increased, particularly in events tied to third-party vendors or cloud-managed file-transfer tools.
Ransom payments and recovery costs continue to fall
While attacker tactics are becoming more varied, the financial dynamics of ransomware are moving in the opposite direction, and healthcare had the lowest ransom payments of any sector included in the report. The average ransom demand in healthcare fell dramatically from $4 million in 2024 to $343,000 in 2025, according to Sophos. Actual payments also dropped, averaging $150,000 compared with $1.47 million the previous year.
The decline in payments may reflect several overlapping trends. More healthcare organizations have adopted policies discouraging payment, and insurers have placed stricter conditions on reimbursement. Law enforcement agencies have also become more vocal in urging organizations not to pay.
Only 36 percent of healthcare organizations that experienced encryption reported paying a ransom this year, compared with up to 61 percent in past Sophos surveys. While encryption events are less common, the drop in payment rate suggests a broader shift in organizational posture.
Recovery costs have moved in a similar direction. Excluding ransom payments, the average cost of recovery fell to approximately $1.02 million, the lowest level in three years, down from $2.57 million in 2024. Sophos notes that many organizations restored operations more quickly, though fewer relied on backups: only 51 percent restored data using backups, compared with 72 percent in prior years. The decrease may reflect the rise in extortion-only attacks or the growing use of cloud replicas and vendor-assisted rebuilds.
Delaying defense is riskier than ever
The overall threat picture remains complex. Federal breach data from the Office for Civil Rights shows that hacking incidents now dominate reporting and often involve multiple stages of compromise through third-party vendors, cloud services, or shared infrastructure that individual organizations struggle to control.
Hospitals and clinics face different risks depending on their size. Smaller facilities may benefit from reduced recovery costs and lower ransom demands, but they also have limited staff to monitor for silent data exfiltration. Meanwhile, larger systems operate sprawling networks where vulnerabilities accumulate quickly and lateral movement can be difficult to detect. Verizon’s 2025 analysis found that even mature organizations often struggle to identify early signs of compromise before attackers steal data.
Security strategies will need to evolve as ransomware continues to shift from encryption to data exploitation. Strengthening patch management, modernizing asset inventories, restricting privileged access, and preparing for extortion events that involve no encryption are becoming essential parts of a modern defense. Sophos emphasizes that ransomware is now part of a broader and more fluid ecosystem of data-driven threats, and healthcare organizations must adapt as quickly as their attackers.