Sophos: Healthcare Ransomware Attacks Shift to Data Theft

Alexandra Rose, Director CTU Threat Research at Sophos
New report from Sophos reveals extortion without encryption has tripled since 2023, whilst fewer healthcare organisations pay ransom demands

Healthcare providers are facing a shift in ransomware tactics as attackers increasingly focus on data extortion rather than encryption, according to Sophos’ annual State of Ransomware in Healthcare report. The percentage of providers that had their data extorted without encryption has tripled since 2023, the highest rate reported across any sector surveyed.

Data encryption has fallen to its lowest level in five years, reaching just 34% of incidents. The findings point to a change in attacker behaviour, with cybercriminals taking advantage of the sensitive patient and operational data held by healthcare organisations to launch attacks that require less technical effort whilst still generating significant leverage for extortion.

Sophos has revealed its annual State of Ransomware in Healthcare report. Credit: Getty Images

The report examined ransomware activity across the healthcare sector over the past year, revealing persistent threats despite some progress in organisational resilience and response capabilities.

Healthcare organisations reduce ransom payments by half

The rate of healthcare providers paying ransoms has declined sharply, falling from 61% in 2022 to just 36% in 2025. This represents a near 50% reduction in organisations choosing to meet attacker demands. For those providers that did pay, more than half negotiated settlements below the initial ransom amount requested.

The reduction in payment rates comes as organisations develop alternative recovery strategies and backup systems. However, the financial impact of attacks remains significant when factoring in recovery costs, operational disruption and the resources required to restore systems and data.

Sophos X-Ops identifies 88 distinct ransomware groups targeting healthcare

Sophos X-Ops monitoring of leak sites over the past twelve months identified 88 separate threat groups actively targeting healthcare organisations. The three most prominent groups based on leak site observations are GOLD FEATHER (Qilin), GOLD IONIC (INC Ransom) and GOLD HUBBARD (RansomHub).

Analysis of Sophos Incident Response and MDR cases reveals that vulnerability exploitation serves as a primary attack vector. Additional common entry points include phishing, social engineering, brute force attacks, drive-by downloads and stolen credentials. The variety of attack vectors demonstrates that healthcare organisations face threats across multiple potential entry points into their networks.

The number of distinct groups targeting the sector indicates that healthcare remains an attractive target for ransomware operators. The sensitive nature of healthcare data and the critical operational requirements of medical facilities create conditions that attackers believe will generate pressure to pay ransoms quickly.

Healthcare staffing shortages contribute to security vulnerabilities

The most common factor contributing to healthcare providers falling victim to ransomware attacks, cited by 42% of respondents, was a lack of people and capacity. This reflects an insufficient number of cybersecurity professionals monitoring systems at the time attacks occurred, a situation directly linked to the chronic healthcare staffing shortage affecting the sector.

The staffing challenges extend beyond general healthcare workers to include specialised cybersecurity roles. Healthcare organisations compete with other sectors for limited cybersecurity talent whilst often lacking the budget flexibility of commercial enterprises. This creates gaps in monitoring and response capabilities that attackers can exploit.

The human cost of ransomware attacks manifests in multiple ways. The report found that 37% of healthcare respondents mentioned increased anxiety or stress about future attacks amongst staff. Nearly a quarter of organisations experienced staff absence directly attributable to stress related to ransomware incidents. These factors compound existing workforce retention challenges facing the healthcare sector.

Recovery times improve as healthcare resilience strengthens

Nearly 60% of healthcare providers reported recovering from ransomware attacks within one week, a significant increase from just 21% in the previous year.

“Healthcare continues to face steady and persistent ransomware activity. Over the past year, Sophos X-Ops identified 88 different groups targeting healthcare organisations, showing that even moderate levels of threat activity can have serious consequences,” says Alexandra Rose, Director at Sophos Counter Threat Unit.

“It’s also encouraging to see signs of stronger resilience. In the study, nearly 60% of providers reported they recovered within one week, up from just 21% last year, which reflects real progress in preparedness and recovery planning. In a sector where downtime directly affects patient care, faster recovery is critical, but prevention remains the ultimate goal.”
