Sophos announced the findings of its State of Ransomware in Healthcare 2025 report, revealing that the global healthcare sector is making measurable progress in strengthening its defences against ransomware. The study highlights significant improvements in recovery times, a reduction in ransom demands, and a decline in both data encryption and the number of organisations paying ransoms.
This year’s report shows that recovery timelines improved substantially, with 58% of healthcare organisations able to recover within a week, more than double the 21% reported in 2024. At the same time, the median ransom demand fell sharply by 91% to $345,000, and recovery costs dropped to their lowest level in three years. Data encryption rates also hit a five-year low at 34%, and only 36% of providers opted to pay the ransom in the last year, compared with 61% in 2022.
Despite this progress, ransomware remains a persistent challenge for the sector. Resource constraints—stemming from chronic healthcare staffing shortages—continue to impact security operations, with 42% of providers citing lack of personnel or capacity as the primary reason for falling victim to attacks. Extortion-only attacks are increasing as well, with the rate of data theft without encryption tripling since 2023—now the highest across all sectors. The human toll is also evident: 37% of respondents reported heightened stress or anxiety about future attacks, and nearly a quarter indicated staff absences linked to this strain.
Alexandra Rose, Director, Sophos Counter Threat Unit (CTU), said: “Healthcare continues to face steady and persistent ransomware activity. Over the past year, Sophos X-Ops identified 88 different groups targeting healthcare organisations, showing that even moderate levels of threat activity can have serious consequences. It’s also encouraging to see signs of stronger resilience. In the study, nearly 60% of providers reported they recovered within one week, up from just 21% last year, which reflects real progress in preparedness and recovery planning. In a sector where downtime directly affects patient care, faster recovery is critical, but prevention remains the ultimate goal.”
To further strengthen cyber resilience across the healthcare sector, the report recommends that organisations adopt a more proactive approach to vulnerability management, given that exploitation continues to be a primary root cause of attacks. It also highlights the importance of investing in 24/7 threat detection and response capabilities, whether built internally or delivered through managed services, to better counter the growing number of ransomware groups targeting healthcare. Additionally, the report urges providers to implement strong MFA, phishing defences, and improved credential hygiene to reduce exposure to common attack vectors. Maintaining encrypted, offline, and regularly tested backups is also emphasised to ensure rapid and reliable recovery without the need to pay ransoms. Finally, the report calls for enhanced staff readiness and continuous cybersecurity training, especially as workforce-related stress and shortages remain a significant challenge. Together, these recommendations reflect the sector’s progress while reinforcing the need for ongoing vigilance against persistent ransomware threats.