Perhaps an encouraging sign that cyber security messaging is getting through to healthcare providers is that the sector appears to be becoming more resilient to ransomware and cyber extortion: fewer victims are having their data encrypted, fewer are paying, and the average recovery time is shorter, according to a new Sophos report.
Based on global data collected by Vanson Bourne as part of a broader study, Sophos found that only 36% of healthcare victims paid a ransom this year, compared with 61% in 2022, and more than half of those who paid handed over less than was demanded of them.
Ransom demands also fell sharply over the period observed, dropping 91% to an average of $343,000 (£260,800) this year, while the average payment fell from $1.47 million to just $150,000, the lowest of any sector in the wider data set.
The average cost of recovery, excluding any ransom paid, also fell 60% to $1.02 million. And 58% of healthcare respondents said they recovered within a week, a significant improvement on 21% last year.
“It's encouraging to see signs of increased resilience. In the study, almost 60% of providers reported that they recovered within one week, up from 21% last year, reflecting real progress in preparedness and recovery planning. In a sector where downtime directly impacts patient care, faster recovery is critical, but prevention remains the ultimate goal,” said Alexandra Rose, director of the Sophos Counter Threat Unit (CTU), formerly a division of Secureworks.
However, improvements in some metrics should not be taken as a sign that the ransomware ecosystem is shrinking or that the threat landscape is becoming less volatile; ransomware remains as pervasive a threat as ever, and the healthcare sector is no more or less immune to it than any other.
“The healthcare industry continues to face consistent and persistent ransomware activity. Over the past year, Sophos X-Ops has identified 88 different groups targeting healthcare organizations, showing that even moderate levels of threat activity can have serious consequences,” Rose said.
Over the past 12 months, the X-Ops team reports, the most prominent ransomware gangs targeting the healthcare industry were Qilin, INC Ransom and RansomHub, which it tracks as Gold Feather, Gold Ionic and Gold Hubbard respectively.
The data also shows that while data encryption in ransomware attacks has fallen to its lowest level since 2020, with only a third of attacks resulting in encryption, the share of healthcare providers hit by extortion-only attacks, where data is stolen and a ransom demanded without anything being encrypted, has tripled to 12% of attacks this year, up from 4% a couple of years ago. The Cl0p/Clop gang, which last week claimed an attack against an unidentified NHS body, is a prominent example of this tactic.
Root Causes
The Sophos data also offers some insight into the root causes of cyber extortion and ransomware attacks in healthcare: for the first time since 2022, exploited vulnerabilities were the most common technical root cause, seen in 33% of incidents, overtaking credential-based attacks, which topped the list in 2023 and 2024.
Respondents also described “multiple organizational factors” that contributed to them becoming victims: 42% cited a lack of sufficiently skilled cyber security staff or overall capacity, and 41% cited known but unaddressed security gaps.