Ransomware resilience may be improving in the health sector

In a possibly encouraging sign that cyber messaging is cutting through among healthcare providers, the sector appears to be becoming increasingly resilient to ransomware and cyber extortion, with fewer victims experiencing data encryption, fewer paying up and average time to recovery dropping according to a new Sophos report.

Based on global data collected by Vanson Bourne for a wider study, Sophos found that this year just 36% of victims in the healthcare industry paid a ransom, down from 61% in 2022, and over half of those that paid handed over less than what was demanded of them.

Demands from ransomware gangs also plummeted during the observed period, down 91% to $343,000 (£260,800) on average this year, with average payments dropping from $1.47m to just $150,000, the lowest of any sector reported in the wider dataset.

The mean cost of recovery – excluding any ransoms – was also down by 60% to $1.02m. And 58% of healthcare respondents said they recovered within a week, a strong improvement from 21% last year.

“It’s … encouraging to see signs of stronger resilience. In the study, nearly 60% of providers reported they recovered within one week, up from just 21% last year, which reflects real progress in preparedness and recovery planning. In a sector where downtime directly affects patient care, faster recovery is critical, but prevention remains the ultimate goal,” said Alexandra Rose, director at the Sophos Counter Threat Unit (CTU) – formerly a Secureworks unit.

However, improvement against some metrics should not be taken as a sign that the ransomware ecosystem is dwindling or the threat landscape becoming any less volatile; ransomware remains as pervasive a threat as ever and the healthcare sector is no more or less immune than any other.

“Healthcare continues to face steady and persistent ransomware activity. Over the past year, Sophos X-Ops identified 88 different groups targeting healthcare organisations, showing that even moderate levels of threat activity can have serious consequences,” said Rose.

In the past 12 months, the X-Ops team said that the most prominent ransomware gangs targeting the health industry were Qilin, INC Ransom and RansomHub – which it tracks as Gold Feather, Gold Ionic and Gold Hubbard respectively.

The data also reveal that although data encryption from ransomware has dropped to its lowest level since 2020, with only a third of attacks resulting in this scenario, the proportion of healthcare providers hit by extortion-only attacks, where data is not encrypted but rather stolen and a ransom demanded, has tripled to 12% of attacks this year, from 4% a couple of years ago. The Cl0p/Clop gang, which last week claimed to have conducted a ransomware attack against an unspecified NHS body, is a great exponent of this tactic.

Root causes

Sophos’ data also reveal some insight into the root causes of cyber extortion and ransomware attacks in the healthcare industry, finding that for the first time since 2022, exploited vulnerabilities were the most common technical cause, seen in 33% of incidents, overtaking credential-based attacks, which topped the list in 2023 and 2024.

Respondents also described “multiple organisational factors” that contributed to their falling victim to such attacks, with 42% describing a lack of suitably qualified cyber security people or overall capacity, and 41% describing known but unaddressed security gaps.
