⚠️ MEDIUM | analysis

Healthcare Sector Shows Rising Resilience Against Ransomware

Ransomware activity in the healthcare sector is meeting increasing resilience, according to a new Sophos report, with significant reductions in ransom payments and shorter recovery windows. Although the sector remains a persistent target, the report highlights measurable improvements in response readiness and continuity planning. Healthcare organizations reported fewer successful encryption events and faster containment than in previous years. The attacker behaviours observed map to MITRE ATT&CK T1490 (Inhibit System Recovery), T1486 (Data Encrypted for Impact), and T1565.001 (Data Manipulation: Stored Data Manipulation).

The study found that only 36% of healthcare victims paid a ransom in 2025, compared with 61% in 2022. Average ransom demands dropped 91% year-over-year, and recovery times improved dramatically, with 58% of providers fully restored within one week.

Despite this progress, the threat landscape remains volatile. Sophos X-Ops tracked 88 distinct ransomware groups targeting healthcare, including Qilin, INC Ransom, and RansomHub. Extortion-only attacks, in which data is stolen but nothing is encrypted, tripled; this is a shift in attacker strategy that backups and fast restoration alone do not address. Vulnerability exploitation surpassed credential attacks as the leading initial access vector for the first time since 2022, underscoring the urgency of patch management and attack surface reduction.

The business impact includes ongoing risk to clinical operations, patient data confidentiality, and regulatory exposure under HIPAA, GDPR, and national healthcare frameworks. While improved resilience reduces operational downtime, extortion-only attacks raise long-term reputational and compliance concerns, because stolen data remains exposed however quickly systems come back.

Mitigation requires continued investment in cyber hygiene, rapid patching, credential hardening, and IR preparedness. Healthcare providers should adopt zero-trust segmentation, validate backups frequently (including periodic test restores, since T1490 activity specifically targets the recovery path), and implement security orchestration to reduce recovery times. SOCs should prepare for growth in extortion-only attacks by expanding data loss detection monitoring, such as baselining outbound data volume per host, and deploying multi-layered email and endpoint protection.
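The following is an added example, not code from the page or from Sophos, showing what the two detections recommended above can look like in practice: a command-line signature check for T1490 recovery tampering over process-creation events, and a per-host outbound-volume anomaly check for the extortion-only pattern. The telemetry is constructed for illustration, and the field names (host, cmdline, bytes_out) and host names are assumptions of the example.

```python
"""Detection examples for two patterns named in the summary: T1490 shadow-copy /
recovery tampering, and the outbound-volume anomaly that characterises an
extortion-only (steal, do not encrypt) intrusion.  Telemetry is constructed
for illustration; field names (host, cmdline, bytes_out) are assumptions."""
import re
import statistics

# --- T1490 Inhibit System Recovery -------------------------------------------
# Command-line signatures of recovery tampering, matched case-insensitively.
INHIBIT_RECOVERY_PATTERNS = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "vssadmin delete shadows"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "wmic shadowcopy delete"),
    (r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", "bcdedit recoveryenabled No"),
    (r"bcdedit(\.exe)?\s.*bootstatuspolicy\s+ignoreallfailures", "bcdedit ignoreallfailures"),
    (r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", "wbadmin delete backups"),
    (r"Win32_Shadowcopy.*\.Delete\(\)", "WMI Win32_Shadowcopy.Delete()"),
]

# Constructed process-creation events (the shape of Sysmon EID 1 / Security 4688).
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws-finance-03", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws-finance-03", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "backup-01", "cmdline": "vssadmin.exe list shadows"},  # benign admin check
    {"host": "ws-radiology-07", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "fs-ehr-02", "cmdline": "powershell.exe -nop -w hidden Get-WmiObject Win32_Shadowcopy "
                                     "| ForEach-Object {$_.Delete()}"},
]

def detect_inhibit_recovery(events):
    """Return one (host, label, cmdline) tuple per event matching a T1490 signature."""
    hits = []
    for ev in events:
        for pattern, label in INHIBIT_RECOVERY_PATTERNS:
            if re.search(pattern, ev["cmdline"], re.IGNORECASE):
                hits.append((ev["host"], label, ev["cmdline"]))
                break  # one finding per event is enough
    return hits

# --- Extortion-only exfiltration: per-host egress baseline -------------------
# Constructed daily outbound byte totals per host (as summed from firewall or
# NetFlow records) for the previous seven days, then today's total.
EGRESS_BASELINE = {
    "ws-radiology-07": [2_100_000_000, 1_900_000_000, 2_300_000_000, 2_000_000_000,
                        2_200_000_000, 1_800_000_000, 2_100_000_000],  # busy imaging host
    "fs-ehr-02": [400_000_000, 380_000_000, 420_000_000, 390_000_000,
                  410_000_000, 400_000_000, 430_000_000],
    "nurse-station-14": [50_000_000] * 7,                                # flat history, MAD 0
}
EGRESS_TODAY = {
    "ws-radiology-07": 2_400_000_000,   # high in absolute terms, normal for this host
    "fs-ehr-02": 6_200_000_000,         # ~15x its median: staged records leaving
    "nurse-station-14": 90_000_000,     # nearly 2x, but below the absolute floor
    "ct-scanner-gw": 1_200_000_000,     # no history yet
}

def detect_egress_anomalies(baseline, today, min_bytes=200_000_000, k=5.0, min_days=3):
    """Flag hosts whose egress today exceeds median + k * 1.4826 * MAD of their own
    history.  MAD (median absolute deviation) is used instead of the standard
    deviation so one earlier exfiltration day cannot inflate the baseline.
    min_bytes is an absolute floor: a flat history gives MAD 0, and without the
    floor every quiet host would alert on noise.  Hosts with too little history
    are flagged only when they cross the floor."""
    findings = []
    for host, bytes_out in today.items():
        history = baseline.get(host, [])
        if len(history) < min_days:
            if bytes_out >= min_bytes:
                findings.append({"host": host, "bytes_out": bytes_out,
                                 "threshold": min_bytes, "reason": "no baseline"})
            continue
        med = statistics.median(history)
        mad = statistics.median(abs(x - med) for x in history)
        threshold = max(med + k * 1.4826 * mad, min_bytes)
        if bytes_out >= threshold:
            findings.append({"host": host, "bytes_out": bytes_out, "threshold": threshold,
                             "reason": f"{bytes_out / med:.1f}x median egress"})
    return findings

def correlate(recovery_hits, egress_findings):
    """Hosts present in both detections: recovery tampering plus bulk egress points
    to a double-extortion intrusion rather than either finding alone."""
    tampered = {h[0] for h in recovery_hits}
    return sorted(tampered & {f["host"] for f in egress_findings})

if __name__ == "__main__":
    hits = detect_inhibit_recovery(SAMPLE_PROCESS_EVENTS)
    findings = detect_egress_anomalies(EGRESS_BASELINE, EGRESS_TODAY)
    for host, label, cmd in hits:
        print(f"[T1490]  {host}: {label}: {cmd}")
    for f in findings:
        print(f"[EGRESS] {f['host']}: {f['bytes_out']:,} bytes ({f['reason']})")
    print("[BOTH]  ", correlate(hits, findings))
```

The egress check is the one that matters for extortion-only intrusions, since no encryption or recovery tampering may ever occur on the victim; the T1490 check catches the classic double-extortion playbook, and a host that trips both deserves immediate containment. In production the baseline would be computed from retained flow data rather than a literal, and the floor and k should be tuned per host class (imaging and backup servers legitimately move far more data than a nursing workstation).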

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: Improved resilience measurably reduces downtime, but rising extortion-only attacks pose significant patient-data and compliance risks. Healthcare operations remain sensitive to even short disruptions.

Technical Context: Trends show fewer successful encryptions and faster recovery. MITRE techniques include T1490 (Inhibit System Recovery), T1486 (Data Encrypted for Impact), and T1565.001 (Stored Data Manipulation). Vulnerability exploitation now leads as the primary intrusion vector.

Strategic Intelligence Guidance

  • Implement zero-trust segmentation and validate critical backups regularly.
  • Prioritize patching of externally exposed systems and medical infrastructure.
  • Strengthen credential management to reduce lateral movement opportunities.
  • Adopt automated IR workflows to accelerate containment and recovery.

Vendors

Sophos

Threats

Qilin, INC Ransom, RansomHub

Targets

healthcare organizations