More Ransomware Groups Engage in Extortion-Only Attacks

Ransomware continues to present a considerable threat to U.S. healthcare providers, though many ransomware groups no longer encrypt data and only conduct extortion attacks. Cybersecurity company Sophos’ new report shows that only 50% of ransomware attacks in 2025 included file encryption.

The threat of exposing stolen information is usually enough to compel victims to pay a ransom, because encrypted files can generally be restored from backups. Sophos also notes that companies are getting better at detecting and blocking attacks before a ransomware payload is deployed. In 2024, around 70% of ransomware attacks included file encryption. The decline in ransomware deployment is likely to continue.

According to the report, ransomware was more often used against big businesses, 65% of which experienced file encryption. Sophos states that file encryption is more successful in bigger organizations because the size of the company makes it more difficult to identify and stop encryption efforts promptly. File encryption is not common in smaller companies, with just 3% of businesses having 3,001 to 54,000 staff members encountering file encryption, while 13% of companies with 100 to 250 staff members encountered file encryption.

Sophos additionally reports a decrease in ransom demands and payments. Average ransom demands fell 34% year over year, and ransom payments fell 50%. There is also more room for negotiation: 30% of victims stated that they paid the same amount as the initial ransom demand, while 53% stated they paid less. Negotiation doesn't always work in favor of the victims, as 18% of them paid more than the initial ransom demand. Demands increased because 50% of the attackers believed the victim could pay more, while 48% of the attackers realized they had found a high-value target. In 38% of cases, the attackers increased the initial ransom demand because they were annoyed with the negotiations, and another 38% said the attackers increased the demand when backup recovery failed.

Sophos stated that 57% of ransom demands were above $1 million, while 53% of payments were above $1 million. In 2025, the average demand was $1,324,439, which is less than the $2 million average in 2024. The average payment in 2025 was $1 million, which is less than the $2 million average in 2024.

The report is based on a survey of 3,400 entities that encountered a ransomware attack in 2024. The survey showed the following access vectors:

  • Vulnerability exploitation accounted for 32% of attacks
  • Breached credentials accounted for 23% of attacks
  • Malicious emails (malware) accounted for 19% of attacks
  • Phishing attacks to get credentials accounted for 18% of attacks

Asked why they were vulnerable to the ransomware attack, survey participants cited an average of 2.7 contributing factors, which were a combination of the following:

  • security problems (63%), for example, an insufficient or poor security solution
  • resourcing problems (63%), for example, not enough competent personnel, expertise, or capability
  • safety gaps (65%)

In healthcare, 42% of respondents said that one major problem was a lack of cybersecurity specialists monitoring systems during the attack, which reflects an issue in HIPAA compliance.

Of all ransomware victims that suffered data encryption, 97% recovered their data, while 49% of survey participants said they paid the ransom. At 54%, 2025 had the lowest percentage in the last 6 years of victims getting their data back from backups.

The total cost of a ransomware attack has dropped significantly year over year. Not including the ransom payment, recovery expenses dropped by 44% to $1.53 million in 2025 from $2.83 million in 2024. The decrease in costs is partly attributable to quicker recovery periods: 16% of victims fully recovered in one day, while 53% fully recovered in one week. 97% of victims fully recovered in three months, which suggests that companies are better prepared for cyberattacks and have better incident response plans.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681