Ransomware Groups Increasingly Conducting Extortion-Only Attacks
Ransomware still poses a significant threat to U.S. healthcare organizations; however, many ransomware groups have abandoned data encryption and are instead conducting extortion-only attacks. A new report from the cybersecurity firm Sophos indicates that only half of the attacks conducted by ransomware groups in 2025 involved file encryption, the lowest encryption rate recorded in the past six years.
The threat of publishing stolen data is often sufficient to get victims to pay, whereas encrypted files can often be restored from backups. Sophos also suggests that organizations are better able to identify and block attacks before the ransomware payload is deployed. Last year, approximately 70% of attacks by ransomware groups involved file encryption, and the decline in the use of encryption is expected to continue.
According to the report, file encryption was more common in attacks on large organizations, 65% of which involved encryption. Sophos suggests that encryption is more likely to succeed at larger organizations because their size makes it harder to detect and block encryption attempts in time. Rates were far lower in other size bands, with only 3% of companies with between 3,001 and 54,000 employees experiencing file encryption, and 13% of companies with 100-250 employees.
Sophos also reports that ransom demands and payments are falling, with average ransom demands down 34% year over year and ransom payments down 50%. There also appears to be significant scope for negotiation: fewer than one-third of victims said the amount they paid matched the initial demand, and 53% of victims ended up paying less. Negotiation does not always work, however, as 18% of victims ended up paying more than the initial demand. The main reasons given for an increased demand were that the attackers believed the victim could afford to pay more (50%) and that the attackers realized they had hit a high-value target (48%). In 38% of cases, the initial demand was increased because the attackers became frustrated with the negotiations, and the same percentage said the demand was increased when recovery from backups failed.
Sophos reports that 57% of ransom demands were in excess of $1 million, and 53% of payments were over $1 million. The average demand in 2025 was $1,324,439, compared to $2 million in 2024, and the average payment was $1 million in 2025, down from $2 million in 2024.
The report was based on a survey of 3,400 organizations that experienced a ransomware attack in the past year. The survey revealed that vulnerability exploitation was the leading initial access vector, accounting for 32% of attacks, the same percentage as in 2024. Compromised credentials were the second most common initial access vector, accounting for 23% of attacks, down from 29% in 2024. Malicious emails delivering malware were behind 19% of attacks, down from 23% last year, while phishing to harvest credentials increased, serving as the initial access vector in 18% of attacks, up from 11% in 2024.
As for the factors that left organizations exposed, survey respondents cited an average of 2.7 contributing factors per attack, drawn from a combination of protection issues (63%) such as a lack of or inadequate protection solutions, resourcing issues (63%) such as a lack of skilled staff, expertise, or capacity, and security gaps (65%). In healthcare, one of the main issues was a lack of cybersecurity experts monitoring systems at the time of the attack, cited by 42% of respondents in the sector, which is not surprising given the difficulty healthcare organizations have in recruiting and retaining cybersecurity staff.
The vast majority of ransomware victims (97%) whose data was encrypted were able to recover it, with 49% of respondents choosing to pay the ransom, down from 56% last year. Of concern is that 2025 saw the lowest percentage of victims recovering data from backups in the past six years, with only 54% of respondents saying they used backups to recover their data.
The overall cost of a ransomware attack has fallen considerably year over year. Excluding the ransom payment, recovery costs fell by 44%, from $2.83 million in 2024 to $1.53 million in 2025. The fall in costs is due, in part, to faster recovery times. Sixteen percent of victims recovered fully within a day, up from 7% in 2024, and 53% managed a full recovery within a week, compared to 35% in 2024. Ninety-seven percent of victims said they had fully recovered within three months, suggesting organizations are much better prepared for cyber incidents and have effective incident response plans in place.