RANSOMWARE attacks against hospitals and health care systems have entered a new phase in 2025, marked by fewer multimillion-dollar ransom demands, faster recovery times, and shifting intrusion techniques. Yet health care remains one of the most heavily targeted sectors, according to the latest annual State of Ransomware in Healthcare 2025 report by Sophos, based on a survey of 292 IT and cybersecurity leaders in 17 countries.

The report, reflecting incidents that occurred throughout the previous year, shows a sector under constant pressure despite measurable improvements. Hospitals continue to face overlapping risks: technical vulnerabilities, staffing shortages, and increasingly aggressive extortion methods that threaten patient services and sensitive medical records.

For the first time in three years, exploited vulnerabilities became the leading root cause of ransomware attacks in health care, accounting for 33 percent of incidents. Malicious emails followed at 22 percent, and compromised credentials at 18 percent.

HEALTH CARE ATTACK Findings mirror shortcomings across many Asian health care systems, including the Philippines, where hospitals often rely on legacy infrastructure and face a persistent shortage of cybersecurity expertise. AI-GENERATED GRAPHICS

Operational weaknesses remained equally significant. Forty-two percent of health care organizations said they lacked sufficient cybersecurity personnel or monitoring capacity during the attack. Known security gaps contributed to 41 percent of incidents, while previously unknown gaps contributed to 40 percent.

These findings mirror shortcomings across many Asian health care systems, including the Philippines, where hospitals often rely on legacy infrastructure and face a persistent shortage of cybersecurity expertise.

Encryption declines while extortion surges

Sophos reported a sharp decline in successful data encryption. Only 34 percent of attacks resulted in data being encrypted in 2025, a steep drop from 74 percent the previous year. The percentage of providers able to stop an attack before encryption rose to 53 percent.

However, extortion-only attacks — where no encryption occurs — are on the rise. Twelve percent of health care organizations reported being held to ransom even without encrypted data, the highest level recorded in the study’s five-year history. Sensitive medical information remains highly valuable on the criminal market, fueling a shift toward data theft and blackmail. Among organizations that did suffer encryption, 27 percent also experienced data exfiltration.

The median ransom demand dropped from $4 million in 2024 to $343,000 in 2025, a 91 percent decline. Actual ransom payments fell from a median of $1.47 million to $150,000, the lowest across all industries covered by the study.

This downturn reflects a significant reduction in demands exceeding $5 million, although mid-range demands between $1 million and $5 million increased slightly. While only 36 percent of healthcare providers chose to pay ransoms, most of those who did paid less than the initial amount demanded.

These patterns align with broader ransomware activity in 2025, where attackers increasingly target overstretched organizations and favor smaller but more frequent payouts.

Recovery costs — excluding ransom payments — fell sharply. Health care organizations spent an average of $1.02 million to recover from an attack, down from $2.57 million the year before. Faster detection and improved response capability played a major role in this drop.

Fifty-eight percent of health care providers recovered within a week, compared to 21 percent the previous year. Nearly all recovered within three months. Despite these improvements, the financial burden remains substantial, particularly for hospitals in developing countries that operate under resource constraints.

Heavy human toll on cybersecurity teams

Every health care provider that experienced data encryption reported consequences for their IT and cybersecurity teams. Thirty-nine percent said senior leadership increased pressure on their teams after the attack. Thirty-seven percent reported higher anxiety or fear of future incidents. Thirty-two percent experienced structural or staffing changes, and nearly one in five saw leadership replaced.

In healthcare, where digital systems support life-critical services, these psychological and organizational impacts can be severe.

The 2025 ransomware landscape suggests that healthcare organizations are becoming more resilient but remain high-value targets. Attackers are shifting from large-scale encryption toward more targeted intrusions focused on data theft and extortion. Lower ransom demands may reflect reduced leverage, but the overall threat remains persistent.

For healthcare systems in the Philippines and across Asean, the findings underscore the urgent need to modernize hospital IT systems, expand cyber-resilience programs, strengthen detection and response capabilities, and address critical staffing shortages. As ransomware groups continue to evolve, the pressure on the region’s healthcare infrastructure remains intense.