The cybersecurity company Semperis has published a new report indicating a slight decrease in ransomware attacks year-over-year. The ransomware risk report indicates that ransomware groups continue to target the healthcare industry, with 77% of organizations in this sector experiencing attacks over the last 12 months. 53% of ransomware attacks succeeded.
Semperis analyzed information from a Censuswide survey of 1,500 IT and security experts across various industries. Although attacks declined slightly, the report indicates that 60% of attacked healthcare companies encountered multiple attacks. 30% of respondents state that they suffered more than one attack in 30 days, 35% suffered more than one attack in one week, 14% suffered multiple attacks on the same day, and 12% experienced concurrent attacks.
A recent trend is that fewer ransomware victims pay ransoms, though 81% of attacked companies in the U.S. paid the ransom. Ransom payment was less common among healthcare organizations, with only 53% of healthcare sector victims paying a ransom, according to Semperis’ report. 55% of ransomware attack victims paid less than $500,000, 39% paid $500,000 to $1 million, and 5% paid over $1 million.
The reduced rate of ransom payment in the healthcare sector may stem from concerns that the attackers won’t keep their end of the bargain after payment. The Change Healthcare ransomware attack last year is an example. The BlackCat ransomware group received a $22 million ransom payment to delete the data it stole; then, after the group’s exit, the affiliate responsible for the attack kept a copy of the information and attempted a second extortion, working with a different group called RansomHub. The law enforcement campaign against LockBit determined that the group had lied about deleting data: copies of stolen information were found on its servers even after victims had paid the ransom. Paying the ransom does not guarantee that the information can be retrieved. 15% of organizations that paid the ransom didn’t get decryption keys, while 3% discovered that their information was published or misused even after payment.
Ransomware groups have been seen adopting more aggressive strategies to pressure victims in response to low ransom payment rates. Some groups started calling patients directly to pressure the attacked healthcare provider into paying the ransom. In some instances, patients themselves have been extorted. As per Semperis, 47% of attacks involved threats of regulatory complaints, as did 41% of attacks on healthcare companies. In 62% of healthcare cyberattacks, the attacker threatened the victim with the exposure of personal or proprietary information. Sometimes the attackers issue threats to harm staff members, which happened in 40% of cases across all industries and 31% of attacks on healthcare companies.
With the recent arrival of generative AI and the rapid emergence of agentic AI attacks, it is easier to build more sophisticated tools with a more damaging impact, so threat actors need little money or resources to produce them. The decline in ransom payments will not stop ransomware groups from conducting more effective and more frequent attacks.
Semperis found that companies are getting better at detecting and stopping attacks. However, when attacks succeed, they can cause substantial damage. 53% of attacked healthcare organizations take up to a week to recover, while 31% need a week to a month to restore regular operations. The disruptions encountered by companies include data loss or breach, reputational damage, and loss of jobs. One ransomware attack in 2025 resulted in the permanent shutdown of a healthcare company.
The biggest problems reported in healthcare include the frequency and complexity of threats, attacks on identity systems, and compliance with laws such as HIPAA. 78% of victims suffered breaches of their identity systems during attacks, but only 61% had invested in a dedicated AD-specific backup program. Semperis recommends that companies use technology to secure their IAM infrastructure, since it is the primary target. Systems and processes should be documented and reviewed to improve attack response, since an attack is bound to happen; these reviews, along with HIPAA training, should be carried out every six months. The security of business associates and supply chain providers should also be reviewed to avoid exploitation.