MedCity News reports on the evolving cat and mouse game between ransomware criminals and health care organizations.
The Changing Landscape of Ransomware: Why Healthcare Organizations Are Paying Less
Threat actors continue to refine their strategies, and the financial incentives for cybercrime persist. However, the combination of stronger defenses, regulatory pressure, and industry collaboration is starting to shift the balance in favor of defenders. By Chris Henderson
"Ransomware has long been a persistent and costly threat to healthcare organizations, which hold vast amounts of sensitive patient data and operate under critical, time-sensitive conditions. The disruption caused by these attacks can have life-threatening consequences, delaying essential treatments and compromising patient safety. Historically, the urgency of restoring services quickly and avoiding disruptions compelled many victims to pay ransoms. But that’s starting to change. As healthcare organizations boost their cybersecurity investments — with IT budget allocations rising from 10% in 2020 to 14%(Opens in a new window) in 2024 — fewer victims are paying ransoms, thanks to stronger defenses and heightened regulatory scrutiny.
Overall, ransomware payments in the U.S. dropped 35%(Opens in a new window) in 2024, totaling $813 million, down from $1.25 billion in 2023. The median ransom payment also fell 45%(Opens in a new window) in Q4 2024 to $110,890, as payments remain largely a last-resort option for those without alternatives to recover critical data. Healthcare Information and Management Systems Society (HIMSS) researchers also noted a decline in the number of ransomware victims reporting(Opens in a new window) ransom payments
...
"One of the most effective deterrents to paying ransomware demands is having a robust backup and disaster recovery strategy. In the past, many healthcare organizations lacked adequate redundancy, leaving them with few options beyond paying attackers to restore access to their systems. However, the industry has made significant progress by investing in modern backup solutions, including immutable storage, air-gapped backups, and real-time data replication. Restoration from backups is rarely instantaneous, though. This makes having documented and practiced continuity plans critical for maintaining operations without key technology.
These measures significantly reduce the leverage attackers hold. With reliable, easily restorable backups, and rehearsed continuity plans, healthcare providers can refuse ransom demands and recover systems independently. Additionally, security tools that improve organizations security posture, like endpoint detection and response (EDR), managed detection and response (MDR), and zero-trust architectures, are making it harder for ransomware to gain a foothold in the first place.
...
"At the same time, government regulations are increasing the risks associated with making payments. In the U.S., the Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued warnings that organizations paying ransoms to groups linked to sanctioned entities could face legal consequences. Given that many ransomware groups have ties to sanctioned regions, healthcare providers face significant liability if they choose to pay.
...
"As direct ransomware payments decline, cybercriminals are adapting their tactics. Many groups have shifted away from traditional encryption only attacks toward data exfiltration and extortion. Instead of only locking organizations out of their systems, attackers steal sensitive patient records, financial data, and proprietary information, threatening to release it publicly if their demands aren’t met.
This strategy allows cybercriminals to bypass traditional defenses such as backups and file encryption protection, which are ineffective against data leaks. While organizations may recover their infrastructure without paying, the risk of exposing protected health information (PHI) creates a new pressure point for victims."
Posts
