
Last year, headline news of staggering ransomware attacks was inescapable. But according to new research by Comparitech, those numbers may be slowing down.
By studying 211 ransomware attacks on the healthcare sector in H1 2025, the firm noted only a 4% increase year-over-year. While this still represents a modest improvement, figures for other “easier/more lucrative” industries were much higher, coming in at an average of 50% more than last year.
The most highly targeted were:
Retail (85%)
Technology (85%)
Legal (71%)
Transportation (66%)
Manufacturing (64%)
Government (60%)
Why Fewer Healthcare Ransomware Attacks?
Major Warning Shots
Possible reasons for the decline in healthcare ransomware attack figures may include a heightened awareness – and preparedness – following major cyberattacks last year. High-impact attacks on Synnovis and Change Healthcare may have served as a wakeup call for the industry.
The June 2024 ransomware debacle involving Synnovis ended up costing the provider over $44 million and disrupted thousands of outpatient procedures and appointments over the course of last year. The devastating ransomware strike on Change Healthcare exposed 190 million patient records, making it the largest healthcare data breach in history.
Many healthcare providers affected by that breach are still struggling to repay emergency loans (offered to keep them afloat during ensuing service disruptions) to this day.
Lower Ransomware Demands
Another possible reason for the decline is that attackers, for whatever reason, feel they can no longer get high ransomware payouts from healthcare firms. The average ransomware demand on healthcare during H1 was $479,000; the average demand across all other industries was $1.6 million – over three times higher.
In addition, the report notes that there were zero confirmed payments during the first half of this year, with ten entities specifically stating they hadn’t complied with hackers’ demands.
Slow Reporting – Or No Reporting
Yet another cause could be delays in reporting, as Comparitech notes that many of the breaches covered in their report only became public a full four months after they originally occurred. For instance, a November 2024 incident involving Ahold Delhaize USA, which resulted in the loss of health-related data, among other things, was not formally disclosed until June 26th of this year.
If healthcare ransomware attacks do not create noticeable downtime, if the ransom is paid, or if a technicality means the organization does not need to notify patients of the incident, many breaches may also go unreported.
Retail Ransomware on the Rise
While ransomware gains in healthcare are decelerating, retail ransomware attacks surged by 58% during Q2, according to data from BlackFog.
Clustered with cyberattacks on high-street retailers Marks & Spencer and Harrods, Co-operative Group, a third UK retailer, was the target of a major ransomware attack by a group called DragonForce. In May, the group stole the personal data of up to 20 million current and former members, contacting the BBC with proof of their “successful” large-scale attack.
Unfortunately, powerful new ransomware strains such as AiLock, alongside decentralized ransomware gangs like Scattered Spider, are putting industries of all types on the run, and hitting sectors like retail and technology especially hard.
Preventing these threats is as much a matter of strategy as it is of standards. And this comes with reassessing priorities. As noted by Josh Davies, Principal Marketing Strategist at Fortra, “[security] shouldn’t be left to the mercy of ‘what’s left over’ after other areas have been addressed. Instead, it should come first in boardroom budget decisions, as cybersecurity is the most reliable ‘insurance’ in business today.”
Healthcare’s Clean Bill of Health May Be Too Soon to Tell
While retail ransomware growth is impossible to deny, healthcare ransomware attacks threaten to remain a consistent scourge. And we may not even have the full story.
Rebecca Moody, head of data research at Comparitech, warned that despite recent figures, healthcare remains a favorite target for attackers, as even current 2025 attacks attest. Stated Moody, “[S]ome hackers are still focusing on (and having a lot of success with) hospitals and other direct-care providers, e.g., INC and Medusa. In these cases, attacks on healthcare are likely to continue at the same rate.”
She notes that figures for some of the largest healthcare data breaches this year (Frederick Health, DaVita, Kettering Health) have yet to be disclosed. When they are, she says, “I'd expect the average to increase.”