Ransomware's Multi-Extortion Evolution Hits Healthcare and Finance Hard
Ransomware has moved well beyond simple file encryption. The double-extortion model—exfiltrate data first, then encrypt—renders backup-only defenses obsolete, since attackers can leak stolen records regardless of whether the ransom is paid. Triple extortion escalates further by directly pressuring victims’ customers and partners. Publicly disclosed attacks jumped 49% year-over-year in 2025, with 124 active ransomware groups identified, 73 of them newly emerged. AI tooling is accelerating this growth by lowering the technical floor for entry-level threat actors.
The operational damage is no longer abstract. A February 2026 attack on the University of Mississippi Medical Center took down Epic EHR systems across 35 clinics and 200-plus telehealth sites, canceling chemotherapy sessions and forcing staff back to paper workflows. The same month, payment processor BridgePay lost its APIs and payment terminals entirely. Healthcare is particularly exposed: 93% of U.S. healthcare organizations reported at least one cyberattack in 2025, with 72% saying an incident directly disrupted patient care.
The defensive posture required has shifted accordingly. Perimeter controls and backup strategies alone can’t neutralize multi-extortion leverage. The focus is moving toward rendering exfiltrated data unreadable at rest—so that even successfully stolen files carry no usable value—combined with process-level access controls that block ransomware from touching encrypted folders in the first place. Note: this article is sponsored content from Penta Security promoting their D.AMO platform.
Continue reading at BleepingComputer.
This is an AI-generated summary. Read the original for the full story.