A NEW RANSOMWARE DEPLOYS HUMAN-OPERATED ATTACKS AGAINST HEALTHCARE SECTOR
The healthcare sector, already grappling with immense operational pressures, faces a growing and insidious threat: human-operated ransomware. This is not the automated, spray-and-pray approach of traditional ransomware. Instead, it involves sophisticated criminal operators who actively infiltrate a network, map it, stage their tooling, and deploy ransomware strategically where it will hurt most. Recent reporting also shows how the business model has shifted toward extortion: approximately 16 percent of recent successful human-operated ransomware attacks involved both encryption and data exfiltration, and a further 13 percent involved exfiltration only, with no encryption at all. Operators are increasingly exploiting vulnerabilities in less common software as well, which makes their initial access harder to predict and defend against.
The increasing digitization of medical records, reliance on interconnected devices, and the life-critical nature of healthcare services have made hospitals and clinics prime targets for financially motivated criminals. The threat is not only criminal: a joint U.S. government advisory has documented North Korean (DPRK) state-sponsored actors gaining access to and conducting ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure entities, and demanding their ransoms in cryptocurrency. The effects of just two major attacks in 2024, one against the hospital system Ascension and the other against the payment processor Change Healthcare, are hard to quantify.
The U.S. Department of Health and Human Services (HHS) and cybersecurity agencies are raising alarms about emerging threats such as Rhysida and Trinity ransomware, along with activity from groups such as Vanilla Tempest using the INC ransomware. These attacks not only encrypt sensitive patient data but can also disrupt essential services, potentially endangering lives. Understanding this evolving landscape is crucial for healthcare organizations to fortify their defenses and protect their patients.
The Rising Threat of Human-Operated Ransomware in Healthcare
Unlike automated ransomware, human-operated ransomware involves attackers actively navigating a victim's network, escalating privileges, identifying valuable data and backups, and strategically deploying the ransomware for maximum impact. This allows them to demand larger ransoms and inflict more significant damage. Microsoft has highlighted the growing prevalence of this type of attack across its customer base, reporting a 2.75x year-over-year increase in human-operated ransomware-linked encounters, where an encounter is defined as at least one device in a network being targeted.
Why is the Healthcare Sector a Prime Target?
Several factors contribute to the healthcare sector's vulnerability:
- Sensitive Data: Healthcare organizations store vast amounts of personally identifiable information (PII) and protected health information (PHI), making them attractive targets for data theft and extortion.
- Critical Services: Disruptions to healthcare services can have life-threatening consequences, increasing the likelihood that organizations will pay ransoms to restore operations quickly.
- Complex IT Environments: Hospitals often have complex and interconnected IT systems, including legacy systems and medical devices, which can create vulnerabilities for attackers to exploit.
- Limited Resources: Many healthcare organizations, particularly smaller clinics and rural hospitals, may lack the resources and expertise to implement robust cybersecurity measures.
Emerging Ransomware Threats Targeting Healthcare
Several new ransomware families and threat actors are actively targeting the healthcare sector.Understanding their tactics, techniques, and procedures (TTPs) is essential for effective defense.
Rhysida Ransomware
HHS issued an alert about Rhysida, a ransomware-as-a-service (RaaS) operation that has been targeting healthcare organizations since May 2023. The FBI, CISA, and MS-ISAC have also published a joint advisory on the group. Rhysida is believed to be behind the August 2023 cyberattack on Prospect Medical Holdings, which caused a system-wide outage affecting 17 hospitals and 166 clinics.
Trinity Ransomware
Trinity ransomware is another emerging threat targeting healthcare and public health organizations. First observed in May 2024, Trinity encrypts files and appends the .trinitylock extension to them. It shares similarities with other ransomware families, indicating either an evolution of earlier tooling or collaboration among criminal groups.
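The .trinitylock extension is the kind of indicator a responder can sweep a file share for. As an added example (written for this page, not taken from the original article or from any Trinity analysis), the script below walks a directory, flags files carrying that extension, and uses a byte-entropy measure both to confirm that flagged content really is encrypted and to catch plaintext-format files that were encrypted in place without being renamed. The entropy threshold, the plaintext extension list and the constructed sample tree are assumptions.

```python
"""Triage scan for files encrypted by ransomware. Added example, not from the
page: it looks for the .trinitylock extension the page attributes to Trinity
and confirms with a byte-entropy check, then builds its own constructed sample
tree so it runs offline."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Extensions known to be appended by ransomware. Only .trinitylock comes from
# the page; add others from your own threat intelligence.
RANSOMWARE_EXTENSIONS = {".trinitylock"}
# Formats that are plain text when healthy: high entropy here means the file
# was encrypted in place (assumption: list chosen for illustration).
PLAINTEXT_EXTENSIONS = {".txt", ".csv", ".log", ".sql", ".hl7"}
# Assumption: well-encrypted data sits close to 8 bits/byte; documents and
# databases are far below. Compressed media can also score high, which is why
# entropy is only checked on extension hits or known-plaintext formats.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root):
    """Walk `root`; return (findings, total_files). Each finding names the file,
    its entropy over the first SAMPLE_BYTES, and the reasons it was flagged."""
    root = Path(root)
    findings, total = [], 0
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        total += 1
        ext = path.suffix.lower()
        known = ext in RANSOMWARE_EXTENSIONS
        if not (known or ext in PLAINTEXT_EXTENSIONS):
            continue
        with open(path, "rb") as f:
            entropy = shannon_entropy(f.read(SAMPLE_BYTES))
        reasons = []
        if known:
            reasons.append("known_extension")
        if entropy >= ENTROPY_THRESHOLD:
            # an extension hit with random-looking bytes is real ciphertext;
            # a .txt/.csv with random-looking bytes was encrypted without rename
            reasons.append("high_entropy" if known else "plaintext_format_high_entropy")
        if reasons:
            findings.append({"path": path.relative_to(root).as_posix(),
                             "entropy": round(entropy, 3), "reasons": reasons})
    return findings, total


def build_sample_tree() -> str:
    """Constructed directory (not real data): one untouched file, one file
    renamed and encrypted Trinity-style, one plaintext file encrypted in place."""
    root = Path(tempfile.mkdtemp(prefix="rw-triage-"))
    rng = random.Random(42)  # deterministic stand-in for ciphertext bytes
    (root / "notes").mkdir()
    (root / "notes" / "schedule.txt").write_text(
        "Constructed sample: clinic scheduling notes in plain ASCII.\n" * 40)
    (root / "images").mkdir()
    (root / "images" / "ct_001.dcm.trinitylock").write_bytes(rng.randbytes(4096))
    (root / "billing").mkdir()
    (root / "billing" / "claims.csv").write_bytes(rng.randbytes(4096))
    return str(root)


if __name__ == "__main__":
    found, count = scan_tree(build_sample_tree())
    print(f"{len(found)} of {count} files flagged")
    for item in found:
        print(item)
```

Run it against a mounted share instead of the sample tree by passing the mount point to scan_tree; a large share of hits in a short scan is the signal to isolate the host serving that share before looking any further.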
INC Ransomware and Vanilla Tempest
Microsoft has identified Vanilla Tempest (formerly tracked as DEV-0832), a financially motivated cybercriminal group, using the INC ransomware strain for the first time against healthcare organizations in the U.S. Microsoft did not name the provider(s) targeted, and it is unclear whether any ransom demand has been made, paid, or refused. The episode highlights the continuous emergence of new threats, including established actors adopting new tooling, and the need for constant vigilance.
PonyFinal Ransomware
Microsoft previously documented PonyFinal, a human-operated ransomware whose payload is deployed manually by the operators once they are inside the network. Initial access often came from brute-force attacks against a target's systems management server, and the campaign primarily targeted the healthcare sector during the COVID-19 crisis.
Common Tactics and Techniques Used by Attackers
Understanding how attackers gain access to healthcare networks is crucial for preventing ransomware attacks. The scale of the problem is large: a year-end analysis by Comparitech counted 5,461 attacks claimed by ransomware groups, 1,204 of them confirmed by the victims, and five of the ten largest breaches by records exposed were healthcare organizations. Common TTPs include:
- Phishing: Attackers use deceptive emails or messages to trick employees into clicking malicious links or providing sensitive information.
- Remote Desktop Protocol (RDP) Exposure: Attackers log in to RDP services exposed to the internet using stolen, guessed, or brute-forced credentials, and exploit RDP vulnerabilities where they exist. A simple search on Shodan, a search engine for internet-connected devices, for port 3389 reveals millions of exposed Microsoft Remote Desktop services, presenting easy targets.
- Exploiting Software Vulnerabilities: Attackers leverage known vulnerabilities in software applications and operating systems to gain access to networks.This includes vulnerabilities in less common software, making proactive patching essential.
- Brute Force Attacks: Attackers use automated tools to guess passwords and gain access to accounts.
- Supply Chain Attacks: Attackers target vendors and suppliers that provide services to healthcare organizations to gain access to their networks.
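As an added illustration of what RDP brute forcing looks like in telemetry (example code written for this page, not from the original article or any vendor): the script below replays constructed Windows Security events and flags a source that exceeds a failed-logon threshold over RDP within a sliding window, then marks it as compromised if a successful RDP logon from the same source follows. The threshold, window and sample events are assumptions; the event IDs and LogonType value are the standard Windows ones.

```python
"""Detect RDP password guessing and a follow-on success from Windows Security
events. Added example, not from the page. Event IDs and LogonType are the real
Windows values (4625 = failed logon, 4624 = successful logon, LogonType 10 =
RemoteInteractive/RDP); the events themselves are constructed samples."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(event_id, logon_type, user, ip, when):
    """Build one minimal Security-log record (constructed, not real data)."""
    return {"EventID": event_id, "LogonType": logon_type,
            "TargetUserName": user, "IpAddress": ip, "TimeCreated": when}


# Constructed sample events (RFC 5737 documentation addresses, fictional users).
SAMPLE_EVENTS = (
    # 203.0.113.45: six failed RDP logons in 50 seconds, then a success as jsmith
    [_ev(4625, 10, u, "203.0.113.45", f"2024-05-01T02:00:{s:02d}")
     for s, u in zip(range(0, 60, 10),
                     ["administrator", "admin", "backup", "jsmith", "nurse1", "jsmith"])]
    + [_ev(4624, 10, "jsmith", "203.0.113.45", "2024-05-01T02:01:30")]
    # 198.51.100.7: a user mistyping a password twice, then logging in (benign)
    + [_ev(4625, 10, "jsmith", "198.51.100.7", "2024-05-01T08:15:00"),
       _ev(4625, 10, "jsmith", "198.51.100.7", "2024-05-01T08:15:20"),
       _ev(4624, 10, "jsmith", "198.51.100.7", "2024-05-01T08:15:45")]
    # 192.0.2.9: six failures spread one per hour (low and slow, under threshold)
    + [_ev(4625, 10, "admin", "192.0.2.9", f"2024-05-01T{h:02d}:00:00")
       for h in range(10, 16)]
)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for sources with >= `threshold` failed RDP
    logons inside any sliding `window`. A later successful RDP logon from an
    alerting source is recorded in alert["succeeded_as"]: treat that host as
    compromised, not merely probed."""
    recent_failures = defaultdict(deque)   # ip -> failure timestamps in window
    seen_users = defaultdict(set)          # ip -> usernames attempted
    alerts = {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["LogonType"] != 10:          # only RemoteInteractive (RDP) logons
            continue
        ip = ev["IpAddress"]
        t = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4625:
            q = recent_failures[ip]
            q.append(t)
            seen_users[ip].add(ev["TargetUserName"].lower())
            while t - q[0] > window:       # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {
                    "count": 0, "first_seen": q[0], "usernames": set(),
                    "succeeded_as": []})
                alert["count"] = max(alert["count"], len(q))
                alert["last_failure"] = t
                alert["usernames"] = set(seen_users[ip])
        elif ev["EventID"] == 4624 and ip in alerts:
            alerts[ip]["succeeded_as"].append(ev["TargetUserName"].lower())
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        verdict = "COMPROMISED" if a["succeeded_as"] else "brute force in progress"
        print(f"{ip}: {a['count']} failures, users={sorted(a['usernames'])}, "
              f"{verdict} {a['succeeded_as']}")
```

The low-and-slow source (192.0.2.9) never trips the five-minute window; widening the window to a day would catch it, at the cost of more noise from users who genuinely forget passwords, which is why the success-after-failures condition is the higher-confidence signal.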
The Impact of Ransomware Attacks on Healthcare
The consequences of ransomware attacks on healthcare organizations can be devastating.Beyond the financial costs associated with ransom payments and recovery efforts, these attacks can:
- Disrupt Patient Care: Ransomware can disrupt access to medical records, imaging systems, and other critical applications, leading to delays in treatment, canceled appointments, and potentially life-threatening situations.
- Compromise Patient Data: Sensitive patient data, including medical histories, insurance information, and social security numbers, can be stolen and exposed, leading to identity theft and other forms of fraud.
- Damage Reputation: Ransomware attacks can damage the reputation of healthcare organizations, leading to a loss of trust from patients and the community.
- Lead to Legal and Regulatory Penalties: Healthcare organizations that fail to adequately protect patient data may face legal and regulatory penalties under laws such as HIPAA.
The effects of major ransomware attacks, such as those against Ascension and Change Healthcare, are difficult to fully quantify, highlighting the widespread impact on the healthcare ecosystem.
How to Protect Your Healthcare Organization from Ransomware
Protecting your healthcare organization from ransomware requires a multi-layered approach that includes proactive security measures, employee training, and incident response planning.
Proactive Security Measures
Implement the following security measures to reduce your risk of ransomware attacks:
- Regularly Back Up Data: Create regular backups of critical data and keep at least one copy offline, immutable, or in a secure cloud location with separate credentials, so that an attacker who controls the production network cannot encrypt or delete the backups as well. Test restores regularly to verify both integrity and recovery time. Approximately 20.6% of healthcare organizations reportedly restored data from backups after a ransomware attack; untested or network-reachable backups are a common reason restores fail.
- Patch Systems Promptly: Apply security updates as soon as they are available, prioritizing internet-facing and critical systems and applications, and keep an inventory of legacy systems and medical devices that cannot be patched so they can be isolated instead.
- Implement Strong Access Controls: Use strong, unique passwords, multi-factor authentication (MFA) on all remote access and administrative accounts, and least-privilege access to limit who can reach sensitive data and systems.
- Segment Your Network: Segment your network to isolate critical systems and prevent attackers from moving laterally within your network.
- Implement Intrusion Detection and Prevention Systems: Use intrusion detection and prevention systems to monitor network traffic and detect malicious activity.
- Employ Endpoint Detection and Response (EDR) Solutions: Deploy EDR solutions on all endpoints to detect and respond to threats in real-time.
- Conduct Regular Security Audits and Penetration Tests: Regularly assess your security posture and identify vulnerabilities through security audits and penetration tests.
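Testing that backups are intact means more than confirming they exist: an attacker who can reach the backup share can encrypt the files and quietly rewrite whatever checksum list sits beside them. The following added example (written for this page, not from the original article) builds an HMAC-authenticated manifest of SHA-256 digests under a key stored away from the backup media and verifies the backup set after a simulated attack; the file names, contents and key handling are constructed for illustration.

```python
"""Backup integrity manifest. Added example, not from the page: each backed-up
file gets a SHA-256 digest, and the manifest is authenticated with HMAC-SHA256
under a key kept off the backup media, so a restore test can prove both that
the files are unchanged and that the manifest itself was not regenerated by an
attacker who reached the backup share. All demo data is constructed."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20) -> str:
    """Stream a file through SHA-256 so large backup images do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _canonical(files: dict) -> bytes:
    """Deterministic encoding of the file table, so the HMAC is reproducible."""
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def _listing(root: Path) -> dict:
    """Map relative POSIX path -> Path for every regular file under root."""
    return {p.relative_to(root).as_posix(): p
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(backup_root, key: bytes) -> dict:
    """Hash every file under backup_root and authenticate the listing with key."""
    files = {rel: {"sha256": sha256_file(p), "size": p.stat().st_size}
             for rel, p in _listing(Path(backup_root)).items()}
    tag = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_backup(backup_root, manifest: dict, key: bytes) -> dict:
    """Check manifest authenticity first, then every file against its digest."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    report = {"manifest_ok": hmac.compare_digest(expected, manifest["hmac"]),
              "modified": [], "missing": [], "unexpected": []}
    present = _listing(Path(backup_root))
    for rel, meta in manifest["files"].items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(present[rel]) != meta["sha256"]:
            report["modified"].append(rel)
    report["unexpected"] = sorted(set(present) - set(manifest["files"]))
    return report


def demo():
    """Clean verify, then simulated ransomware on the share, then a forged manifest."""
    key = os.urandom(32)  # in practice: held with the backup policy, never on the share
    root = Path(tempfile.mkdtemp(prefix="bk-"))
    (root / "ehr").mkdir()
    (root / "ehr" / "patients.db").write_bytes(b"constructed sample database\n" * 100)
    (root / "ehr" / "notes.txt").write_text("constructed clinical notes\n")
    manifest = build_manifest(root, key)
    clean = verify_backup(root, manifest, key)
    # Ransomware that reaches the share: one file encrypted in place, one renamed
    (root / "ehr" / "patients.db").write_bytes(os.urandom(3200))
    (root / "ehr" / "notes.txt").rename(root / "ehr" / "notes.txt.trinitylock")
    after = verify_backup(root, manifest, key)
    # Attacker rebuilds the manifest to match the damaged files, but lacks the key
    forged = build_manifest(root, b"not-the-real-key")
    forged_check = verify_backup(root, forged, key)
    return clean, after, forged_check


if __name__ == "__main__":
    for label, report in zip(("clean", "after attack", "forged manifest"), demo()):
        print(label, report)
```

The forged-manifest case is the one a plain checksum file misses: the digests all match, so only the failed HMAC reveals that the manifest was replaced, which is why the key must live somewhere the backup share cannot reach.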
Employee Training and Awareness
Educate your employees about the risks of ransomware and how to recognize and report phishing attempts. Conduct regular training sessions and give employees resources to stay informed about the latest threats.
Incident Response Planning
Develop a comprehensive incident response plan that outlines the steps to take in the event of a ransomware attack.The plan should include:
- Identification and Containment: Procedures for identifying and containing the attack to prevent further spread.
- Data Recovery: Procedures for restoring data from backups.
- Communication: Procedures for communicating with stakeholders, including patients, employees, and law enforcement.
- Legal and Regulatory Compliance: Procedures for complying with legal and regulatory requirements, such as HIPAA.
The Role of Cryptocurrency in Ransomware Attacks
Many ransomware attackers demand payment in cryptocurrency, such as Bitcoin, because it offers a degree of anonymity and moves across borders quickly. The U.S. advisory on DPRK activity notes that North Korean cyber actors likewise demand ransoms in cryptocurrency. Healthcare organizations should decide in advance, with legal counsel and law enforcement, how they would respond to a ransom demand, including the legal and sanctions implications of paying an actor who may be state-sponsored.
Key Takeaways and Future Outlook
The threat of human-operated ransomware to the healthcare sector is significant and growing.Healthcare organizations must take proactive steps to protect their networks, data, and patients.By implementing strong security measures, educating employees, and developing comprehensive incident response plans, healthcare organizations can reduce their risk of falling victim to these devastating attacks.
Looking Ahead
The ransomware landscape is constantly evolving, with new threats and tactics emerging regularly. Exposure remains wide: a Shodan search for port 3389 currently shows over 4,493,357 exposed Remote Desktop services (Matherly, J., 2025). Healthcare organizations must stay informed about the latest threats and adapt their security measures accordingly. Collaboration and information sharing between healthcare organizations, cybersecurity vendors, and government agencies are crucial for staying ahead of the attackers. As ransomware operators increasingly exploit vulnerabilities in less common software, healthcare systems must broaden their detection methods and mitigation strategies to cover that attack vector rather than only the well-known ones.
The digital transformation of healthcare presents both opportunities and challenges. While technology can improve patient care and efficiency, it also creates new attack surface that cybercriminals can exploit. By prioritizing cybersecurity and investing in robust security measures, healthcare organizations can harness the benefits of technology while protecting themselves and their patients from the growing threat of ransomware.
Frequently Asked Questions (FAQ)
What is human-operated ransomware?
Human-operated ransomware is a type of cyberattack where attackers actively infiltrate a victim's network, explore the environment, identify valuable data, and strategically deploy ransomware for maximum impact.It's more targeted and sophisticated than automated ransomware attacks.
Why is the healthcare sector a prime target for ransomware?
The healthcare sector is attractive to cybercriminals because it stores vast amounts of sensitive patient data, provides critical services, and often has complex IT environments with limited resources for cybersecurity.
What are some of the emerging ransomware threats targeting healthcare?
Emerging threats include Rhysida, Trinity, and INC ransomware, as well as groups like Vanilla Tempest.These groups are constantly evolving their tactics and techniques to evade detection and maximize their impact.
What can healthcare organizations do to protect themselves from ransomware attacks?
Healthcare organizations should implement proactive security measures such as regular data backups, prompt patching of software vulnerabilities, strong access controls, network segmentation, and employee training and awareness programs.A comprehensive incident response plan is also essential.
What is the role of cryptocurrency in ransomware attacks?
Many ransomware attackers demand payment in cryptocurrency because it offers a degree of anonymity.Healthcare organizations should be prepared to address ransom demands involving cryptocurrency.
By staying vigilant, investing in robust cybersecurity measures, and fostering collaboration, the healthcare sector can strengthen its defenses against the ever-evolving threat of human-operated ransomware and protect the critical services it provides to communities worldwide. Prioritize cybersecurity: your patients are counting on it.