A NEW RANSOMWARE DEPLOYS HUMAN-OPERATED ATTACKS AGAINST HEALTHCARE SECTOR
The healthcare sector, already grappling with immense pressures, faces a growing and insidious threat: human-operated ransomware. The US Department of Health and Human Services (HHS) is raising the alarm on Trinity ransomware attacks targeting healthcare and public health organizations. First seen in May 2025, Trinity is a fairly new ransomware family that adds the .trinitylock extension to encrypted files. This isn't the automated, spray-and-pray approach of traditional ransomware. Instead, it involves sophisticated cybercriminals who actively infiltrate networks, meticulously plan their attacks, and deploy ransomware strategically. This targeted approach is proving particularly devastating, and several new strains are emerging to exploit vulnerabilities in healthcare systems. The increasing digitization of medical records, reliance on interconnected devices, and the critical nature of healthcare services have made hospitals and clinics prime targets for financially motivated cybercriminals.
The U.S. Department of Health and Human Services (HHS) and cybersecurity agencies are raising alarms about emerging threats like Rhysida and Trinity ransomware, along with activity from groups such as Vanilla Tempest utilizing the INC ransomware. These attacks not only encrypt sensitive patient data but can also disrupt essential services, potentially endangering lives. Understanding the evolving landscape of these threats is crucial for healthcare organizations to fortify their defenses and protect their patients.
The Rising Threat of Human-Operated Ransomware in Healthcare
Unlike automated ransomware attacks, human-operated ransomware involves attackers actively navigating a victim's network, identifying valuable data, and strategically deploying the ransomware for maximum impact. This allows them to demand larger ransoms and inflict more significant damage. Microsoft has highlighted the growing prevalence of this type of attack, noting a 2.75x year-over-year increase in human-operated ransomware encounters across their customer base.
Why is the Healthcare Sector a Prime Target?
Several factors contribute to the healthcare sector's vulnerability:
- Sensitive Data: Healthcare organizations store vast amounts of personally identifiable information (PII) and protected health information (PHI), making them attractive targets for data theft and extortion.
- Critical Services: Disruptions to healthcare services can have life-threatening consequences, increasing the likelihood that organizations will pay ransoms to restore operations quickly.
- Complex IT Environments: Hospitals often have complex and interconnected IT systems, including legacy systems and medical devices, which can create vulnerabilities for attackers to exploit.
- Limited Resources: Many healthcare organizations, particularly smaller clinics and rural hospitals, may lack the resources and expertise to implement robust cybersecurity measures.
Emerging Ransomware Threats Targeting Healthcare
Several new ransomware families and threat actors are actively targeting the healthcare sector. Understanding their tactics, techniques, and procedures (TTPs) is essential for effective defense.
Rhysida Ransomware
The HHS recently issued an alert about Rhysida, a ransomware-as-a-service (RaaS) group that has been actively targeting healthcare organizations since May. The FBI, CISA, and MS-ISAC have also issued warnings about this group. Rhysida is believed to be behind a recent cyberattack on Prospect Medical Holdings, which resulted in a system-wide outage impacting 17 hospitals and 166 clinics.
Trinity Ransomware
Trinity ransomware is another emerging threat targeting healthcare and public health organizations. First seen in May 2025, Trinity encrypts files and adds the .trinitylock extension. It shares similarities with other ransomware families, indicating a potential evolution or collaboration among cybercriminals.
INC Ransomware and Vanilla Tempest
Microsoft has identified a financially motivated cybercriminal group, Vanilla Tempest (formerly DEV-0832), using a new ransomware strain called INC to target healthcare organizations in the U.S. This highlights the continuous emergence of new threats and the need for constant vigilance.
PonyFinal Ransomware
Microsoft previously unveiled PonyFinal, a human-operated ransomware that deploys its payload manually. It often uses brute force attacks against a target company's systems management server and primarily targeted the healthcare sector during the COVID-19 crisis.
Common Tactics and Techniques Used by Attackers
Understanding the methods attackers use to gain access to healthcare networks is crucial for preventing ransomware attacks. Here are some common TTPs:
- Phishing: Attackers use deceptive emails or messages to trick employees into clicking malicious links or providing sensitive information.
- Remote Desktop Protocol (RDP) Exploitation: Attackers exploit vulnerabilities in RDP to gain unauthorized access to systems. According to Shodan, a search engine for internet-connected devices, a simple search for port 3389 reveals a significant number of exposed Microsoft Remote Desktop services, presenting easy targets.
- Exploiting Software Vulnerabilities: Attackers leverage known vulnerabilities in software applications and operating systems to gain access to networks. This includes vulnerabilities in less common software, making proactive patching essential.
- Brute Force Attacks: Attackers use automated tools to guess passwords and gain access to accounts.
- Supply Chain Attacks: Attackers target vendors and suppliers that provide services to healthcare organizations to gain access to their networks.
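Two of the TTPs above, RDP exploitation and brute force password guessing, leave a recognisable trail in Windows Security logs: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a successful logon (Event ID 4624) from the same address once a password is guessed. The following is an added detection example, not code from the original article or from any vendor named in it. The event lines are a constructed, simplified export (timestamp, EventID, LogonType, account, source IP separated by `|`), and the threshold and window are assumed tuning parameters.

```python
"""Detect RDP password-guessing bursts from Windows Security logon events.

Added example (not the article's code). Input is a constructed, simplified
event export, one event per line:  timestamp|EventID|LogonType|User|SourceIP
Event ID 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: one address hammers RDP with many accounts and
# finally succeeds; one user mistypes a password once; one non-RDP failure.
SAMPLE_EVENTS = """\
2025-06-01T02:14:01|4625|10|administrator|203.0.113.45
2025-06-01T02:14:03|4625|10|admin|203.0.113.45
2025-06-01T02:14:05|4625|10|backup|203.0.113.45
2025-06-01T02:14:07|4625|10|it.support|203.0.113.45
2025-06-01T02:14:09|4625|10|nurse1|203.0.113.45
2025-06-01T02:14:11|4625|10|svc_pacs|203.0.113.45
2025-06-01T02:14:40|4624|10|svc_pacs|203.0.113.45
2025-06-01T08:30:12|4625|10|jdoe|10.20.5.17
2025-06-01T08:31:02|4624|10|jdoe|10.20.5.17
2025-06-01T09:00:00|4625|3|svc_backup|10.20.5.99
"""


@dataclass
class Event:
    ts: datetime
    event_id: int
    logon_type: int
    user: str
    source_ip: str


def parse_events(text):
    """Parse the constructed export format into Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, eid, ltype, user, ip = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), int(eid), int(ltype), user, ip))
    return events


def detect_rdp_bruteforce(events, threshold=5, window_seconds=120):
    """Return {source_ip: alert} for addresses with >= threshold failed RDP
    logons inside a sliding window. A successful RDP logon from an already
    flagged address upgrades the alert, since that is the pattern of a
    guessed password rather than a mere lockout."""
    recent = defaultdict(deque)   # source_ip -> deque of (ts, user) failures
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.logon_type != 10:   # only RemoteInteractive (RDP) logons
            continue
        q = recent[ev.source_ip]
        if ev.event_id == 4625:
            q.append((ev.ts, ev.user))
            while q and (ev.ts - q[0][0]) > timedelta(seconds=window_seconds):
                q.popleft()       # drop failures outside the window
            if len(q) >= threshold:
                alert = alerts.setdefault(ev.source_ip, {
                    "severity": "high", "first_seen": q[0][0],
                    "failures": 0, "users": []})
                alert["failures"] = max(alert["failures"], len(q))
                alert["users"] = sorted({u for _, u in q})
        elif ev.event_id == 4624 and ev.source_ip in alerts:
            alerts[ev.source_ip]["severity"] = "critical"
            alerts[ev.source_ip]["success_after_burst"] = ev.user
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, alert)
```

The window keeps the rule robust against slow guessing spread over hours only if the threshold and window are tuned to the environment; the same logic applies unchanged to events exported from a SIEM, provided the five fields are mapped. The "success after burst" upgrade is the condition that should page someone, because at that point the attacker is inside.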
The Impact of Ransomware Attacks on Healthcare
The consequences of ransomware attacks on healthcare organizations can be devastating. Beyond the financial costs associated with ransom payments and recovery efforts, these attacks can:
- Disrupt Patient Care: Ransomware can disrupt access to medical records, imaging systems, and other critical applications, leading to delays in treatment, canceled appointments, and potentially life-threatening situations.
- Compromise Patient Data: Sensitive patient data, including medical histories, insurance information, and social security numbers, can be stolen and exposed, leading to identity theft and other forms of fraud.
- Damage Reputation: Ransomware attacks can damage the reputation of healthcare organizations, leading to a loss of trust from patients and the community.
- Lead to Legal and Regulatory Penalties: Healthcare organizations that fail to adequately protect patient data may face legal and regulatory penalties under laws such as HIPAA.
The effects of major ransomware attacks, such as those against Ascension and Change Healthcare, are difficult to fully quantify, highlighting the widespread impact on the healthcare ecosystem.
How to Protect Your Healthcare Organization from Ransomware
Protecting your healthcare organization from ransomware requires a multi-layered approach that includes proactive security measures, employee training, and incident response planning.
Proactive Security Measures
Implement the following security measures to reduce your risk of ransomware attacks:
- Regularly Back Up Data: Create regular backups of critical data and store them offline or in a secure cloud location. Ensure that backups are tested regularly to verify their integrity. Approximately 20.6% of healthcare organizations reportedly restored data from backups after a ransomware attack.
- Patch Systems Promptly: Patch software vulnerabilities as soon as updates are available. Prioritize patching critical systems and applications.
- Implement Strong Access Controls: Use strong passwords, multi-factor authentication (MFA), and least privilege access to limit access to sensitive data and systems.
- Segment Your Network: Segment your network to isolate critical systems and prevent attackers from moving laterally within your network.
- Implement Intrusion Detection and Prevention Systems: Use intrusion detection and prevention systems to monitor network traffic and detect malicious activity.
- Employ Endpoint Detection and Response (EDR) Solutions: Deploy EDR solutions on all endpoints to detect and respond to threats in real-time.
- Conduct Regular Security Audits and Penetration Tests: Regularly assess your security posture and identify vulnerabilities through security audits and penetration tests.
Employee Training and Awareness
Educate your employees about the risks of ransomware and how to identify and avoid phishing attacks. Conduct regular training sessions and provide employees with resources to stay informed about the latest threats.
Incident Response Planning
Develop a comprehensive incident response plan that outlines the steps to take in the event of a ransomware attack. The plan should include:
- Identification and Containment: Procedures for identifying and containing the attack to prevent further spread.
- Data Recovery: Procedures for restoring data from backups.
- Communication: Procedures for communicating with stakeholders, including patients, employees, and law enforcement.
- Legal and Regulatory Compliance: Procedures for complying with legal and regulatory requirements, such as HIPAA.
The Role of Cryptocurrency in Ransomware Attacks
Many ransomware attackers demand payment in cryptocurrency, such as Bitcoin, because it offers a degree of anonymity. Some North Korean (DPRK) cyber actors have been known to use cryptocurrency to demand ransoms. Healthcare organizations should be aware of this and consider how they would respond to a ransom demand involving cryptocurrency.
Key Takeaways and Future Outlook
The threat of human-operated ransomware to the healthcare sector is significant and growing. Healthcare organizations must take proactive steps to protect their networks, data, and patients. By implementing strong security measures, educating employees, and developing comprehensive incident response plans, healthcare organizations can reduce their risk of falling victim to these devastating attacks.
Looking Ahead
The ransomware landscape is constantly evolving, with new threats and tactics emerging regularly. Healthcare organizations must stay informed about the latest threats and adapt their security measures accordingly. Collaboration and information sharing between healthcare organizations, cybersecurity vendors, and government agencies are crucial for staying ahead of the attackers. As ransomware operators increasingly exploit vulnerabilities in less common software, healthcare systems must broaden their detection methods and threat mitigation strategies to encompass this new attack vector.
The digital transformation of healthcare presents both opportunities and challenges. While technology can improve patient care and efficiency, it also creates new vulnerabilities that cybercriminals can exploit. By prioritizing cybersecurity and investing in robust security measures, healthcare organizations can harness the benefits of technology while protecting themselves and their patients from the growing threat of ransomware.
Frequently Asked Questions (FAQ)
What is human-operated ransomware?
Human-operated ransomware is a type of cyberattack where attackers actively infiltrate a victim's network, explore the environment, identify valuable data, and strategically deploy ransomware for maximum impact. It's more targeted and sophisticated than automated ransomware attacks.
Why is the healthcare sector a prime target for ransomware?
The healthcare sector is attractive to cybercriminals because it stores vast amounts of sensitive patient data, provides critical services, and often has complex IT environments with limited resources for cybersecurity.
What are some of the emerging ransomware threats targeting healthcare?
Emerging threats include Rhysida, Trinity, and INC ransomware, as well as groups like Vanilla Tempest. These groups are constantly evolving their tactics and techniques to evade detection and maximize their impact.
What can healthcare organizations do to protect themselves from ransomware attacks?
Healthcare organizations should implement proactive security measures such as regular data backups, prompt patching of software vulnerabilities, strong access controls, network segmentation, and employee training and awareness programs. A comprehensive incident response plan is also essential.
What is the role of cryptocurrency in ransomware attacks?
Many ransomware attackers demand payment in cryptocurrency because it offers a degree of anonymity. Healthcare organizations should be prepared to address ransom demands involving cryptocurrency.
By staying vigilant, investing in robust cybersecurity measures, and fostering collaboration, the healthcare sector can strengthen its defenses against the ever-evolving threat of human-operated ransomware and protect the critical services it provides to communities worldwide. Prioritize cybersecurity – your patients are counting on it.