A NEW RANSOMWARE DEPLOYS HUMAN-OPERATED ATTACKS AGAINST HEALTHCARE SECTOR

Last updated: June 19, 2025, 18:30 | Written by: Elizabeth Stark

The healthcare sector, already grappling with immense pressures, faces a growing and insidious threat: human-operated ransomware. This isn't the automated, spray-and-pray approach of traditional ransomware. Instead, it involves sophisticated cybercriminals who actively infiltrate networks, meticulously plan their attacks, and deploy ransomware strategically. This targeted approach is proving particularly devastating, and several new strains are emerging to exploit vulnerabilities in healthcare systems. The increasing digitization of medical records, reliance on interconnected devices, and the critical nature of healthcare services have made hospitals and clinics prime targets for financially motivated cybercriminals.

The U.S. Department of Health and Human Services (HHS) and cybersecurity agencies are raising alarms about emerging threats like Rhysida and Trinity ransomware, along with activity from groups such as Vanilla Tempest utilizing the INC ransomware. These attacks not only encrypt sensitive patient data but can also disrupt essential services, potentially endangering lives. Understanding the evolving landscape of these threats is crucial for healthcare organizations to fortify their defenses and protect their patients.

In a new Microsoft Threat Intelligence report, "US healthcare at risk: strengthening resiliency against ransomware attacks," our researchers identified that ransomware continues to be among the most common and impactful cyberthreats targeting organizations. The report offers a holistic view of the healthcare threat landscape with a particular...

This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.

The digital transformation of healthcare, combined with the high value of health data, has made the sector a prime target for cybercriminals, Tedros continued, citing examples of the 2025 ransomware attack on Brno University Hospital in Czechia and a May 2025 breach of the Irish Health Service Executive (HSE).

Across all 374 attacks, approximately 1 in 5 (20.6%) health care organizations were reportedly able to restore data from backups. For 59 ransomware attacks (15.8%), there was evidence that ransomware actors had made some or all of the stolen PHI public, typically by posting it on dark web forums where stolen data are advertised for sale by including a subset of records.

Ransomware has emerged as a dominant cyber threat and one of the most expensive types of cyberattacks that an organization can fall victim to. However, not all ransomware attacks are created equal. Human-operated ransomware has emerged as a more dangerous and expensive alternative to the traditional ransomware attack.

The Rising Threat of Human-Operated Ransomware in Healthcare

Unlike automated ransomware attacks, human-operated ransomware involves attackers actively navigating a victim's network, identifying valuable data, and strategically deploying the ransomware for maximum impact. This allows them to demand larger ransoms and inflict more significant damage. Microsoft has highlighted the growing prevalence of this type of attack, noting a 2.75x year-over-year increase in human-operated ransomware encounters across their customer base.

Microsoft has identified that Vanilla Tempest is a financially motivated cybercriminal group and has been found to be using a new ransomware strain dubbed INC to target healthcare organizations in the US.

Why is the Healthcare Sector a Prime Target?

Several factors contribute to the healthcare sector's vulnerability:

  • Sensitive Data: Healthcare organizations store vast amounts of personally identifiable information (PII) and protected health information (PHI), making them attractive targets for data theft and extortion.
  • Critical Services: Disruptions to healthcare services can have life-threatening consequences, increasing the likelihood that organizations will pay ransoms to restore operations quickly.
  • Complex IT Environments: Hospitals often have complex and interconnected IT systems, including legacy systems and medical devices, which can create vulnerabilities for attackers to exploit.
  • Limited Resources: Many healthcare organizations, particularly smaller clinics and rural hospitals, may lack the resources and expertise to implement robust cybersecurity measures.

Emerging Ransomware Threats Targeting Healthcare

Several new ransomware families and threat actors are actively targeting the healthcare sector. Understanding their tactics, techniques, and procedures (TTPs) is essential for effective defense.

Rhysida Ransomware

The HHS recently issued an alert about Rhysida, a ransomware-as-a-service (RaaS) group that has been actively targeting healthcare organizations since May. The FBI, CISA, and MS-ISAC have also issued warnings about this group. Rhysida is believed to be behind a recent cyberattack on Prospect Medical Holdings, which resulted in a system-wide outage impacting 17 hospitals and 166 clinics.

Trinity Ransomware

Trinity ransomware is another emerging threat targeting healthcare and public health organizations. First seen in May 2025, Trinity encrypts files and adds the .trinitylock extension. It shares similarities with other ransomware families, indicating a potential evolution or collaboration among cybercriminals.

INC Ransomware and Vanilla Tempest

Microsoft has identified a financially motivated cybercriminal group, Vanilla Tempest (formerly DEV-0832), using a new ransomware strain called INC to target healthcare organizations in the U.S. This highlights the continuous emergence of new threats and the need for constant vigilance.

PonyFinal Ransomware

Microsoft previously unveiled PonyFinal, a human-operated ransomware that deploys its payload manually. It often uses brute force attacks against a target company's systems management server and primarily targeted the healthcare sector during the COVID-19 crisis.

Common Tactics and Techniques Used by Attackers

Understanding the methods attackers use to gain access to healthcare networks is crucial for preventing ransomware attacks. Here are some common TTPs:

  • Phishing: Attackers use deceptive emails or messages to trick employees into clicking malicious links or providing sensitive information.
  • Remote Desktop Protocol (RDP) Exploitation: Attackers exploit vulnerabilities in RDP to gain unauthorized access to systems. According to Shodan, a search engine for internet-connected devices, a simple search for port 3389 reveals a significant number of exposed Microsoft Remote Desktop services, presenting easy targets. Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S. The tech giant's threat intelligence team is tracking the activity under the name Vanilla Tempest (formerly DEV-0832).
  • Exploiting Software Vulnerabilities: Attackers leverage known vulnerabilities in software applications and operating systems to gain access to networks. This includes vulnerabilities in less common software, making proactive patching essential.
  • Brute Force Attacks: Attackers use automated tools to guess passwords and gain access to accounts.
  • Supply Chain Attacks: Attackers target vendors and suppliers that provide services to healthcare organizations to gain access to their networks.
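
A defender-side detection for the RDP and brute-force items above, added here as an example (it is not code from the original article or from any vendor named in it): it scans logon records for bursts of failed remote logons from one source and notes whether a successful logon followed. The records are constructed samples shaped like Windows Security events 4625 and 4624; the tuple layout, thresholds and function name are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Assumed tuple layout:
# (timestamp, event_id, logon_type, source_ip, account)
# 4625 = failed logon, 4624 = successful logon (Windows Security log).
# LogonType 10 = RemoteInteractive (RDP); with NLA, RDP failures often show as 3.
SAMPLE_EVENTS = [
    (f"2025-06-19T02:00:{sec:02d}", 4625, 3, "203.0.113.7", account)
    for sec, account in zip(
        range(1, 60, 10),
        ["admin", "administrator", "backup", "svc_backup", "svc_backup", "svc_backup"],
    )
] + [
    ("2025-06-19T02:01:05", 4624, 10, "203.0.113.7", "svc_backup"),  # success after burst
    ("2025-06-19T08:00:00", 4625, 10, "198.51.100.20", "jdoe"),      # ordinary typo
    ("2025-06-19T08:10:00", 4625, 10, "198.51.100.20", "jdoe"),
    ("2025-06-19T08:10:30", 4624, 10, "198.51.100.20", "jdoe"),
    ("2025-06-19T09:00:00", 4625, 2, "-", "kiosk"),                  # console logon, ignored
]

REMOTE_LOGON_TYPES = {3, 10}


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag source IPs with >= threshold failed remote logons inside `window`.

    Each alert also records the first account that logged on successfully
    from the flagged source afterwards, which is the case to triage first.
    """
    recent = defaultdict(deque)  # source_ip -> timestamps of failures in window
    alerts = {}                  # source_ip -> alert record
    for ts_text, event_id, logon_type, src, account in sorted(events):
        if logon_type not in REMOTE_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(ts_text)
        if event_id == 4625:
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:       # drop failures older than the window
                q.popleft()
            if src in alerts:
                alerts[src]["failures"] += 1
            elif len(q) >= threshold:
                alerts[src] = {"source_ip": src, "first_failure": q[0].isoformat(),
                               "failures": len(q), "success_account": None}
        elif event_id == 4624 and src in alerts:
            if alerts[src]["success_account"] is None:
                alerts[src]["success_account"] = account
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Logon type 3 also covers other network logons such as SMB, so in production restrict the input to RDP-facing hosts or correlate with connections to port 3389.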

The Impact of Ransomware Attacks on Healthcare

The consequences of ransomware attacks on healthcare organizations can be devastating. The rapid digitization of the healthcare sector has made it increasingly susceptible to cyber threats, with ransomware being a particularly damaging form of malware. Our research focuses on the changing landscape of ransomware attacks on healthcare institutions, aiming to identify attack patterns and improve detection methods. These attacks specifically target healthcare organizations due to...

Beyond the financial costs associated with ransom payments and recovery efforts, these attacks can:

  • Disrupt Patient Care: Ransomware can disrupt access to medical records, imaging systems, and other critical applications, leading to delays in treatment, canceled appointments, and potentially life-threatening situations.
  • Compromise Patient Data: Sensitive patient data, including medical histories, insurance information, and social security numbers, can be stolen and exposed, leading to identity theft and other forms of fraud.
  • Damage Reputation: Ransomware attacks can damage the reputation of healthcare organizations, leading to a loss of trust from patients and the community.
  • Lead to Legal and Regulatory Penalties: Healthcare organizations that fail to adequately protect patient data may face legal and regulatory penalties under laws such as HIPAA.

The effects of major ransomware attacks, such as those against Ascension and Change Healthcare, are difficult to fully quantify, highlighting the widespread impact on the healthcare ecosystem.

How to Protect Your Healthcare Organization from Ransomware

Protecting your healthcare organization from ransomware requires a multi-layered approach that includes proactive security measures, employee training, and incident response planning.

Proactive Security Measures

Implement the following security measures to reduce your risk of ransomware attacks:

  • Regularly Back Up Data: Create regular backups of critical data and store them offline or in a secure cloud location. Ensure that backups are tested regularly to verify their integrity. Approximately 20.6% of healthcare organizations reportedly restored data from backups after a ransomware attack.
  • Patch Systems Promptly: Patch software vulnerabilities as soon as updates are available. Prioritize patching critical systems and applications.
  • Implement Strong Access Controls: Use strong passwords, multi-factor authentication (MFA), and least privilege access to limit access to sensitive data and systems.
  • Segment Your Network: Segment your network to isolate critical systems and prevent attackers from moving laterally within your network.
  • Implement Intrusion Detection and Prevention Systems: Use intrusion detection and prevention systems to monitor network traffic and detect malicious activity.
  • Employ Endpoint Detection and Response (EDR) Solutions: Deploy EDR solutions on all endpoints to detect and respond to threats in real-time.
  • Conduct Regular Security Audits and Penetration Tests: Regularly assess your security posture and identify vulnerabilities through security audits and penetration tests.

Employee Training and Awareness

Educate your employees about the risks of ransomware and how to identify and avoid phishing attacks. Conduct regular training sessions and provide employees with resources to stay informed about the latest threats.

Microsoft refrained from naming the healthcare provider(s) targeted in this attack. It is also unclear if the threat actor has made any ransom demands to date and received or was denied any payment.

Incident Response Planning

Develop a comprehensive incident response plan that outlines the steps to take in the event of a ransomware attack. The plan should include:

  • Identification and Containment: Procedures for identifying and containing the attack to prevent further spread.
  • Data Recovery: Procedures for restoring data from backups.
  • Communication: Procedures for communicating with stakeholders, including patients, employees, and law enforcement.
  • Legal and Regulatory Compliance: Procedures for complying with legal and regulatory requirements, such as HIPAA.

The Role of Cryptocurrency in Ransomware Attacks

Many ransomware attackers demand payment in cryptocurrency, such as Bitcoin, because it offers a degree of anonymity. Some North Korean (DPRK) cyber actors have been known to use cryptocurrency to demand ransoms. Healthcare organizations should be aware of this and consider how they would respond to a ransom demand involving cryptocurrency.

Key Takeaways and Future Outlook

The threat of human-operated ransomware to the healthcare sector is significant and growing. Healthcare organizations must take proactive steps to protect their networks, data, and patients. By implementing strong security measures, educating employees, and developing comprehensive incident response plans, healthcare organizations can reduce their risk of falling victim to these devastating attacks.

Sources have told BleepingComputer that Rhysida is behind a recent cyberattack on Prospect Medical Holdings, which still experiences a system-wide outage impacting 17 hospitals and 166 clinics.

The effects of just two major ransomware attacks this year - one against the hospital system Ascension and the other against a payment processor, Change Healthcare - are hard to quantify. But tens...

Looking Ahead

The ransomware landscape is constantly evolving, with new threats and tactics emerging regularly. Healthcare organizations must stay informed about the latest threats and adapt their security measures accordingly. Collaboration and information sharing between healthcare organizations, cybersecurity vendors, and government agencies are crucial for staying ahead of the attackers. As ransomware operators increasingly exploit vulnerabilities in less common software, healthcare systems must broaden their detection methods and threat mitigation strategies to encompass this new attack vector.

Broadening the scope beyond healthcare, among its customer base, Microsoft also reported a 2.75x increase in YoY human-operated ransomware-linked encounters, which was defined by having at least one device targeted within a network.

The digital transformation of healthcare presents both opportunities and challenges. While technology can improve patient care and efficiency, it also creates new vulnerabilities that cybercriminals can exploit. By prioritizing cybersecurity and investing in robust security measures, healthcare organizations can harness the benefits of technology while protecting themselves and their patients from the growing threat of ransomware.

RDP Exposure Measured by Shodan (Matherly, J, 2025). In addition, by performing a Shodan search using the search string port: '3389', it is evident that there are currently over 4,493,357 exposed...

Frequently Asked Questions (FAQ)

What is human-operated ransomware?

Human-operated ransomware is a type of cyberattack where attackers actively infiltrate a victim's network, explore the environment, identify valuable data, and strategically deploy ransomware for maximum impact. It's more targeted and sophisticated than automated ransomware attacks.

Royal is a human-operated ransomware that was first observed in 2025 and has increased in appearance. It has demanded ransoms up to millions of dollars. Since its appearance, HC3 is aware of attacks against the Healthcare and Public Healthcare (HPH) sector. Due to the historical nature of ransomware victimizing...

Why is the healthcare sector a prime target for ransomware?

The healthcare sector is attractive to cybercriminals because it stores vast amounts of sensitive patient data, provides critical services, and often has complex IT environments with limited resources for cybersecurity.

What are some of the emerging ransomware threats targeting healthcare?

Emerging threats include Rhysida, Trinity, and INC ransomware, as well as groups like Vanilla Tempest. These groups are constantly evolving their tactics and techniques to evade detection and maximize their impact.

What can healthcare organizations do to protect themselves from ransomware attacks?

Healthcare organizations should implement proactive security measures such as regular data backups, prompt patching of software vulnerabilities, strong access controls, network segmentation, and employee training and awareness programs. A comprehensive incident response plan is also essential.

What is the role of cryptocurrency in ransomware attacks?

Many ransomware attackers demand payment in cryptocurrency because it offers a degree of anonymity. Healthcare organizations should be prepared to address ransom demands involving cryptocurrency.

By staying vigilant, investing in robust cybersecurity measures, and fostering collaboration, the healthcare sector can strengthen its defenses against the ever-evolving threat of human-operated ransomware and protect the critical services it provides to communities worldwide. Prioritize cybersecurity – your patients are counting on it.

Elizabeth Stark can be reached at [email protected].
