Ransomware Activity in Healthcare: Trends and Threats in 2025
From January 1 to May 15, 2025, 3,194 ransomware and data extortion incidents were documented globally. Of these, 194 targeted the healthcare sector, reflecting the continued and growing focus of cybercriminal groups on this critical industry.
Healthcare organizations remain particularly susceptible because of the combination of complex IT environments, regulatory constraints, and the high cost of any interruption to operations. Threat actors know that operational downtime, with its direct impact on patient care, creates leverage for ransom payments, which makes the sector a frequent target for groups seeking both financial gain and strategic disruption.
Key Threat Actors Targeting Healthcare
Three ransomware groups have been the most active within the healthcare sector during this period:
- Qilin – 24 incidents
- IncRansom – 21 incidents
- Ransomhub – 18 incidents
These three groups together account for 63 of the 194 healthcare incidents, roughly one-third of all ransomware and data extortion attacks in the sector during this period.
Of the three, Qilin currently leads in overall ransomware activity across all sectors, with 204 incidents attributed to it in 2025 alone. Its 24 attacks on healthcare organizations also make it the most prominent threat group in this sector so far this year, roughly one successful healthcare attack every 5.5 days over the 135-day window.
Notably, there is growing evidence that Qilin has been operating in coordination with Moonstone Sleet, a threat group linked to North Korea. This collaboration is believed to have begun in February 2025 and is a further concern given the intersection of cybercrime and state-aligned operations.
Vulnerabilities Exploited
The groups targeting healthcare organizations are not relying solely on phishing or opportunistic entry points. They are actively exploiting known vulnerabilities, including:
- CVE-2023-4966 (CitrixBleed) – A memory disclosure flaw in Citrix NetScaler ADC and Gateway that leaks session tokens, letting an attacker hijack authenticated sessions and bypass MFA.
- CVE-2023-27532 – A flaw in Veeam Backup & Replication that lets an unauthenticated attacker retrieve the encrypted credentials stored in its configuration database.
- CVE-2025-31161 – An authentication bypass in CrushFTP that gives unauthenticated access to the file transfer server.
- CVE-2025-31324 – A missing authorization check in SAP NetWeaver Visual Composer that permits unauthenticated file uploads and, in practice, webshell deployment and remote code execution.
These vulnerabilities are used to gain initial access; once inside, the actors move laterally and escalate privileges before exfiltrating data and deploying the ransomware payload.
Additionally, an exploit chain against SimpleHelp RMM has been in active use since January 2025, combining:
- CVE-2024-57726 – A missing authorization check that lets a low-privileged technician account create API keys with elevated (administrative) permissions.
- CVE-2024-57727 – A path traversal flaw that allows unauthenticated download of arbitrary files from the server, including configuration files containing credential material.
- CVE-2024-57728 – An arbitrary file upload by an administrative user that results in remote code execution on the SimpleHelp server.
Chained (download credentials, log in, escalate, upload and execute), these flaws give threat actors a reliable path to code execution and persistence on the RMM server, from which every managed endpoint is reachable through tooling that defenders already trust, so the activity draws little attention.
Operational Tactics and Infrastructure
While technical analysis of Qilin's toolset is ongoing, available evidence indicates a mix of custom malware and living-off-the-land binaries (LOLBins) used to evade detection and limit forensic visibility. Data is exfiltrated before encryption, consistent with the broader shift toward double extortion.
Infrastructure supporting these operations includes anonymized hosting, the use of virtual private servers in offshore jurisdictions, and obfuscation techniques such as domain shadowing and fast-flux DNS configurations.
For MITRE IDs, see the TTPs section at the end of this report.
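To make the TTP mapping actionable, the following is an added example written for this page (it is not Qilin's tooling or any vendor's detection content): rule logic run over constructed Sysmon-style process-creation events that flags the LOLBin patterns corresponding to several ATT&CK IDs in the TTP table (LSASS dumping through comsvcs.dll, rundll32 loading a DLL from a user-writable directory, scheduled-task creation, event log clearing, audit policy clearing, and safe-mode boot configuration). The field names (Image, CommandLine, User) follow Sysmon Event ID 1; the events themselves are constructed and the rule set is an assumption about what is worth alerting on.

```python
import json
import re

# Detection rules keyed to ATT&CK IDs from the TTP table. Each regex runs
# over "<Image> <CommandLine>" of a process-creation event. They cover
# living-off-the-land binaries only; custom malware needs other telemetry.
RULES = [
    ("T1003.001", "LSASS memory dump via comsvcs.dll MiniDump",
     re.compile(r"rundll32\.exe.*comsvcs\.dll.*minidump", re.I)),
    ("T1218.011", "rundll32 executing a DLL from a user-writable path",
     re.compile(r"rundll32\.exe.*\\(?:users|programdata|temp|public)\\[^ ]*\.dll", re.I)),
    ("T1053.005", "scheduled task creation",
     re.compile(r"schtasks\.exe.*\s/create\b", re.I)),
    ("T1070.001", "Windows event log cleared",
     re.compile(r"wevtutil\.exe.*\s(?:cl|clear-log)\b|clear-eventlog", re.I)),
    ("T1562.002", "audit policy cleared",
     re.compile(r"auditpol\.exe.*\s/clear\b", re.I)),
    ("T1562.009", "safe mode boot configured via bcdedit",
     re.compile(r"bcdedit\.exe.*\bsafeboot\b", re.I)),
]

# Constructed sample telemetry (Sysmon Event ID 1 fields as JSON lines);
# these are not real events from any incident.
EVENTS = r"""
{"UtcTime":"2025-05-10 08:20:01","Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\ProgramData\\ls.dmp full","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"NT AUTHORITY\\SYSTEM"}
{"UtcTime":"2025-05-10 08:21:14","Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe C:\\Users\\Public\\Libraries\\upd.dll,Start","ParentImage":"C:\\Windows\\explorer.exe","User":"HOSP\\jdoe"}
{"UtcTime":"2025-05-10 08:22:40","Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks.exe /create /tn WinUpdate /tr C:\\ProgramData\\svc.exe /sc onlogon /ru SYSTEM","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"HOSP\\jdoe"}
{"UtcTime":"2025-05-10 08:30:05","Image":"C:\\Windows\\System32\\wevtutil.exe","CommandLine":"wevtutil.exe cl Security","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"NT AUTHORITY\\SYSTEM"}
{"UtcTime":"2025-05-10 08:31:22","Image":"C:\\Windows\\System32\\bcdedit.exe","CommandLine":"bcdedit.exe /set {default} safeboot network","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"NT AUTHORITY\\SYSTEM"}
{"UtcTime":"2025-05-10 08:32:00","Image":"C:\\Windows\\System32\\svchost.exe","CommandLine":"svchost.exe -k netsvcs -p","ParentImage":"C:\\Windows\\System32\\services.exe","User":"NT AUTHORITY\\SYSTEM"}
{"UtcTime":"2025-05-10 08:33:10","Image":"C:\\Windows\\System32\\rundll32.exe","CommandLine":"rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL","ParentImage":"C:\\Windows\\explorer.exe","User":"HOSP\\jdoe"}
{"UtcTime":"2025-05-10 08:35:45","Image":"C:\\Windows\\System32\\auditpol.exe","CommandLine":"auditpol.exe /clear /y","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"NT AUTHORITY\\SYSTEM"}
"""


def detect(jsonl):
    """Return (event_no, attack_id, rule_name, user) for every rule hit."""
    findings = []
    for idx, line in enumerate(jsonl.strip().splitlines(), 1):
        ev = json.loads(line)
        # Match on image path plus command line so renamed copies of a
        # binary still trip the rule when the original name is in the args.
        text = f"{ev.get('Image', '')} {ev.get('CommandLine', '')}"
        for attack_id, name, rx in RULES:
            if rx.search(text):
                findings.append((idx, attack_id, name, ev.get("User", "?")))
    return findings


if __name__ == "__main__":
    for ev_no, attack_id, name, user in detect(EVENTS):
        print(f"event {ev_no}: {attack_id} {name} (user={user})")
```

The two rundll32 rules are deliberately separate: the comsvcs.dll MiniDump case is an LSASS dump even though the DLL lives under System32, while the user-writable-path rule catches the generic proxy-execution pattern; the benign shell32.dll invocation and the svchost event fall through both. In production these rules need an exclusion list for legitimate administration (software deployment tools create scheduled tasks, for example), and they only work where command-line logging is enabled (Sysmon, or Security event 4688 with process command line auditing).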
Implications for Healthcare Organizations
The data from the first five months of 2025 underscores the continued need for proactive cybersecurity measures in the healthcare industry. Immediate priorities should include:
- Prioritizing patching of publicly known, actively exploited vulnerabilities, starting with internet-facing systems of the kinds listed above (remote access gateways, file transfer servers, backup servers, ERP and RMM platforms).
- Implementing robust access controls (MFA, least privilege, and network restriction of management interfaces), particularly for third-party tools and RMM platforms.
- Regular security assessments, including penetration testing and incident response simulations.
Healthcare remains a high-value target due to the critical nature of its services and the sensitivity of its data. The threat landscape is evolving, and maintaining resilience requires continuous adaptation of both technical defenses and organizational readiness.
Indicators of Compromise
IP Addresses
109.107.173.60
186.2.163.10
109.70.100.1
92.119.159.30
128.127.180.156
180.131.145.73
184.174.96.74
184.174.96.70
5.101.179.214
SHA256
e06cdab4eab5c570266a6ccdf4667e2f4087491c764d907b07c6869b6414199e
0e2aca92bb5ac8b1cd9635be395dc6c65f13f732dc5f0f90d6fe1a8f67542bfe
144c30c39ba1589a1a9478e40e23d68dacc1ae6794198058de0c403d8a1ddf5a
b3d6983fc1ad3abc74cc47fed2ba5d07a2788a214eb6d3f5b10ff98483846d4a
41f9079162752634318f638cdf354eb6aebcc3fe5b589a4f35a12a295f9d6eb5
ef40057c0a5784ed71b745826c84c2a4d52bf9f50cc6ca4b723716a0be4ce521
Domains
account.microsoftonline.com.ms
auth-securelink.help
cloud.screenconnect.*
cloud.screenconnect.cl
cloud.screenconnect.is
cloud.screenconnect.com.*
cloud.screenconnect.com.ms
cloud.screenconnect.com.bo
cloud.screenconnect.com.cm
cloud.screenconnect.com.am
cloud.screenconnect.com.ly
cloud.screenconnect.com.mx
cloud.screenconnect.eu
*.designstore.ru
70bf4d17-5688-437f-b4a0-362ca5098476.designstore.ru
map.designstore.ru
sitemap.designstore.ru
lisikh.designstore.ru
cureimap.designstore.ru
forums.designstore.ru
sci-hub.red
2024.sci-hub.red
account.microsoftonline.com.*
account.microsoftonline.com.ec
top.toppam.top
toppam.top
mail.darteks.eu
darteks.eu
s2fb61de7.fastvps-server.com
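As an added example, not part of the original report, the following Python script matches the IOCs above against log lines. The point worth seeing is how the published wildcard forms have to be interpreted: "cloud.screenconnect.*" covers any suffix after the stem and therefore also matches the vendor's legitimate cloud.screenconnect.com, so an allowlist of known-good zones is needed before these indicators can be used for blocking. The allowlist contents, the log format and the sample lines (DNS, firewall and EDR) are constructed assumptions; the indicator values are copied from the lists above.

```python
import ipaddress
import re

# Indicators copied from the report's IOC lists above. The wildcard forms are
# kept as published: "name.*" means any suffix after name, "*.zone" means any
# host under zone. Plain domains are treated as zones (subdomains included).
IOC_IPS = {
    "109.107.173.60", "186.2.163.10", "109.70.100.1", "92.119.159.30",
    "128.127.180.156", "180.131.145.73", "184.174.96.74", "184.174.96.70",
    "5.101.179.214",
}
IOC_SHA256 = {
    "e06cdab4eab5c570266a6ccdf4667e2f4087491c764d907b07c6869b6414199e",
    "0e2aca92bb5ac8b1cd9635be395dc6c65f13f732dc5f0f90d6fe1a8f67542bfe",
    "144c30c39ba1589a1a9478e40e23d68dacc1ae6794198058de0c403d8a1ddf5a",
    "b3d6983fc1ad3abc74cc47fed2ba5d07a2788a214eb6d3f5b10ff98483846d4a",
    "41f9079162752634318f638cdf354eb6aebcc3fe5b589a4f35a12a295f9d6eb5",
    "ef40057c0a5784ed71b745826c84c2a4d52bf9f50cc6ca4b723716a0be4ce521",
}
IOC_DOMAINS = [
    "account.microsoftonline.com.*", "auth-securelink.help",
    "cloud.screenconnect.*", "cloud.screenconnect.eu", "*.designstore.ru",
    "sci-hub.red", "toppam.top", "darteks.eu", "s2fb61de7.fastvps-server.com",
]
# ASSUMPTION (not from the report): legitimate zones that the published
# wildcards would otherwise hit, e.g. cloud.screenconnect.* also covers the
# vendor's real cloud.screenconnect.com. Adjust to what your environment uses.
ALLOWLIST = {"screenconnect.com", "microsoftonline.com"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def _in_zone(host, zone):
    return host == zone or host.endswith("." + zone)


def domain_matches(host, pattern):
    """True if host is covered by one published domain indicator."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return _in_zone(host, pattern[2:])
    if pattern.endswith(".*"):
        stem = pattern[:-2]
        return host.startswith(stem + ".") and len(host) > len(stem) + 1
    return _in_zone(host, pattern)


def match_domain(host):
    """Return the matching indicator, or None if clean or allowlisted."""
    host = host.lower().rstrip(".")
    if any(_in_zone(host, z) for z in ALLOWLIST):
        return None
    return next((p for p in IOC_DOMAINS if domain_matches(host, p)), None)


def match_ip(token):
    try:
        return token if str(ipaddress.ip_address(token)) in IOC_IPS else None
    except ValueError:  # not a valid address (e.g. 999.1.1.1)
        return None


def scan(log_text):
    """Return (line_no, kind, observed_value, indicator) for every IOC hit."""
    hits = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        for tok in IP_RE.findall(line):
            if match_ip(tok):
                hits.append((n, "ip", tok, tok))
        for tok in SHA256_RE.findall(line):
            if tok.lower() in IOC_SHA256:
                hits.append((n, "sha256", tok.lower(), tok.lower()))
        for tok in HOST_RE.findall(line):
            ind = match_domain(tok)
            if ind:
                hits.append((n, "domain", tok.lower(), ind))
    return hits


# Constructed sample lines (DNS, firewall and EDR), not from any real incident.
SAMPLE_LOG = """
2025-05-10T08:14:02Z dns client=10.20.1.44 query=cloud.screenconnect.com.ms type=A
2025-05-10T08:14:05Z dns client=10.20.1.44 query=cloud.screenconnect.com type=A
2025-05-10T08:15:11Z fw action=allow src=10.20.1.44 dst=109.107.173.60 dport=443
2025-05-10T08:16:30Z edr host=WS-RAD-07 file=C:\\Users\\Public\\svc.exe sha256=e06cdab4eab5c570266a6ccdf4667e2f4087491c764d907b07c6869b6414199e
2025-05-10T08:17:02Z dns client=10.20.1.51 query=forums.designstore.ru type=A
2025-05-10T08:18:40Z dns client=10.20.1.51 query=login.microsoftonline.com type=A
2025-05-10T08:19:13Z fw action=allow src=10.20.1.51 dst=8.8.8.8 dport=53
"""

if __name__ == "__main__":
    for n, kind, value, indicator in scan(SAMPLE_LOG):
        print(f"line {n}: {kind} {value} matches IOC {indicator}")
```

On the sample, the lookalike cloud.screenconnect.com.ms, the C2 address, the hash and the designstore.ru subdomain are reported, while the genuine cloud.screenconnect.com and login.microsoftonline.com lookups are suppressed by the allowlist. Without that allowlist the second line would be a hit, which is exactly the kind of false positive that gets a hastily deployed blocklist rolled back; confirm what your own users legitimately reach before turning these domains into firewall or DNS-sinkhole rules.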
TTPs
| Kill Chain Stage | MITRE ID | Name |
|---|---|---|
| Initial Access | T1566 | Phishing |
| | T1190 | Exploit Public-Facing Application |
| | T1133 | External Remote Services |
| | T1078 | Valid Accounts |
| | T1078.002 | Valid Accounts: Domain Accounts |
| Execution | T1204.001 | User Execution: Malicious Link |
| | T1053.005 | Scheduled Task/Job: Scheduled Task |
| | T1059 | Command and Scripting Interpreter |
| | T1218.011 | System Binary Proxy Execution: Rundll32 |
| | T1480 | Execution Guardrails |
| Persistence | T1037 | Boot or Logon Initialization Scripts |
| | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| | T1548 | Abuse Elevation Control Mechanism |
| | T1134 | Access Token Manipulation |
| | T1055 | Process Injection |
| | T1055.001 | Process Injection: Dynamic-link Library Injection |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| | T1014 | Rootkit |
| | T1070.001 | Indicator Removal: Clear Windows Event Logs |
| | T1070.004 | Indicator Removal: File Deletion |
| | T1112 | Modify Registry |
| | T1211 | Exploitation for Defense Evasion |
| | T1484.001 | Domain Policy Modification: Group Policy Modification |
| | T1562.004 | Impair Defenses: Disable or Modify System Firewall |
| | T1562.002 | Impair Defenses: Disable Windows Event Logging |
| | T1562.009 | Impair Defenses: Safe Mode Boot |
| | T1574.010 | Hijack Execution Flow: Services File Permissions Weakness |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory |
| | T1552.001 | Unsecured Credentials: Credentials In Files |
| | T1552.006 | Unsecured Credentials: Group Policy Preferences |
| Discovery | T1010 | Application Window Discovery |
| | T1012 | Query Registry |
| | T1018 | Remote System Discovery |
| | T1046 | Network Service Discovery |
| | T1082 | System Information Discovery |
| | T1087.002 | Account Discovery: Domain Account |
| | T1614.001 | System Location Discovery: System Language Discovery |
| Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol |
| | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| | T1021.004 | Remote Services: SSH |