The PolySwarm Blog


Recent Ransomware Threats to the Healthcare Vertical

Sep 8, 2025 1:12:36 PM / by The Hivemind

Tags: Recent Ransomware, 2025
Verticals Targeted: Healthcare
Regions Targeted: US, Europe, Worldwide
Related Families: Multiple

Executive Summary

The healthcare sector in 2025 has endured a persistent wave of ransomware attacks, with threat actors exploiting vulnerabilities to disrupt critical operations and exfiltrate sensitive patient data, underscoring the need for robust defenses against evolving cyber threats.

Key Takeaways

  • There has been a surge in ransomware attacks on the healthcare vertical in 2025, with over 50 confirmed incidents on US healthcare providers, compromising more than 3.2 million patient records.
  • Prominent ransomware groups have been observed targeting hospitals, leading to operational outages and data theft.
  • Attacks can result in real-world harm, such as procedure cancellations, ambulance diversions, and in extreme cases, contributing to patient deaths.

Background

Throughout 2025, ransomware operators have intensified their focus on the healthcare vertical, capitalizing on the sector's high-value data and time-sensitive operations to maximize disruption and extortion payouts. In the first half of the year, US healthcare entities reported over 50 confirmed ransomware incidents, exposing more than 3.2 million patient records to risks of identity theft and fraud. Ransomware actors have deployed sophisticated tactics, often involving initial access via phishing or unpatched vulnerabilities, followed by data encryption and exfiltration.  

Notable attacks in early 2025 included Frederick Health in January, where ransomware affected over 934,000 individuals and forced ambulance diversions. May saw multiple breaches, such as Ocuco Inc., which was attacked by Killsec, with 241,000 patients affected, and the Neurological Institute of Savannah, which was targeted by RansomHub, with 33,000 patients affected. These attacks involved unauthorized data access. June incidents included McLaren Health Care, targeted by INC, with 743,000 patients affected, and Kettering Health, targeted by INTERLOCK, causing system outages and procedure cancellations. Episource suffered a massive breach impacting 5.4 million patients with stolen medical data.

July continued the trend with Gastroenterology Consultants of South Texas, targeted by INTERLOCK, with 45,000 patients affected, while August's attack on DaVita, also attributed to INTERLOCK, compromised 2.7 million records. Information in these records included Social Security numbers, medical histories, and check images, and the incident incurred $13.5 million USD in costs.

The ransomware used in these attacks is often written in cross-platform languages like Golang for broader reach. Reports on these incidents rarely cite exploited CVEs and instead emphasize reliance on social engineering and supply chain weaknesses. The consequences extend beyond data loss, with disruptions leading to delayed care and, in one UK case, contributing to a patient's death.

Ransomware Families

The following ransomware families tracked by PolySwarm have been observed targeting the healthcare vertical in recent months. 


INC

First observed in January 2025, INC Ransomware operates as a RaaS. It targets both Windows and Linux systems. Its attack chain starts with phishing or unpatched vulnerabilities, followed by Cobalt Strike for persistence, Mimikatz for credential dumping, and Rclone for data exfiltration. Encryption appends random extensions, with double-extortion demands to be paid in Bitcoin. In 2025, INC targeted US healthcare sector entities, hitting McLaren Health Care, with 743,000 patient records affected, and Kettering Health in June, causing outages and procedure delays. Over 30 healthcare attacks were attributed to INC in the first half of 2025.

RansomHouse

RansomHouse, first observed in 2021, is written in Golang. It targets Windows and Linux. It began with a data-only extortion model, evolving to encryption in 2025. It uses Log4Shell or initial access brokers (IABs) for access, Cobalt Strike for persistence, and Rclone for exfiltration. Encryption adds the .RH extension to encrypted files, and the threat actors demand a ransom to be paid in Bitcoin. In 2025, RansomHouse hit at least five healthcare entities, including a US hospital chain in March and a European clinic in May.

Qilin

First seen in July 2022, Qilin is written in Golang and Rust. It targets Windows and Linux systems and obtains access via phishing or by exploiting CVE-2023-27532. It uses Cobalt Strike, Mimikatz, and Rclone in its attack chain, with ChaCha20/RSA encryption, appending .qilin extensions to encrypted files. In 2025, Qilin hit 25 healthcare targets, including Japan’s Utsunomiya Central Clinic and Lake Washington Vascular, demanding up to $5 million USD in ransom and causing delays. Additionally, patient records were leaked.  


Akira

Akira, first seen in March 2023, is written in C++ and Rust. It targets Windows, Linux, and ESXi. Akira exploits CVE-2023-20269. It uses ChaCha20/RSA for encryption and appends .akira extensions to encrypted files. In 2025, it hit 70 healthcare targets, including Tietoevry in Sweden and Prospect Medical Holdings, disrupting 16 hospitals and demanding $4 million USD. The threat actors leaked millions of patient records.


Embargo

Emerging in April 2024, Embargo is a BlackCat rebrand. It is written in Rust and targets Windows, Linux, and ESXi. Its attack chain uses phishing, Brute Ratel, and Mimikatz. Stolen files are exfiltrated to cloud storage, and the .embargo extension is appended to encrypted files. In 2025, it targeted the US-based Memorial Hospital and Weiser Memorial Hospital, demanding $1.3 million USD. The attacks caused outages, and the threat actors leaked patient data.

INTERLOCK

INTERLOCK, first observed in September 2024, evolved from Chaya_002. It is written in Golang and PHP/JavaScript and targets Windows and Linux. It uses drive-by downloads to deliver RATs, with AzCopy used for exfiltration. It appends the .INTERLOCK extension to encrypted files. In 2025, it hit at least 14 healthcare entities, including DaVita and Texas Tech HSC.

BrainCipher

BrainCipher, a LockBit 3.0 variant first seen in June 2024, is written in Golang. It targets Windows and Linux. It exploits CVE-2023-28252. BrainCipher appends encrypted files with the .braincipher extension. In 2025, it hit Delta County Memorial Hospital and River Region Cardiology, causing disruptions.


Rhysida

First observed in May 2023, Rhysida is written in C++. It targets Windows and Linux, exploiting CVE-2024-37085. It employs ChaCha20/RSA encryption and appends encrypted files with the .rhysida extension. In 2025, it targeted King Edward VII’s Hospital (UK) and Prospect Medical Holdings.


RansomHub

RansomHub, a Knight rebrand from February 2024, targets Windows, Linux, macOS, and ESXi. In 2025, it targeted at least 13 healthcare vertical entities, including Change Healthcare. In this attack, 100 million records were stolen.


Warlock

Warlock ransomware emerged in June 2025 as a ransomware-as-a-service (RaaS) advertised on a Russian cybercrime forum and quickly evolved into a notable threat. It is tied to the China-based actor tracked as Storm-2603. The threat actors rely on Microsoft SharePoint zero-day vulnerabilities for initial access, deploy web shells for persistence, steal credentials, move laterally, and use double-extortion tactics involving data exfiltration and limited encryption to coerce payments. According to their leak site, Warlock ransomware targeted at least two healthcare sector entities in August 2025.
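A defender-side check built from the file extensions named in the family descriptions above (an added example, not PolySwarm's code): it maps a path's extension to a family and flags any directory where several such renames land within a short window, which is the mass-encryption pattern a file-server audit log or EDR would show. The event shape, window and threshold are assumptions, and the event list is constructed.

```python
import os
from collections import defaultdict

# Extensions taken from the family descriptions above. INC appends random
# extensions, so it cannot be matched this way and needs a rate heuristic.
EXTENSION_TO_FAMILY = {
    ".rh": "RansomHouse", ".qilin": "Qilin", ".akira": "Akira",
    ".embargo": "Embargo", ".interlock": "INTERLOCK",
    ".braincipher": "BrainCipher", ".rhysida": "Rhysida",
}

def classify_path(path):
    """Family whose extension `path` carries, else None. Case-insensitive,
    since the bulletin writes .RH and .INTERLOCK in upper case."""
    return EXTENSION_TO_FAMILY.get(os.path.splitext(path)[1].lower())

def detect_bursts(events, window=60, threshold=3):
    """Return sorted (directory, family, count) for every directory where at
    least `threshold` matching file events fall inside `window` seconds.
    events: (unix_seconds, path) pairs, the assumed shape of rename/create
    records from EDR or file-server audit logs (not a real product schema)."""
    buckets = defaultdict(list)  # (directory, family) -> timestamps
    for ts, path in events:
        family = classify_path(path)
        if family:
            buckets[(os.path.dirname(path), family)].append(ts)
    alerts = []
    for (directory, family), times in buckets.items():
        times.sort()
        best, lo = 0, 0
        for hi in range(len(times)):  # sliding window over sorted times
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            alerts.append((directory, family, best))
    return sorted(alerts)


# Constructed sample telemetry, not real data: three INTERLOCK renames in
# ten seconds on one share, plus two Qilin renames hours apart.
SAMPLE_EVENTS = [
    (1000, "/srv/records/p001.pdf.INTERLOCK"),
    (1005, "/srv/records/p002.pdf.INTERLOCK"),
    (1009, "/srv/records/p003.pdf.interlock"),
    (1012, "/srv/records/notes.docx"),
    (1100, "/srv/imaging/s01.dcm.qilin"),
    (9000, "/srv/imaging/s02.dcm.qilin"),
]
```

With the defaults, `detect_bursts(SAMPLE_EVENTS)` reports only the /srv/records INTERLOCK burst; the two Qilin renames hours apart fall below the threshold and would need a longer window or a lower threshold to surface.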

IOCs

PolySwarm has multiple samples of these ransomware families.


You can use the following CLI command to search for all samples of a specific malware family in our portal:

$ polyswarm link list -f FamilyName
