Insights into the Current Healthcare Threat Landscape
Two recent reports provide insights into the current threat landscape and the evolving tactics, techniques, and procedures of the growing number of ransomware groups and other threat actors targeting healthcare and other critical infrastructure entities in the United States.
According to the Information Technology – Information Sharing and Analysis Center (IT-ISAC), 57% of ransomware attacks tracked by IT-ISAC in 2024 were conducted on entities in the United States, with the UK the next most targeted country, accounting for just 4.6% of attacks. The IT-ISAC report – Exploring the Depths: Analysis of the 2024 Ransomware Landscape and Insights for 2025 – is based on threat intelligence gathered from approximately 3,500 ransomware attacks in 2024, a significant increase from the 3,000 ransomware attacks identified in 2023. The increase reflects both an improved ability to track ransomware attacks and a higher volume of attacks by threat actors, the latter partly a response to the growing reluctance of victims to pay ransom demands. A report by Chainalysis earlier this month shows a 35% reduction in ransom payments compared to 2023, despite an increase in attacks.
The healthcare and public health sector was the third most targeted sector with 332 confirmed attacks, accounting for 9% of attacks in 2024 behind the commercial facilities sector (614 attacks/17%) and the critical manufacturing sector (733 attacks/20%). LockBit was once the most prolific ransomware-as-a-service group; however, an international law enforcement operation resulted in the seizure of its infrastructure in early 2024. LockBit rebuilt its infrastructure and remains active but is now conducting attacks at a reduced rate. RansomHub is now the most prevalent ransomware strain and was involved in 319 attacks in 2024, followed by LockBit 3.0 (276 attacks), Akira (268 attacks), Play (213 attacks), and Hunters International (148 attacks).
IT-ISAC warns of the threat of AI integration into ransomware, citing the recently identified FunkSec ransomware group. Emerging in December 2024, the group has built its ransomware using AI tools, which have helped it evade security solutions. The malware is capable of self-modifying its behavioral patterns and changing tactics in real time by analyzing the target’s security posture, allowing it to bypass conventional gatekeeping such as antivirus software and firewalls. Despite emerging only at the end of 2024, the group attacked 54 companies, and attack volume could well increase in 2025.
The report reveals the diverse tactics used by ransomware gangs for initial access to victims’ networks, including the exploitation of known and zero-day vulnerabilities, RDP compromise, social engineering, and remote access trojans, and the difficulty organizations have defending against multiple attack vectors and a sprawling attack surface. “As cybercriminals continue to evolve their methods, it is crucial for organizations to adopt a proactive, multi-layered defense strategy to keep their systems secure,” said Scott Algeier, Executive Director of the IT-ISAC. “These groups are leveraging advanced tactics and exploiting unknown vulnerabilities to maximize their impact. The IT-ISAC remains committed to providing actionable threat intelligence to help our members stay ahead of emerging threats and improve their cybersecurity resilience.”
Huntress Highlights Growing Fragmentation of Ransomware Landscape
The 2025 Cyber Threat Report from Huntress draws attention to an increasingly fragmented ransomware ecosystem following the law enforcement actions against Hive, Dharma/Crysis, Phobos, and LockBit, and the disbanding of the ALPHV/BlackCat ransomware group. The result has been a proliferation of smaller, more agile affiliate networks including RansomHub and INC Ransom. Affiliates have been attracted to these smaller groups with promises of a bigger share of ransom payments.
While ransomware continues to pose a significant threat to businesses, it accounts for only around 9.5% of threats overall. Infostealers (24%), malicious scripts (22%), malware (17%), and remote access trojans (13%) are all more common, and RATs in particular are proliferating. RATs were involved in more than three-quarters of remote access incidents, and Huntress identified increased exploitation of remote monitoring and management (RMM) tools such as ConnectWise ScreenConnect, TeamViewer, and LogMeIn to gain access, move laterally, and maintain persistence. Phishing has also increased in sophistication and is still one of the primary methods for initial access and reconnaissance, fueled by malicious frameworks that allow threat actors to conduct attacks with minimal effort.
Across all attack methods, education was the most targeted sector, accounting for 21% of incidents, closely followed by healthcare (17%). The Huntress researchers explained that healthcare is particularly vulnerable to script-based attacks and the exploitation of vulnerabilities in legacy systems. Most of the malicious scripts identified and blocked by Huntress appear to be related to infostealers such as Gootloader, with PowerShell components abused for obfuscation and anti-analysis. The scripts often queried the Windows Registry to gather data for exfiltration and to establish persistence, and the second stage of the attacks often involved downloading further malware payloads such as RATs.
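As an added illustration (not code from either report or from Huntress), the following Python triage sketch applies the two patterns described above to constructed process-creation events: an RMM agent that is not on an assumed approved inventory, and PowerShell launches that query the Registry or carry obfuscation flags. The sample events, the approved list, and the regular expressions are all assumptions for the example.

```python
import re

# Constructed sample process-creation events (not real telemetry):
# each tuple is (host, parent_image, image, command_line).
EVENTS = [
    ("ws-01", "explorer.exe", "ScreenConnect.ClientService.exe", "ScreenConnect.ClientService.exe"),
    ("ws-02", "outlook.exe", "TeamViewer.exe", "TeamViewer.exe"),
    ("ws-03", "wscript.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("ws-04", "cmd.exe", "powershell.exe",
     'powershell.exe Get-ItemProperty "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"'),
    ("ws-05", "services.exe", "powershell.exe",
     "powershell.exe -File C:\\ops\\inventory.ps1"),
]

# Hypothetical inventory of RMM agents sanctioned on this fleet; anything
# else from the RMM family named in the report is worth a look.
APPROVED_RMM = {"ScreenConnect.ClientService.exe"}
RMM_IMAGES = {"ScreenConnect.ClientService.exe", "TeamViewer.exe", "LogMeIn.exe"}

# Assumed patterns: registry reads, common obfuscation switches, and the Run key
# used for persistence.
REG_QUERY = re.compile(r"(reg(\.exe)?\s+query|Get-ItemProperty|HKCU:|HKLM:|HKEY_)", re.I)
OBFUSCATION = re.compile(r"(-e(nc|ncodedcommand)?\b|-w\s+hidden|-nop\b)", re.I)
PERSIST_KEYS = re.compile(r"CurrentVersion\\Run", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

def triage(events):
    """Return (host, reason) findings for the RMM and PowerShell patterns above."""
    findings = []
    for host, parent, image, cmd in events:
        if image in RMM_IMAGES and image not in APPROVED_RMM:
            findings.append((host, f"unsanctioned RMM agent: {image}"))
        if image.lower() == "powershell.exe":
            reasons = []
            if OBFUSCATION.search(cmd):
                reasons.append("obfuscation flags")
            if REG_QUERY.search(cmd):
                reasons.append("registry query")
            if PERSIST_KEYS.search(cmd):
                reasons.append("Run-key access")
            if parent.lower() in SCRIPT_HOSTS:
                reasons.append(f"script-host parent {parent}")
            if reasons:
                findings.append((host, "powershell: " + ", ".join(reasons)))
    return findings

if __name__ == "__main__":
    for host, reason in triage(EVENTS):
        print(host, reason)
```

The benign inventory script on ws-05 produces no finding, which is the point of combining several weak signals rather than alerting on every PowerShell launch.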
Huntress notes that there is a trend across all industry sectors of threat actors abandoning file encryption to concentrate on data theft and extortion, with ransomware groups targeting healthcare organizations also slowly moving away from file encryption as they adopt a high-speed, high-volume business model. The researchers also note a narrowing of the gap between the sophistication of attacks on large organizations and attacks on small to medium-sized businesses, with the standardization of attack methods across businesses of all sizes improving efficiency.
“Looking ahead, we anticipate certain trends escalating: ransomware operators are likely to refine their extortion strategies, and many will look to changing their extortion methodologies to those that prioritize data theft over encryption, while exploitation involving LOLBins, credential stealers, and deploying RATs to maintain control will remain staples in attackers’ arsenals,” explained Huntress. “The rise in phishing sophistication, including the use of QR codes, image-based content, and impersonation of trusted brands, means that greater vigilance and security awareness training are crucial.”