
The Ransomware Groups Targeting Healthcare Organizations

Research recently published by Black Kite has confirmed that ransomware groups are disproportionately targeting the healthcare sector, with some ransomware-as-a-service groups having a strong healthcare focus. The groups with the biggest healthcare focus were Everest, which conducted 25% of its attacks on healthcare organizations, followed by INC Ransom (21.7%), Monti (20.8%), Rhysida (18.5%), BianLian (15%), Qilin (14%), and Black Suit (14%).

Healthcare is the third-most targeted sector behind manufacturing and professional services, according to Black Kite’s Research Intelligence Team (BRITE), which reports a sizeable increase in healthcare ransomware attacks in 2024. From Q1 2023 to Q3 2023, healthcare was the 6th or 7th most targeted sector; however, attacks jumped in Q4 2023, when healthcare rose to the third most targeted sector, and it has remained in third spot ever since.

Healthcare ransomware attacks increased throughout 2024. BRITE identified 66 healthcare victims in Q1, 87 in Q2, 99 in Q3, and 121 in Q4, 2024, when 8.22% of all ransomware attacks were on the healthcare industry. BRITE tracked 374 healthcare ransomware attacks in 2024 – a 32.16% increase from 2023. BRITE identified 211 U.S. healthcare victims in 2023, and 268 in 2024 – a 27% increase. BRITE also identified an increase in ransomware attacks reported to the HHS’ Office for Civil Rights. According to BRITE, only 37.4% of healthcare ransomware victims reported attacks to the HHS in 2023; however, the ratio increased to 61.6% in 2024.

Ransomware attacks on hospitals are extensively reported by the media due to the impact these attacks have and the number of patients affected, but attacks on physicians’ offices were more common, accounting for 25% of attacks tracked by BRITE. General medical and surgical hospitals were the next most targeted subindustry (22%), followed by the offices of other health professionals, such as outpatient centers and individual and family services (9%), and dentists’ offices (6%).


In the past year, there have been attacks on large healthcare providers such as Ascension Health, which saw the Black Basta ransomware group steal the data of up to 5.6 million patients, and major attacks on large business associates, such as Change Healthcare. The now-defunct ALPHV/BlackCat ransomware group conducted that attack and stole the protected health information of approximately 100 million individuals. The potential ransom payments that can be obtained from attacks on hospitals and other large healthcare providers may be high; however, their cybersecurity tends to be more robust. Many ransomware groups therefore target smaller healthcare providers: although the potential returns are much lower, these providers tend to have much weaker security and are low-resistance targets.

According to BRITE, there has been a shift in how ransomware groups operate, from ransomware groups having considerable control to that control being seized by the affiliates who work with ransomware groups. There is a great deal of fluidity between groups, with affiliates frequently transitioning between different groups looking for the right fit. This shift to an affiliate-centric model became more pronounced following the Change Healthcare ransomware attack, where the ALPHV/BlackCat group pocketed the $22 million ransom payment and didn’t pay the affiliate. That led to widespread distrust in the operators of ransomware groups and accelerated the shift to an affiliate-centric ransomware model. For instance, following the attack, RansomHub offered affiliates 90% of the ransoms they generated and allowed them to handle transactions directly. That decision proved popular with affiliates and has greatly benefited the RansomHub group, which has taken the top spot as the most prolific ransomware group.

Another shift has been the adoption of more aggressive tactics, where victims are given little time to respond and there is less opportunity for negotiation. It was common for ransomware groups to set a high ransom demand and enter into long negotiations before accepting a much lower payment, but one-time demands with little to no room for negotiation are now much more common.

The BRITE researchers offer some valuable advice for healthcare organizations seeking to avoid becoming targets for ransomware groups: focus on being proactive rather than reactive, implement protections that make ransomware groups look elsewhere, and assess how the organization appears to attackers from the outside.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
