Multiple Ransomware Groups 2025 Attacks on Healthcare

Healthcare organizations faced a sustained surge of ransomware attacks in 2025 that disrupted operations, delayed patient care, and exposed millions of records. Prominent families including INC, INTERLOCK, Akira, Qilin, RansomHub, and Warlock targeted hospitals worldwide, gaining access through phishing and exploited CVEs, then using Cobalt Strike for persistence, Mimikatz for credential theft, and Rclone for exfiltration before extorting victims over the stolen data.

Key points

  • Over 50 confirmed ransomware incidents impacted US healthcare providers in the first half of 2025, exposing more than 3.2 million patient records.
  • Ransomware actors caused real-world harm including ambulance diversions, procedure cancellations, and at least one reported death linked to disruptions.
  • Multiple ransomware families (INC, RansomHouse, Qilin, Akira, Embargo, INTERLOCK, BrainCipher, Rhysida, RansomHub, Warlock) targeted Windows, Linux, macOS, and ESXi systems.
  • Common initial access vectors included phishing, exploited vulnerabilities (e.g., CVE-2023-27532, CVE-2023-20269, CVE-2023-28252, CVE-2024-37085, SharePoint zero-days, Log4Shell/IAB), and supply chain weaknesses.
  • Attack chains frequently used Cobalt Strike for persistence, Mimikatz for credential theft, and Rclone/AzCopy/cloud storage for data exfiltration, often followed by double-extortion demands and custom file extensions (.qilin, .akira, .embargo, .INTERLOCK, .braincipher, .rhysida, .RH).
  • Several large-scale breaches were documented: McLaren Health Care (INC) 743k records, DaVita (INTERLOCK) 2.7M records, Episource 5.4M records, and a 100M-record theft associated with RansomHub.
  • Ransomware authors increasingly write cross-platform binaries (Golang, Rust, C++) to broaden the set of systems they can target, and many operate as ransomware-as-a-service (RaaS), which gives affiliates access to sophisticated tooling and techniques.

MITRE Techniques

  • [T1566] Phishing – used as an initial access vector (“starts with phishing or unpatched vulnerabilities”).
  • [T1190] Exploit Public-Facing Application – exploited CVEs such as CVE-2023-27532, CVE-2023-20269, CVE-2023-28252, CVE-2024-37085 and SharePoint zero-days for initial access (“exploits CVE-2023-27532”, “exploits CVE-2023-20269”, “exploits CVE-2023-28252”, “exploits CVE-2024-37085”, “Microsoft SharePoint zero-day vulnerabilities”).
  • [T1218] Signed Binary Proxy Execution / [T1059] Command and Scripting Interpreter – use of tools like Rclone and AzCopy for exfiltration (“Rclone for data exfiltration”, “AzCopy used for exfiltration”).
  • [T1055] Process Injection / [T1053] Scheduled Task (persistence implied) – use of Cobalt Strike for persistence and post-exploitation activities (“Cobalt Strike for persistence”).
  • [T1003] Credential Dumping – use of Mimikatz to steal credentials (“Mimikatz for credential dumping”).
  • [T1041] Exfiltration Over C2 Channel / [T1537] Transfer Data to Cloud Account – exfiltration to cloud storage and via tools (“Stolen files are exfiltrated to cloud storage”, “Rclone for data exfiltration”).
  • [T1486] Data Encrypted for Impact – ransomware encrypting files and appending unique extensions (“.qilin”, “.akira”, “.embargo”, “.INTERLOCK”, “.braincipher”, “.rhysida”, “.RH”) as part of double-extortion (“appends the .INTERLOCK extension”, “encryption adds .RH extensions”).
  • [T1588] Modify Cloud Compute Infrastructure – use of web shells and SharePoint web shells for persistence after exploiting SharePoint zero-days (“deploy web shells for persistence”).

Indicators of Compromise

  • [File Hashes] Ransomware samples and payloads – INC example: 73237b5c37b9625b0b26d6f4d476a619dfa78d9bc3959b48c7a77302d40093c1, 1df4a74fbe8a9875a4386960f1006d29de7907af830b4c8a30a643e752299030 (and 8 more INC hashes).
  • [File Hashes] RansomHouse and Qilin samples – RansomHouse example: afe398e95a75beb4b0508c1bbf7268e8607d03776af0b68386d1e2058b374501; Qilin example: 50edef3388c7764610d86356b90ba9ebda87c4b6ce45d29987d0c45c8e8d1bb9 (and multiple additional Qilin hashes).
  • [File Hashes] Akira and Embargo samples – Akira example: 0195f7d41644e87291092aff91770f0eca1ab775562b56791a31f409793499e4, Embargo example: Ebffc9ced2dba66db9aae02c7ccd2759a36c5167df5cd4adb151b20e7eab173c.
  • [File Hashes] INTERLOCK, BrainCipher, Rhysida, RansomHub, Warlock – INTERLOCK example: a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642; Warlock example: da8de7257c6897d2220cdf9d4755b15aeb38715807e3665716d2ee761c266fdb (and numerous others across families).
  • [File Extensions / Artifacts] Encrypted file extensions observed – examples: .qilin (Qilin), .akira (Akira), .embargo (Embargo), .INTERLOCK (INTERLOCK), .braincipher (BrainCipher), .rhysida (Rhysida), .RH (RansomHouse) indicating encrypted or exfiltrated data.
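One defender-side use of the extension indicators above, as an added example that is not part of the PolySwarm report: a small detector that parses constructed file-create events (the log format, host names and process names are assumptions) and flags a process that writes several files carrying one of the listed extensions within a short window, which is the mass-encryption burst behind T1486, while a single stray file stays below the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime
# Extensions listed in this report -> family; matched case-insensitively (.INTERLOCK, .RH).
RANSOMWARE_EXTENSIONS = {
    ".qilin": "Qilin", ".akira": "Akira", ".embargo": "Embargo",
    ".interlock": "INTERLOCK", ".braincipher": "BrainCipher",
    ".rhysida": "Rhysida", ".rh": "RansomHouse",
}
# Constructed file-create events in a hypothetical format "<ISO time> <host> <process> <path>".
SAMPLE_LOG = """\
2025-06-10T02:14:01Z hosp-fs01 svchost.exe C:\\Shares\\Radiology\\scan01.dcm
2025-06-10T02:14:03Z hosp-fs01 update.exe C:\\Shares\\Radiology\\scan01.dcm.INTERLOCK
2025-06-10T02:14:03Z hosp-fs01 update.exe C:\\Shares\\Radiology\\scan02.dcm.INTERLOCK
2025-06-10T02:14:05Z hosp-fs01 update.exe C:\\Shares\\Radiology\\scan03.dcm.INTERLOCK
2025-06-10T02:30:00Z hosp-ws07 explorer.exe C:\\Users\\nurse\\Desktop\\old.akira
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")

def parse_events(text):
    """Yield (timestamp, host, process, path) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield (ts,) + m.group(2, 3, 4)

def family_for(path):
    """Return the family whose extension the path ends with, or None."""
    ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
    return RANSOMWARE_EXTENSIONS.get(ext)

def detect_encryption_bursts(text, threshold=3, window_s=60):
    """Flag (host, process, family) that wrote >= threshold ransomware-extension files within window_s seconds."""
    buckets = defaultdict(list)
    for ts, host, proc, path in parse_events(text):
        fam = family_for(path)
        if fam:
            buckets[(host, proc, fam)].append(ts)
    alerts = []
    for (host, proc, fam), stamps in buckets.items():
        stamps.sort()
        j = 0
        for i in range(len(stamps)):  # sliding window over sorted timestamps
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= window_s:
                j += 1
            if j - i >= threshold:  # one stray file (old.akira) never reaches the threshold
                alerts.append({"host": host, "process": proc, "family": fam, "files": len(stamps)})
                break
    return alerts
```

Tune `threshold` and `window_s` to the file-server's normal write rate; a production version would read the same fields from EDR or Sysmon file-create telemetry instead of the constructed sample.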
Read more: https://blog.polyswarm.io/recent-ransomware-threats-to-the-healthcare-vertical?utm_campaign=Hivemind%20Reporting&utm_medium=email&_hsmi=379568764&utm_content=379568764&utm_source=hs_email