On a Sunday evening in late December, 2022 The Hospital for Sick Children in Toronto was hit with a ransomware attack that took down several vital hospital network systems and caused widespread disruptions in patient care. While the hospital, the largest children’s healthcare center in Canada, said no deaths resulted from the attack and no patient information was compromised, doctors were unable to access imaging and lab results. This led to delays in diagnosis and treatment system-wide.
The attack utilized the Ransomware-As-A-Service strain LockBit. While no group claimed responsibility for launching the attack, the makers of LockBit Ransomware issued an apology two weeks after the incident. “We formally apologize for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program.” However, the damage had already been done. This latest in a wave of ransomware attacks targeting healthcare sent shockwaves through the industry.

Apology issued by LockBit for the ransomware attack on The Hospital for Sick Children


Ransomware in Healthcare: Healthcare Sector Attacks On The Rise

While the incidence of ransomware attacks has increased in every industry, few sectors have been hit harder than healthcare. The statistics are alarming: the number of ransomware attacks on healthcare organizations rose 94% from 2021 to 2022. In 2021, over two-thirds of healthcare organizations in the US reported experiencing a ransomware attack. Only educational institutions and government organizations experienced a higher number of attacks during the same period.

Unlike ransomware attacks targeting the financial or banking sector, attacks on healthcare facilities can have serious consequences beyond just data loss or stolen information. When a hospital or healthcare facility is shut down by threat actors, it can impact human health and safety by interrupting patient care. This makes healthcare attacks often more devastating and more noteworthy than other types of attacks.

This blog will cover recent ransomware attacks in the healthcare sector, explain why such attacks have gained momentum in recent months, their overall impact, and how SCADAfence can help you fight back and protect your organization from this emerging threat.

Healthcare Sector: A Long History of Threats

One of the largest and most notable examples of ransomware attacks against healthcare organizations occurred in May 2017, when the WannaCry ransomware attacked the United Kingdom’s National Health Services (NHS). The attack affected over 200,000 computers in 150 countries. It caused a widespread disruption to the NHS, with nearly 20% of hospitals being forced to cancel lifesaving procedures and turn away patients. Some targeted hospitals were unable to access MRI machines or blood storage refrigerators. Final estimates of the damages reached over 92 million pounds. (110 million USD). While the attackers were never definitively identified, the NHS was criticized for not having sufficient cyber security measures in place.

While the WannaCry attack highlighted the need for robust cyber security protections and incident response plans, many healthcare organizations are still unprepared.

Average Weekly Attacks Per Organization By Industry - Global 2022 Q3 and YoY (1)

Recent Ransomware Incidents in the Healthcare Sector


Hive Ransomware is a cybercrime group using the Ransomware-As-A-Service model and has been active since at least 2020. The group is thought to operate out of Eastern Europe and is known for carrying out targeted ransomware attacks against the healthcare, education, and government sectors.

Hive Ransomware uses double extortion tactics, not only encrypting the data but threatening to release it publicly as well. The group employs the REvil strain of ransomware, which has the ability to propagate through a network and encrypt multiple systems. This makes it particularly damaging to organizations that are hit by an attack.

The method of initial access depends on the target. Hive affiliates often gain initial access by exploiting known vulnerabilities, such as the FortiOS vulnerability (CVE-2020-12812), and the ProxyShell and ProxyLogon vulnerabilities (CVE-2021-31207, CVE-2021-34473, CVE-2021-34523).

Hive was used by threat actors in October, 2022 to breach the systems of Lake Charles Memorial Health System in Louisiana and steal data for 270,000 patients.


Royal Ransomware is a notorious cybercrime group that has been active since at least 2018. Similar to Hive ransomware, one of the hallmarks of the Royal group is their use of double extortion tactics. The group has been known to target a wide range of organizations, including schools, and government agencies in addition to their main target, hospitals.

The group is thought to operate out of Russia, and they primarily use the Ryuk ransomware, a sophisticated strain of ransomware that is difficult to detect and even more difficult to remove, to carry out their attacks.

The group uses malicious Google Ads, also known as “malvertising” to blend in with normal ad traffic. It relies on malicious downloads and contact forms located on an organization’s website to distribute phishing links for initial access.

Another of Royal's unusual tactics is to leverage hacked Twitter accounts to tweet information about compromised targets to journalists, in an effort to get media attention and add on extra pressure for the victims.

The U.S. Department of Health and Human Services issued a warning in December advising healthcare organizations to consider Royal a threat.


Maui ransomware was first discovered in early 2021 and has since been actively distributed through email phishing campaigns and by exploiting known vulnerabilities. It is believed to be a

Maui stands out from other ransomware groups due to its lack of many features that are commonly present in ransomware tools, such as an embedded ransomware note with instructions for data recovery.

According to CISA and the FBI, Maui is a North Korean state-sponsored ransomware used to encrypt servers responsible for healthcare services, first observed in May, 2021.


Zeppelin is a relatively new type of ransomware that was first discovered in late 2020 and has since been actively distributed by various means, including email phishing campaigns and exploits in unpatched software.

According to CISA, Zeppelin is a, Delphi-based Vega malware family and functions as a Ransomware as a Service (RaaS).” Zeppelin actors gain access to victim networks via RDP exploitation, exploiting SonicWall firewall vulnerabilities, and by phishing campaigns, according to CISA.


Venus ransomware was first discovered in 2020, and has since evolved and become more sophisticated. The latest iteration of the malware was identified in August, 2022. It has been known to target a wide range of industries including healthcare, education, and government.

The Health Sector Cybersecurity Coordination Center (HC3) reported that they are aware of at least one instance of Venus being deployed in a U.S. healthcare organization. According to HC3 the ransomware appears to be targeting “publicly-exposed Remote Desktop services, even those running on non-standard TCP ports. They advise putting those services behind a firewall.  

Daixin Team

The Daixin Team is a cybercrime group that has targeted the HPH Sector since at least June 2022. They have been linked to several ransomware attacks on healthcare organizations, in which they have encrypted systems used for storing electronic health records, diagnostic tools, imaging services and internal network services.

To gain initial access to their targets, the Daixin actors send phishing emails with malicious attachments to acquire login credentials for VPN servers.

After obtaining access to the victim’s VPN server, Daixin actors move laterally via SSH and RDP. Daixin actors have sought to gain privileged account access through credential dumping and pass the hash. The actors have leveraged privileged accounts to gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment, and then used SSH to connect to accessible ESXi servers and deploy ransomware.

Why Target Healthcare?

Ransomware attacks on healthcare facilities are common due to several reasons. Firstly, they possess a significant amount of sensitive patient data that hackers find valuable. Secondly, healthcare providers are expected to offer continuous care and may be more likely to pay a ransom to regain access to their systems. Despite the advice of organizations such as CISA against paying ransoms, many healthcare providers feel they have no alternative. In 2021, a greater percentage of healthcare organizations admitted to paying ransoms (over 60%) compared to the overall average across all sectors (46%)

The Impact of Ransomware Attacks on Healthcare

Ransomware attacks on healthcare facilities can have serious consequences. They can disrupt patient care, leading to delays in treatment and potentially putting lives at risk. There have been two reported deaths resulting from ransomware attacks since 2020. In Düsseldorf, Germany a ransomware attack caused the closure of the emergency department and a patient died in an ambulance while being transported to another hospital. In a second incident, a lawsuit alleged that a cyberattack against a hospital in Alabama had prevented doctors from performing critical pre-birth tests, leading to a baby being born with the cord around its neck. This resulted in brain damage and eventually, the baby's death.

Prevent Ransomware in Healthcare: SCADAfence Recommends

The best defense against any ransomware strain is a comprehensive cyber security protection solution that can detect the use of the ProxyShell and FortiOS server vulnerabilities used for initial access, as well as command execution using CMD and the creation of scheduled tasks used to execute different ransomware strains.

The SCADAfence Platform has all these capabilities and can protect your OT network. Moreover, the SCADAfence Platform detects the use of Mimikatz, PsExec, and Cobalt Strike tools used by ransomware groups for credential access and lateral movement.

SCADAfence recommends taking the following measures to minimize the risk of exploitation:

Limit Network Exposure – Minimize network exposure for all of your control system devices and/or systems, and ensure they are not accessible from the Internet.

Monitor Network Traffic – Monitor access to the production segments. In your network monitoring tool, create logical groups of the affected devices and define traffic rules to alert on suspicious access to them.

Monitor User Activity – If you’re a SCADAfence customer, you can use the SCADAfence Platform to monitor access to the affected devices and track all of your user activities using the User Activity View. RDP and SMB connections can be tracked in an attempt to discover ransomware activity.

Connect to the SCADAfence Cloud – If you’re a SCADAfence customer, connect your SCADAfence Platform to the SCADAfence Cloud to get the latest security updates.

Best Practices – SCADAfence recommends following the best practices:

  • Make sure secure offline backups of critical systems are available and up-to-date.
  • Apply the latest security patches on the assets in the network.
  • Use unique passwords and MFA (multi-factor authentication) on authentication paths to OT assets.
  • Enable strong spam filters to prevent phishing emails from reaching end users.
  • Disable ports and protocols that are not essential.
  • Encrypt sensitive data when possible.
  • Educate your staff members about the risks and methods of ransomware attacks and how to avoid infection.
  • Have a response plan in place for how to handle a ransomware attack.


Learn more about preventing ransomware attacks on our blog.