
The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the healthcare organizations, presenting key trends and statistics in an engaging infographic format.
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the healthcare industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting healthcare organizations.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
CYFIRMA delivers pre-emptive cybersecurity, cyber threat intelligence, and external threat landscape management through its platforms, DeCYFIR and DeTCT. These platforms have been purpose-built over many years to continuously collect, correlate, and analyse large volumes of external threat data, combining proprietary intelligence automation with deep, hands-on cyber threat research.
For the purpose of this report, the analysis draws on intelligence generated from CYFIRMA’s platforms. The data referenced has been processed through automated correlation and enrichment mechanisms, informed and validated by human-led research and investigative expertise, and sourced from both structured and unstructured external intelligence channels.
While this report contains data collected and processed by our in-house AI and ML, all charts, statistics, and analyses are done by human CYFIRMA CTI analysts to ensure the highest quality and provide accurate insights.
The healthcare industry featured in 2 out of the 11 observed campaigns, which is a presence in 18% of all campaigns, an increase from the previous period, where healthcare organizations were present in none of the 16 campaigns (0% presence).


The last 90 days were relatively quiet. One campaign was observed in late October, and the other only now in January.

Over the past 90 days, observed APT activity against the healthcare sector was limited in volume and split between China-linked and Turkish-speaking actors. The October campaigns were attributed to CCTR2501, whereas the January campaign shows TTPs of both MISSION2047 and Stone Panda.

The chart shows the geographic distribution of healthcare-sector victims identified across the two observed APT campaigns. Victims were spread across 14 countries, with South Korea and India each recording victims in both campaigns, while the remaining countries recorded victims in only one of the two.
The distribution indicates a broad geographic reach rather than concentration in a single region.

The chart illustrates the affected technology categories observed in healthcare-sector intrusions across two APT campaigns. Web applications, application security software, storage management software, and technology business management software each appear in a single observed case.
Intrusions did not rely on a single dominant technology vector.
Risk Level Indicator: Low

Over the past 90 days, the healthcare industry has not been significantly impacted by advanced persistent threat (APT) campaigns.
2 out of 11 observed APT campaigns recorded victims in this industry, which is an 18% presence in observed campaigns.
That is an increase from the previous 90-day period, during which none of the 16 campaigns targeted this industry, raising the overall share from the previous 0%.
Monthly Trends
One of the campaigns was observed at the tail end of October; after a long period of calm, another campaign was detected in January.
Key Threat Actors
The October campaigns were attributed to the Turkish-speaking cybercrime group CCTR2501. The January hit shows overlapping TTPs of Stone Panda and MISSION2074.
Geographical Impact
Victims are geographically scattered, but half of the countries are Asian, from India to Japan. India and South Korea were the only countries with victims in both campaigns.
Targeted Technologies
Web applications, application security software, storage management software, and technology business management software were targeted, showing the adaptability of threat actors.
Over the past three months, CYFIRMA’s telemetry has identified 3,682 mentions of the healthcare industry out of a total of 82,546 industry-linked mentions. This is from a total of 300k+ posts across various underground and dark web channels and forums.
The healthcare industry placed 8th out of 14 industries in the last 90 days, with a share of 4.46% of all detected industry-linked chatter.
Below is a breakdown by 30-day periods of all mentions.


Ransomware-related discussions peaked in the first 30-day window and declined sharply in subsequent periods, while data breach and data leak chatter show a more gradual downward trend. Lower-volume categories, including hacktivism, web exploits, claimed hacks, and DDoS, remain consistently limited and declined over the 90-day period.
Risk Level Indicator: Moderate

In total, the healthcare industry comprises 4.46% of all detected industry-linked underground and dark web chatter in the last 90 days, ranking 8th out of 14 industries. Below are the observed key trends across the 90 days:
Data Breach
485 → 560 → 427, High activity with a mid-period peak followed by a decline. Despite the recent drop, healthcare remains heavily targeted due to the value of patient data, insurance records, and research information.
Ransomware
591 → 312 → 189, Very sharp decline across periods. This suggests a notable reduction in ransomware-focused chatter, possibly due to improved defenses, increased law enforcement pressure, or attacker pivot toward quieter data-theft and extortion models.
Data Leak
327 → 342 → 213, Moderate early activity with a clear downward trend. Indicates fewer healthcare data leak postings, though this may also reflect a shift toward private marketplaces rather than reduced compromise rates.
Hacktivism
39 → 28 → 10, Steady decline. Ideologically motivated activity against healthcare organizations appears to be tapering, leaving financially driven threats as the dominant concern.
Web Exploit
44 → 18 → 12, Significant drop after the first period. Suggests reduced exploitation of healthcare web applications or successful patching of previously targeted vulnerabilities.
Claimed Hacks
25 → 17 → 8, Consistent decrease. Fewer public claims may indicate attackers are opting for less visible monetization methods or that fewer successful intrusions are being openly advertised.
DDoS
15 → 13 → 7, Gradual decline. Disruption-focused attacks are becoming less common compared to data-centric threats within the healthcare sector.
Over the past three months, CYFIRMA’s telemetry has identified 81 mentions of the healthcare industry out of a total of 2,547 industry mentions. This is from over 10k CVEs reported and updated in the last 90 days.
The healthcare industry ranked 10th out of 14 industries in the last 90 days, with a share of 3.18% of all detected industry-linked vulnerabilities.
Below is a breakdown by 30-day periods of all mentions.


Remote and arbitrary code execution and injection-related vulnerabilities remain the most frequently reported categories. Several lower-volume classes, including cross-site scripting, information disclosure, and denial-of-service vulnerabilities, show increased presence in the most recent period, while memory and buffer-related issues decline to zero.
Risk Level Indicator: Low

In total, the healthcare industry comprises 3.18% of all detected industry-linked vulnerabilities in the last 90 days, ranking 10th out of 14 industries. Below are the observed key trends across the 90 days.
Remote & Arbitrary Code Execution (RCE & ACE)
11 → 7 → 8, Consistently moderate with a slight dip and stabilization. RCE disclosures remain a key concern in healthcare software stacks, reflecting ongoing discovery of high-impact flaws in clinical systems, imaging platforms, and backend services.
Injection Attacks
9 → 7 → 6, Gradual decline across periods. Suggests fewer newly disclosed input validation issues.
Cross-Site Scripting (XSS) & Clickjacking
0 → 3 → 5, Clear upward trend. Indicates increasing disclosure of client-side vulnerabilities in patient portals, scheduling systems, and web-facing healthcare applications.
Information Disclosure & Data Leakage
4 → 0 → 3, Dropped to zero mid-period but resurfaced. Highlights intermittent findings where sensitive healthcare data or configuration details may be unintentionally exposed.
Memory & Buffer Vulnerabilities
4 → 3 → 0, Steady decline to none in the latest period. May reflect reduced researcher focus on low-level issues or successful remediation in legacy healthcare systems.
Denial of Service (DoS) & Resource Exhaustion
2 → 0 → 3, Low overall but reappearing recently. Suggests occasional identification of availability-related flaws that could affect service continuity in healthcare environments.
Directory Traversal & Path Manipulation
1 → 0 → 2, Rare but increasing slightly. These disclosures typically involve file-handling weaknesses in specialized healthcare software.
Security Misconfigurations & Insecure Defaults
2 → 0 → 0, Limited to the earliest period. Indicates isolated findings related to default settings or unsafe configurations rather than a sustained trend.
Privilege Escalation & Access Control Issues
1 → 0 → 0, Minimal reporting. Few new access control flaws have been disclosed in recent periods, though this may reflect disclosure timing rather than the absence of risk.
In the past 90 days, CYFIRMA has identified 162 verified ransomware victims in the healthcare industry. This accounts for 7.8% of all 2,078 ransomware victims during the same period, placing the healthcare industry 6th out of 14 industries.

Furthermore, a quarterly comparison shows that interest in healthcare organizations has declined. Despite an increase of 9.5% from 148 to 162 victims, the overall share declined from 8.6% to 7.8% of all victims.


Ignoring just a few days of July, the monthly trendline shows a sustained high volume of victims across months. October and December recorded spikes, and the first 3 weeks of January are on track to match at least the monthly average.

A breakdown of monthly activity per gang reveals which gangs were most active each month. For instance, Qilin remained active across all months. Sinobi recorded the most victims in January. Devman, LockBit5, and Safepay were behind most of the December victims.

Out of the 67 gangs, 35 recorded victims in the healthcare industry in the last 90 days, representing a 34% participation.
Qilin had the highest number of victims, but a relatively low healthcare share of 7.8%.
The number of gangs with a very high share of healthcare victims is frankly disturbing. Kazu (50%), Anubis (42%), Devman (20%), and Sinobi (14%) are the worst offenders among gangs with a high number of victims. Many gangs have very low victim counts, which skews their percentages.

Dental & Oral Health has been the most frequent victim in the last 90 days, with Hospitals and Clinics in close second place. Overall, targeting is spread widely across many sectors within the healthcare industry.

The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.

The chart shows quarter-to-quarter changes in targeted countries. Data is sorted by the last 90 days and compared to the previous 90 days, marked in blue.
Healthcare victimology shows that a high majority (59%) of victims are from the US, driven by its for-profit healthcare model. Canada, the UK, Australia, France, Tunisia, Thailand, Italy, and Vietnam are among the countries with new victims in the last 90 days.
31 countries recorded healthcare industry victims, a significant jump from 22 countries in the previous period, suggesting ransomware spill-over beyond the US in this industry.
Risk Level Indicator: High

The healthcare industry ranked 6th out of 14 monitored industries, recording 162 victims in the last 90 days.
Despite an increase in the total number of victims from 148 to 162, the overall share of victims dropped mildly from 8.6% to 7.8%.
Monthly Activity Trends
Monthly data show sustained interest across the months with spikes during October and December. January so far is on track to match the monthly average; in other words, no signs of slowing down.
Ransomware Gangs
35 out of 67 active ransomware groups targeted this industry in the past 90 days – 52% participation:
Qilin: Consistently the most active gang. However, its focus on this industry is relatively low (7.8% of all its victims); the high count comes from the sheer volume of its victims.
Anubis: Highest share (43%) among gangs with a high victim count, suggesting a strong focus on this industry.
Devman, Sinobi, Rhysida, and Kazu: Recording 20%, 14%, 20%, and 50% of their victims from healthcare respectively, also showing a high focus on this industry.
Geographic Distribution
The geographic distribution of ransomware victims has grown and spread across 31 countries, an increase from 22 in the previous period.
The USA recorded 52% of all victims in this industry. Many countries recorded significant upticks, including France, Tunisia, Thailand, and Vietnam, suggesting a potential move from heavy US targeting.
For a comprehensive, up-to-date global ransomware tracking report, please refer to our new monthly “Tracking Ransomware” series here.
APT Campaigns (Low): Healthcare remained a peripheral APT target, with 2 of 11 observed campaigns (18%) affecting the sector – an increase from zero in the previous period but still limited in scope. Activity was sporadic, with one campaign in late October and another emerging in January after a prolonged lull. Threat attribution points to Turkish-speaking cybercriminals (CCTR2501) and a later campaign showing overlapping TTPs linked to Stone Panda and MISSION2074, indicating limited but adaptable actor interest. Victims were geographically dispersed, with Asia accounting for half of the impacted countries; India and South Korea were the only nations affected in both campaigns. Targeted technologies varied, centering on web applications alongside storage, application security, and business management software, suggesting opportunistic rather than strategic targeting.
Underground & Dark Web Chatter (Moderate): Healthcare accounted for 4.46% of total underground chatter, ranking 8th. Data breach activity remained high despite a late-period decline, reinforcing the sector’s continued exposure due to the value of patient, insurance, and research data. In contrast, ransomware chatter dropped sharply, indicating a meaningful reduction in visible ransomware-focused activity. Data leak, web exploit, claimed hacks, DDoS, and hacktivism trends all declined, pointing to a broader contraction in overt underground activity and a possible shift toward quieter monetization channels.
Vulnerabilities (Low): The sector represented 3.18% of reported vulnerabilities, ranking 10th. RCE disclosures remained moderate and stable, while injection flaws trended downward. Client-side issues (XSS) increased steadily, particularly affecting patient portals and web-facing healthcare systems. Other categories, including memory, misconfiguration, and privilege escalation, remained low and inconsistent, suggesting no systemic surge in healthcare-specific vulnerability exposure during this period.
Ransomware (High): Despite declining chatter, ransomware impact remained high, with 162 victims, up from 148, placing healthcare 6th overall. Monthly activity stayed elevated, with spikes in October and December and no slowdown entering January. While large-volume groups like Qilin contributed many cases, their proportional focus was limited. In contrast, Anubis, Devman, Sinobi, Rhysida, and Kazu demonstrated strong sector specialization, with a substantial share of their victims in healthcare. Geographic spread widened to 31 countries, up from 22, while the U.S. share declined to 52%, signaling increasing internationalization of healthcare ransomware targeting.