The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the healthcare industry, presenting key trends and statistics in an engaging infographic format.
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the healthcare industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the healthcare industry.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation based on both human research input and automated ingestions.
Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors. Both nation-state and financially motivated.
Each attack campaign may target multiple organizations across various countries.
Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.
Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
Our primary focus is on detecting brand impersonation over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries as some are simply not good phishing lures.
Our data on victims in this report is directly collected from respective ransomware blogs, though some blogs may lack detailed victim information beyond names or domains, impacting victimology accuracy during bulk data processing.
In some cases, there are multiple companies that share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.
During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs. While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.
Healthcare organizations featured in 2 out of the 24 observed campaigns, which is a presence in 8% of campaigns.
Observed Campaigns per Month
The monthly chart shows 2 campaigns detected in November and December respectively.
Suspected Threat Actors
Suspected threat actors are divided between nation-state and financially motivated APTs.
GEOGRAPHICAL DISTRIBUTION
Victims of both observed attack campaigns were recorded in 12 different countries.
TOP ATTACKED TECHNOLOGY
Attack campaigns focused on attacking application security software and web applications
Risk Level Indicator: Low
While monthly activity recorded a significant surge in November, since the period of relative calm, the healthcare sectors, including pharma and biotech did not appear in the crosshairs of these campaigns. Healthcare victims were recorded only in 2 out of 24 observed campaigns conducted by tracked APTs. With low confidence, we assume priority shifts by nation-state-linked adversaries, focusing more on strategic objectives related to ongoing tensions and hot conflicts over theft of intellectual property, which was traditionally the reason behind healthcare APT activities.
Regarding suspected threat actors both campaigns were attributed to Stone Panda with TTPs overlapping with a broader nexus of Chinese ATPs tracked collectively as Mission2025
In terms of geographical impact, the same 12 countries recorded victims in both campaigns detected 35 days apart. Analysis suggests this is likely the same campaign with evolving TTPs.
Web applications remain the top-attacked technology for cyberattacks across various industries, with operating systems following closely in terms of susceptibility. Additionally, we’ve observed instances of attacks targeting application security software.
Over the past 3 months, CYFIRMA’s telemetry recorded 54 phishing campaigns out of a total of 322,180 that impersonated the healthcare industry brands, which accounts for 0.01% of all campaigns. Due to low amounts of observed healthcare themed campaigns, we did not track it as category on the chart below.
Global Distribution of Phishing Themes per Sector
Top Impersonated Brands
French Health Insurance was responsible for 44 out of 54 detected campaigns. Remaining 10 were only identified as sectors.
Top Countries of Origin based on ASN
Despite French Health Insurance being a majority of the detections, most of the campaigns have ASN origin outside France, suggesting worldwide botnet behind the activity.
Risk Level Indicator: Low
The healthcare industry proves less appealing for phishing and lacks the characteristics of a lucrative target. Its fragmented structure, spanning drug manufacturing and research, hinders widespread internet or nationwide phishing campaigns. Unlike the financial sector, personal information in healthcare is dispersed across patient records rather than centralized.
Data analysis reveals French Health Insurance as only identified impersonated organization, associated with healthcare, aligning more with the financial industry. Moreover, targeting healthcare organizations draws considerable law enforcement attention, a risk many cybercriminals avoid. Finally, some cybercriminals adhere to ethical boundaries, refraining from attacks that directly harm individuals.
In the past 90 days, CYFIRMA has identified 149 verified ransomware victims within the healthcare industry sectors. This accounts for 12.5% of the overall total of 1,184 ransomware incidents during the same period.
The Monthly Activity Chart
Monthly trends show consistently high numbers across months with major slump in January.
Breakdown of Monthly Activity by Gangs
A breakdown of the monthly activity provides insights into per-group activity. For example, LockBit3 and ALPHV were highly active in November and December, whereas Akira mostly in November and January.
Ransomware Victims in Healthcare per Group
In total 36 out of 49 groups recorded healthcare organization victims in the past 90 days. The top 6 are responsible for half of them.
Comparison to All Ransomware Victims by Group
Compared to all recorded victims in the same time period, 3rd most active gang Play did not record any healthcare victims, suggesting no interest. Conversely Hunters and Cactus gangs record significant share of their victims from healthcare industry.
Geographic Distribution Of Victims
The heatmap of geographic distribution shows truly a global reach of ransomware
Total Victims per Country
In total 28 countries recorded ransomware victims with the US alone accounting for ~62% of all victims with identified geography.
Sectors Distribution
Listing consolidated sectors matched under the healthcare industry umbrella shows pharmaceuticals and hospitals as the most attacked sectors. Furthermore, it shows diverse range of impacted sectors, including many niches.
Risk Level Indicator: High
Healthcare is among the most targeted industries by ransomware attacks, comprising over 12% of all recorded victims. Monthly activity consistently shows a substantial volume of attacks, with a drop in January, which corresponds with overall ransomware activity.
Of the 49 active gangs in the past 90 days, 36 have targeted the healthcare industry. A closer look at the groups behind these attacks highlights LockBit3, ALPHV, Hunters and Cactus among the most active groups in healthcare sectors. On the other hand, 3rd most overall active gang Play did not record any healthcare victims. The data on the total number of victims per group shows a more even distribution of victims with 6 top groups responsible for 50% of attacks and many mid to small-size gangs contributing to the total number.
Among the victims with identified locations in 29 different countries, the United States ranks as the most affected, with 91 victims (62% of all), followed by the UK, France and Italy. The United States remains the most targeted country across various industries, but specifically in healthcare, it presents an attractive target due to the for-profit nature of the US healthcare system.
For a comprehensive, up-to-date global ransomware tracking report on a monthly basis, please refer to our new monthly “Tracking Ransomware” series here.
In the healthcare industry’s external threat landscape, we consistently observe a high risk of ransomware attacks and a shift in the risk associated with Advanced Persistent Threat (APT) campaigns, while phishing impersonations remain low.
Ransomware remains a significant threat, with healthcare organizations accounting for over 12% of all victims in the last 90 days. Active groups include LockBit3, ALPHV, Banlian, and Hunters, while the notorious Play gang showed no recorded interest in healthcare victims. The USA, primarily due to its for-profit healthcare system, remains the prime target with 62% of all victims.
Over the last 90 days, only 2 APT campaigns attributed to Stone Panda from China were observed, continuing a trend of low detection in the healthcare sector. This is tentatively linked to nation-state APTs shifting priorities towards objectives related to international tensions and an increasing number of conflicts, diverging from the usual focus on industrial espionage for technology and IP theft.
Conversely, phishing campaigns present a low risk in this sector. The healthcare industry’s fragmented structure and the potential for law enforcement involvement act as deterrents for cybercriminals, steering them towards sectors perceived as less risky and more profitable.