Source: IBM - Data Breach Report
Security and IT teams must architect resilience. When sophisticated threats inevitably breach your perimeter, the game shifts entirely to agile cyber recovery.
Recent Major Cyberattacks in Healthcare: Technical Vectors
To effectively plan your recovery, you must understand the threat landscape. Here are key technical vectors leveraged by recent attackers:
1. Attack via Compromised Remote Access Infrastructure
Attacker/Malware: ALPHV (BlackCat) ransomware gang.
Technical Vector: Initial access was gained through a Citrix remote access server lacking Multi-Factor Authentication (MFA). The attackers then moved laterally using techniques like T1021.001 (Remote Desktop Protocol), exfiltrated massive amounts of data, and encrypted systems.
Impact: A nationwide shutdown of healthcare payment and prescription processing.
2. Phishing-Led Data Exfiltration and System Disruption
Attacker/Malware: Black Basta ransomware.
Technical Vector: Typically initiated via Phishing (T1566). The group uses legitimate, dual-purpose tools like Qakbot for backdoors, Cobalt Strike for Command and Control (C2) to send commands and receive data, and Rclone for rapid data exfiltration before encryption.
3. Vulnerability Exploitation Leading to System-Wide Outage
Attacker/Malware: Rhysida ransomware.
Technical Vector: Initial access was likely through vulnerability exploitation. The ransomware uses strong encryption algorithms, including ChaCha20 and RSA-4096. Attackers focus on T1490 (Inhibit System Recovery) to ensure victims cannot restore systems without paying.
4. Supply Chain Breach via Managed File Transfer (MFT) Zero-Day
Vulnerability: CVE-2025-10035 (CVSS score: 10.0) in Fortra's GoAnywhere MFT.
Attacker/Malware: Storm-1175 group, deploying Medusa ransomware.
Technical Vector: Attackers exploited a critical deserialization vulnerability to achieve Remote Code Execution for initial access. A zero-day is a flaw actively exploited before the vendor has released a patch, making perimeter defenses immediately ineffective.
Common Healthcare Attack Vectors Mapped to MITRE ATT&CK TTPs
These attacks target healthcare systems like EHR/IN (Electronic Health Record/Information), PACS (Picture Archiving and Communication Systems), and Laboratory Information Systems (LIS). The patterns are clear:
| Attack Vector | How It Works | Key Risk | MITRE ATT&CK TTP ID |
| --- | --- | --- | --- |
| Phishing & Social Engineering | Deceptive messages trick users into revealing credentials or deploying malware. | Credential Theft & Malware Installation—giving adversaries a foothold. | T1566 (Phishing) |
| Exposed RDP | Remote Desktop Protocol port exposed to the internet with weak credentials. | Direct Server/Network Compromise, enabling ransomware deployment. | T1133 (External Remote Services) |
| Third-Party Vendor Compromise | Breach of a less-secure vendor (e.g., software supplier) that has trusted access to your network. | Supply Chain Attack—a single vendor breach compromises hundreds of clients. | T1195 (Supply Chain Compromise) |
| Software Vulnerabilities | Exploiting unpatched flaws in OS or applications (e.g., VPNs, Firewalls). | System Exploitation & Privilege Escalation—granting complete system control. | T1190 (Exploit Public-Facing Application) |
Tactics, Techniques, and Procedures (TTPs) mapped to MITRE ATT&CK:
Initial Access (TA0001):
Exploit Public-Facing Application (T1190): Gaining initial access through a Citrix remote access server that lacked Multi-Factor Authentication (MFA) and exploitation of CVE-2025-10035 in Fortra's GoAnywhere MFT.
Phishing (T1566): Initiated via phishing, tricking individuals into revealing sensitive information or deploying malware.
External Remote Services (T1133): Exposed RDP with weak or stolen credentials allowing direct remote control.
Execution (TA0002):
Command and Scripting Interpreter (T1059): Attackers using legitimate tools like Qakbot for backdoors and Cobalt Strike for command and control.
System Services (T1569): Ransomware deployment leading to system disruption.
Persistence (TA0003):
Privilege Escalation (TA0004):
Defense Evasion (TA0005):
Credential Access (TA0006):
Discovery (TA0007):
Lateral Movement (TA0008):
Collection (TA0009):
Exfiltration (TA0010):
Impact (TA0040):
Data Encrypted for Impact (T1486): Encrypting systems with ransomware (ALPHV, Black Basta, Rhysida, Medusa).
Data Destruction (T1485): Mass encryption, deletion, or modification of data.
Service Stop (T1489): Causing nationwide shutdowns, ambulance diversions, and widespread disruption to patient care.
Inhibit System Recovery (T1490): Potentially impacting recovery efforts by encrypting or deleting backups.
Defacement (T1491): Attackers claiming to have stolen sensitive data.
Resource Development (TA0042):
Supply Chain Compromise (TA0001):
Indicators of Compromise (IOCs)
Static Indicators (like SHA256 hashes) are constantly changing. Therefore, Behavioral Indicators of Compromise (IOCs) are also essential because they track the predictable, hard-to-change actions attackers take on a network.
| Threat Entity | Behavioral IOC |
| --- | --- |
| ALPHV (BlackCat) | A running program tries to turn off security tools like Windows Defender or creates a fake administrator account. |
| Black Basta | A process is running a command to delete all local system backup copies (Shadow Copies). |
| Rhysida | A program on a server tries to steal the main password file from the Domain Controller. |
| Medusa | Secret installation of multiple legitimate remote control tools (like AnyDesk or SimpleHelp) on key systems. |
| Storm-1175 / CVE-2025-10035 | The File Transfer program suddenly starts running a command shell (like PowerShell or cmd) instead of just transferring files. |
| Qakbot (Qbot) | Malware code is injected into a normal, trusted Windows program (like Explorer) and starts making many unusual network calls. |
| Rclone | A host (like a file server) is running the Rclone program to transfer a very large amount of data to a cloud storage service (like Mega or Dropbox). |
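As an added example (not code from this post or from Druva), the following Python script turns the behavioral IOCs in the table above and the ATT&CK tactic and technique IDs from the TTP mapping into simple detection rules, then runs them over a handful of constructed endpoint telemetry records. The file-transfer server process name (goanywhere.exe), the cloud storage domain list and the 10 GiB exfiltration threshold are assumptions to be tuned for your environment; the telemetry records are constructed for the example, not taken from any real incident.

```python
"""Behavioral IOC matcher: each rule is tagged with the MITRE ATT&CK tactic or
technique ID used on this page and applied to process/network telemetry."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    parent: str        # parent process image name
    image: str         # process image name
    cmdline: str
    bytes_out: int = 0  # outbound bytes for network events, 0 otherwise
    dest: str = ""      # destination domain for network events


# Assumed process/domain names; real values depend on your environment.
FILE_TRANSFER_PARENTS = {"goanywhere.exe"}          # placeholder MFT service name
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
CLOUD_STORAGE = {"mega.nz", "dropbox.com"}
EXFIL_BYTES = 10 * 1024 ** 3                         # 10 GiB, assumed threshold

# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    Event("fs01", "services.exe", "vssadmin.exe",
          "vssadmin.exe delete shadows /all /quiet"),
    Event("dc01", "cmd.exe", "ntdsutil.exe",
          'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp" q q'),
    Event("mft01", "goanywhere.exe", "powershell.exe",
          "powershell.exe -nop -w hidden -enc <constructed>"),
    Event("ws07", "explorer.exe", "powershell.exe",
          "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event("fs01", "cmd.exe", "rclone.exe",
          "rclone.exe copy D:\\shares remote:backup",
          bytes_out=120 * 1024 ** 3, dest="mega.nz"),
    Event("ws02", "explorer.exe", "notepad.exe", "notepad.exe C:\\notes.txt"),
]


def rule_shadow_copy_deletion(e):
    """Black Basta IOC: local backup copies (Shadow Copies) being deleted."""
    if e.image.lower() in {"vssadmin.exe", "wmic.exe", "wbadmin.exe"} and re.search(
            r"delete\s+shadows|shadowcopy\s+delete|delete\s+catalog", e.cmdline, re.I):
        return "T1490", "Inhibit System Recovery: shadow copy deletion"


def rule_domain_credential_store(e):
    """Rhysida IOC: the Domain Controller password database being accessed."""
    if re.search(r"\bntds(\.dit)?\b", e.cmdline, re.I):
        return "TA0006", "Credential Access: domain controller password database accessed"


def rule_mft_spawns_shell(e):
    """Storm-1175 IOC: the file transfer server launching a command shell."""
    if e.parent.lower() in FILE_TRANSFER_PARENTS and e.image.lower() in SHELLS:
        return "T1059", "File transfer server spawned a command shell (follow-on to T1190)"


def rule_security_tool_tamper(e):
    """ALPHV IOC: a program turning off Windows Defender protection."""
    if re.search(r"Set-MpPreference\s+-Disable", e.cmdline, re.I):
        return "TA0005", "Defense Evasion: endpoint protection setting disabled"


def rule_rclone_exfil(e):
    """Rclone IOC: bulk transfer from a host to a cloud storage service."""
    if (e.image.lower() == "rclone.exe" and e.bytes_out >= EXFIL_BYTES
            and e.dest.lower() in CLOUD_STORAGE):
        return "TA0010", "Exfiltration: bulk transfer to cloud storage via rclone"


RULES = [rule_shadow_copy_deletion, rule_domain_credential_store,
         rule_mft_spawns_shell, rule_security_tool_tamper, rule_rclone_exfil]


def scan(events):
    """Apply every rule to every event; return one alert dict per match."""
    alerts = []
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                alerts.append({"host": e.host, "image": e.image,
                               "ttp": hit[0], "reason": hit[1]})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['host']:6} {a['ttp']:7} {a['image']:16} {a['reason']}")
```

Each rule keys on the action rather than on a file hash, which is the point the paragraph above makes: the process lineage (a file-transfer server as the parent of a shell), the command-line intent (shadow copy deletion) and the transfer volume to a storage provider survive a rebuilt or re-packed binary. In production these checks would be expressed as SIEM or EDR queries over the same fields.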
Conclusion
The healthcare sector remains a prime target for increasingly sophisticated cyber threats, from ALPHV’s ransomware to supply chain zero-days. As these attacks evolve, relying solely on perimeter defenses is no longer a viable strategy. The sheer value of PHI and the critical nature of patient care demand a shift from simple prevention to comprehensive cyber resilience.
True resilience requires assuming a breach will occur and being prepared to bounce back instantly. This is where the conversation shifts to data protection. At Druva, we believe that a modern, cloud-native data resiliency platform is your ultimate fail-safe. By ensuring your data is air-gapped, immutable, and always recoverable, you can neutralize the impact of ransomware. Don't just secure your endpoints, guarantee your recovery, safeguard patient trust, and ensure continuity of care no matter what threats arise.