
January 2026

TLP:WHITE

2026 Health Sector Cyber Threat Landscape

Contents

Introduction
Annual Member Survey Insights
Survey Background
Survey Findings
Key Insights
Part I: The Current Threat Landscape
Physical Security
Physical Security/Violence Legislation – U.S. and Global
Man-Made and Natural Threats to Security
Cybercriminal Activity
Hacktivist Attacks Against the Health Sector
Data Breaches — Episource
Significant Takedowns
RaccoonO365 Disruption
Ransomware Gangs Attacking Health Sector
Qilin
INC Ransomware
SAFEPAY
Sinobi
World Leaks
Ransomware Trends in the Health Sector
Emerging and Receding Ransomware Groups
Ransomware Insights
Nation-State Activity
DPRK Remote IT Worker Campaigns
Geopolitical Activity
Israel-Iran War
Hybrid Warfare
Medical Device Cybersecurity
Contec CMS8000 Patient Monitor
Legacy Devices
DICOM/PACS Exposure
Part II: Tactics, Techniques, and Procedures
Social Engineering
ClickFix and FileFix
QR Code Phishing
Cleo Compromise Victim Bundling
Malicious Activity Observed by Members
XWorm
NetSupport RAT
njRAT
SocGholish
AsyncRAT
Breakdown of 2025 MITRE ATT&CK Data
Notable Vulnerabilities
Microsoft SharePoint ToolShell
Cisco ASA 5500-X Series
Popular Targeted Alerts
Dangling DNS
Citrix Netscaler ADC and Citrix Gateway
BeyondTrust
CEO Doxxing
Remote Desktop Protocol Exposures
Part III: Future Cybersecurity Outlook
Business Resilience
Business Resiliency Looking into 2026
Conclusion

health-isac.org


Introduction

2025 was defined by a critical escalation in the volume, complexity, and systemic risk facing the global health ecosystem. As the digital transformation of the health sector—from advanced medical devices to telehealth platforms—continued to accelerate, it expanded the attack surface, confirming that the health industry remains a primary, high-value target for cybercriminals and nation-state actors alike.

The primary threat facing the health sector remains ransomware, with prolific groups like Qilin, INC Ransom, and the rapidly growing SAFEPAY dominating the threat landscape. However, the most concerning trend is the continued pivot and acceleration by threat actors to supply chain exploitation. Major security incidents throughout the year repeatedly demonstrated that a provider’s security is only as strong as its weakest vendor link, leading to widespread compromises that impacted millions of patient records and forced a significant industry-wide reevaluation of third-party risk management.

Attack methodologies also evolved, requiring more advanced defenses. The proliferation of sophisticated social engineering techniques used in malware, such as ClickFix and FileFix, along with the emergence of QR code phishing (quishing), showcased an increasing reliance on methods that bypass traditional perimeter defenses by exploiting human trust. The evolving attack methodologies were often successfully countered, as demonstrated by the intervention of illegitimate Cobalt Strike usage and the successful takedown of the RaccoonO365 phishing-as-a-service infrastructure.


Compounding these cyber challenges is the unique duality of the health sector: the urgent need to secure life-critical operational technology and the exposure to geopolitical events. The security risks posed by legacy medical devices, particularly those approaching end-of-life, demanded immediate compensating controls to protect patient safety. Furthermore, 2025 saw the continued impact of nation-state cyber activity, from widespread remote IT worker fraud campaigns to hybrid warfare tactics that leveraged cybercriminal elements against geopolitical adversaries.

As we look toward 2026, the focus must shift from incident response to sustained Business Resilience. The lessons learned from massive disruptive events—such as the widespread impact from the faulty CrowdStrike update in July 2024—underscore the necessity for robust planning that goes beyond traditional cybersecurity and addresses operational continuity in the face of widespread third-party failure.

This report is structured to provide an in-depth analysis of these dynamics, offering clear insight into:

• Part I: The Current Threat Landscape: A deep dive into the most active cybercriminal groups, significant law enforcement takedowns, nation-state activity, and critical issues in medical device security.

• Part II: Notable Tactics, Techniques, and Procedures (TTPs): A breakdown of the most effective initial access and evasion techniques used by adversaries.

• Part III: Future Cybersecurity Outlook: Strategic guidance on enhancing business resilience and preparing for the emerging risks of 2026.

By sharing intelligence and adopting a collaborative defense strategy, the health sector can build the collective resilience necessary to protect patients, staff, and critical services in the years ahead.


Annual Member Survey Insights

Survey Background

In November 2025, Health-ISAC conducted a survey of nearly 250 executives and cybersecurity professionals across the health sector. The survey included cyber (e.g., CISO) and non-cyber (e.g., CFO) executives across multiple health subsectors (e.g., providers, pharmaceutical companies, payers, medical device manufacturers, health IT) as well as healthcare organizations of varying sizes and IT/IS budgets.

Survey responses were received from members of:

• Health-ISAC

• The Association for the Advancement of Medical Instrumentation® (AAMI)

• Health Sector Coordinating Council Cybersecurity Working Group (HSCC CWG)

Health Security Professionals were asked to rank the five greatest cybersecurity concerns facing their organizations for 2025 and 2026, and Medical Device Manufacturers were also asked the top three challenges in developing secure medical devices for 2025 and 2026.

The detailed survey results are available for members in the Health-ISAC Threat Intelligence Portal (HTIP).

/webapp/user/doc-library/43dd7f6d-be19-4d26-b235-aa203e4b0a37


Survey Findings

Health Sector Security Professionals ranked the top five cyber threats facing their organizations in 2025 as follows:

1. Ransomware Deployments
2. Phishing Attacks
3. Third Party/Partner Breaches
4. Data Breaches
5. Zero-Day Exploits

Health Sector Security Professionals ranked the top five cyber threats facing their organizations, looking ahead toward 2026, as follows:

1. AI-Enabled Attacks
2. Ransomware Deployments
3. Third Party Breaches
4. Zero-Day Exploits
5. Phishing/Spear Phishing

Medical Device Manufacturers reported the top three challenges in developing secure medical devices as follows:

1. Integrating security into the design and development process
2. Providing regular and secure updating and patching for medical devices
3. Designing for the ongoing security of medical devices over their long operational lifespan

Conversely, the top three impacts on Healthcare Delivery Organizations were reported as:

1. Disruption in the normal operation of medical technology
2. Unauthorized access, theft, or exposure of patients' personal health information (PHI)
3. Disruption of overall hospital operations, including administrative processes, scheduling, and communication


Key Insights

• The most significant consequences of cyberattacks on patient care were found to be the same in 2025 as those reported in 2024.

• Executives and cybersecurity practitioners reported the same concerns going into 2026, indicating a level of synergy across all levels of health sector cybersecurity.

• Member organizations with smaller cybersecurity budgets were more concerned by phishing in 2025, while those with larger budgets were more concerned by ransomware deployments.


Part I: The Current Threat Landscape

Physical Security

Throughout 2025, the health sector has maintained an increased focus on workplace violence and the safety of staff. Most recent reporting by the Bureau of Labor Statistics in 2023 states that healthcare was the industry where staff had the highest likelihood of experiencing violence in the workplace.[1] This, combined with the assassination of a health insurance executive at the end of 2024, has caused an increased focus on physical security and executive protection measures, driving increased budget allocations to the safety of all employees.

Physical Security/Violence Legislation – U.S. and Global

From a regulatory perspective in the United States, the Save Healthcare Workers Act (H.R. 3178/S. 1600) was reintroduced to Congress for a third time on May 5, 2025. The legislation aims to make assault on a healthcare worker a felony offense. Another regulation aimed at increasing healthcare worker safety was The Workplace Violence Prevention for Health Care and Social Service Workers Act (H.R. 2531/S. 1232), which was introduced to Congress for the fourth time on April 01, 2025. This act, if passed, would establish a federal standard for preventing workplace violence in healthcare environments. Working outside of the legislative process, health sector organizations have been implementing their own policies and using recommendations from the Occupational Safety and Health Administration to reduce workplace violence.[2]

Man-Made and Natural Threats to Security

The 2025 wildfire season in North America was marked by multiple major fires. It was the second-worst fire season on record in Canada in terms of total area burned.[3]

The Atlantic hurricane season saw minimal activity, with fewer storms making landfall compared to recent years. The Pacific typhoon season also saw fewer overall storms, although Super Typhoon Fung-Wong caused severe damage in the Philippines in mid-November.[4]

[1] /iif/factsheets/workplace-violence-2021-2022.htm

[2] /iif/factsheets/workplace-violence-2021-2022.htm

[3] https://www.cbc.ca/news/climate/wildfire-season-2025-1.7606371

[4] /news/super-typhoon-fung-wong-philippines/


There were multiple significant viral outbreaks throughout the year, the largest of which was the resurgence of Chikungunya. According to the World Health Organization, there were potentially 445,271 cases and 155 deaths globally across 40 countries.[5]

The 2025 outbreak of measles in the United States was the largest since 2000. It started in west Texas and quickly spread, with multiple cases appearing around the country.[6]

Avian Influenza has remained a global concern through 2025, as concerns continue about viral adaptation that would make the disease transmissible from human to human. The Centers for Disease Control and Prevention reported 70 cases in the United States, with one death. The World Health Organization reported 18 cases with eight deaths across the Western Pacific Region.[7]

The "50501" movement (short for "50 protests, 50 states, 1 movement") has been responsible for national protests on 10 different days across the United States, each growing in attendance and participation. The movement was founded with the intent of resisting perceived anti-democratic politics.[8] The protests have had a large footprint and drawn in many participants. As they grow, there is an increased potential for disruptions to emergency medical services and business travel. The protests can also disrupt day-to-day operations in the healthcare industry, as they can pull away staff and patients who wish to participate. International activity related to the 50501 movement has manifested as coordinated solidarity demonstrations outside the US, primarily concentrated in Western Europe and key Asian capitals. These protests create localized physical security risks by restricting the freedom of movement around US government facilities, potentially delaying secure logistics and complicating emergency response protocols of personnel in the area.

Many nations have moved to categorize healthcare staff as a "protected class" or have increased penalties specifically for crimes committed against them. Here are several examples Health-ISAC is tracking around the world:

1. United Kingdom — Assaults on Emergency Workers (Offences) Act 2018: This is perhaps the most direct parallel to the U.S. legislation. This Act doubled the maximum sentence for common assault against "emergency workers" (including NHS staff, paramedics, and police) from six months to 12 months in prison (later increased to two years via the Police, Crime, Sentencing and Courts Act 2022). The Act also created a specific offense of "assaulting an emergency worker," making the profession of the victim an aggravating factor that mandates a tougher sentence.

2. India — Epidemic Diseases (Amendment) Act 2020: Following a surge in violence against doctors during the COVID-19 pandemic, India enacted significant federal protections. The amendment makes any act of violence against healthcare personnel a cognizable and non-bailable offense. Perpetrators can face imprisonment ranging from three months to five years and heavy fines. In cases of "grievous hurt," the prison term can extend up to seven years. It also mandates that the offender pay twice the market value of any property damaged (such as hospital equipment).

3. Australia — State-Level "Health Worker" Protections: New South Wales introduced new laws in 2022 making it a specific crime to assault a healthcare worker. Penalties range from 12 months to 14 years in prison, depending on the severity of the harm. Queensland has similar "assaults on public officers" laws that carry increased penalties (up to seven or 14 years) specifically for those who bite, spit on, or assault healthcare staff.

4. France — Loi n° 2021-502: France has implemented specific criminal provisions to protect medical personnel, particularly those in emergency services. The law allows for increased criminal penalties when an assault is committed against a person "performing a public service mission," which explicitly includes hospital and emergency staff.

5. Armenia — 2025 Criminal Code Proposals: As of mid-2025, Armenia is debating a draft law very similar to the current U.S. bill. The Law proposes criminalizing the "obstruction of professional duties" of healthcare workers. If the obstruction involves threats or violence, the prison term can be up to two years.

[5] /outbreak-of-chikungunya-virus-poses-global-risk-warns-who

[6] /emergencies/disease-outbreak-news/item/2025-DON561

[7] /bird-flu/h5-monitoring/index.html

[8] /50-states-anti-trump-protest-nationwide-50501-explainer-2026115


Cybercriminal Activity

Hacktivist Attacks Against the Health Sector

Hacktivism involves using hacking techniques to promote a political or social cause. Hacktivist groups often leverage Distributed Denial of Service (DDoS) attacks to achieve their goals.

Attackers are increasingly targeting business associates and third-party vendors that provide critical services (like medical billing, software, or IT support) to healthcare providers.

In June 2025, a Hacktivist group operating on Telegram within a channel dubbed ServerKillers orchestrated a temporary disruption of websites associated with Medical Centers in Israel in response to Israel’s strikes on Iran.

The ServerKillers team is described as part of the larger Killnet Collective that has targeted health sector organizations in previous years. The Killnet Collective is self-described as including UserSec, CoupTeam, DarkStormTeam, ServerKillers, D0rGe1st, and PalachPro.

The pro-Iran hacktivist group Cyber Islamic Resistance also attacked Israeli health sector entities in response to military action against Iran. In July 2025, the group attacked nine Israeli health organizations, including mental health hospitals, emergency rooms, and children’s hospitals.[9][10]

Data Breaches — Episource

Data breaches were identified as the fourth most severe concern for global health sector cybersecurity professionals in 2025.

A ransomware-driven intrusion between January and February 2025 exposed data from over 5.4 million individuals. The data breach originated from a single vendor, Episource, a provider of risk adjustment services, software, and solutions for health plans and provider groups. The breach resulted in a cascading effect that impacted numerous providers and millions of patients.[11]

A New Era of Digital Warfare: Understanding and Mitigating Modern DDoS and RDoS Attacks

Distributed Denial-of-Service (DDoS) attacks have increased in magnitude as more devices come online and organizations increase remote access for their staff. In September 2025, Health-ISAC published a white paper that covers the motivations behind DDoS attacks, provides several historical examples, and details several strategic and tactical recommendations IT and information security professionals can use to limit impacts from these disruptive attacks.

Link: /a-new-era-of-digital-warfare-understanding-and-mitigating-modern-ddos-and-rdos-attacks/

[9] /FalconFeedsio/status/1947009260543791524

[10] /FalconFeedsio/status/1946905848795546105

[11] /episource-data-breach/


Significant Takedowns

Cybercriminal Cobalt Strike Usage Down 80%

Cobalt Strike is a legitimate penetration testing framework used by red team operators to emulate adversaries. It offers command and control capabilities that allow red team operators to emulate cybercriminals and nation-state threat actors. However, its capabilities drew interest from cybercriminals, and illegitimate instances of the Cobalt Strike framework were used in countless cyberattacks on the global health sector. In 2023, Fortra, Health-ISAC, and Microsoft led an effort to identify and disrupt instances of Cobalt Strike being abused by threat actors.

In the first quarter of 2025, Fortra announced abuse by threat actors had dropped by 80%, thanks largely to the joint Cobalt Strike disruption effort started in 2023. The blog went on to state that new instances of Cobalt Strike operated by threat actors are being detected faster and usually taken down within one or two weeks.[12]

RaccoonO365 Disruption

RaccoonO365 is a phishing-as-a-service kit used in cyberattacks to steal user credentials (usernames and passwords) plus one-time login tokens, specifically targeting Microsoft Office 365 accounts through a sophisticated phishing kit. After its launch in July 2024, the kit quickly became the fastest-growing tool used by cybercriminals to victimize thousands of organizations globally.

While RaccoonO365 services are used to target all industries, its phishing kits have been used to target more than 25 health sector organizations.[13] As phishing emails are often a precursor to the installation of malware and ransomware, usage of the RaccoonO365 phishing kits could have severe consequences for hospitals and put patient safety at risk. When hospitals get hit by ransomware, patient services are delayed, critical care is postponed or canceled, lab results are compromised, and sensitive data is breached, causing major financial losses and disruptions that directly impact patients’ lives.

Starting in 2024, Microsoft’s Digital Crimes Unit (DCU) collaborated with Health-ISAC to take down the RaccoonO365 phishing service. The partnership led to a civil lawsuit and a court order granted in September 2025 by the Southern District of New York that allowed Microsoft to seize the criminal infrastructure used by the attackers. The DCU seized 338 websites associated with RaccoonO365, disrupting the operation’s technical infrastructure and cutting off criminals’ access to victims.

The naming of a specific defendant and the referral of this case to law enforcement in September 2025, plus the subsequent arrest of the RaccoonO365 operator and two of his accomplices, sends a strong message that cybercriminals cannot operate with impunity.

This joint effort is considered a significant win for the health sector. It demonstrates the importance of collaboration and threat intelligence sharing when protecting sensitive data and essential health services.

This example shows that cybercriminals do not need sophisticated IT skills to cause widespread harm. Tools like RaccoonO365 make cybercrime accessible to virtually anyone, putting patients at risk.

[12] /blog/update-stopping-cybercriminals-from-abusing-cobalt-strike

[13] /en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/


Ransomware Gangs Attacking Health Sector

The threat actor profiles listed below correspond to the five most active ransomware gangs Health-ISAC observed globally with the highest number of health sector victims for calendar year 2025. In total, Health-ISAC tracked 455 ransomware events across the health sector.

More threat actor profiles are available on the Health-ISAC Threat Intelligence Portal (HTIP) under the “Knowledge Base.” Threat actor profiles are actively updated and maintained by Health-ISAC analysts, ensuring members get the most relevant information possible.

| Most Active Ransomware Gangs | Number of Health Sector Entities Attacked |
| --- | --- |
| Qilin | 77 |
| INC Ransom | 50 |
| SAFEPAY | 23 |
| Sinobi | 21 |
| World Leaks | 18 |

Qilin

77 Attacks on Health Sector Entities

The Russian-speaking ransomware-as-a-service (RaaS) group Qilin has been active since 2022[14] and has been steadily gaining steam as a renowned ransomware threat. Its activity against the health sector soared in 2025. The group had nearly triple the number of health sector victims in 2025 compared with 2024 (23 victims in 2024 vs 77 in 2025); Qilin has been named as the group attacking the health sector the most since Lockbit was disrupted by international law enforcement at the beginning of 2024.

INC Ransomware

50 Attacks on Health Sector Entities

INC Ransomware, an RaaS operator, has been active since 2023. It uses vulnerability exploitation, supply chain compromise and social engineering to gain access to target networks[15] and has posed a significant threat to the health sector in both 2024 and 2025. In 2024, the group was named the second most disruptive group to the health sector. Although its ranking is the same as in 2024, its total victim count in 2025 increased by 11, indicating that the group may be growing.

SAFEPAY

23 Attacks on Health Sector Entities

SAFEPAY is a relatively new ransomware group. Unlike the two RaaS groups named previously, SAFEPAY operates as a single sophisticated cybercriminal outfit. The group is known to use social engineering and stolen credentials to gain access to target networks.[16] Its first activity was observed in September 2024. Since then, its attacks on the health sector grew from just 3 victims in 2024 to 21 victims in 2025, making it the third most disruptive ransomware group targeting the health sector, and the group with the sharpest year-over-year percentage increase in victim count, increasing over sixfold from 2024 to 2025.

[14] /threat-actors/qilin-threat-actor-profile/

[15] /threat-profile/inc-ransom-ransomware/

[16] /cyber-hub/threat-prevention/ransomware/safepay-ransomware/


Sinobi

21 Attacks on Health Sector Entities

Sinobi is also a new actor. First observed in the summer of 2025, Sinobi has aggressively targeted the health sector for the past six months. The group uses stolen credentials and exploits public-facing applications.[17] In the second half of 2025 alone, Sinobi had 21 victims; they appear to be operating as an RaaS platform, creating the infrastructure and tooling that affiliates use during their attacks. In the absence of significant law enforcement action, Sinobi’s RaaS affiliates are likely to keep aggressively targeting the health sector.

World Leaks

18 Attacks on Health Sector Entities

World Leaks is suspected to be a rebrand of the group Hunters International, emerging just two months after the announcement that Hunters International was shutting down due to fear of law enforcement action. Notably, World Leaks has adopted a single extortion strategy, prioritizing data theft rather than encryption. The group then uses the threat of publication to coerce victims to pay a ransom.[18] World Leaks was first observed in 2025, making it the second group on this list that is less than a year old. In the short time the group has been active, it has accrued 18 health sector victims, making it the fifth most disruptive ransomware threat to the health sector, as tracked by Health-ISAC in 2025.

[17] /resources/moxfive-threat-actor-spotlight-sinobi

[18] /en/ransomware-groups/worldleaks-thehealthcaresectorthemost

,suggestingtheymaybescalingbackbetween-pure-extortion-and-traditional-ransomware-whats-the-difference/


Ransomware Trends in the Health Sector

Health-ISAC has been compiling ransomware incident data across all sectors globally since 2020. Health-ISAC derived the following insights when examining the changes in the health sector ransomware landscape from 2024 to 2025.

Emerging and Receding Ransomware Groups:

Following is a list of the top 10 ransomware groups by victim count over the past two years, organized to identify which groups have experienced the largest percentage change in victim count from 2024 to 2025. The chart illustrates which groups are strengthening their operations and which are slowing down. This list excludes ransomware groups that first emerged in 2025.

SAFEPAY, Qilin, and INC Ransomware have the highest percentage increase in victim count year-over-year, suggesting they may be expanding operations against the health sector. Conversely, Everest, BianLian, and Lockbit have reduced their health sector victim count, suggesting they may be scaling back operations against health sector organizations moving f
