Why Healthcare Is Now in the Bullseye for Ransomware Groups

Written by: Ferhat Dikbiyik, Chief Research & Intelligence Officer at Black Kite

Cybercriminals are becoming increasingly bold — and no industry is safe, even those once considered untouchable. Last year, ransomware attacks in the healthcare industry skyrocketed, propelling it from the 7th most targeted industry to 3rd in just one year with attacks increasing by over 32%. The sector now accounts for 8% of ransomware attacks — up from just 5% a year ago — ranking behind only manufacturing and professional services.

What’s driving this surge? Cybercriminals are exploiting vulnerabilities unique to healthcare — making it one of the most lucrative targets. From sensitive patient data to operational disruptions that could jeopardize lives, the stakes couldn’t be higher. With 303 attacks in a single year on major hospitals to small clinics, no corner of healthcare is immune. 

Our latest report, Healthcare Under Ransomware Attack, breaks down what’s behind this alarming trend — and what healthcare organizations can do to shore up their defenses.

Healthcare’s ransomware epidemic: The surge explained

Healthcare’s rise as a prime ransomware target marks a turning point in the tactics of cybercriminals. Once considered “off-limits” under an informal (yet twisted) code of conduct, healthcare now finds itself firmly in the crosshairs. Today’s ransomware groups prioritize ease of access and high ransom potential, and the unique pressures within healthcare — where patient safety and operational continuity are at stake — make the sector especially attractive.

This shift can be traced to two main catalysts: the high-profile attack on Change Healthcare and the dismantling of prominent ransomware groups like LockBit and AlphV (BlackCat).

The February 2024 ransomware attack on Change Healthcare disrupted vital services for healthcare facilities across the U.S. Although the company acted quickly to minimize the impact, the incident exposed vulnerabilities in healthcare operations. It also revealed growing tensions within the ransomware ecosystem. During the attack, a failed payment to an affiliate (an independent attacker partnering with a ransomware operator) sparked disputes, leading to an uprising by affiliates seeking to shift the power away from large ransomware groups. 

The exit of AlphV (BlackCat) in December 2023 and the disruption of LockBit in February 2024 further impacted the ransomware landscape. While these events temporarily reduced attack volumes, the lull was quickly followed by an influx of new groups, many of which now lead attacks and work off an affiliate-led model. Emerging groups like RansomHub attracted many affiliates disillusioned with how ransomware groups were previously structured, offering affiliates greater control and payouts as high as 90%.

The shift in how ransomware groups operate also means affiliates are in high demand. Now, they transition freely between groups, spreading their knowledge further and making attacks by new, more aggressive players more likely. They’re also taking a carefully planned approach to which companies they target next.

Why ransomware groups are targeting healthcare

Healthcare’s ethical responsibility to ensure continuity of care for patients sets it apart from other industries and makes it uniquely vulnerable to attacks. When systems are compromised, the consequences can be a matter of life and death — delayed surgeries, inaccessible medical records, and compromised patient safety. This means that when attacked, healthcare companies are often pressured to pay ransoms to avoid disruptions to life-saving care.

Smaller healthcare providers, with less robust cybersecurity defenses, are especially vulnerable. But no organization — large or small — is immune. Attackers aren’t picking targets at random — they are following a deliberate, calculated strategy based on:

• Technical vulnerability: Unpatched systems and outdated software are low-hanging fruit.
• Industry: Sectors with sensitive, valuable data, like healthcare.
• Likelihood to pay: Organizations with a history of paying ransoms are more likely to pay again.
• Geographic area: The U.S. remains the top target for ransomware groups.
• Revenue profile: Large enterprises (revenues over $100M and small to mid-sized businesses (revenues below $20 million) are commonly targeted. 

While legacy ransomware groups tended to favor negotiation, modern groups are more likely to demand fast payments of a one-time ransom, with no room for negotiation. And sensitive patient data combined with high-stakes operations makes it more likely that affected companies will pay. In healthcare, ransom demands have climbed as high as $20M, driven by the urgent need to restore operations and protect patient outcomes.

The impact of these attacks goes far beyond finances. Attacks ripple through the healthcare ecosystem, exacting a human toll on providers, patients, and their families. The effects can also spill over to vendors and suppliers, putting your entire third-party ecosystem at risk. With no subindustry of healthcare safe — and ransomware groups targeting practices both large and small — maintaining the status quo is no longer an option. 

Taking control: How to get ahead of the curve

With the chances of an attack becoming increasingly likely, it’s time to take a proactive approach to protect healthcare organizations and third-party ecosystems from attacks. Here’s how to start building a robust line of defense:

Continuously monitor risk factors

Healthcare organizations need to focus on monitoring risk factors that could increase the chance of an attack. Consider what your ecosystem looks like to attackers. Unpatched systems, outdated defenses, and weak links in your third-party ecosystem are common entry points.

By continuously monitoring for changes in risk factors — both within your organization and across your third-party network — it’s easier to take action before vulnerabilities are exploited.

Use an early warning system

An early warning system is one of the best ways to assess your company’s vulnerability to attack. Proactive tools like Black Kite’s Ransomware Susceptibility Index^® (RSI™) provide insights into your organization’s risk of a ransomware attack. RSI™ uses machine learning and data analysis to assess vulnerability on a scale from 0 (low risk) to 1 (high risk). Scores above 0.50 indicate a heightened likelihood of attack, allowing organizations to prioritize and remediate vulnerabilities before they become problematic.

What makes RSI™ particularly powerful is that it mirrors the factors ransomware attackers themselves evaluate when choosing targets. By identifying and addressing any vulnerabilities before they’re picked up on by attackers, you can stay off their radar and keep sensitive patient data safe.

Prevention is the best medicine

Healthcare providers preach the power of preventative care — and the same goes for cybersecurity. Taking a proactive approach to ransomware defense, you can assess the risks to your organization and its third-party ecosystem, protecting against the growing risk of attacks before it’s too late. 

With attacks on the healthcare industry becoming more frequent and aggressive, the cost of inaction is too great — not just in financial losses but in disruptions to patient care. Protecting your organization from these threats isn’t just a cybersecurity priority — it’s a critical investment in the safety and well-being of the patients and communities you serve.