Healthcare Ransomware Is Killing Patients: A Technical Assessment of Hospital Cyber Threats
A University of Minnesota study found that ransomware attacks on hospitals caused at least 47 Medicare patient deaths between 2016 and 2021 [7]. Among patients already admitted when an attack begins, in-hospital mortality increases by 35% to 41% [7]. Former FBI official Cynthia Kaiser believes the real number of lives lost to this crime is "almost certainly in the hundreds" [6]. She's now proposing terrorism designations and homicide charges for ransomware operators who target hospitals [6].
These aren't abstract policy debates. In February 2026, the Medusa ransomware operation hit the University of Mississippi Medical Center, Mississippi's only children's hospital and Level I trauma center [4]. The entire organization went dark for nine days [4]. Staff resorted to handwritten charts and makeshift command centers [5]. The cancer infusion center had to reschedule patients [4]. Medusa demanded $800,000 within one week [5]. Available evidence strongly suggests that ransomware attacks contribute to increased patient mortality.
The Numbers Tell a Brutal Story
Healthcare ransomware attacks surged 30% in the first half of 2026 compared to the same period in 2025 [2]. Ransomware now accounts for over one-third of all healthcare cyberattacks [8]. January 2026 alone logged 27 incidents against healthcare organizations [2]. Through Q1 2026, providers reported 120 ransomware attacks, a 14% decrease from Q4 2025, but the severity per incident spiked dramatically [1].
The average ransom demand in Q1 2026 hit $16.9 million, up from $577,800 in the previous quarter [1]. This represents a 29x increase in a single quarter. Meanwhile, 252 large healthcare data breaches were reported to OCR from January through April 2026, and 772 breaches affecting 500 or more individuals were logged across the broader year. Hacking and IT incidents accounted for more than 80% of those large breaches.
Patient records sell for up to 10 times the price of financial records on darknet markets [16]. The economic incentive is obvious, and threat actors are responding accordingly.
Who's Doing This: Qilin, Medusa, and State-Backed Operators
Qilin dominated Q1 2026 healthcare ransomware activity with 23 confirmed and claimed attacks against providers [1]. Across all sectors, Qilin claimed 550 total victims in Q1 2026 [1]. By June, the group had accumulated 168 confirmed victims in the healthcare sector alone [2].
Medusa, tracked by Microsoft as Storm-1175, has been active since June 2021 and operates as a ransomware-as-a-service (RaaS) platform [10]. Over 300 victims from critical infrastructure sectors were impacted as of February 2025 [10]. The group uses a double-extortion model: steal data first, then encrypt [10].
A significant development is the involvement of North Korean state-backed operators assessed to be associated with the Lazarus Group, which have been observed deploying Medusa ransomware against U.S. healthcare and Middle East organizations [12]. These operations represent a convergence of financially motivated cybercrime and state-sponsored hacking, with an average ransom demand of $260,000 for healthcare victims in Lazarus-linked campaigns [12].
Storm-1175: 24-Hour Kill Chains and Zero-Day Exploitation
Microsoft's April 2026 analysis of Storm-1175 revealed an operational tempo that collapses traditional incident response timelines. The group "rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within 24 hours" [3]. This means initial compromise, lateral movement, credential harvesting, data theft, and encryption, all inside a single day.
Storm-1175 has exploited 16 or more vulnerabilities across widely used platforms since 2023 [13]. Two recent zero-day exploits stand out:
- CVE-2026-23760 in SmarterMail, exploited one week before public disclosure [3]
- CVE-2025-10035 in GoAnywhere Managed File Transfer (CVSS 10.0), exploited one week before public disclosure [3][15]
Exploiting vulnerabilities before they're publicly known means patching can't help. Organizations running SmarterMail or GoAnywhere MFT were compromised before they even knew a flaw existed.
The Kill Chain: From Web Shell to Encryption
Storm-1175's typical attack sequence follows a well-defined pattern across healthcare targets in the United States, United Kingdom, and Australia [3].
Initial Access: Exploitation of public-facing web applications, particularly mail servers and managed file transfer platforms [3]. Suspicious .jsp files within application directories indicate successful web shell deployment [15].
Persistence and C2: The group deploys MeshAgent and SimpleHelp remote management tools for persistent access [15]. C2 communications are tunneled through Cloudflare, "providing obfuscation and resiliency" [15]. A Cloudflare tunnel binary is renamed to conhost.exe to mimic a legitimate Windows process [14].
Credential Harvesting: Storm-1175 accesses the Active Directory database (NTDS.dit) for credential dumping [3]. The group manipulates WDigest registry settings to enable cleartext credential caching [14] and runs Veeam password recovery scripts to extract credentials from backup infrastructure [14]. Tools include Mimikatz and Impacket [13].
Lateral Movement: Remote Desktop Protocol connections and RMM software facilitate movement across the network [13][15]. Unusual usage patterns of mstsc.exe (the RDP client) serve as behavioral indicators [15].
Data Exfiltration: Rclone handles cloud synchronization for data theft [13]. Bandizip compresses collected data before exfiltration [13]. The RunFileCopy.cmd script stages data for extraction [3].
Encryption: The ransomware payload, gaze.exe, uses AES-256 encryption and appends the .medusa extension to files [14]. Distribution across the network is handled via PDQ Deploy, a legitimate software deployment tool repurposed for mass encryption [14]. Antivirus exclusion paths are configured to include C:\ to prevent detection [3]. Ransom notes are dropped as !!!READ_ME_MEDUSA!!!.txt [10].
Supply Chain Breaches Multiply the Damage
NYC Health and Hospitals Corporation disclosed a breach in February 2026 affecting 1.8 million individuals [9]. Threat actors had maintained access to systems between November 2025 and February 2026 through a third-party vendor [9]. Exposed information included personal, health insurance, medical, biometric, and financial data [9]. Three months of undetected access through a supply chain vector.
Double-extortion tactics create automatic HIPAA violations regardless of whether the ransom is paid [8]. The 2024 HIPAA Security Rule updates, now effective in 2026, require ongoing risk assessments [8], but compliance frameworks don't stop a zero-day exploit deployed before dawn.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Filename | gaze.exe | Medusa ransomware encryptor payload | [10][14] |
| Filename | svhost.exe | Malicious executable | [10] |
| Filename | !!!READ_ME_MEDUSA!!!.txt | Ransom note | [10] |
| Filename | !!READ_ME_MEDUSA!!.txt | Ransom note variant | [11] |
| Filename | RunFileCopy.cmd | Payload delivery script | [3] |
| Filename | conhost.exe | Cloudflare tunnel binary disguised as legitimate process | [14] |
| Filename | NTDS.dit | AD database targeted for credential dumping | [3] |
| Domain | go-sw6-02.adventos.de | C2 infrastructure | [11] |
| IP | 195.123.246.138 | C2 server | [11] |
| IP | 185.220.100.249 | C2 server | [11] |
| IP | 23.27.140.49 | Lazarus-linked C2 infrastructure | [12] |
| IP | 23.27.140.135 | Lazarus-linked C2 infrastructure | [12] |
| Malware | Medusa | Ransomware (.medusa extension) | [3] |
| Malware | Comebacker | Lazarus custom backdoor/loader | [12] |
| Malware | RP_Proxy | Custom proxying tool | [12] |
| Malware | Mimikatz | Credential dumping | [13] |
| Malware | Impacket | Lateral movement and credential access | [13] |
| Malware | Rclone | Data exfiltration via cloud sync | [13] |
MITRE ATT&CK Mapping
| Technique ID | Name | Context |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Zero-day exploitation of SmarterMail, GoAnywhere MFT [3] |
| T1003.001 | LSASS Memory | Mimikatz credential dumping [13] |
| T1003.002 | Security Account Manager | NTDS.dit extraction [3] |
| T1562.001 | Disable or Modify Tools | AV exclusion of C:\ drive [3] |
| T1486 | Data Encrypted for Impact | AES-256 encryption via gaze.exe [14] |
| T1567.002 | Exfiltration to Cloud Storage | Rclone cloud synchronization [13] |
| T1560.001 | Archive via Utility | Bandizip compression [13] |
| T1219 | Remote Access Software | MeshAgent, SimpleHelp, PDQ Deploy [14][15] |
| T1021.001 | Remote Desktop Protocol | Lateral movement via mstsc.exe [15] |
| T1090 | Proxy | Cloudflare tunneling for C2 obfuscation [15] |
| T1105 | Ingress Tool Transfer | Tool staging and deployment [13] |
| T1133 | External Remote Services | RDP and RMM abuse for persistence [13] |
Detection and Hunting
Network Indicators:
- Monitor for Cloudflare tunnel connections originating from servers that shouldn't have them. Look for `conhost.exe` making outbound HTTPS connections, particularly from non-standard directories [14][15].
- Block or alert on connections to known Medusa C2 IPs: `195.123.246.138`, `185.220.100.249`, `23.27.140.49`, `23.27.140.135` [11][12].
- Watch for Rclone traffic patterns (high-volume outbound transfers to cloud storage providers) from server segments [13].
Endpoint Indicators:
- Hunt for `gaze.exe` or `svhost.exe` in any path. Neither is a legitimate Windows binary; `svhost.exe` mimics the real `svchost.exe`, which runs only from `C:\Windows\System32\` [10].
- Alert on WDigest registry modifications: `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential` set to `1` [14].
- Detect antivirus exclusion additions covering entire drive letters, particularly `C:\` [3].
- Monitor for PDQ Deploy executions outside of normal change windows [14].
- Flag `NTDS.dit` access or copies via `ntdsutil`, `vssadmin`, or shadow copy creation [3].
SIEM Queries:
Splunk-style searches for the process, network, and registry indicators above (Windows Security event 4688, proxy logs, and Sysmon event 13, which records a registry value being set):

```
index=windows EventCode=4688 (NewProcessName="*\\gaze.exe" OR NewProcessName="*\\svhost.exe" OR NewProcessName="*\\RunFileCopy.cmd")

index=proxy dest_ip IN (195.123.246.138, 185.220.100.249, 23.27.140.49, 23.27.140.135)

index=windows EventCode=13 TargetObject="*\\WDigest\\UseLogonCredential" Details="DWORD (0x00000001)"
```
Behavioral Patterns:
- MeshAgent or SimpleHelp installations on systems where they weren't previously deployed [15].
- Suspicious `.jsp` files appearing in web application directories, particularly on SmarterMail or GoAnywhere MFT servers [15].
- Assume your phishing detection is missing initial access attempts. Focus on post-compromise detection.
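The endpoint indicators and SIEM queries above, folded into one small hunting routine that runs over constructed Windows telemetry. This is an added example, not code from the article or from any vendor: the event dict fields (`Computer`, `EventCode`, `NewProcessName`, `TargetObject`, `Details`, `Message`) are assumptions modelled on Security 4688, Sysmon 13 and Defender 5007 records, and every sample event is constructed.

```python
import re

# Indicators from the article's IOC table and endpoint-hunting list. The real
# conhost.exe / svchost.exe run only from System32; svhost.exe is a look-alike.
PAYLOAD_NAMES = {"gaze.exe", "svhost.exe", "runfilecopy.cmd"}
SYSTEM32 = "c:\\windows\\system32\\"
WDIGEST_VALUE = re.compile(r"\\securityproviders\\wdigest\\uselogoncredential$", re.I)
DRIVE_ROOT = re.compile(r"^[a-z]:\\?$", re.I)   # exclusion that covers a whole drive

def check_event(ev):
    """Return finding tags for one event dict; an empty list means nothing fired."""
    findings = []
    if ev["EventCode"] == 4688:                  # Security: process creation
        path = ev["NewProcessName"].lower()
        name = path.rsplit("\\", 1)[-1]
        if name in PAYLOAD_NAMES:
            findings.append(f"medusa_payload:{name}")
        if name == "conhost.exe" and not path.startswith(SYSTEM32):
            findings.append(f"masqueraded_conhost:{path}")   # renamed tunnel binary
    elif ev["EventCode"] == 13:                  # Sysmon: registry value set
        if WDIGEST_VALUE.search(ev["TargetObject"]) and ev["Details"].endswith("(0x00000001)"):
            findings.append("wdigest_cleartext_enabled")
    elif ev["EventCode"] == 5007:                # Defender: configuration changed
        m = re.search(r"Exclusions\\Paths\\(\S+) = ", ev["Message"], re.I)
        if m and DRIVE_ROOT.match(m.group(1)):
            findings.append(f"drive_wide_av_exclusion:{m.group(1)}")
    return findings

def hunt(events):
    """Map host -> findings for every host with at least one hit."""
    hits = {}
    for ev in events:
        tags = check_event(ev)
        if tags:
            hits.setdefault(ev["Computer"], []).extend(tags)
    return hits

# Constructed sample telemetry (field names are assumptions, not a vendor schema).
SAMPLE_EVENTS = [
    {"Computer": "MAIL01", "EventCode": 4688, "NewProcessName": r"C:\Windows\System32\conhost.exe"},
    {"Computer": "MAIL01", "EventCode": 4688, "NewProcessName": r"C:\ProgramData\conhost.exe"},
    {"Computer": "DC01", "EventCode": 13, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"},
    {"Computer": "FS02", "EventCode": 5007,
     "Message": r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0"},
    {"Computer": "FS02", "EventCode": 4688, "NewProcessName": r"C:\Users\Public\gaze.exe"},
    {"Computer": "WS77", "EventCode": 4688, "NewProcessName": r"C:\Windows\System32\svchost.exe"},
]
```

Calling `hunt(SAMPLE_EVENTS)` flags MAIL01 (conhost.exe outside System32), DC01 (WDigest enabled) and FS02 (drive-wide exclusion followed by gaze.exe), while the legitimate conhost.exe and svchost.exe launches produce nothing.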
Analysis
The healthcare ransomware problem is getting worse on every metric that matters except raw volume. The 14% drop in Q1 2026 attack counts [1] masks a 29x surge in ransom demands and continued acceleration in attack speed. Threat actors are optimizing for impact per operation rather than volume. Fewer attacks, higher stakes, faster execution.
The involvement of actors assessed to be associated with the Lazarus Group in Medusa ransomware deployment [12] represents a qualitative shift. Nation-state operators bring resources, patience, and zero-day capabilities that typical cybercriminal groups lack. Storm-1175's demonstrated ability to exploit vulnerabilities before public disclosure [3] means traditional vulnerability management programs are structurally insufficient.
Kaiser's call for terrorism designations and homicide charges [6] reflects growing frustration with the status quo, but legal frameworks aren't designed for transnational cyber operations. Most Medusa operators are beyond the reach of U.S. federal prosecutors. The practical value of such designations would primarily lie in sanctions authorities and intelligence collection priorities.
Red Sheep Assessment
Confidence: Moderate-High
The convergence of three trends points to a dangerous trajectory that none of the sources individually articulate.
First, average ransom demands jumped from $577,800 to $16.9 million in a single quarter [1]. This isn't gradual escalation. It signals that operators have recalibrated their understanding of healthcare organizations' willingness and ability to pay. The Change Healthcare payment (reported widely at $22 million) likely reset attacker expectations across the ecosystem.
Second, Storm-1175's zero-day exploitation capability [3] combined with the involvement of actors assessed to be associated with the Lazarus Group [12] means Medusa operations now benefit from both nation-state reconnaissance and criminal monetization. This hybrid model is more dangerous than either threat category alone. State-backed groups identify targets and access vectors; criminal affiliates handle the extortion. The profit motive sustains operations while state backing provides capability uplift.
Third, compressed attack timelines (24 hours) [3] create a detection gap that most healthcare security programs can't close. Hospitals that rely on user reporting as an early warning system are functionally blind to initial access attempts. By the time anyone notices something wrong, the attack is complete.
The alternative interpretation, that declining attack counts represent successful deterrence or improved defenses, doesn't hold up against the data. Attackers are simply being more selective, targeting organizations with higher revenue and more sensitive data, knowing that a single successful operation at $16.9 million is worth more than dozens of smaller hits.
Healthcare organizations should plan for the assumption that a sophisticated ransomware operator will breach their perimeter. The defensive question isn't "how do we prevent initial access?" but "how do we detect and contain within hours, not days?"
Defender's Checklist
- [ ] Patch SmarterMail (CVE-2026-23760) and GoAnywhere MFT (CVE-2025-10035) immediately. Storm-1175 exploited both before public disclosure. Verify patch status across all instances and consider network segmentation for internet-facing mail and file transfer servers [3][15].
- [ ] Hunt for Medusa-specific IOCs now. Search endpoint telemetry for `gaze.exe`, `svhost.exe`, `RunFileCopy.cmd`, and `conhost.exe` running Cloudflare tunnels. Query DNS logs for `go-sw6-02.adventos.de`. Query firewall logs for C2 IPs: `195.123.246.138`, `185.220.100.249`, `23.27.140.49`, `23.27.140.135` [10][11][12][14].
- [ ] Monitor for WDigest credential caching and NTDS.dit access. Deploy detections for registry modification of `UseLogonCredential` to `1` and any `ntdsutil` or shadow copy operations targeting the AD database [3][14].
- [ ] Audit RMM tool installations across the environment. MeshAgent, SimpleHelp, and PDQ Deploy are legitimate tools abused by Storm-1175 for persistence and payload distribution. Flag any installations not authorized by IT operations [14][15].
- [ ] Establish a sub-4-hour containment capability for ransomware. Storm-1175 completes full kill chains in 24 hours [3]. Organizations relying on next-business-day IR procedures will lose. Pre-authorize network isolation actions, maintain offline backups tested within the last 30 days, and conduct tabletop exercises against this specific timeline.
References
[1] https://www.paubox.com/blog/ransomware-in-healthcare-is-getting-worse-even-as-the-numbers-go-down
[2] https://thecyberexpress.com/qilin-inc-ransom-drive-2026-ransomware-surge/
[3] https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
[4] https://therecord.media/medusa-ransomware-mississippi-cyber
[5] https://www.comparitech.com/news/cybercriminals-say-they-hacked-university-of-mississippi-medical-center-demand-ransom/
[6] https://www.nextgov.com/cybersecurity/2026/04/former-fbi-official-proposes-terror-designations-ransomware-hackers-targeting-hospitals/413002/
[7] https://www.govinfosecurity.com/are-hospital-attacks-terrorism-patient-deaths-murder-a-31560
[8] https://medicalitg.com/hipaa-compliance/2026-healthcare-ransomware-crisis-it-security-guide/
[9] https://www.securityweek.com/millions-impacted-across-several-us-healthcare-data-breaches/
[10] https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
[11] https://threatlabsnews.xcitium.com/blog/medusa-ransomware-what-it-is-and-how-xcitium-keeps-you-safe/
[12] https://www.security.com/threat-intelligence/lazarus-medusa-ransomware
[13] https://rewterz.com/threat-advisory/storm-1175-exploiting-zero-days-for-medusa-ransomware-active-iocs
[14] https://labs.cloudsecurityalliance.org/research/csa-research-note-storm1175-medusa-ransomware-zero-day-20260/
[15] https://dailysecurityreview.com/ransomware/microsoft-ties-storm-1175-to-medusa-ransomware-via-goanywhere-flaw-cvss-10-0/
[16] https://thecyberexpress.com/qilin-inc-ransom-drive-2026-ransomware-surge/