
May 2025 Healthcare Threat Intelligence Briefing




Healthcare Sector Ransomware Threat Analysis, May 2025

Throughout May 2025 (01/05/2025 to 31/05/2025), the Healthcare industry continued to face sustained ransomware activity and the data breaches that accompany it. According to data retrieved on 1 June 2025 from
https://www.ransomware.live, there were at least six reported incidents targeting medical centres and hospital networks across Europe. These figures are consistent with updates from
Mandiant (Google Cloud), observed on 3 May 2025, and from
IBM X-Force Exchange, observed on 10 May 2025. Geographically, the events were concentrated in Western Europe: two were reported in the United Kingdom, one in France, and the remaining three across Germany, Italy, and the Netherlands.

Preliminary analysis indicates that the attackers primarily exploited known vulnerabilities in remote access services and unpatched public-facing systems. One case, reported by The Hacker News on 11 May 2025, involves exploitation of
CVE-2024-5535 at a hospital in the United Kingdom, where the adversaries used the resulting unauthorised access to pivot laterally through the internal network. Separately, a prominent children’s hospital in France suffered a complete network lockout after attackers capitalised on outdated authentication mechanisms, as detailed on 5 May 2025 by
Recorded Future.

Beyond the immediate operational impact of these breaches, namely disrupted patient services and exposure of patient data, a pattern is emerging in who is behind them: established threat groups are orchestrating these ransomware campaigns rather than opportunistic individuals. In two of the six incidents, investigators attributed the attack to a named actor.

Deep Dive on Known Attacker Groups

LockBit
LockBit, covered extensively in our dedicated threat group analyses at
Cyber-Defence.io, has been active against the Healthcare sector for several years and continues to refine its methods to bypass layered defences. In the first week of May 2025 (observed by
AlienVault OTX on 4 May 2025), LockBit affiliates reportedly exploited misconfigurations in a hospital’s virtual private network (VPN) appliance. Once inside the perimeter, they deployed customised ransomware payloads with self-propagating capabilities.

LockBit’s techniques hinge on stealth: affiliates typically gain initial access through spear phishing or compromised remote desktop protocol (RDP) credentials, then combine custom credential-harvesting tooling with commercially available penetration-testing frameworks so that their activity blends in with legitimate administration and evades detection. Their standard modus operandi is to exfiltrate sensitive patient data early in the intrusion and use the threat of public disclosure to pressure victims into paying promptly.

Orion Ransomware Group
A relatively new actor first identified on 8 May 2025 by
CrowdStrike Falcon OverWatch, Orion Ransomware Group is becoming more prevalent in attacks aimed specifically at the Healthcare sector. Research published by
the UK’s NCSC on 15 May 2025 suggests that Orion is highly opportunistic, focusing on hospitals with weak network segmentation. Once inside, Orion operators install covert command-and-control (C2) beacons and use that foothold to escalate privileges over days or weeks before delivering ransomware payloads.

During May 2025, Orion demonstrated sophisticated operational security, including encrypted channels for payload delivery and offline tactics to evade endpoint detection solutions. Its approach targets Internet-exposed medical devices, which often run legacy software, before spreading to critical hospital systems. According to
VirusTotal telemetry from 20 May 2025, persistence tools attributed to Orion were observed communicating with anonymised web services, complicating efforts by security teams to trace the group’s activity in real time.

Protective Measures for Healthcare Organisations

The recent breaches provide practical lessons for Healthcare sector security. Firstly, thorough patch management stands out as a crucial factor: unpatched software and outdated authentication systems have consistently proven to be the entry points in the incidents above. Secondly, healthcare organisations must enforce robust network segmentation, ensuring that systems linked to patient care and device monitoring are isolated from public-facing networks, so that a compromised VPN appliance or exposed medical device does not give an attacker a direct path to clinical systems.

Organisations should also mandate multi-factor authentication (MFA) for remote connections, a measure that directly counters the compromised RDP and VPN credential access described above. Regular assessments of digital supply chains, incorporating inventories of authorised vendors and their security posture, can further reduce the risk of compromise through vulnerable third-party technology. Finally, rapid-detection methods, such as continuous threat hunting and effective log monitoring, help contain breaches in their earliest stages, before data has been exfiltrated or encryption has begun. CrowdStrike’s intelligence from 8 May 2025 underscores that early detection can drastically limit the scope of a ransomware infection.
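Two of the behaviours described in this briefing, Orion's timed C2 beacons and LockBit's early bulk exfiltration of patient data, leave a signature in ordinary egress (proxy or firewall) logs that a hunting script can surface without any vendor tooling. The script below is an added example written for this briefing, not code from any of the vendors cited above. It assumes a simple whitespace-separated log format of "<ISO-8601 timestamp> <src_ip> <dst_host> <bytes_out>"; the hosts, addresses and volumes in the sample log are constructed for illustration and do not come from any incident in the briefing.

```python
"""Hunting for C2 beaconing and bulk outbound transfers in egress logs.

Added example for this briefing, not tooling from any vendor cited above.
The log format is an assumption: one event per line,
"<ISO-8601 timestamp> <src_ip> <dst_host> <bytes_out>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data; these hosts, addresses and byte counts are
# invented for illustration and do not come from any real incident.
SAMPLE_LOG = """\
2025-05-04T07:58:00 10.20.5.14 updates.example-vendor.com 4096
2025-05-04T08:00:00 10.20.5.14 relay.example-anon.net 310
2025-05-04T08:05:01 10.20.5.14 relay.example-anon.net 298
2025-05-04T08:09:59 10.20.5.14 relay.example-anon.net 305
2025-05-04T08:15:00 10.20.5.14 relay.example-anon.net 301
2025-05-04T08:20:02 10.20.5.14 relay.example-anon.net 299
2025-05-04T08:24:58 10.20.5.14 relay.example-anon.net 304
2025-05-04T08:30:00 10.20.5.14 relay.example-anon.net 300
2025-05-04T08:00:10 10.20.7.3 news.example.org 18234
2025-05-04T08:00:45 10.20.7.3 news.example.org 77120
2025-05-04T08:07:30 10.20.7.3 news.example.org 1024
2025-05-04T08:31:02 10.20.7.3 news.example.org 45012
2025-05-04T09:15:00 10.20.7.3 news.example.org 9001
2025-05-04T09:16:10 10.20.7.3 news.example.org 660
2025-05-04T02:10:00 10.20.9.21 storage.example-cloud.net 400000000
2025-05-04T02:25:00 10.20.9.21 storage.example-cloud.net 400000000
2025-05-04T02:40:00 10.20.9.21 storage.example-cloud.net 400000000
"""


def parse_log(text):
    """Parse log lines into (timestamp, src_ip, dst_host, bytes_out) tuples.

    Malformed lines are skipped rather than aborting the hunt: real exports
    often contain header rows or truncated records.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            size = int(parts[3])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], size))
    return events


def find_beacons(events, min_hits=6, max_jitter=0.15):
    """Flag (src, dst) pairs whose connection intervals are near-constant.

    A beacon checks in on a timer, so the coefficient of variation of its
    inter-arrival times (stdev / mean) stays small even with some jitter;
    human browsing to the same host produces very uneven gaps.
    Returns {(src, dst): mean_interval_seconds}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[pair] = avg
    return flagged


def find_bulk_egress(events, threshold_bytes=500_000_000):
    """Flag (src, dst) pairs whose summed outbound bytes exceed the threshold.

    A large upload from one internal host to a single external endpoint is
    the exfiltration step that precedes the encryption and extortion phase.
    Returns {(src, dst): total_bytes}.
    """
    totals = defaultdict(int)
    for _, src, dst, size in events:
        totals[(src, dst)] += size
    return {pair: total for pair, total in totals.items() if total > threshold_bytes}


def hunt(text):
    """Run both hunts over a log text and return the findings."""
    events = parse_log(text)
    return {"beacons": find_beacons(events), "bulk_egress": find_bulk_egress(events)}


if __name__ == "__main__":
    for kind, hits in hunt(SAMPLE_LOG).items():
        for (src, dst), value in hits.items():
            print(f"{kind}: {src} -> {dst} ({value:.0f})")
```

On the sample log, only the 300-second check-ins from 10.20.5.14 to relay.example-anon.net are reported as a beacon, the irregular browsing from 10.20.7.3 is not, and the three 400 MB uploads from 10.20.9.21 are reported as bulk egress. The thresholds (six hits, 15 % jitter, 500 MB) are starting points to tune against a site's own baseline; the useful property is that both checks run over logs most hospitals already collect, so they can be scheduled hourly as a first hunting pass.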

Conclusion

The concerted targeting of Healthcare institutions throughout May 2025, as recorded on
ransomware.live and corroborated by Mandiant (3 May 2025) and IBM X-Force Exchange (10 May 2025), underlines the persistent and evolving nature of ransomware threats against critical services. Groups like LockBit and Orion Ransomware Group are adapting their tactics, techniques, and procedures to circumvent established defences and exploit weak configurations in hospital networks.

As the Healthcare sector becomes increasingly digitised and reliant on data-driven patient care, these developments highlight the need for organisations to make proactive threat intelligence part of their security strategy. Investing in robust endpoint controls, enforcing least-privilege access, and prioritising timely security patches are essential to limiting the damage caused by modern ransomware adversaries. For further insight into these and related threat groups, readers are encouraged to visit our
Threat Intelligence section and to consult reputable sources such as the UK’s NCSC or The Hacker News for timely advisories.

By staying informed of the latest attacker methodologies, Healthcare organisations can keep pace with the shifting threat landscape and safeguard vital patient care services.
