New Ransomware Threat Targets Common Health Care Data Protection Tool
The health care sector faces some of the costliest data breaches of any industry: the average cost of a health care breach reached $9.77 million in 2024. And each year, cyber criminals refine their tradecraft and find new ways to attack health care organizations.
Two new ransomware operations have set their sights on the health care industry. Separately, a newly reported technique targets a common endpoint protection tool used by health care organizations, disabling the very control meant to stop ransomware. As cyber criminals expand their methods and networks, health care organizations need to evolve, too, to protect their operations and patient data.
Cyber Threats on the Rise
Secureworks explained in its 2024 State of The Threat Report that “ransomware remains a significant threat to organizations. . . . However, third-party reporting indicates that ransom payments are decreasing,” even as the number of victims posted to ransomware leak sites has increased. In other words, more organizations are being hit, but fewer are paying, so threat actors are looking for new leverage. These cyber threats continue to evolve and highlight the need for strong cybersecurity policies and defenses in the health care sector.
Two new ransomware groups recently emerged as threats to health care organizations: DragonForce and Anubis.
- DragonForce rebranded itself as a ransomware cartel on March 19, 2025. The new strategy lets DragonForce recruit affiliates and lets those affiliates “create their own ‘brands’” while relying on DragonForce’s shared infrastructure. Unlike a traditional ransomware-as-a-service (RaaS) operation, this affiliate-based cartel lets technically unskilled threat actors enter the ransomware game. Secureworks noted that the cartel model also adds a new risk for the criminals themselves: because affiliates share infrastructure, the compromise of a single affiliate means that “other affiliates’ operational and victim details” could also be exposed.
- Anubis emerged around Nov. 13, 2024, and offers three options to its affiliates: RaaS (encryption plus extortion), data ransom (extortion over stolen data, with no encryption), and access monetization (selling access the affiliate has already obtained). Under each option the affiliate holds victim data and uses it to pressure the victim to pay, threatening to release the information on X (formerly Twitter) or on Anubis’ dark web blog. By offering different features and incentives, Anubis draws in more affiliates and extends the group’s reach.
Newly Discovered Bypass of SentinelOne’s EDR Agent
Many health care organizations rely on endpoint detection and response (EDR) software to stop cyber criminals and data leaks. Widely deployed EDR products, including SentinelOne, are now facing a new hacking technique. The “bring your own installer” method “circumvents SentinelOne’s anti-tamper feature by exploiting a flaw within the upgrade/downgrade process of the SentinelOne agent, resulting in an unprotected endpoint.” Put simply: an attacker who already has administrative access on a machine runs a legitimate, vendor-signed SentinelOne installer, and because the agent briefly shuts down during an upgrade or downgrade, interrupting the installer at that moment leaves the endpoint with no running agent. No malware has to defeat the agent’s protections; the agent’s own installer is turned against it.
There are ways to close this gap, including by “[u]sing SentinelOne’s local agent passphrase (enabled by default) to prevent unauthorized agent uninstalls and protect against unauthorized agent upgrades [and, using] Local Upgrade Authorization feature to ensure upgrades are authenticated through the SentinelOne console.” Organizations should confirm in the console that the upgrade-authorization control is actually switched on rather than assume it, and should treat an agent that goes offline during an unexpected “upgrade” as a security event rather than a maintenance hiccup. More broadly, the emergence of tactics like this one emphasizes the importance for health care organizations to continually update cybersecurity defenses, develop protective operating policies, and prepare robust crisis management procedures.
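The bypass leaves a recognizable trace in endpoint telemetry: a vendor installer launches, the agent process stops, and no agent process starts again. The following Python sketch, added here as an illustration and not code from the original alert or from SentinelOne, shows how an analyst could flag that pattern in a process-event timeline. The agent process name (`SentinelAgent.exe`), the installer filename, the use of `msiexec.exe`, and the events themselves are constructed assumptions for the example; a real deployment would read events from the organization’s own EDR or Sysmon telemetry and use the vendor’s documented process names.

```python
"""Added example: flag an EDR agent that stops during an installer run and
does not come back. Events and process names below are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    ts: int          # seconds since an arbitrary epoch (constructed data)
    host: str
    kind: str        # "start" or "stop"
    image: str       # process image name
    cmdline: str = ""


# Assumptions for illustration only: the agent's service process name and a
# substring that identifies the vendor installer on the msiexec command line.
AGENT_IMAGES = frozenset({"sentinelagent.exe"})
INSTALLER_MARKER = "sentinel"


def _is_installer_start(e: ProcEvent) -> bool:
    return (e.kind == "start" and e.image.lower() == "msiexec.exe"
            and INSTALLER_MARKER in e.cmdline.lower())


def find_agent_gaps(events: Iterable[ProcEvent], grace_seconds: int = 120) -> List[dict]:
    """Return one alert per installer run where an agent process stopped after
    the installer launched and no agent process started again within
    grace_seconds. A normal upgrade restarts the agent quickly; an interrupted
    one leaves the endpoint with no running agent at all."""
    alerts: List[dict] = []
    by_host: Dict[str, List[ProcEvent]] = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)

    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        installer_ts: Optional[int] = None
        for idx, e in enumerate(evs):
            if _is_installer_start(e):
                installer_ts = e.ts          # remember the most recent installer launch
                continue
            if e.kind != "stop" or e.image.lower() not in AGENT_IMAGES or installer_ts is None:
                continue                     # agent stop with no installer context: not this pattern
            restarted = any(
                f.kind == "start" and f.image.lower() in AGENT_IMAGES
                and f.ts - e.ts <= grace_seconds
                for f in evs[idx + 1:]
            )
            if not restarted:
                alerts.append({"host": host, "installer_started": installer_ts,
                               "agent_stopped": e.ts, "grace_seconds": grace_seconds})
            installer_ts = None              # one verdict per installer run
    return alerts


# Constructed sample timeline covering a benign upgrade, an interrupted one,
# and an agent restart unrelated to any installer.
SAMPLE_EVENTS = [
    ProcEvent(1000, "host-a", "start", "msiexec.exe", "msiexec /i SentinelInstaller_x64.msi /quiet"),
    ProcEvent(1015, "host-a", "stop", "SentinelAgent.exe"),
    ProcEvent(1040, "host-a", "start", "SentinelAgent.exe"),   # agent back after 25 s: routine
    ProcEvent(1045, "host-a", "stop", "msiexec.exe"),
    ProcEvent(2000, "host-b", "start", "msiexec.exe", "msiexec /i SentinelInstaller_x64.msi /quiet"),
    ProcEvent(2012, "host-b", "stop", "SentinelAgent.exe"),
    ProcEvent(2013, "host-b", "stop", "msiexec.exe"),          # installer killed mid-upgrade
    ProcEvent(2900, "host-b", "start", "ransom.exe"),          # nothing stopped this
    ProcEvent(3000, "host-c", "stop", "SentinelAgent.exe"),
    ProcEvent(3005, "host-c", "start", "SentinelAgent.exe"),   # restart with no installer involved
]

if __name__ == "__main__":
    for alert in find_agent_gaps(SAMPLE_EVENTS):
        print(f"ALERT {alert['host']}: agent stopped at {alert['agent_stopped']} after "
              f"installer at {alert['installer_started']} and did not return "
              f"within {alert['grace_seconds']} s")
```

The grace window is the knob that separates a routine upgrade from an interrupted one; it should be tuned to how long the vendor’s installer normally takes on the organization’s hardware, since a window that is too short turns every legitimate upgrade into an alert.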
The Effect of These New Tactics on the Health Care Sector
Cyber criminals target the health care sector for the wealth of sensitive information it holds. Anubis recently claimed to have obtained the complete records of more than 7,000 U.S. medical clinic patients in a single breach, and the group’s confirmed victims include both national and international health care companies. Anubis also adds regulatory pressure to its extortion: during an attack, its operators not only notify the victim’s customers of the data leak but also report the incident to the U.K. Information Commissioner’s Office and the U.S. Department of Health and Human Services, taking the decision to disclose out of the victim’s hands.
Health care organizations are subject to additional legal requirements for the protection of patient data, with more regulations on the horizon. In addition to federal law, states have their own statutes, regulations and cybersecurity consumer protections. Awareness, effective risk management and comprehensive incident response plans remain a health care organization’s best defenses against these new cybersecurity threats.
Please contact Brie Zarzour, Walt Green, or any member of the Phelps cybersecurity, privacy and data protection or health care teams if you have questions or need advice or guidance.
Special thanks to our contributing author, Jordan-Elise Moore, a 2025 summer associate from Cumberland School of Law.