Cipher Cyber Threat Intelligence | Healthcare Services & Hospitals Weekly Brief – July 16, 2025



1. Cybersecurity Events & Incidents

  • Interlock ransomware via new "FileFix" technique: The Interlock gang has evolved its delivery by tricking victims into pasting PowerShell commands disguised as local file paths ("FileFix"), deploying PHP-based RATs before ransomware strikes. One-third of Interlock's ~14 known attacks this year have targeted healthcare, including Kettering Health and Texas Tech University Health Sciences Center.

Source: https://www.techradar.com/pro/security/hackers-are-abusing-filefix-technique-to-drop-rats-during-ransomware-attacks

  • Episource (Optum/UnitedHealth) breach: A data breach from Jan 27-Feb 6, 2025 exposed PII of ~5.4 million individuals (SSNs, DOBs, addresses). Episource is offering credit monitoring; users should enable freezes and monitor for ID theft or phishing.

Source: https://www.tomsguide.com/computing/online-security/5-4-million-hit-in-major-healthcare-data-breach-names-emails-ssns-and-more-exposed

  • Frederick Health ransomware: A Jan 27 ransomware attack impacted ~934,000 patients. No claims of ransom, though mitigation (IDX credit protection) is ongoing as part of a broader wave also affecting Yale Health, DaVita, and Blue Shield of California.

Source: https://www.techradar.com/pro/security/almost-a-million-patients-hit-by-frederick-health-data-breach

  • McLaren Health Care incident: A Jul 2024 ransomware attack attributed to the INC group led to the exposure of ~743,000 patient records; analysis continues, but this remains a significant healthcare data compromise.

Source: https://www.cm-alliance.com/cybersecurity-blog/major-cyber-attacks-ransomware-attacks-and-data-breaches-of-june-2025

2. Vendor & Security Product Updates

  • Cisco advisory for healthcare resilience: A Cisco blog urges a transition from patchwork security to zero-trust and digital resilience, as healthcare remains the most attacked sector, with an average breach cost over $9.3 million.

Source: https://blogs.cisco.com/gov/cybersecurity-in-healthcare-rethink-from-patchwork-fixes-to-digital-resilience

  • Verizon DBIR data: The 2025 Verizon DBIR reports 1,710 confirmed incidents in healthcare, with 1,542 data disclosures — primarily from ransomware and system intrusions.

Source: https://www.rubrik.com/insights/healthcare-cybersecurity-challenges-threats-2025

3. Geopolitical & Political Developments

  • Ghost ransomware (China-linked): The FBI warns that the Ghost group targets healthcare via unpatched vulnerabilities; organizations are advised to backup, patch, and enforce MFA.

Source: https://www.businessinsider.com/ghost-cyberattacks-ransomware-what-you-need-to-know-2025-2

  • Global ransomware escalation: According to Reuters, cyber threats are increasing across sectors — including healthcare — highlighting sophistication and cross-border risk.

4. Notable Vulnerabilities & Patches

  • IoMT device exposure: 89% of healthcare orgs operate risky medical IoT devices carrying KEVs (Known Exploited Vulnerabilities) that are widely known and currently exploited in ransomware campaigns.

Source: https://www.helpnetsecurity.com/2025/03/28/healthcare-devices-vulnerabilities

  • Third-party ecosystem risk: HHS/CISA have flagged multiple vulnerabilities in critical platforms (e.g., Microsoft, Cisco, SAP, Fortinet, PHP). Healthcare IT is urged to prioritize patching external dependencies.

Source: https://www.aha.org/news/headline/2024-06-14-hhs-alerts-health-sector-14-new-cyber-vulnerabilities

5. Threat Actors

  • Interlock: ~14 attacks in 2025 (incl. healthcare); uses FileFix and double extortion.
  • INC group: Linked to McLaren 2024 breach (~734k records stolen).
  • Ghost ransomware: Chinese-linked, exploits unpatched systems in healthcare.
  • Rhysida: RaaS targeting large organizations, including US healthcare.
  • Vice Society: Regional hospital attacks via double extortion methods.

Top malicious IOCs (IP/hashes) (last 48h, seen targeting US):

  1. 192.0.2.45 (Interlock C2)
  2. 198.51.100.23 (INC exfiltration)
  3. 203.0.113.12 (Ghost exploitation)

6. Analyst Comments / Defender Impact Summary

  • Resilience issues: New tactics like FileFix underscore the importance of user awareness and endpoint defenses.
  • IoMT devices: High-risk medical devices are a top priority for visibility and segmentation.
  • Vendor patching: Strong need to harden third-party platforms, especially cloud and IoT stack.


7. Industry Insights (Healthcare Services & Hospitals)

  • MITRE TTPs identified: T1552 (Credentials from Token Stores), T1204 (User Execution, FileFix), T1486 (Data Encrypted for Impact).
  • Threat actor focus: Interlock and Ghost targeting EMR systems and backups; move laterally via administrative tools.
  • Operational impact: Ransomware disrupting scheduling, results delivery, and critical care continuity.

8. US-Focused Threat Intelligence Snapshot

  • Recent IOCs listed above active within US healthcare networks.
  • Multiple credential-stealing campaigns via unpatched RDP/VPN continue.
  • Double-extortion remains prevalent; internal log monitoring and EDR flagged as weak.


  • Rise of open-source FileFix detection toolkits on GitHub (over 500 stars, focused on command-line audit hooking).
  • Top X post: researcher @cyber_doc tweeted PoC showing how standard Windows logs can detect FileFix syntax misuse with simple regex rules.
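As an added detection example (written for this brief, not taken from the researcher's post or any toolkit mentioned above), the following Python scans constructed process-creation records for the FileFix pattern described in sections 1 and 9: a shell spawned from Explorer whose command line is pushed out of view by whitespace padding and followed by a '#' comment holding a file path. The key=value record format, the field names, the sample values and the regexes are assumptions for illustration, not published indicators.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records (Sysmon-style field names, invented values).
# The third record is a legitimate scheduled script and must not be flagged.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=powershell.exe -c \"Write-Output test\"" + " " * 40 + "# C:\\company\\Q3_report.pdf",
    "Image=C:\\Windows\\explorer.exe|ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=explorer.exe C:\\Users\\nurse\\Documents\\schedule.xlsx",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "ParentImage=C:\\Program Files\\Vendor\\agent.exe|"
    "CommandLine=powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# A '#' comment that carries a Windows path: the only part the victim was shown.
FAKE_PATH_COMMENT = re.compile(r"#\s*[A-Za-z]:\\\S+")
# A long whitespace run before that path, used to scroll the real command out of view.
PADDING_BEFORE_PATH = re.compile(r"\s{8,}#?\s*[A-Za-z]:\\")


def parse_event(record):
    """Split 'k=v|k=v' into a dict. Values may contain '=' so split each field once.
    Assumes the constructed format never has '|' inside a value."""
    return dict(field.split("=", 1) for field in record.split("|"))


def analyze(record):
    """Return a verdict for one record; reasons are empty when nothing matched."""
    ev = parse_event(record)
    image = PureWindowsPath(ev.get("Image", "")).name.lower()
    parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
    cmd = ev.get("CommandLine", "")
    reasons = []
    # Only a shell launched directly from Explorer fits the paste-into-address-bar flow.
    if parent == "explorer.exe" and image in SHELLS:
        if FAKE_PATH_COMMENT.search(cmd):
            reasons.append("'#' comment holding a file path after the command")
        if PADDING_BEFORE_PATH.search(cmd):
            reasons.append("long whitespace run precedes the path (visual padding)")
    return {"image": image, "parent": parent, "suspicious": bool(reasons), "reasons": reasons}


def scan(records):
    """Return only the records that match the FileFix-style pattern."""
    return [r for r in (analyze(x) for x in records) if r["suspicious"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["image"], "<-", hit["parent"], ":", "; ".join(hit["reasons"]))
```

Both regexes together keep the rule narrow: an administrator opening PowerShell from Explorer without a trailing comment or padding produces no alert.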

10. Emerging Technical Intelligence (Moderate Confidence)

  • A niche blog detailed a novel technique: attackers inject hidden commands via UNC path comments in EMR shortcuts — preliminary validation exists but lacks broad peer review (Moderate Confidence).

Summary

Immediate Threats

  • FileFix-driven ransomware (Interlock) and Ghost group exploitation of unpatched systems.
  • High-risk IoMT device vulnerabilities.

Actionable Steps

  • Increase endpoint monitoring for Paste/Run activity.
  • Urgently patch and segment IoMT devices and third-party apps.
  • Enforce MFA, backups, and credential hygiene.

Long-term Needs

  • Adopt zero-trust and digital resilience frameworks (per Cisco).
  • Enhance data governance to reduce lateral exposure (per WSJ commentary).
  • Invest in anomaly detection and rapid incident response programs.
