May 14, 2026

Ransomware Risk to US Healthcare — Early 2026

Protos Labs Threat Intelligence

#ransomware #healthcare #cybersecurity #threatintelligence #CISO #infosecurity #ProtosLabs
TLP:CLEAR Threat Intelligence Healthcare Sector v1 · 14 May 2026

US Healthcare Under Siege: Ransomware Risk Intelligence — Early 2026

A CISO-grade threat intelligence brief on the ransomware groups actively targeting US healthcare in 2026. Built so a CISO can brief the board in five minutes, then hand the technical sections to their IR and detection teams.

Classification: TLP:CLEAR
Prepared by: Protos AI Threat Intelligence
Date: v1 — 14 May 2026
Audience: CISOs & security leaders, healthcare
Reporting window: 2026-01-01 → 2026-05-14 · priority focus: last 90 days
Distribution: Share freely within and between organisations

§ 00 · Orientation

How to use this brief.

This brief is structured so a CISO can read the Executive Summary in five minutes and brief their executive team, then pass Sections 03–07 to their security team for immediate action. It is built from Protos AI investigation work using open-source threat intelligence, vendor reporting, and OSINT as of 14 May 2026.

The brief covers five things:

  • Executive summary — the key finding and what it means for your organisation today.
  • Confirmed 2026 incidents — real attacks, real clinical disruption, patient-safety impact.
  • Threat actors & access ecosystems — who is responsible and how they get in.
  • Indicators of compromise — defanged IOCs for immediate detection use.
  • Prioritised recommendations — immediate, short-term, and long-term mitigations.
§ 01 · Executive summary

The headline for non-technical stakeholders.

The core finding. Ransomware exposure in US healthcare is not being driven by any single dominant group. It is being driven by a shared criminal access ecosystem — infostealers, loaders, botnets, and brokered credentials — that compresses the path from initial compromise to operational shutdown. Fixing the downstream (ransomware brand) problem without fixing the upstream (access generation) problem is insufficient.

Vendor credential exposure, infostealer deployment, and fast breakout times (~29 min average) mean attackers can reach critical clinical systems before most teams detect the intrusion.

Risk level: HIGH
Confidence: High / Medium
30-day outlook: ELEVATED
Primary action: Harden vendor access · enforce FIDO2 MFA · validate EHR backups

Risk level — HIGH

Confirmed 2026 incidents disrupted EHR access, forced ambulance diversions, cancelled chemotherapy, and shut down clinics statewide. Enabling conditions — vendor credential exposure, active botnet delivery, and ongoing sector disruption — remain live. A near-term increase in ransomware pressure is likely.

Why the access ecosystem framing matters

Traditional ransomware threat models focus on named brands: LockBit, ALPHV, Rhysida. In 2026, the more important model is upstream. A compromised vendor credential, harvested by an infostealer, sold to an access broker, and deployed by a loader, reaches your EHR before any ransomware brand enters the picture. Defending against the brand without defending against the supply chain that enables it leaves the primary attack path open.

This has direct implications for how healthcare organisations prioritise control investment: vendor MFA enforcement and credential hygiene are higher-leverage than signature-based ransomware detection alone.

§ 02 · Confirmed incidents

2026 attacks with real clinical impact.

These are not near-misses. The 2026 incident corpus documents clinic shutdowns, chemotherapy cancellations, ambulance diversions, and data exposures affecting hundreds of thousands of patients.

  • Feb 2026 — University of Mississippi Medical Center (UMMC): statewide clinic closures, Epic EHR outages, phone system disruption, and chemotherapy appointment cancellations. The attack caused direct patient-safety impact across the state health system.
  • Apr 2026 — Signature Healthcare / Brockton Hospital (Massachusetts): ambulance diversion, EHR outages, chemotherapy disruption, and pharmacy closures. Ransomware attribution not publicly confirmed, but operational disruption was severe and sustained.
  • 2026 (confirmed) — Cookeville Regional Medical Center (Tennessee): data exposure linked to Rhysida ransomware affecting approximately 337,917 individuals. Loss of EHR access. One of the larger confirmed data exposures in 2026 healthcare reporting.
  • Jan 2026 — Ann & Robert H. Lurie Children's Hospital (Chicago): networks taken offline after a cyberattack; some systems remained offline for over a month, significantly impacting care delivery at one of the nation's leading paediatric hospitals.

Medical device compromise — not confirmed

The incident corpus documents EHR and IT outages causing clinical workflow disruption, but no authoritative evidence of attacker manipulation of medical devices or dedicated clinical hardware. IoMT environments remain a high-exposure segment due to segmentation and visibility gaps, but direct device compromise is not asserted in the reviewed 2026 incidents.

§ 03 · Threat actors & ecosystem

Who is operating and how they get in.

Named ransomware brands remain relevant for attribution, but the more important threat model is the access supply chain that enables them.

Named actors — high confidence

LockBit (family) — Active, high confidence

Remains the most referenced ransomware family in the healthcare sector. Delivered via the Phorpiex botnet (documented LockBit Black payload delivery). Attribution of specific incidents is often incomplete in open sources, but ecosystem linkage is strong.

Rhysida — Active, medium confidence

Confirmed linked to the Cookeville Regional Medical Center incident. Rhysida has a pattern of targeting healthcare, education, and government. Cookeville is one of the larger confirmed 2026 healthcare exposures in the reviewed corpus.

ALPHV / BlackCat — Relevant, historical

Responsible for the Change Healthcare attack (2024) — the most disruptive healthcare ransomware incident in US history. Although law enforcement disrupted the group, its tradecraft continues to shape defensive planning. Affiliates and tooling persist.

Phorpiex botnet — Delivery infrastructure

Documented delivering LockBit Black payloads — illustrating how commodity botnet infrastructure feeds enterprise ransomware operations. Phorpiex is the conveyor belt; LockBit is the payload. Disrupting the loader ecosystem matters as much as tracking the brand.

The access ecosystem: how intrusions actually start

The dominant initial access vectors in 2026 healthcare ransomware are not novel. They are the same credential and supply-chain paths that have been exploited for years, still working because organisations have not closed them:

  • Infostealer-harvested credentials — malware like Redline, Vidar, and Lumma harvests credentials from employee devices, which are then sold on criminal markets and used for VPN, RDP, and EHR access.
  • Vendor and third-party compromise — attackers target MSPs, billing vendors, and SaaS providers to gain downstream access to multiple healthcare organisations from a single breach.
  • Phishing with healthcare lures — appointment notices, billing messages, prescription/lab-result notices, and vendor/MSP notifications. Healthcare context makes these lures highly credible.
  • Exposed remote access (VPN/RDP) — internet-facing remote access services without MFA remain a frequent entry point, particularly for initial credential spraying and brute force.
  • Supply-chain / GitHub Action compromise — the tdtqy C2 domain (see IOC section) was associated with a compromised GitHub Action supply-chain campaign, flagged by multiple vendors.
Breakout speed

CrowdStrike reported an average eCrime breakout time of ~29 minutes in 2025–2026 reporting. Healthcare organisations should assume that from the moment initial access is achieved, an attacker can reach critical clinical systems before most IR playbooks have been triggered. Detection SLAs need to account for this.

§ 04 · Indicators of compromise

Defanged IOCs for detection use.

All indicators are defanged. Refang before use in detection systems. These are corroborated by multiple vendor sources as of 14 May 2026.

  • Domain · tdtqy-oyaaa-aaaae-af2dq-cai.raw[.]icp0[.]io — Trivy GitHub Action supply-chain C2 domain. Flagged by multiple vendors. Risk: HIGH
  • IP · 23[.]236[.]116[.]77 — Associated with Trivy Action C2 domain enrichment. Risk: HIGH
  • IP · 178[.]16[.]54[.]109 — Phorpiex-linked infrastructure. Observed in BitSight technical reporting on LockBit Black delivery. Risk: HIGH

§ 05 · Recommendations

What to do now.

Actions are ordered by priority. The first three require immediate owner assignment. Subsequent items are short-term and strategic.

Priority 1 — Immediate (this week)
  01 · Enforce phishing-resistant MFA on all vendor and privileged accounts (owner: Security / Identity)
      Hardware token or FIDO2. Rotate stale credentials. Revoke inactive vendor access. This is the single highest-leverage control against the access ecosystem model.
  02 · Hunt for infostealer and loader behaviours (owner: DFIR / Threat Hunting)
      Target credential exfiltration patterns, suspicious SMTP spikes, archive+LNK delivery chains, and new outbound connections to flagged domains and IPs (see IOC section).
  03 · Validate offline EHR backups with a live restore test (owner: IT / BCP / Clinical Ops)
      Confirmed incidents caused multi-day EHR outages. Immutable, offline backups with tested recovery paths are the only reliable control against ransomware-driven clinical disruption. Also test paper-based fallback clinical workflows.
Priority 2 — Short-term (30 days)
  • Require vendors and MSPs to demonstrate MFA, logging, and endpoint hygiene before or at next contract renewal. Apply least-privilege and just-in-time access models.
  • Increase network segmentation around clinical, IoMT, and EHR zones. Apply stricter remote-support controls. Limit lateral movement paths between IT and clinical networks.
  • Deploy detections for rapid lateral movement: credential-use pattern anomalies and lateral RDP/SMB activity within 60 minutes of initial access. The ~29 minute breakout time demands early containment triggers.
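The 60-minute containment trigger above, as an added example that is not part of the report: a small Python correlation over constructed VPN, RDP and SMB events (sample data, not real logs) that raises an alert when an account reaches internal hosts over RDP/SMB within the window after its external login.

```python
from datetime import datetime

# Constructed sample events (not from the report): a vendor account logs in
# over VPN and then reaches two internal hosts over RDP and SMB within 40 min;
# a clinician logs in and touches one host hours later.
EVENTS = [
    {"ts": "2026-05-10T02:05:00", "user": "vendor_svc", "src": "203.0.113.7", "dst": "vpn-gw", "type": "vpn_login"},
    {"ts": "2026-05-10T02:31:00", "user": "vendor_svc", "src": "10.20.1.15", "dst": "ehr-app01", "type": "rdp"},
    {"ts": "2026-05-10T02:44:00", "user": "vendor_svc", "src": "10.20.1.15", "dst": "fileshare01", "type": "smb"},
    {"ts": "2026-05-10T08:00:00", "user": "nurse.j", "src": "198.51.100.9", "dst": "vpn-gw", "type": "vpn_login"},
    {"ts": "2026-05-10T10:30:00", "user": "nurse.j", "src": "10.30.2.4", "dst": "print01", "type": "smb"},
]

LATERAL_TYPES = {"rdp", "smb"}

def breakout_alerts(events, window_minutes=60):
    """One alert per account whose first external (VPN) login is followed by
    RDP/SMB activity to internal hosts within window_minutes."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        entry = next((e for e in evs if e["type"] == "vpn_login"), None)
        if entry is None:
            continue
        t0 = datetime.fromisoformat(entry["ts"])
        lateral = []
        for e in evs:
            if e["type"] not in LATERAL_TYPES:
                continue
            minutes = (datetime.fromisoformat(e["ts"]) - t0).total_seconds() / 60
            if 0 <= minutes <= window_minutes:
                lateral.append((minutes, e["dst"]))
        if lateral:
            lateral.sort()
            alerts.append({"user": user, "entry_src": entry["src"],
                           "hosts": sorted({h for _, h in lateral}),
                           "minutes_to_first_lateral": int(lateral[0][0])})
    return alerts

if __name__ == "__main__":
    for a in breakout_alerts(EVENTS):
        print(f"ALERT {a['user']} from {a['entry_src']}: {a['hosts']} "
              f"within {a['minutes_to_first_lateral']} min of VPN login")
```

Feed it the VPN gateway's and Windows logon (type 10) / SMB session events joined on account name; the window is a parameter so it can be tuned below 60 minutes as the team's containment SLA tightens.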
Priority 3 — Strategic
  • Maintain a continuous vendor risk assessment programme with contractual security obligations and periodic attestation.
  • Expand telemetry to IoMT and XIoT assets. Integrate device monitoring into SOC workflows before a clinical device compromise occurs, not after.
  • Run quarterly tabletop exercises with clinical leadership focused on patient-safety outcomes — not just IT recovery. Include paper-based clinical fallback scenarios.
§ 06 · Detection opportunities

What your SOC should be watching.

  • Infostealer detection: abnormal archive or credential exfiltration patterns, spikes in outbound SMTP from user endpoints, and suspicious process spawning from user profile directories.
  • Vendor session monitoring: new vendor source IPs, geographically inconsistent login sessions, and high-volume data transfers from vendor service accounts.
  • C2 and exfil detection: outbound connections to newly seen or low-reputation domains (particularly Internet Computer (ICP) domains such as icp0[.]io), beaconing patterns, and outbound traffic to the IOCs listed in § 04.
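Serving both the hunt item (02) in § 05 and the C2/exfil bullet above, an added example that is not part of the report: Python that refangs the § 04 indicators, matches them against constructed DNS and connection log lines (sample data, not real logs), and also flags any newly seen host under icp0[.]io so hosts beyond the one listed indicator still surface.

```python
import re

# Defanged indicators as published in § 04 of this brief.
DEFANGED_IOCS = [
    "tdtqy-oyaaa-aaaae-af2dq-cai.raw[.]icp0[.]io",
    "23[.]236[.]116[.]77",
    "178[.]16[.]54[.]109",
]
# Low-reputation suffix called out in § 06; any host under it is worth a look.
WATCH_SUFFIXES = (".icp0.io",)

def refang(ioc):
    """Undo common defanging so the value matches what logs actually contain."""
    return re.sub(r"\[\.\]", ".", ioc).replace("hxxp", "http")

IOCS = {refang(i) for i in DEFANGED_IOCS}

# Constructed sample log lines (not real traffic): "<ts> <client> <dns|conn> <target>"
SAMPLE_LOG = """\
2026-05-11T09:14:02 10.20.1.15 dns tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io
2026-05-11T09:14:03 10.20.1.15 conn 23.236.116.77:443
2026-05-11T09:20:40 10.30.2.4 dns updates.example.org
2026-05-11T09:22:11 10.30.2.4 conn 192.0.2.10:443
2026-05-11T09:25:05 10.20.1.15 dns abcde-aaaaa-aaaab-cai.raw.icp0.io
"""

def classify(line):
    """Return (kind, target) where kind is 'ioc', 'watch' or None."""
    parts = line.split()
    if len(parts) < 4:
        return (None, None)
    target = parts[3].rsplit(":", 1)[0]  # drop :port from conn targets
    if target in IOCS:
        return ("ioc", target)
    if target.endswith(WATCH_SUFFIXES):
        return ("watch", target)
    return (None, target)

def scan(log_text):
    """Collect every line that hits a published IOC or a watched suffix."""
    hits = []
    for line in log_text.splitlines():
        kind, target = classify(line)
        if kind:
            hits.append({"kind": kind, "client": line.split()[1], "target": target})
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h['kind'].upper():5} {h['client']} -> {h['target']}")
```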
Report ID: PATI-2026-HC-001
Generated: Protos AI Threat Intelligence · 2026-05-14
Classification: TLP:CLEAR
Sources: BitSight, CrowdStrike, RH-ISAC, NPR, MassLive, SecurityWeek, HIPAA Journal, CISA, Becker's Hospital Review

This report is produced by Protos AI Threat Intelligence using open-source intelligence and vendor reporting. All indicators are defanged. This report does not assert claims beyond what is supported by the cited sources. Attribution of specific 2026 incidents to named ransomware operators in open sources is frequently incomplete; attribution caveats are noted inline. TLP:CLEAR — share freely within and between organisations.
