Cyber Incident Victim: US health care provider

Date: Mar 2020

Location: United States of America

Summary

A US health care provider was compromised by Ryuk ransomware operators during the pandemic, encrypting critical systems amid heightened strain on medical facilities. The attack followed a pattern consistent with Ryuk's typical operations, with no distinguishing indicators of compromise shared. Security researchers observed Ryuk targeting at least ten healthcare organizations in the preceding month, including individual hospitals and a network of nine facilities. These incidents occurred despite public appeals for ransomware groups to avoid healthcare targets during the health crisis. The encryption of hospital data directly hindered medical operations, impacting clinicians' ability to treat patients and potentially endangering lives during the pandemic response. Ryuk operators continued targeting healthcare entities while other ransomware groups publicly pledged to halt such attacks.

Description

On or around March 26, 2020, Ryuk ransomware operators attacked a US healthcare provider, encrypting its systems overnight during the COVID-19 pandemic. The incident was publicly disclosed by a Sophos representative, who confirmed the attack exhibited characteristics consistent with Ryuk's typical intrusion patterns but noted no unique indicators of compromise were available for sharing. This attack occurred despite public appeals for ransomware groups to avoid targeting healthcare organizations overwhelmed by pandemic response efforts. SentinelOne researchers observed Ryuk actively targeting at least 10 healthcare entities in the preceding month, including two standalone hospitals and a network of nine US hospitals. One affected facility operated in a state experiencing severe COVID-19 outbreaks at the time of the attack. The ransomware operators maintained silence regarding their targeting practices, unlike Maze and DoppelPaymer groups that had publicly pledged to avoid healthcare targets while continuing to leak data from previously compromised medical organizations.

The encryption of hospital systems directly impeded medical operations during a period of critical patient care demands, creating risks to treatment continuity and patient outcomes. Healthcare networks faced compounded operational strain as they simultaneously managed pandemic surges and ransomware-induced IT failures. No mitigation measures or containment actions by the victim organization were detailed in available reports. The incident exemplified Ryuk's persistent focus on healthcare targets despite global health emergencies, with attackers exploiting known vulnerabilities rather than employing novel technical approaches. Security researchers confirmed the attack methodology aligned with Ryuk's established patterns, though specific initial access vectors and data exfiltration details remained unspecified in public disclosures.
