Qilin, INC Ransom, and SafePay are active ransomware groups with documented relevance to healthcare or healthcare-adjacent risks. Qilin has direct healthcare targeting documented by HC3 and major healthcare incidents.
INC Ransom has used enterprise vulnerabilities and double-extortion tactics that matter to healthcare defenders. SafePay rose quickly in late 2024 and 2025, with a centralized double-extortion model and major supply chain victims, but some claims about its victims should be attributed to actor claims rather than confirmed facts.
The timelines
Qilin
According to the HC3 Threat Profile on Qilin, “The Qilin ransomware operation was initially launched as ‘Agenda’ in July 2022.” The Russian-speaking gang grew in 2023 through RaaS affiliate recruitment, including advertising on the RAMP forum in February 2023. By the end of 2023 it had multi-language code (Go, Rust) and a Linux/ESXi variant. Qilin began targeting hospitals in early 2024: HC3 reports at least 15 healthcare-related incidents since October 2022, including a June 3, 2024, UK pathology attack that disrupted London hospitals.
In May 2024, Qilin even added a WikiLeaks-linked QR code to its Tor portal. In 2025, Qilin struck dozens of U.S. and UK hospitals; for example, Covenant Health later reported unauthorized access beginning May 18, 2025.
INC Ransom
INC Ransom is a double-extortion RaaS targeting mid-size to large firms globally and was first observed in mid-2023. By late 2023, a Linux/VMware variant had been added. Initial access vectors include spear phishing, purchased credentials, and key vulnerabilities, including a Citrix NetScaler flaw (CVE-2023-3519) and a Fortinet EMS SQL injection (CVE-2023-48788).
In an article published in BleepingComputer, the Scottish Government offered the following statement on the incident: “We are aware of some data published on the web that is linked to the recent cyber attack on NHS Dumfries and Galloway. This incident remains contained to NHS Dumfries and Galloway and there have been no further incidents across NHS Scotland as a whole…”
Actions after initial access closely followed human-operated ransomware patterns: credential harvesting, AD compromise, data compression and staging (7-Zip/MegaSync), then rapid file encryption. Ransom notes (INC README.txt) were dropped on desktops and printers, and encrypted files were given .inc or .lynx extensions. In late 2024, Lynx assumed INC’s role, but the defenses for INC (patching Citrix/FortiEMS, multi-factor authentication, and segmentation) remain relevant.
SafePay
SafePay surfaced in autumn 2024 as a non-RaaS group (no affiliate program). Its earliest known strike was against UK telematics firm Microlise (Oct–Nov 2024), with SafePay claiming 1.2 TB stolen and demanding payment within 24 hours. Unlike prior silent operators, SafePay quickly amassed victims: by Q1 2025, it was the 9th most common variant, responsible for ~5–10% of new breaches each month, according to Check Point.
According to BleepingComputer, in early 2025 SafePay’s attacks became rapid-fire, with waves of 10+ victims per day, including peaks of 23 and 29 claims in a single day (Nov 2024 and Mar 2025). Notably, on July 3, 2025, SafePay hit technology distributor Ingram Micro, stealing 3.5 TB of internal files and causing a mass outage.
Tactically, SafePay used valid, likely stolen credentials for VPN/RDP access, often exploiting known VPN/firewall flaws. Once inside, it immediately disables defenses such as Windows Defender via LOLBins and spreads using tools such as AnyDesk and WinRM. Encryption is extremely fast and usually coupled with double extortion: SafePay publishes exfiltrated data if the ransom isn’t paid.
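As an added defensive example (not code from the article or from Paubox), the following Python script triages constructed EDR-style event lines for the post-access artifacts the article names for INC/Lynx and SafePay: 7-Zip/MegaSync staging, AnyDesk, the INC README.txt note, and .inc/.lynx extensions. The hostnames, paths and the `timestamp|host|event|detail` line format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, not real logs. Indicators are the ones the
# article names for INC/Lynx (7-Zip, MegaSync, INC README.txt, .inc/.lynx) and SafePay (AnyDesk).
SAMPLE_EVENTS = """\
2025-03-10T02:14:05|HR-WS12|process|C:\\Program Files\\7-Zip\\7z.exe a -p staging.7z D:\\shares\\billing
2025-03-10T02:20:41|HR-WS12|process|C:\\Users\\svc\\AppData\\Local\\MEGAsync\\MEGAsync.exe
2025-03-10T02:31:09|HR-WS12|process|C:\\ProgramData\\AnyDesk\\AnyDesk.exe --service
2025-03-10T03:02:55|FILE-SRV01|file_write|C:\\Users\\Public\\Desktop\\INC README.txt
2025-03-10T03:03:12|FILE-SRV01|file_rename|D:\\shares\\billing\\claims_2024.xlsx -> claims_2024.xlsx.inc
2025-03-10T03:03:13|FILE-SRV01|file_rename|D:\\shares\\billing\\ledger.db -> ledger.db.lynx
2025-03-10T08:10:00|HR-WS07|process|C:\\Windows\\System32\\notepad.exe
"""

# Process-name indicator -> attack-chain phase as described in the article.
PROCESS_INDICATORS = {
    r"\b7z(?:a|g)?\.exe\b": "staging (archive before exfiltration)",
    r"\bmegasync\.exe\b": "exfiltration (cloud sync tool)",
    r"\banydesk\.exe\b": "remote access tooling",
}
RANSOM_NOTE = re.compile(r"INC README\.txt$", re.IGNORECASE)
ENCRYPTED_EXT = re.compile(r"\.(inc|lynx)$", re.IGNORECASE)

def triage(events: str) -> dict:
    """Return {host: [(phase, detail), ...]} for lines matching the indicators above."""
    findings = defaultdict(list)
    for line in events.splitlines():
        _, host, kind, detail = line.split("|", 3)
        if kind == "process":
            for pattern, phase in PROCESS_INDICATORS.items():
                if re.search(pattern, detail, re.IGNORECASE):
                    findings[host].append((phase, detail))
        elif kind == "file_write" and RANSOM_NOTE.search(detail):
            findings[host].append(("ransom note dropped", detail))
        elif kind == "file_rename" and ENCRYPTED_EXT.search(detail):
            findings[host].append(("encryption in progress", detail))
    return dict(findings)

def severity(findings: dict) -> str:
    """Encryption artifacts are critical; staging/exfil tooling alone is high (double-extortion precursor)."""
    phases = {phase for hits in findings.values() for phase, _ in hits}
    if "encryption in progress" in phases or "ransom note dropped" in phases:
        return "critical"
    if any(p.startswith(("staging", "exfiltration")) for p in phases):
        return "high"
    return "low" if not phases else "medium"

if __name__ == "__main__":
    print(severity(triage(SAMPLE_EVENTS)), triage(SAMPLE_EVENTS))
```

The ordering matters for response: staging and sync-tool activity on HR-WS12 precedes the note and renames on FILE-SRV01, which is the exfiltrate-then-encrypt sequence the article describes.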
What makes these groups different from older ransomware names like LockBit, ALPHV, and RansomHub?
The 2024 Crime Science study, Conti Inc.: Understanding the Internal Discussions of a Large Ransomware as a Service Operator with Machine Learning, says, “Ransomware as a service (RaaS) is increasing the scale and complexity of ransomware attacks.” All three are post-2022 entrants that capitalized on previous takedowns. The HC3 Threat Profile on Qilin notes, “Qilin RaaS has emerged as one of the leading platforms following the takedown of LockBit, the exit scam by ALPHV/BlackCat, and the shutdown of RansomHub.” Qilin and INC follow classic RaaS models similar to LockBit/ALPHV, whereas SafePay eschews affiliates entirely.
Unlike LockBit’s open affiliate recruitment, SafePay operates as a tight-knit team, keeping all ransom profits. Qilin even markets an unusually “professional” image, offering affiliates legal advice on compliance to pressure payments, a tactic unseen in LockBit. Code-wise, SafePay’s encryptor borrows elements from LockBit and ALPHV, but its encryption scheme uses unique per-file keys. RansomHub, by contrast, was a brief RaaS (Feb 2024) specializing in attacking cloud backup providers and misconfigured S3 buckets.
All groups share double extortion and modern TTPs (data theft, fast encryption), but the new gangs are more specialized: SafePay is remarkably fast (under 24 hours from breach to encryption); Qilin runs patient-bill-style leak sites with heavy PR; INC/Lynx has cross-platform variants. In sum, Qilin and INC continue the affiliate-led extortion model of old-school gangs, SafePay breaks that mold with a solo model, and all three have adapted by blending proven techniques with new code and victims.
What are the groups’ primary means of attack?
Academic research supports the broader attack chain pattern behind these groups. A 2026 technical analysis of modern ransomware operations notes that “dominant infection vectors include phishing and malicious attachments, exploitation of exposed services,” and that “data exfiltration before encryption adds pressure on victims and complicates response.”
Each group follows a similar attack chain. For initial access, all use spear phishing or purchased credentials. Qilin and INC commonly exploit remote access vulnerabilities or internet-facing flaws; for example, INC Ransom used the Fortinet EMS SQL injection for initial ingress. SafePay’s initial access has often been via leaked VPN/RDP credentials or unpatched gateway/VPN bugs.
Threat actors may also purchase network access from brokers to bypass the external stages. After entry, all groups escalate privileges and move laterally through the network. Qilin specifically leverages remote monitoring and management (RMM) tools.
Why vendor access increases ransomware risk
Granting vendors broad network access dramatically amplifies ransomware danger. Healthcare entities rely on third-party vendors, including IT service providers, cloud platforms, billing vendors, software providers, and medical equipment vendors, many of which need privileged or remote access to support care operations. Paubox’s 2026 Healthcare Email Security Report found that 170 email-related healthcare breaches occurred in 2025, affecting 2.5 million individuals, and that 28% of those breaches came from vendor and business associate email exposure. Those numbers show why third-party access is not a side issue in healthcare security. When a vendor account, email thread, remote access pathway, or file transfer platform is compromised, attackers can expose PHI across multiple covered entities and business associate relationships.
Similarly, the massive Change Healthcare incident (an ALPHV attack) occurred through a vendor account. Attackers exploit trusted vendor credentials or vulnerabilities in vendor platforms to gain rapid entry. If a hospital’s vendor-managed server or VPN is breached, an adversary can skip the phishing stage and hit internal systems directly. This supply-chain shortcut bypasses many defenses, because the vendor account often already has user privileges and access to sensitive data. In ransomware campaigns, such vendor-originated breaches can spread very quickly across an organization. The survey above noted that 66.7% of ransomware incidents now involve third-party vectors.
FAQs
What is double extortion?
It is when attackers first exfiltrate sensitive data, then encrypt systems. Operational downtime and the threat of a public data leak coerce victims.
Is it safe to pay the ransom?
Authorities generally advise against paying. There is no guarantee of receiving a working decryptor or that the stolen data is deleted.
Why are backups not enough to stop ransomware risk?
Backups can help restore encrypted systems, but they do not undo data theft, so the leak threat in a double-extortion attack remains.