Ransomware in healthcare is getting worse, even as the numbers go down
Ransomware attacks in the healthcare sector are worsening, despite a reported 14% decrease in incidents during the first quarter of 2026. While 120...
While many ransomware groups are focused on healthcare, two currently stand out among the mix. Although Qilin and Interlock are difficult to protect against, they are not anonymous: they have identifiable names, documented histories, and defined business structures, including affiliate programs, customer support functions, and, in some cases, legal counsel involved in ransom negotiations. Over time, ransomware operations targeting healthcare have changed from loosely organized criminal networks into more structured organizations with specialized roles, iterative tooling, and deliberate targeting strategies shaped by the sector's perceived willingness to pay.
Understanding the composition of these groups, their recruitment methods, and their pre-deployment activity helps healthcare organizations develop a more accurate picture of the threat. A phishing email marks the beginning of a sequence typically planned well in advance, not an isolated or opportunistic event.
Healthcare organizations hold data worth more on criminal markets than almost any other category of personal information, including medical records, Social Security numbers, insurance details, and treatment histories combined into files that enable identity theft, insurance fraud, and medical fraud simultaneously. Providers run systems that cannot afford extended downtime because patients depend on them for care that cannot wait. The sector has historically underinvested in security relative to those stakes, creating a risk-reward ratio that has made healthcare the most targeted sector in the United States for two consecutive years.
Comparitech's tracking of Qilin activity found the group alone has struck healthcare providers 69 times since its emergence in 2022, with 28 confirmed attacks, and that is a single group in an area containing dozens of active operations. According to Paubox's 2025 Healthcare Email Security Report, ransomware attacks on healthcare organizations have surged by 264% since 2018, and email remains the dominant delivery mechanism for the initial access these groups depend on. According to Paubox's 2026 Healthcare Email Security Report, 170 email-related healthcare breaches occurred in 2025, affecting more than 2.5 million individuals.
Qilin was first observed in 2022, originally operating under the name Agenda ransomware before rebranding alongside an upgrade from a Golang codebase to a more efficient Rust-based variant capable of targeting both Windows and Linux systems. The name comes from a mythical creature from Chinese, Korean, Japanese, and Vietnamese mythology, an ironic branding choice for a group believed to operate out of Russia or other former Soviet states. From 45 attack claims in 2023, Qilin's victim count rose to 179 in 2024 before surging dramatically in 2025, becoming the most prolific ransomware operator of the year after RansomHub went dormant and its affiliates needed somewhere to go.
Qilin runs a RaaS model where affiliates earn up to 80-85% of ransoms extracted, with the group's leadership retaining the remainder in exchange for providing ransomware payloads, Tor infrastructure, and negotiation portal access. The group continually improves its platform, with 2025 additions including spam campaigns, DDoS attack capabilities, automated network propagation, and automated ransom negotiation. One feature stands out for its brazenness: a "Call Lawyer" button in the affiliate panel that connects victims to legal consultants to increase settlement pressure, alongside in-house journalists who write shame posts on the leak site and an automated negotiation chatbot, all accessible from within the same affiliate dashboard.
Common initial access vectors include phishing, exploiting public-facing applications, and external remote services such as RDP. In one documented April 2025 incident analyzed by Sophos, attackers phished the administrative credentials for a ScreenConnect remote monitoring tool to gain access to a managed service provider, then used that foothold to launch downstream ransomware attacks on the MSP's customers, a supply chain attack that multiplied the impact of a single phishing compromise. Qilin has also been observed exploiting critical Fortinet vulnerabilities, specifically CVE-2024-21762 and CVE-2024-55591, to bypass authentication and execute malicious code on unpatched VPN and firewall devices.
Once access is established, Qilin's attack chain follows a recognizable path: privilege escalation, lateral movement using legitimate admin tools including Cobalt Strike beacons, credential dumping with tools like Mimikatz, and thorough network mapping before any encryption begins. The Qilin.B variant, first observed in 2024, clears Windows event logs to remove execution traces, deletes itself post-encryption to erase payload evidence, and kills security processes and disables telemetry reporting before executing. Backups, when reachable from the compromised network, are targeted and destroyed first.
Qilin's attack on Synnovis, an NHS pathology services provider, halted approximately 90% of blood testing capacity and forced over 1,100 surgeries and 2,000 outpatient appointments to be cancelled within the first two weeks. Attackers demanded $50 million and exfiltrated 400 gigabytes of data covering records from an estimated 300 million patient interactions. When Synnovis refused to pay, Qilin published the data. The attack was later confirmed as a contributing factor in at least 170 cases of patient harm, with two classified as severe, involving long-term or permanent damage. Total costs to the NHS reached approximately £33 million.
Qilin gained access to Covenant Health's IT environment and maintained a presence for eight days before detection. During that period, the group conducted full network reconnaissance, moved laterally across multiple affiliated facilities, escalated privileges, and exfiltrated 852 gigabytes of data comprising approximately 1.35 million files before deploying ransomware to encrypt systems and inhibit recovery. The breach exposed the records of 478,188 patients across St. Joseph Hospital of Nashua, St. Joseph Healthcare in Bangor, and St. Mary's Health System in Lewiston.
Interlock is a ransomware-as-a-service operation that first emerged in September 2024 and has accelerated rapidly, with a clear pattern of favoring organizations in the healthcare and public health sectors. In July 2025, the FBI, CISA, HHS, and MS-ISAC issued a joint advisory specifically warning about the group's escalating activity and unusual entry techniques. Affiliates are typically paid 70-80% of any ransom payments they generate, with operators retaining the remainder, a structure that incentivizes affiliates to pursue the highest-value targets aggressively.
The FBI described Interlock's initial tactics as "uncommon" among ransomware groups, citing drive-by downloads from compromised but otherwise legitimate websites where attackers disguise malicious payloads as fake browser updates for Google Chrome or Microsoft Edge. The group also uses ClickFix, which deceives users into executing malicious code under the pretense of fixing a system error, and a variation called FileFix that uses native Windows elements to deploy malware, including remote access trojans, while avoiding security detection. These techniques bypass both email gateways and traditional endpoint controls because the malicious execution is triggered by the user themselves, under the impression that they are performing a routine system task.
Once inside, Interlock operators establish remote command and control infrastructure, with PowerShell scripts deployed to run credential-harvesting malware alongside keyloggers. The group uses remote desktop tools, including AnyDesk, to transfer malicious payloads and move exfiltrated data out of compromised environments. Like Qilin, Interlock employs double extortion, stealing data before encryption and threatening to publish it regardless of whether a decryption payment is made, creating two simultaneous levers of pressure.
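The host-level behaviors described for Qilin.B above (event log clearing, killing security processes, credential dumping tools) and for Interlock's ClickFix and FileFix lures (a shell launched directly by Explorer after the user pastes a command) all leave traces in Windows process-creation and audit events. The following is an added illustration, not code from Paubox or from either group's tooling: a small rule-based triage over constructed event records; the EDR process names in the watch-list are hypothetical.

```python
"""Rule-based triage of Windows event records for the tradecraft described
above: event-log clearing and security-process termination (Qilin.B) and
user-launched shells spawned by Explorer (Interlock ClickFix/FileFix).
The sample events are constructed; field names mirror Windows EventData."""
from dataclasses import dataclass
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
EDR_PROCS = {"msmpeng.exe", "sense.exe"}  # hypothetical watch-list of defender processes

@dataclass
class Alert:
    rule: str
    record_id: int
    detail: str

def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events: list[dict]) -> list[Alert]:
    alerts: list[Alert] = []
    for ev in events:
        eid, rid, d = ev["EventID"], ev["RecordId"], ev.get("EventData", {})
        if eid in (1102, 104):  # Security (1102) or System (104) log cleared
            alerts.append(Alert("log_cleared", rid, f"{d.get('Channel', '?')} cleared by {d.get('SubjectUserName', '?')}"))
        elif eid == 4688:  # process creation
            child, parent = _base(d["NewProcessName"]), _base(d.get("ParentProcessName", ""))
            cmd = d.get("CommandLine", "").lower()
            if parent == "explorer.exe" and child in SHELLS and cmd:
                # Run dialog / Explorer address bar paste: the ClickFix and FileFix pattern
                alerts.append(Alert("user_launched_shell", rid, f"{parent} -> {child}: {cmd[:70]}"))
            if child == "taskkill.exe" and any(p in cmd for p in EDR_PROCS):
                alerts.append(Alert("security_process_kill", rid, cmd[:70]))
            if "mimikatz" in cmd:
                alerts.append(Alert("credential_dump_tool", rid, cmd[:70]))
    return alerts

def _proc(rid: int, exe: str, parent: str, cmd: str) -> dict:
    """Helper to build a constructed 4688 record."""
    return {"EventID": 4688, "RecordId": rid, "EventData": {
        "NewProcessName": exe, "ParentProcessName": parent, "CommandLine": cmd}}

# Constructed sample: one benign launch, then three records matching the rules above.
SAMPLE_EVENTS = [
    _proc(1, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    _proc(2, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
          "powershell -w hidden <command pasted from lure page>"),
    _proc(3, r"C:\Windows\System32\taskkill.exe", r"C:\Windows\System32\cmd.exe", "taskkill /F /IM MsMpEng.exe"),
    {"EventID": 1102, "RecordId": 4, "EventData": {"Channel": "Security", "SubjectUserName": "svc_backup"}},
]
```

Feeding real 4688 and 1102 records (for example exported from a SIEM as JSON) through `triage` gives the same three alert types; the Explorer-to-shell rule is the one that catches the ClickFix step before any payload runs.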
Cybercriminals first gained access to DaVita's network on March 24, 2025, and moved through systems undetected until April 12, nearly three weeks of quiet access. DaVita is one of America's largest kidney dialysis providers, operating more than 2,600 outpatient centers that treat roughly 200,000 patients who depend on regular dialysis to stay alive. Interlock claimed responsibility, stating it had stolen 1.5 terabytes of data, and posted proof on its dark web leak site. DaVita incurred approximately $13.5 million in expenses in the second quarter from the incident alone, including $12.5 million in general and administrative costs, with billing, revenue collection, and patient census all disrupted in ways the company expected to affect treatment revenue for the full year. The final breach count, confirmed with HHS, reached 2,689,826 individuals.
The ransomware attack on Kettering Health, which runs 14 medical centers and dozens of clinics in the Dayton area, began on May 20, knocking internal systems, phone lines, and the electronic health record system offline. Several facilities cancelled elective procedures, and some ambulances were diverted. Interlock claimed responsibility and posted samples of stolen financial records as proof of exfiltration. The outage spanned weeks and forced the cancellation of thousands of procedures across more than 120 outpatient clinics.
Every documented healthcare attack above began with one of three vectors: a phishing email, compromised credentials purchased from initial access brokers, or exploitation of an unpatched public-facing system. All three of those initial access vectors connect back to the inbox, either directly through phishing delivery or indirectly through credentials harvested from prior phishing campaigns and sold on dark web markets.
According to Paubox's Top 3 Healthcare Email Attacks in 2025 report, phishing-driven attacks accounted for the most damaging email-related healthcare breaches of the year, exposing 630,000 individuals. Paubox's 2025 Healthcare Email Security Report adds that only 5% of known phishing attacks are reported by employees to security teams, meaning the email that gives Qilin or Interlock their initial credentials is almost certain to go undetected at the human level. The three weeks Interlock spent inside DaVita's network before anyone noticed, and the eight days Qilin spent inside Covenant Health, both began with a single message that reached an inbox unchallenged.
Pre-delivery filtering that removes phishing attempts before clinical and administrative staff encounter them is the most direct intervention available at the point where all these attack chains begin. Paubox's 2026 Healthcare Email Security Report says attacks avoiding native email defenses rose 47% in 2025, and phishing emails increased 17%. Paubox Inbound Email Security uses AI to analyze sender behavior, message intent, and contextual signals, detecting phishing attempts that signature-based systems miss before they reach inboxes.
The RaaS structure has a specific implication that often gets lost in discussions focused on individual group names. When RansomHub was taken over by the DragonForce Ransomware Cartel, experienced affiliates migrated to Qilin within weeks. LockBit affiliates scattered after Operation Cronos, and Qilin actively recruited them. The affiliates, the people actually conducting the attacks on hospitals, dialysis centers, and health systems, move between platforms, taking their skills, their access, and their willingness to target healthcare patients with them.
Healthcare organizations are not defending against Qilin or Interlock specifically; they are defending against the class of attacker that both groups attract: financially motivated operators who have identified healthcare as a sector worth targeting repeatedly, who use phishing and credential theft as their most reliable entry points, and who spend weeks inside networks quietly before any visible impact occurs.
Both operate mature RaaS platforms that give affiliates sophisticated tooling, negotiation support, and leak site infrastructure. Qilin distinguishes itself through its volume, its continuous product updates, and features like the in-house legal counsel and negotiation chatbot designed specifically to increase payment pressure. Interlock is newer but has shown a concentrated focus on healthcare and unusually creative initial access techniques, including fake browser update pages and ClickFix social engineering that prompt users to execute malicious code themselves, bypassing traditional email-based detection entirely.
Groups use the weeks of undetected access before encryption to map the network, locate and disable backup systems, identify the most critical infrastructure for maximum disruption, and stage data exfiltration for the double extortion threat. A group that rushes to encrypt on day one captures far less leverage than one that spends three weeks identifying every system a hospital depends on to function and every dataset whose publication would cause the most harm.
Initial access brokers sell valid credentials to any network on dark web markets, meaning any organization with a compromised credential is a potential target, regardless of size. Larger organizations for which an outage is harder to absorb, such as dialysis chains, regional hospital networks, and pathology providers, are selected for more deliberate, higher-demand campaigns because their dependency on continuous operations increases both the probability of payment and the size of the demand that is realistic to make.
Synnovis refused Qilin's $50 million demand, and the data was published; payment does not reliably prevent publication either, as ransomware groups have published data after receiving payment in documented incidents. Double extortion creates two separate threats simultaneously, and groups retain control of exfiltrated data regardless of whether a decryption ransom is paid.