Flash Briefing | Severity: High | Sector: Healthcare

NHS Trusts Targeted in Coordinated Ransomware Wave as RaaS Affiliates Shift Focus

Three NHS trusts have been targeted in ransomware incidents over the past six weeks, with attack patterns suggesting a coordinated campaign by affiliates previously associated with the ALPHV/BlackCat ransomware group, now operating under the RansomHub banner following ALPHV’s collapse in early 2024.

The incidents have caused disruption to patient administration systems, delayed elective procedures, and in one confirmed case resulted in diversion of emergency ambulance traffic.

How the Attacks Are Getting In

In all three cases, the initial access vector has been identified as unpatched remote access infrastructure — specifically, legacy SSL VPN appliances and Citrix NetScaler gateways that had not received security updates within the previous six months.

This is not a sophisticated attack pattern. The group is using well-documented exploits against known vulnerabilities in widely deployed healthcare remote access infrastructure. The sophistication lies not in the initial access, but in what follows: rapid lateral movement through clinical networks, deliberate targeting of backup systems before encryption, and the double-extortion model in which patient data is exfiltrated before encryption is triggered.

Healthcare organisations using Ivanti Connect Secure, Cisco ASA, or Citrix NetScaler should treat outstanding patches for these products as immediate priorities.

Healthcare Remains a Primary Target

Healthcare is disproportionately targeted by ransomware for several reasons:

Operational pressure creates negotiating leverage. Hospitals cannot afford extended downtime in the way a manufacturing plant might absorb a brief outage. Attackers know this. The decision-making window for paying a ransom is shorter when patient safety is on the line.

Legacy infrastructure is endemic. Clinical systems that have been certified for specific software versions cannot be updated without recertification. This creates long-lived vulnerabilities that remain exposed for years.

Recovery is exceptionally difficult. NHS trusts impacted by WannaCry in 2017 took weeks to recover. The complexity of clinical workflows, the age of systems, and the limited cybersecurity resources available to the average trust create a recovery environment that favours the attacker.

What Healthcare Leaders Should Prioritise

The NHS has made significant investments in cybersecurity since WannaCry, but the threat has evolved faster than the remediation.

Immediate priorities for healthcare organisations:

  1. Audit all externally-facing remote access infrastructure — identify appliance models, firmware versions, and patch status
  2. Verify backup integrity and offline backup availability — attackers specifically target backup infrastructure; cold or air-gapped backups are the primary recovery mechanism
  3. Review network segmentation between clinical and administrative systems — flat networks allow ransomware to spread far faster than segmented ones
  4. Test your business continuity plans under a scenario where clinical systems are unavailable for 72 hours

NHSE has issued updated guidance to trusts. Boards should request a written assurance from their CISO or Head of IT Security confirming patch status and backup integrity within the next two weeks.