Comprehensive Ransomware Detection for UK Public Healthcare

Key Threat Groups Targeting UK Healthcare

The following ransomware groups have either directly impacted UK healthcare organizations or exhibited TTPs that closely mirror attacks on the sector. Each group brings a distinct blend of techniques from phishing and RDP brute-forcing to advanced credential theft and data exfiltration. By examining their methods, UK defenders can better prioritize detection and response using the mapped Logpoint alert rules.

QILIN

Qilin (also called Agenda) is a cross-platform Golang/Rust ransomware-as-a-service (RaaS) group active since 2022, known for double extortion, encrypting files, and exfiltrating data for leverage. It has aggressively targeted healthcare. In June 2024, Qilin affiliates hit Synnovis, a UK pathology services provider for multiple London NHS hospitals, demanding a $50 million ransom to withhold ~400 GB of patient data. The attack severely disrupted blood testing and patient care; NHS officials later revealed it contributed to a patient’s death due to delayed lab results. Qilin leaked sensitive data of ~900,000 patients (e.g., STI and cancer test results with personal identifiers) when the ransom wasn’t paid. The U.S. HHS warned in 2024 that Qilin targets the health sector worldwide, noting its role in the UK Synnovis attack that caused canceled surgeries and organ transplants in London.

Common initial access vectors include phishing emails, exploiting exposed VPN/RDP/Citrix gateways, and even infostealer-derived credentials. After ingress, affiliates use tools like Cobalt Strike beacons for persistence, then move laterally with remote monitoring and management (RMM) tools, PsExec/SMB, or SSH to spread the payload. In one documented variant (“Qilin.B”), the malware attempts to evade defenses by terminating security processes, clearing Windows event logs, and deleting Volume Shadow Copies to inhibit backups. Qilin ransomware can also disable services and even load vulnerable drivers to bypass endpoint protections. Its encryption uses robust ciphers (ChaCha20, AES, RSA-4096) and can be tuned for speed or thoroughness by affiliates.
Once inside, Qilin typically performs credential harvesting, dumping LSASS memory, or accessing saved credentials to expand its foothold. They conduct network discovery and privilege escalation using built-in Windows tools, and laterally move via PsExec or RMM platforms. Before deploying ransomware, they often disable event logging, tamper with PowerShell logs, and delete shadow copies to inhibit recovery. Data encryption and exfiltration follow shortly after.

Logpoint Alert Rules for Qilin Ransomware

Everest Group

Everest is a Russian-speaking ransomware and extortion group active since 2020, known for data theft and for selling network access (it functions partly as an initial access broker). The group specifically threatens the healthcare sector: in 2024, the U.S. HHS warned that Everest was “increasingly targeting” health care, often by stealing credentials and using common remote access tools to infiltrate networks. While no major NHS breaches are public, U.S. authorities note Everest has increasingly targeted healthcare globally (at least 20 healthcare victims by mid-2024). The gang typically gains initial access by stealing or purchasing valid credentials (acting as an initial access broker), then uses tools like ProcDump (against the LSASS process) to grab user passwords and Cobalt Strike beacons to expand their foothold. They exfiltrate sensitive data (e.g., patient records) for leverage and can deploy ransomware to encrypt systems, often deleting backups to hinder recovery.

Logpoint Alert Rules for Everest Group

INC Ransom (Incransom)

INC Ransom has grown bolder in 2024 and 2025, with signs that they’re actively probing the UK’s public health systems. They use brute-force techniques to crack passwords and move laterally across systems using tools like PsExec. Once inside, they often upload data to cloud storage services before encrypting anything.

INC Ransom, a Russian ransomware group – struck UK healthcare in late 2024, hitting Alder Hey Children’s and Liverpool Heart & Chest NHS trusts and leaking patient data. According to Trend Micro, this group favors known vulnerabilities and phishing for initial access (for example, exploiting a Citrix ADC VPN flaw CVE-2023-3519). Once inside, they harvest credentials (using tools like Mimikatz or dumping backup passwords) and move laterally via PsExec, RDP or even remote tools like AnyDesk and TightVNC. INC Ransom is known to disable antivirus services and delete Volume Shadow Copies to impede system recovery. Finally, they deploy their AES-based ransomware (often in a “fast encryption” mode) to lock files.

Logpoint Alerts for INC Ransom 

RansomHouse

RansomHouse is a relatively new (first noted in 2022) cybercrime group that often forgoes traditional encryption in favor of straight data theft and extortion. They have attacked hospitals and health services abroad, for example, the cyberattack on Hospital Clinic de Barcelona in 2023 was attributed to RansomHouse. RansomHouse typically breaches targets by leveraging weak or leaked credentials: in many cases, they access networks via exposed Remote Desktop/Server gateways using compromised logins. Once in, they focus on credential access and persistence. Investigations reveal heavy use of Mimikatz (to dump passwords from memory) and built-in tools like PowerShell for downloading additional malware and utilities. RansomHouse operators will disable security software (e.g., turning off Windows Defender’s real-time protection) to avoid detection, then proceed to broaden their access – installing remote management tools (like TeamViewer or other RATs) and scanning the network (they commonly run Advanced IP Scanner for mapping the environment). Instead of encrypting everything, they concentrate on stealing large volumes of data: they often compress archives of data with tools such as 7-Zip (sometimes hiding them in innocuous directories like “Pictures” or “Documents”) before exfiltration. Because RansomHouse might not trigger a “file encryption” alert, defenders must rely on catching those earlier steps. Logpoint alert rules that detect unusual administrative logins, LSASS/Mimikatz usage, or atypical bulk file transfers can provide early warning to stop RansomHouse before sensitive NHS data is stolen.

Logpoint Alert Rules for RansomHouse 

DragonForce

DragonForce started as a hacktivist collective (notably DragonForce Malaysia, known for pro-Palestine campaigns) but has recently transformed into a hybrid ransomware cartel blending political and financial motives. By 2025, DragonForce had launched multi-extortion attacks on various sectors, from government agencies to commercial retailers, and is noted for targeting law firms and medical organizations as well. This group uses a mix of methods to infiltrate victims. Frequently, they send phishing emails carrying malware or exploit unpatched vulnerabilities (such as the Log4j “Log4Shell” flaw) to get an initial foothold. In other cases, they’ve leveraged stolen credentials to brute-force RDP or abuse VPN access points, similar to other ransomware actors. Once inside a network, DragonForce deploys a suite of offensive tools: Cobalt Strike beacons for command-and-control, Mimikatz to steal passwords, and scanning tools like Advanced IP Scanner or PingCastle to map out the Active Directory environment. They also install backdoors or use remote admin software to ensure persistence. DragonForce’s operations are characterized by a “triple threat” approach; they encrypt data, steal and leak sensitive information, and have even used DDoS attacks or website defacements to pressure victims. For NHS defenders, this means not only watching for classic ransomware signs (e.g., LSASS Dump Detected, spikes in file encryption activity, Shadow Copy removal) but also keeping an eye on service availability and external communications. Unusual outbound traffic or sudden service disruptions could indicate DragonForce’s involvement, and early alerts (for instance, detecting a mass account compromise or malicious PowerShell usage) are crucial to mitigate the impact on healthcare services.

Logpoint Alert Rules for DragonForce 

Maze

Maze was a pioneer of “double extortion” ransomware, first observed in 2019. The group not only encrypted files but also exfiltrated sensitive data, threatening to publish it, a tactic that many others (including REvil and LockBit) later adopted. Maze actors typically gained access through methods like malicious email attachments, exposed RDP servers, or exploit kits dropping malware (sometimes using the IcedID trojan as a foothold). After infiltration, they would perform internal reconnaissance and escalate privileges, often deploying tools such as Cobalt Strike and even Metasploit frameworks for lateral movement and credential harvesting. Maze was known to use PowerShell scripts for data theft (copying data to an attacker-controlled FTP server) before encryption. Like most ransomware, Maze also took steps to evade recovery; for instance, it would delete system Shadow Copies (Windows backup snapshots) so that files couldn’t be easily restored. It even logged a Windows event (ID 1102/104) by clearing logs, which a Logpoint alert rule like Eventlog Cleared Detected would flag. Although Maze disbanded by late 2020, its impact – including attacks on healthcare organizations internationally- demonstrated the need for comprehensive monitoring (phishing detection, abnormal admin tool use, backup deletion events, etc.) in NHS networks.

Logpoint Alert Rules for Maze Ransomware

LockBit 2.0

LockBit 2.0 – which emerged in mid-2021 – became one of the most prolific ransomware threats worldwide. Affiliates using LockBit have attacked organizations across critical sectors, including financial services, government, and healthcare. Common initial access vectors include stolen remote desktop credentials or unpatched vulnerabilities in VPN and server software. Once in, LockBit operators often use credential-stealing tools (e.g., dumping Windows credentials from memory via Mimikatz) and built-in admin utilities for lateral movement, such as RDP or SMB/PsExec. They typically execute scripts to disable security features, clear Windows event logs, and delete system shadow copies before commencing the file encryption spree – behavior that Logpoint’s Eventlog Cleared Detected and Shadow Copy monitoring rules are designed to catch Notably, LockBit was suspected in the 2022 attack on an NHS IT supplier that disrupted NHS 111 services, underscoring the need for alerts on unusual admin activity and high file modification volumes.

LockBit 3.0 (aka “LockBit Black”) debuted in 2022 with even more advanced extortion tactics, introducing cryptocurrency options (like Zcash) and even a criminal “bug bounty” program to improve its malware. This variant was confirmed to be behind the August 2022 ransomware attack on Advanced, a software provider for NHS 111, where hackers exploited a single-factor login to open an RDP session and deploy LockBit malware. Like its predecessor, LockBit 3.0 affiliates use a variety of techniques for entry (phishing, exploiting known bugs, or using leaked passwords) and then employ tools to steal credentials (dumping LSASS memory, running Mimikatz) and spread across the network. They aggressively impair defenses, for example, stopping antivirus services, wiping event logs, and deleting backups – before encrypting files on a large scale. Logpoint’s detection content can help spot these steps (e.g., alerts for cleared logs, disabled security services, Shadow Copy Deletion, and spikes in file modifications) so that NHS security teams can intervene before encryption causes widespread downtime.

Logpoint Alert Rules for LockBit Ransomware 

REvil (Sodinokibi)

REvil (aka Sodinokibi) was one of the most notorious ransomware gangs globally until 2021, known for massive breaches like the Kaseya software supply-chain attack. In the UK, REvil’s tactics hit home when they targeted a cosmetic surgery chain (“The Hospital Group”) in 2020, stealing 900GB of patient photos and data for extortion. REvil typically infiltrated networks via phishing emails or by exploiting server vulnerabilities, and in some cases by abusing trusted remote access tools. Once inside, they would secure higher privileges by dumping credentials from memory. Unit 42 analysts observed REvil using Mimikatz and the ProcDump tool to copy the LSASS process and extract account passwords. The group was also adept at network reconnaissance (using utilities like Advanced IP Scanner and BloodHound) and lateral movement using RDP with stolen credentials or deploying Cobalt Strike beacons. Before launching file encryption, REvil operators commonly cleared Windows event logs and deleted Volume Shadow Copies to frustrate incident responders. These steps closely align with Logpoint’s alerts (for example, detecting an LSASS Dump attempt or an Eventlog Cleared event), which are critical for catching REvil’s activity in its early stages. REvil’s double-extortion playbook – encrypting data and leaking stolen files highlights why UK healthcare organizations must monitor both system behaviors and outbound data flows.

Logpoint Alert Rules for REvil (Sodinokibi)

Logpoint's Extensive Ransomware Research and Resources

Understanding ransomware threats requires continuous research and analysis of emerging attack patterns. Logpoint has published extensive research on numerous ransomware families and malware strains, providing detailed technical analysis, TTPs mapping, and actionable detection strategies.

Comprehensive Ransomware Coverage

Our security research team has produced in-depth analyses covering a wide range of ransomware operations and related threats, which are mentioned below.

Ransomware-as-a-Service (RaaS) Operations

• A Comprehensive Guide to Detecting Ransomware-as-a-Service - Foundation guide covering RaaS detection methodologies and common TTPs across multiple ransomware families

• Akira in the Network: From SonicWall Access to Ransomware Deployment - Complete attack chain analysis from initial VPN compromise to encryption

• Akira, Not a CyberPunk Movie – A Very Real Ransomware Threat - Emerging threat analysis of Akira ransomware operations

• Hunting and Remediating BlackCat Ransomware - Detection and response strategies for ALPHV/BlackCat operations

• Detect RYUK Ransomware with LogPoint - Comprehensive RYUK detection coverage

• Detecting Conti Ransomware – The Successor of Infamous Ryuk - Analysis of Conti's evolution and detection strategies

• Detect, Manage, and Respond: Clop Ransomware - End-to-end response guidance for Clop incidents

• In-depth Look at the NetWalker Ransomware Operators - Operational analysis of NetWalker threat actors

• Cactus, a New Player in the Ransomware Game - Emerging threat profile of Cactus ransomware

• Uncovering Rhysida and Their Activities - Investigation into Rhysida ransomware operations

• Defending Against 8base – Uncovering Their Arsenal - Defensive strategies against the 8base ransomware group

• The PLAY with OWASSRF - Analysis of PLAY ransomware exploiting vulnerability chains

• A Crowning Achievement: Exploring the Exploit of Royal Ransomware - Detailed analysis of Royal ransomware tactics and exploitation techniques

Historical and Wiper Ransomware

• LockerGoga Ransomware - Analysis of targeted attacks against industrial organizations

• Petya/NotPetya Ransomware - Lessons from the destructive NotPetya campaign

• Bad Rabbit Ransomware - Detection strategies for Bad Rabbit infections

• Responding to the WannaCry Malware - Response guidance from the global WannaCry outbreak

• Russia V Ukraine: Round Two – Gamma Edition - Analysis of geopolitical ransomware campaigns

• ESXiArgs Ransomware: Never Too Early to Jump the Gun - Detection for ESXi-targeting ransomware

Vulnerability Exploitation Leading to Ransomware

• From Exploit to Ransomware: Detecting CVE-2025-29824 - Complete kill chain from vulnerability to encryption

Initial Access and Delivery Mechanisms

• Emotet: What You Need to Know - Comprehensive Emotet malware analysis

• Emotet-ually Unstable – The Resurgence of a Nuisance - Updated analysis of Emotet's return

• What the Quack: Hunt for the QBOT with Logpoint - QakBot banking trojan to ransomware pipeline

• IcedID Beacon – Hunting, Preventing, and Responding - IcedID malware detection and response

Defense Evasion Techniques

• EDR Killers: After All, EDRs Are Not Invincible - Analysis of tools used to disable endpoint detection and response solutions

These resources provide security teams with detailed technical intelligence, MITRE ATT&CK mappings, indicators of compromise (IOCs), and ready-to-deploy alert rules for Logpoint Customer. Each blog post includes practical detection strategies that can be immediately implemented in Logpoint deployments to strengthen defenses against specific threats.

Implementation Best Practices for UK Healthcare

Deploying Logpoint detection capabilities in the NHS and UK healthcare requires a context-aware approach based on operational realities.

1. Focus on Critical Systems

Prioritize monitoring of EPRs, imaging systems (e.g., PACS), pharmacy platforms, and emergency infrastructure. Apply the most critical alert rules to these assets to maximize early warning capabilities.

2. Understand Normal Operations

Healthcare runs 24/7 with on-call access and emergency overrides. Establish environment-specific behavioral baselines for:

• Domain admin logins during night shifts

• Use of remote access tools by authorized clinicians

• Medical device access patterns

This reduces false positives while retaining sensitivity to anomalous behavior

3. Implement Layered Detection

A single log source rarely tells the full story. Combine multiple perspectives for a defense-in-depth approach:

• Network Monitoring:
  Detect lateral movement (e.g., SMB, RDP) and large outbound transfers (e.g., cloud exfiltration tools).

• Endpoint Detection:
  Catch local behaviors like LSASS dumping, shadow copy deletion, or suspicious PowerShell execution.

• Log Analysis:
  Identify attack chain progression—event log clearing, privilege escalation, or unauthorized scheduled tasks.

• User & Entity Behavior Analytics (UEBA):
  Spot outliers like weekend data access by HR accounts or repeated login attempts from unusual devices.

4. Tune for Healthcare Use Cases

Adjust thresholds and filters to match real-world needs: allow trusted remote access tools used by IT and vendors, suppress alerts during maintenance windows, and monitor high-risk departments.

5. Pair Detection with Response

Detection is only useful when paired with a timely, structured response. Here are a few recommendations for early detection and response.

• Define clear escalation workflows from SOC to IT ops and clinical management.

• Develop pre-approved ransomware playbooks for response containment and communication.

• Run regular tabletop exercises simulating attacks on EPRs or diagnostic systems.

• Establish cross-functional communication channels to involve clinicians early without disrupting care.

6. Fix Common Weak Spots

• Patch Management:
  Prioritize updates for exposed systems (Citrix ADC, RDP, VPNs, web servers, medical devices)

• Network Segmentation:
  Separate patient care systems from corporate IT and third-party vendors. Enforce least-privilege networking.

• Access Control:
  Deploy MFA for all privileged and remote access. Use JIT (Just-in-Time) access and enforce least-privilege policies.

• Backup Strategy:
  Maintain immutable, offline backups. Validate restoration workflows regularly. Monitor for ransomware attempts to encrypt or disable backup services.

7. Conduct Security Awareness Training Regularly

Social engineering remains one of the most common entry points for ransomware attacks, particularly in healthcare, where staff face immense pressure and handle high volumes of email communication. As noted by CISA, Continuous user education and simulated phishing exercises significantly reduce the risk of user-initiated compromise.

• Train Staff Continuously: Focus on phishing, smishing, pretexting, and handling suspicious emails.

• Run Role-Based Simulations: Use phishing simulations tailored to clinical, administrative, and IT roles to identify at-risk staff.

• Reinforce Reporting Paths: Ensure all employees can report suspected attacks easily, e.g., via Outlook plugin or NHS internal reporting channels.

• Response Procedures: Train users on disconnecting from the network and notifying IT/SOC in suspected incidents.

Conclusion

The threat landscape facing healthcare continues to evolve, with ransomware groups becoming increasingly sophisticated and brazen. However, by implementing comprehensive detection capabilities mapped to known adversary techniques, healthcare organizations can significantly improve their security posture.

The Logpoint OOTB alert rules provided in this guide offer coverage across the complete attack lifecycle, from initial compromise through final impact. When combined with security best practices, staff training, and robust incident response capabilities, these detections form a critical component of healthcare cybersecurity defense.

Protection of patient data and continuity of care depend on proactive security measures. By understanding adversary TTPs and deploying targeted detection capabilities, UK healthcare organizations can better defend against the ransomware threat and fulfill their duty of care to patients.