
Defending Healthcare: Strategies for Countering Rising Extortion-Only Cyberattacks

Security Arsenal Team
March 26, 2026
4 min read

Introduction

For years, the primary fear for healthcare security teams was "crypto-ransomware"—malware designed to encrypt electronic health records (EHRs) and shut down hospital operations. However, recent data indicates a significant shift in attacker tactics. According to the latest report from BakerHostetler, healthcare remains the most targeted sector, but the attack vector is changing.

Cyber actors are increasingly moving toward "extortion-only" attacks. Instead of encrypting files, these actors steal sensitive Protected Health Information (PHI) and threaten to release it unless a ransom is paid. For defenders, this changes the battlefield dramatically: a robust backup strategy is no longer enough. If data is stolen, operational continuity is preserved, but the legal, regulatory, and reputational damage can be catastrophic. Security teams must pivot their defenses from focusing solely on availability to aggressively protecting data confidentiality and integrity.

Technical Analysis

The Shift to Extortion-Only

The BakerHostetler report highlights that while traditional ransomware remains a threat, the proliferation of extortion-only attacks is accelerating. In these scenarios:

  • No Encryption Payload: Traditional anti-ransomware tools that detect mass file encryption processes may not trigger an alert because no encryption occurs.
  • Data Exfiltration: The core mechanism is unauthorized data transfer. Attackers gain access to the network (often via phishing, credential theft, or unpatched VPNs), move laterally to locate sensitive data stores, and exfiltrate large volumes of PHI.
  • Affected Systems: Primary targets include EHR databases (e.g., Epic, Cerner), file shares containing patient documents, and backup repositories.
  • Severity: The severity is high. Under HIPAA, the breach of unencrypted PHI triggers mandatory notification requirements and potential heavy fines. The psychological leverage on healthcare organizations is immense due to the sensitivity of patient data.

Why This Matters to Defenders

This trend exposes a gap in many security architectures. Organizations that invested heavily in immutable backups to ensure business continuity may have under-invested in Data Loss Prevention (DLP) and egress monitoring. The threat is no longer just "will we stay online?" but "is our data leaving the building?"

Executive Takeaways

  • Backups Are Not a Silver Bullet: Extortion-only attacks bypass the primary defense of backups. Restoring from backup does nothing for data that was stolen rather than encrypted.
  • Data Governance is Critical: You cannot protect what you cannot see. Security leaders must prioritize data discovery and classification to understand where sensitive PHI resides and who is accessing it.
  • Zero Trust is Mandatory: In an extortion-only scenario, lateral movement is the enemy. Assuming breach and verifying every request is essential to stop an attacker from reaching the data crown jewels.
  • Incident Response Readiness: The window to detect exfiltration is often small. Response teams must have playbooks specifically for data breach incidents, not just system outages.

Remediation

To defend against extortion-only attacks and protect patient data, healthcare organizations should implement the following specific controls:

1. Implement Rigorous Data Loss Prevention (DLP)

Deploy DLP solutions that monitor and block the transmission of sensitive data. Configure policies to identify PHI based on regex patterns and keywords.
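The following is an added example, not the page's or any vendor's DLP product, of the policy logic the paragraph describes: a small content scanner that combines regex patterns for common PHI identifiers with clinical keywords and turns the hits into an allow/alert/block verdict. The pattern set, weights, thresholds and the two sample documents are all constructed for illustration; a real policy would be tuned to the organisation's own identifier formats (MRN scheme, payer IDs) and validated against its false-positive rate.

```python
import re
from dataclasses import dataclass, field

# Illustrative PHI indicators (added example; not a production pattern set).
PHI_PATTERNS = {
    # US SSN with the usual invalid-range exclusions (area 000/666/9xx, group 00, serial 0000)
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Hypothetical medical record number format: "MRN" followed by 6-10 digits
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    # Date of birth as MM/DD/YYYY
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    # ICD-10 diagnosis code (letter + 2 digits + optional decimal part); noisy on its own
    "icd10": re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,4})?\b"),
}
# Weight per hit; weak indicators score low so a lone date does not raise an alert.
WEIGHTS = {"ssn": 3, "mrn": 3, "dob": 1, "icd10": 1}
# Indicators that only count when clinical context keywords are also present.
CONTEXT_ONLY = {"icd10"}
PHI_KEYWORDS = ("patient", "diagnosis", "discharge summary", "medical record", "prescription")


@dataclass
class ScanResult:
    matches: dict = field(default_factory=dict)   # indicator name -> hit count
    keywords: list = field(default_factory=list)  # clinical keywords found
    score: int = 0
    verdict: str = "allow"                        # allow | alert | block


def scan_for_phi(text, block_threshold=5, alert_threshold=2):
    """Score a document for PHI indicators and return an allow/alert/block verdict."""
    lowered = text.lower()
    found_keywords = [kw for kw in PHI_KEYWORDS if kw in lowered]
    matches = {}
    score = len(found_keywords)  # each keyword contributes 1
    for name, pattern in PHI_PATTERNS.items():
        hits = len(pattern.findall(text))
        if hits == 0:
            continue
        if name in CONTEXT_ONLY and not found_keywords:
            continue  # e.g. "D12" in a budget memo is not a diagnosis code
        matches[name] = hits
        score += WEIGHTS[name] * hits
    if score >= block_threshold:
        verdict = "block"
    elif score >= alert_threshold:
        verdict = "alert"
    else:
        verdict = "allow"
    return ScanResult(matches, found_keywords, score, verdict)


# Constructed sample documents (fictional people and identifiers).
SAMPLE_CLINICAL_NOTE = (
    "Discharge summary for patient Jane Doe, MRN: 00482913, DOB 04/12/1968, "
    "SSN 123-45-6789. Diagnosis: E11.9 type 2 diabetes."
)
SAMPLE_FACILITIES_MEMO = (
    "Quarterly facilities report: parking lot B resurfacing scheduled 04/15/2026; "
    "budget line D12 approved."
)

if __name__ == "__main__":
    for doc in (SAMPLE_CLINICAL_NOTE, SAMPLE_FACILITIES_MEMO):
        print(scan_for_phi(doc))
```

The memo still matches a date and a code-shaped token, but the weighting and the keyword gate keep it at "allow"; the clinical note trips several strong indicators at once and is blocked. That layering (strong identifiers, weak identifiers, and context keywords scored together) is what keeps a regex-driven DLP policy usable without drowning the SOC in false positives.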

2. Monitor Egress Traffic

Analyze outbound traffic for anomalies. Attackers often use large file transfers or uncommon protocols (like FTP over non-standard ports) to steal data. Use the following KQL query in Microsoft Sentinel to detect potential large data exfiltration events:

Script / Code
let threshold = 100000000; // 100 MB per single event
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceAction in~ ("Allowed", "accepted") // case-insensitive match across vendors
| where isnotnull(SentBytes)
| extend TotalBytes = tolong(SentBytes) // tolong: toint() overflows (returns null) above ~2 GB
| where TotalBytes > threshold
| summarize TransferCount = count(), TotalDataExfiltrated = sum(TotalBytes) by SourceIP, DestinationIP, DestinationPort, DeviceProduct
| where TransferCount > 5 // More than 5 large transfers to the same destination
| project SourceIP, DestinationIP, DestinationPort, DeviceProduct, TotalDataExfiltrated, TransferCount
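As an added example (not part of the original post, and not a Sentinel feature), the same detection logic implemented in Python over a constructed firewall flow log, so the rule can be reasoned about and tested offline. `large_transfer_bursts` mirrors the KQL above: allowed outbound flows above a per-event size threshold, grouped by source, destination, port and product, flagged when the group has more than five such transfers. `cumulative_egress` goes one step beyond the page's query: it sums all outbound bytes per source/destination pair over the window, which catches a large volume leaving in transfers that individually stay below the 100 MB line and so would never reach the first rule. The log format, IP addresses, product name and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed key=value flow records (not real CommonSecurityLog rows).
# First column is a timestamp; remaining tokens are field=value pairs.
SAMPLE_FLOW_LOG = "\n".join(
    [
        "2026-03-20T02:01:05Z action=allow src=10.20.5.17 dst=203.0.113.44 dport=443 bytes_out=152000000 product=PAN-OS",
        "2026-03-20T02:03:11Z action=allow src=10.20.5.17 dst=203.0.113.44 dport=443 bytes_out=161000000 product=PAN-OS",
        "2026-03-20T02:05:42Z action=allow src=10.20.5.17 dst=203.0.113.44 dport=443 bytes_out=158000000 product=PAN-OS",
        "2026-03-20T02:08:19Z action=allow src=10.20.5.17 dst=203.0.113.44 dport=443 bytes_out=149000000 product=PAN-OS",
        "2026-03-20T02:10:57Z action=allow src=10.20.5.17 dst=203.0.113.44 dport=443 bytes_out=155000000 product=PAN-OS",
        "2026-03-20T02:13:30Z action=allow src=10.20.5.17 dst=203.0.113.44 dport=443 bytes_out=163000000 product=PAN-OS",
        # a single large upload: above threshold but only one event, so not a burst
        "2026-03-20T09:15:00Z action=allow src=10.20.7.3 dst=198.51.100.9 dport=443 bytes_out=210000000 product=PAN-OS",
        # denied by the firewall: excluded, nothing actually left
        "2026-03-20T11:40:12Z action=deny src=10.20.5.17 dst=203.0.113.44 dport=21 bytes_out=900000000 product=PAN-OS",
    ]
    # thirty 40 MB transfers: each below the per-event line, 1.2 GB in total
    + [
        f"2026-03-20T03:{m:02d}:00Z action=allow src=10.20.9.8 dst=192.0.2.77 dport=8443 bytes_out=40000000 product=PAN-OS"
        for m in range(30)
    ]
)

FIELD_RE = re.compile(r"(\w+)=(\S+)")
ALLOWED_ACTIONS = {"allow", "allowed", "accepted"}


def parse_flow_log(text):
    """Turn key=value lines into dicts with numeric port and byte counts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(FIELD_RE.findall(line))
        fields["dport"] = int(fields["dport"])
        fields["bytes_out"] = int(fields["bytes_out"])
        records.append(fields)
    return records


def large_transfer_bursts(records, per_event_threshold=100_000_000, min_count=5):
    """Equivalent of the page's KQL: groups with more than min_count allowed
    transfers that each exceed per_event_threshold bytes."""
    groups = defaultdict(lambda: [0, 0])  # key -> [transfer_count, total_bytes]
    for r in records:
        if r["action"].lower() not in ALLOWED_ACTIONS:
            continue
        if r["bytes_out"] <= per_event_threshold:
            continue
        key = (r["src"], r["dst"], r["dport"], r["product"])
        groups[key][0] += 1
        groups[key][1] += r["bytes_out"]
    return {
        key: {"transfer_count": count, "total_bytes": total}
        for key, (count, total) in groups.items()
        if count > min_count
    }


def cumulative_egress(records, window_threshold=1_000_000_000):
    """Complementary rule: total allowed bytes per (src, dst) over the whole
    window, independent of how large each individual transfer was."""
    totals = defaultdict(int)
    for r in records:
        if r["action"].lower() in ALLOWED_ACTIONS:
            totals[(r["src"], r["dst"])] += r["bytes_out"]
    return {key: total for key, total in totals.items() if total > window_threshold}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("large-transfer bursts:", large_transfer_bursts(recs))
    print("cumulative egress:", cumulative_egress(recs))
```

Run against the sample, the burst rule flags only the 10.20.5.17 host (six allowed transfers over 100 MB, 938 MB in total; the denied FTP attempt is ignored), while the cumulative rule flags only 10.20.9.8, whose 1.2 GB left in transfers the first rule never sees. Deploying both, with thresholds baselined against normal traffic for each host class (imaging servers legitimately move large volumes), covers more of the egress picture than the per-event query alone.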

3. Enforce Least Privilege and Access Controls

Restrict access to databases containing PHI to only those who need it. Use Multi-Factor Authentication (MFA) everywhere, especially for remote access and privileged accounts.

4. Encrypt Data at Rest and in Transit

While encryption does not stop theft, it mitigates the impact. If attackers steal encrypted database backups or files, the data is useless to them without the decryption keys, reducing the leverage for extortion.

5. Conduct Regular Tabletop Exercises

Test your incident response team specifically against a "data theft" scenario where no systems go down. Ensure your legal and communications teams are prepared to handle breach notifications and potential regulatory inquiries.


Tags: healthcare, hipaa, ransomware, extortion, data-loss-prevention, incident-response
