Back to Intelligence

UK Healthcare Under Siege: Analyzing the Tenfold Spike in Cyber-Attacks

SA
Security Arsenal Team
June 30, 2026
6 min read

The latest telemetry from SonicWall paints a grim picture for the UK healthcare sector: a tenfold increase in cyber-attacks during the first five months of 2026. With 264,000 recorded events, hospitals and NHS trusts are effectively under siege. For security practitioners, this is not just a statistic; it is an operational reality indicating a highly active threat landscape targeting critical infrastructure.

This surge is not driven by nuisance scanning. It represents a concerted campaign leveraging ransomware, credential harvesting, and malware loaders designed to disrupt patient care and exfiltrate sensitive data. Defenders in the healthcare space must move beyond baseline compliance and assume active compromise. This post provides actionable detection logic and remediation steps to counter this specific wave of hostility.

Technical Analysis

While the specific CVEs fluctuate as actors rotate their exploit kits, the attack vectors contributing to this tenfold spike remain consistent with high-volume campaigns observed in 2026:

  • Primary Vector: The surge is heavily attributed to automated ransomware operations and malware-as-a-service (MaaS) payloads targeting internet-facing infrastructure and remote access endpoints.
  • Initial Access: Phishing campaigns delivering malicious ISOs and HTML smugglers, combined with brute-forcing of exposed RDP and VPN services, remain the dominant entry points.
  • Execution: Attackers are increasingly utilizing "Living Off The Land" binaries (LOLBins) to evade signature-based detection. PowerShell is used extensively for downloaders (cradles) and lateral movement.
  • Impact: The primary goal is rapid encryption of EHR (Electronic Health Record) databases and PACS (Picture Archiving and Communication System) storage, maximizing pressure on hospital administration to pay ransoms.

Exploitation Status: Confirmed active exploitation. The volume (264,000 events) indicates automated propagation and opportunistic targeting of vulnerable healthcare networks.

Detection & Response

Given the volume of automated attacks, defenders must prioritize high-fidelity detection of execution chains rather than relying solely on IOCs. The following rules focus on the behavioral patterns associated with this surge: malicious PowerShell usage, anomalous file encryption activity, and lateral movement indicators.

SIGMA Rules

YAML
---
title: Suspicious PowerShell Web Request - Healthcare Alert
id: 3a1d2e4f-6789-4012-b3c4-5d6e7f8a9b0c
status: experimental
description: Detects PowerShell processes making web requests (Invoke-WebRequest/DownloadFile) often used in ransomware droppers observed in 2026 healthcare campaigns.
references:
  - https://attack.mitre.org/techniques/T1059/001
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_cli:
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'DownloadString'
      - 'IEX'
      - 'DownloadFile'
  selection_net:
    Network|contains:
      - 'http://'
      - 'https://'
  condition: all of selection_*
falsepositives:
  - System management scripts
  - Package managers (e.g., Chocolatey)
level: high
---
title: Potential Ransomware Activity - Mass File Modification
id: 8b9c0d1e-2345-5678-9a0b-cdef12345678
status: experimental
description: Detects processes rapidly modifying files in user directories, a precursor to ransomware encryption events targeting EHR backups.
references:
  - https://attack.mitre.org/techniques/T1486
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: file_change
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Users\'
      - '\Shared\'
  filter_legit:
    Image|contains:
      - '\Program Files\'
      - '\Windows\System32\'
  condition: selection and not filter_legit
  timeframe: 1m
  count: 10
falsepositives:
  - Bulk file updates by authorized backup software
  - Software installers
level: critical
---
title: Suspicious RDP Connection Frequency - Brute Force Indicator
id: 1122aabb-33cc-44dd-55ee-66ff77889900
status: experimental
description: Detects a high volume of RDP connection attempts from a single source, indicative of the brute-force attacks contributing to the UK healthcare surge.
references:
  - https://attack.mitre.org/techniques/T1110
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.initial_access
  - attack.t1110
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort: 3389
    Image|endswith: '\svchost.exe'
  condition: selection
  timeframe: 2m
  count: 10
falsepositives:
  - Legitimate RDP load balancing (rare in this volume)
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for the "Siege" behavior—high-frequency connection failures and successful logins from non-whitelisted geolocations, which SonicWall telemetry suggests is a major component of this campaign.

KQL — Microsoft Sentinel / Defender
let TimeWindow = 1h;
let FailedThreshold = 50;
DeviceNetworkEvents
| where Timestamp > ago(TimeWindow)
| where RemotePort == 3389 or RemotePort == 22 // RDP or SSH
| summarize FailedAttempts = count() by DeviceName, RemoteIP, RemoteCountry
| where FailedAttempts > FailedThreshold
| join kind=inner (
    DeviceLogonEvents
    | where Timestamp > ago(TimeWindow)
    | project LogonTime=Timestamp, AccountName, DeviceName, RemoteIP
) on DeviceName, RemoteIP
| project LogonTime, AccountName, DeviceName, RemoteIP, RemoteCountry, FailedAttempts
| order by FailedAttempts desc

Velociraptor VQL

Use this artifact to hunt for unsigned executables running in temporary directories—a common technique for malware loaders used in these mass-exploitation events.

VQL — Velociraptor
-- Hunt for unsigned binaries in temp directories often used by web shells/droppers
SELECT 
  Pid, 
  Name, 
  Exe, 
  CommandLine, 
  Username, 
  Signed, 
  Hash
FROM process_listing()
WHERE Exe =~ 'C:\\Windows\\Temp\\.*'
   OR Exe =~ 'C:\\Users\\.*\\AppData\\Local\\Temp\\.*'
   AND Signed = FALSE
LIMIT 100

Remediation Script (PowerShell)

This script checks for common persistence mechanisms used in these attacks and enforces strict RDP hardening recommended for healthcare environments under active siege.

PowerShell
# Audit and Harden RDP against Brute Force - Healthcare Response
Write-Host "[+] Auditing RDP Configuration..."

# Check NLA status (Network Level Authentication should be Enabled)
$nlaStatus = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -ErrorAction SilentlyContinue).UserAuthentication
if ($nlaStatus -eq 1) {
    Write-Host "[+] NLA is Enabled." -ForegroundColor Green
} else {
    Write-Host "[!] WARNING: NLA is DISABLED. Enabling now..." -ForegroundColor Red
    Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 1
}

# Check for accounts in RDP sensitive local groups (high risk target)
Write-Host "[+] Checking for unauthorized RDP users..."
$rdpUsers = Get-LocalGroupMember -Group "Remote Desktop Users" -ErrorAction SilentlyContinue
foreach ($user in $rdpUsers) {
    Write-Host "[+] Found RDP User: $($user.Name)" -ForegroundColor Yellow
}

# Block common RDP brute force ports at firewall if strict deny list is applicable
Write-Host "[+] Reviewing Firewall Rules for RDP..."
$fwRules = Get-NetFirewallRule -DisplayName "*Remote Desktop*" | Where-Object {$_.Enabled -eq 'True'}
if ($fwRules) {
    Write-Host "[!] Active RDP Firewall Rules found. Consider restricting scope to specific subnets." -ForegroundColor Red
    $fwRules | Select-Object DisplayName, Enabled, Profile | Format-Table
}

Write-Host "[!] ACTION REQUIRED: If RDP is not essential for business continuity, disable the service immediately via Services.msc."
Write-Host "[+] Script Complete."

Remediation

To effectively mitigate this tenfold surge in attacks, UK healthcare organizations must immediately implement the following defensive measures:

  1. Isolate Critical Systems: Ensure PACS and EHR systems are segregated from the general network. Implement strict VLANs to prevent lateral movement from compromised workstations.
  2. Disable Unnecessary RDP: Given the high volume of brute-force attacks, disable Internet-facing RDP immediately. Enforce the use of approved VPN solutions with MFA for all remote access.
  3. Patch Management: Prioritize patching for known vulnerabilities in internet-facing medical devices and gateways. While the specific 0-days vary, the hygiene of legacy devices is the primary attack surface.
  4. Email Hygiene: Implement strict DMARC, SPF, and DKIM policies to block the phishing campaigns delivering the initial malware loaders.
  5. User Awareness: Re-deploy immediate security awareness training focused on identifying suspicious invoices and medical record requests (social engineering).

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachuk-healthcareransomwaresonicwall

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action