Healthcare Primary Target of Ransomware Attacks: Is this Terrorism?


March 12, 2024

World map

According to a new FBI Internet Crime Complaint Center’s (IC3) latest report, of the 16 industries designated as critical U.S. infrastructure, healthcare suffered more ransomware attacks than any other sector.

“<Attackers> view hospitals, clinics and other Healthcare organizations as lucrative targets because operators tend to pay a ransom to keep critical services running. Hospital networks also contain a trove of personal patient information,” Axios reported.

“A wave of attacks on health facilities late last year showed how patient care can be affected, through postponed procedures, diverted ambulance services and other disruptions. The Cybersecurity and Infrastructure Security Agency released guidelines for providers to use to prioritize and beef up their defenses.”

Takeaway: Ransomware attacks started as purely cybercriminal operations, and one could argue that most ransomware attacks today still fall in that category.

But at some point, ransomware attacks against critical infrastructure providers – and most specifically healthcare organizations - have crossed the line from cybercriminal activity to a serious national security threat.

A recent report by Ponemon found a direct link between ransomware attacks and negative patient outcomes:  

  • 68% said ransomware attacks disrupted patient care  
  • 46% noted increased mortality rates  
  • 38% noted more complications in medical procedures

Other research found that between 2016 and 2021, ransomware attacks contributed to between 42 and 67 patient deaths, as well as a 33% increase in death rates per month for hospitalized Medicare patients.

There is a good deal of evidence that many of the players and tooling used by the notorious ransomware gangs can be tied to the Russian government, so the potential dual nature of a subsection of ransomware attacks should be considered.

The attacks are a steady revenue stream for the attackers, but some of the attacks may also work to further the geopolitical interests of adversarial nations, with Russia being the prime culprit.

Another recent report by Chainalysis assessed that 74% of all the illicit revenue generated by ransomware attacks during 2021 went to Russia-linked attackers, the lion’s share of ransomware proceeds.

If, in fact, the Putin regime is directly controlling or influencing targeting in some or most of the onslaught of ransomware attacks we are seeing today, then there may be a case to redesignate some of those attacks – like those against healthcare providers - as acts of terrorism.

Some argue that the lack of a clear political motive behind ransomware operations means that while an attack on a hospital that disrupts patient care and leads to negative outcomes could be described as inflicting terror, it would not rise to the level of terrorism.

But Executive Order 13224, issued by then President Bush in September of, 2001, does not support that conclusion, and seems to be clearly applicable to some ransomware attacks, like those against healthcare:

“For the purpose of the Order, “terrorism” is defined to be an activity that (1) involves a violent act or an act dangerous to human life, property, or infrastructure; and (2) appears to be intended to intimidate or coerce a civilian population; to influence the policy of a government by intimidation or coercion; or to affect the conduct of a government by mass destruction, assassination, kidnapping, or hostage-taking.”

We simply cannot discount the dual nature of a good portion of today’s ransomware attacks, where the attackers may be serving themselves from a financial perspective but are also furthering a larger geopolitical strategy.

The fact that ransomware attacks appear on the surface to merely be cybercriminal activity provides a convenient level of plausible deniability when those attacks also serve the larger geopolitical goals of adversarial governments like Russia.

This is why it is imperative that the US government and allied nations who are the targets of these attacks need to differentiate a portion of the attacks by reclassifying them as terrorist acts – specifically those attacks that target healthcare and other critical infrastructure functions where lives are at put at risk or lost.

If we call these attacks what they are – terrorist attacks meant to instill fear and further geopolitical goals – then we unlock a whole range of new options for both offensive cyber and even traditional kinetic military responses instead of just more alerts, guidelines and frameworks.

Ransomware attacks against critical infrastructure are a form of terrorism in and of themselves, and the fact that may of the attacks are so closely related to the geopolitical interests of adversarial nations - and provide them with plausible deniability - means we can no longer address these issues as simple criminal matters.

It’s time to call attacks on healthcare organizations and other critical infrastructure providers, where lives are literally on the line. what they really are: state-sponsored terrorism. is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.