Anubis Ransomware Hits Signature Healthcare, Brockton Hospital Diverts Ambulances

A ransomware attack on Signature Healthcare's Brockton Hospital in Massachusetts forced the facility to divert ambulances to neighbouring hospitals and cancel chemotherapy treatments. The Anubis ransomware group claimed responsibility on April 9, marking another significant attack on US healthcare infrastructure at a time when the sector remains one of the most targeted by ransomware operators.

Tags: ransomware, healthcare, anubis, incident-response, operational-impact, hipaa

What Happened

Signature Healthcare's Brockton Hospital (a 216-bed acute care facility serving southeast Massachusetts) detected a cyberattack on Monday 6 April that disrupted core clinical systems overnight into Tuesday 7 April. By the following morning, hospital leadership had activated downtime procedures, reverting to paper-based workflows, and issued a regional ambulance diversion order directing incoming emergency transports to South Shore Hospital and Boston Medical Center South.

Chemotherapy infusion treatments scheduled for Tuesday were cancelled as the pharmacy systems needed to verify drug interactions and dosing remained offline. Inpatient care and emergency walk-in services continued, but clinical staff were operating without electronic access to patient records, imaging, lab results, and medication history.

On 9 April, the Anubis ransomware group publicly claimed responsibility for the attack. The group did not initially publish any stolen data but indicated that negotiations were underway, consistent with Anubis' documented double-extortion operating model, in which data exfiltration precedes encryption and is used as additional leverage.

Anubis Ransomware Group

Anubis is a relatively recent entrant to the ransomware-as-a-service ecosystem, having emerged in late 2025. The group operates a structured affiliate programme and has demonstrated a focus on healthcare and critical infrastructure targets, sectors where operational disruption creates immediate pressure on victim organisations to pay. Its ransom demands have ranged from $500,000 to several million dollars depending on victim revenue and data sensitivity.

Anubis payloads are designed to maximise encryption speed across Windows environments, targeting network shares and backup repositories in addition to local file systems. The group’s exfiltration tooling appears to be based on modified versions of open-source remote access toolkits, making network detection during the dwell period challenging.

Operational Impact on Patient Safety

The diversion of ambulances is the most acute patient-safety consequence of healthcare ransomware attacks and one that regulators and healthcare security bodies have consistently highlighted as a red line. When a hospital diverts, the regional emergency response system must accommodate the additional load, increasing transport times for all patients in the affected area, not just those originally destined for Brockton Hospital.

The cancellation of chemotherapy treatments represents a direct clinical harm that cannot simply be rescheduled without medical consequence. Oncology regimens are timed to biological cycles, and disruptions increase both patient distress and the clinical complexity of resumption.

Immediate incident-level concerns:

  1. Backup integrity verification: confirm that your offline/air-gapped backup copies have not been reached by the attacker and are restorable within your recovery time objective
  2. Privilege review: ransomware operators typically establish persistence and lateral movement over days to weeks before detonation; review privileged account activity for the past 30 days
  3. Vendor access audit: healthcare environments have extensive third-party access; review all active remote access sessions and revoke unnecessary vendor credentials
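The privilege-review and vendor-access items above can be started with a script like the following. This is an added example, not the article's or the hospital's code; the audit record format, the privileged group names and the `vendor-` account naming convention are assumptions, and the records are constructed sample data.

```python
# Added example, not from the article or the hospital's tooling: a first-pass
# triage over constructed audit records for two checklist items above, the
# 30-day privileged-activity review and the vendor remote-session audit.
# The record format and group names are assumptions; map your SIEM export onto them.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}

# Constructed sample records (not real data); timestamps are UTC.
EVENTS = [
    {"ts": "2026-03-20T02:14:00Z", "type": "group_add", "member": "svc-backup", "group": "Backup Operators"},
    {"ts": "2026-03-28T23:05:00Z", "type": "logon", "actor": "it-admin", "host": "PACS-01", "groups": ["Domain Admins"]},
    {"ts": "2026-04-01T01:40:00Z", "type": "logon", "actor": "svc-backup", "host": "BKP-NAS", "groups": ["Backup Operators"]},
    {"ts": "2026-02-10T09:00:00Z", "type": "logon", "actor": "old-admin", "host": "DC-01", "groups": ["Domain Admins"]},
    {"ts": "2026-04-05T18:30:00Z", "type": "vpn_session", "actor": "vendor-imaging", "state": "active"},
    {"ts": "2026-04-03T12:00:00Z", "type": "vpn_session", "actor": "vendor-lab", "state": "closed"},
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def privileged_activity(events, now_ts, window_days=30):
    """Privileged accounts active inside the window: logon count, hosts touched,
    and privileged groups gained in the window (escalation ahead of detonation)."""
    cutoff = _parse(now_ts) - timedelta(days=window_days)
    report = defaultdict(lambda: {"logons": 0, "hosts": set(), "gained_groups": []})
    for e in events:
        if _parse(e["ts"]) < cutoff:
            continue  # outside the review window
        if e["type"] == "logon" and PRIVILEGED_GROUPS & set(e.get("groups", [])):
            report[e["actor"]]["logons"] += 1
            report[e["actor"]]["hosts"].add(e["host"])
        elif e["type"] == "group_add" and e["group"] in PRIVILEGED_GROUPS:
            report[e["member"]]["gained_groups"].append(e["group"])
    return dict(report)

def active_vendor_sessions(events, vendor_prefix="vendor-"):
    """Vendor remote-access sessions whose latest state is still open: revocation candidates."""
    latest = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if e["type"] == "vpn_session" and e["actor"].startswith(vendor_prefix):
            latest[e["actor"]] = e["state"]
    return sorted(a for a, s in latest.items() if s == "active")

if __name__ == "__main__":
    for acct, r in privileged_activity(EVENTS, "2026-04-07T00:00:00Z").items():
        print(acct, r["logons"], sorted(r["hosts"]), r["gained_groups"])
    print("active vendor sessions:", active_vendor_sessions(EVENTS))
```

The group-membership check matters because an account that gained a privileged group inside the window but shows few logons is exactly the staging pattern the checklist item describes.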

Structural resilience:

  • Maintain and regularly test downtime procedures: paper-based clinical workflows should be a practised capability, not a dusty binder
  • Implement network segmentation between clinical systems and administrative networks; lateral movement from office systems to clinical infrastructure is the most common attack path
  • Ensure that imaging, pharmacy, and lab systems have independent backup connectivity to EHR systems so that partial outages do not cause complete clinical blindness
  • Participate in H-ISAC (Health Information Sharing and Analysis Center) threat intelligence sharing to receive early indicators from peer organisations

On ransomware payment decisions:

Paying does not guarantee data deletion or prevent future disclosure. Healthcare organisations should engage legal counsel and cyber insurance providers before making any payment decision, and should notify HHS and law enforcement as required under HIPAA Breach Notification rules regardless of whether payment is made.