Health organisations ended 2025 facing a sharper cybersecurity squeeze than earlier in the year, with ransomware incidents rising and exploit activity expanding against widely deployed infrastructure. A Q4 threat brief from Health-ISAC tracked higher ransomware volumes in the health sector alongside targeted warnings about exposed systems and vulnerabilities under active exploitation. The reporting also highlighted persistent signals from underground forums where access to healthcare environments and allegedly stolen data are advertised for sale. The combination of escalating disruption risk, technical exposure and criminal market activity reinforces the need to align patching, access controls and incident readiness with operational continuity expectations.
Ransomware Totals Rise to a 2025 Peak in Q4
Ransomware activity against the health sector moved unevenly across 2025 but accelerated markedly in the final quarter. Quarterly counts were reported as 158 incidents in Q1, falling to 110 in Q2, increasing to 127 in Q3 and then rising to 190 in Q4. The Q4 figure represented the highest quarterly level recorded in 2025 for the health sector within the report’s tracking.
In parallel, the wider ransomware landscape also grew. Across all sectors in Q4, the report tracked 2,933 ransomware incidents, with 190 attributed to the health sector. That proportion was presented as 6.5% of all ransomware attacks in 2025 Q4. The geographic distribution for Q4 across all sectors was reported as 1,323 entities in the Americas, 434 in EMEA and 161 in APAC, corresponding to 69%, 22.6% and 8.4% respectively. Within the health sector subset, the distribution was reported as 133 entities in the Americas at 81.1%, 20 entities in EMEA at 12.2% and 11 entities in APAC at 6.7%, indicating a concentration of affected entities in the Americas for that quarter.
The report also set Q4 within a rising annual trend. Across all sectors, incident volumes were reported as 4,043 in the first half of 2025 and 4,860 in the second half, producing an annual total of 8,903 incidents. The total exceeded the 5,744 incidents recorded in 2024 and was presented as a 55% increase. Health sector incidents were reported as rising from 476 in 2024 to 575 in 2025, described as a 21% increase. Breach tracking figures spanning 2021 to 2025 listed 29,942 total breaches tracked, with 1,935 attributed to the health sector, presented as 6.5% of the total.
Targeted Alerts Focus on Ivanti EPM and WSUS Exposure
During Q4 2025, the report listed 183 Targeted Alerts issued to member organisations assessed as having potentially vulnerable infrastructure. These alerts were described as highly specific and distinct from broader Threat and Vulnerability Bulletins, with some based on intelligence not yet public. The report highlighted recurring issues including open and exposed databases, exposed remote access tools, vulnerable Ivanti Endpoint Manager instances and Windows Server Update Services remote code execution risk.
Ivanti Endpoint Manager (EPM) was highlighted following a security advisory released on 9 December 2025 addressing four vulnerabilities, comprising one critical and three high-severity flaws. The vulnerabilities were described as enabling remote attackers to execute code, write arbitrary files on the server or hijack administrator sessions. The report characterised the exposure as particularly dangerous because it could allow unauthenticated attackers to gain full administrative control over the management console and, by extension, all devices managed by that server. On 10 December 2025, Health-ISAC, working with BlueVoyant, identified potentially affected member organisations and issued Targeted Alerts accordingly.
Windows Server Update Services (WSUS) was also flagged after a critical remote code execution vulnerability was disclosed. Microsoft released an out-of-band update on 23 October 2025 to address CVE-2025-59287, which carried a CVSS score of 9.8. Active exploitation was confirmed from 24 October 2025. Health-ISAC subsequently identified potentially vulnerable member organisations and distributed Targeted Alerts on 28 October 2025.
Underground Activity and Akira Tactics Signal Ongoing Risk
Underground forum activity continued to provide indicators of risk, with threat actors advertising stolen data or access to organisational networks for sale. Listings often referenced sector and revenue details to signal value, while payments were typically requested in cryptocurrency. In Q4 2025, several listings claimed access to health sector organisations.
One example involved a forum user identified as RAZOR-X, who posted in November claiming to sell initial network access to organisations across multiple regions, including two health sector entities. The listings described access via Fortinet VPNs, with differing privilege levels and no stated prices.
Health-ISAC also profiled Akira ransomware, a ransomware-as-a-service operation active since early 2023 and described as a successor to Conti following its dissolution in 2022. Akira was characterised by double extortion tactics and frequent exploitation of VPN and RDP weaknesses or stolen credentials. The group was reported to use living-off-the-land techniques, target backup systems and deploy both Rust-based and C++ variants, with a persistent focus on VMware ESXi environments.
The final quarter of 2025 combined increased ransomware activity with targeted exploitation of widely used infrastructure and visible underground market activity linked to the health sector. Reporting emphasised the need for layered defensive strategies encompassing patch management, access controls and incident readiness. The findings reinforce the importance of sustained investment in cybersecurity practices that support operational resilience, protect sensitive data and ensure continuity of care in an increasingly hostile threat landscape.
Source: Health-ISAC