Shamir Medical Center (Israel)

Shamir Medical Center, a major healthcare provider in Israel, fell victim to a Qilin ransomware attack in 2025, resulting in the theft of 8 TB of sensitive data, including patient records and operational information. The cybercriminals demanded $700,000 in exchange for deleting the stolen data, though it remains unclear whether the ransom was paid. The breach exposed over 300,000 individuals' personal and medical data, posing severe risks to patient privacy, trust, and the hospital's operational continuity. The attack disrupted critical healthcare services, potentially delaying treatments and administrative processes. Given the scale of the data exfiltration (one of Qilin's largest confirmed breaches in the healthcare sector), the incident underscores the group's focus on high-value targets where system downtime and data loss can have life-threatening consequences. The financial and reputational damage extends beyond immediate recovery costs, with long-term implications for cybersecurity investments and regulatory compliance in Israel's healthcare infrastructure.

Source: https://www.comparitech.com/news/qilin-ransomware-stats-on-attacks-ransoms-data-breaches/

TPRM report: https://www.rankiteo.com/company/assaf-harofeh-medical-center-official-page

{
  "id": "ass0992409102325",
  "linkid": "assaf-harofeh-medical-center-official-page",
  "type": "Ransomware",
  "date": "6/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'aviation',
                        'location': 'Malaysia',
                        'name': 'Malaysia Airports Holdings Bhd (Kuala Lumpur '
                                'International Airport)',
                        'type': 'transportation'},
                       {'industry': 'legal',
                        'location': 'United States',
                        'name': 'Cleveland Municipal Court',
                        'type': 'government'},
                       {'industry': 'municipal services',
                        'location': 'Spain',
                        'name': 'Ciudad Autónoma de Melilla',
                        'type': 'government'},
                       {'industry': 'healthcare',
                        'location': 'Israel',
                        'name': 'Shamir Medical Center',
                        'type': 'healthcare'},
                       {'industry': 'law enforcement',
                        'location': 'United States',
                        'name': 'Hamilton County Sheriff’s Office',
                        'type': 'government'},
                       {'customers_affected': 300000,
                        'industry': 'healthcare',
                        'location': 'Japan',
                        'name': 'Utsunomiya Central Clinic',
                        'type': 'healthcare'},
                       {'industry': 'education (high schools)',
                        'location': 'France',
                        'name': 'Region Hauts-de-France',
                        'type': 'government'},
                       {'industry': 'K-12 education',
                        'location': 'United States',
                        'name': 'Uvalde Consolidated Independent School '
                                'District',
                        'type': 'education'},
                       {'industry': 'K-12 education',
                        'location': 'United States',
                        'name': 'Mecklenburg County Public Schools',
                        'type': 'education'},
                       {'industry': 'higher education',
                        'location': 'Australia',
                        'name': 'Belmont Christian College',
                        'type': 'education'},
                       {'industry': 'manufacturing (food/beverage)',
                        'location': 'Japan',
                        'name': 'Asahi Group Holdings',
                        'type': 'business'},
                       {'industry': 'manufacturing (aluminum)',
                        'location': 'France',
                        'name': 'Alu Perpignan',
                        'type': 'business'},
                       {'industry': 'automotive design',
                        'location': 'Japan',
                        'name': 'Nissan Creative Box Inc.',
                        'type': 'business'},
                       {'customers_affected': 60000,
                        'industry': 'retail',
                        'location': 'United States',
                        'name': 'Crossroads Trading Co., Inc.',
                        'type': 'business'},
                       {'industry': 'finance',
                        'location': 'South Korea',
                        'name': '30 South Korean Asset Management Companies',
                        'type': 'business'},
                       {'industry': 'law enforcement',
                        'location': 'United States',
                        'name': 'Orleans Parish Sheriff’s Office',
                        'type': 'government'},
                       {'industry': 'municipal services',
                        'location': 'United States',
                        'name': 'Town of Waxhaw',
                        'type': 'government'},
                       {'industry': 'public utility',
                        'location': 'United States',
                        'name': 'Lakehaven Water & Sewer District',
                        'type': 'government'},
                       {'industry': 'municipal services',
                        'location': 'France',
                        'name': 'Ville de Saint-Claude',
                        'type': 'government'},
                       {'industry': 'municipal services',
                        'location': 'France',
                        'name': 'Commune d’Elne',
                        'type': 'government'},
                       {'industry': 'public utility (water/sewer)',
                        'location': 'Aruba',
                        'name': 'N.V. ELMAR',
                        'type': 'government'},
                       {'customers_affected': 900000,
                        'industry': 'healthcare diagnostics',
                        'location': 'United Kingdom',
                        'name': 'Synnovis (2024 attack)',
                        'type': 'business'}],
 'attack_vector': ['phishing',
                   'exploiting vulnerabilities',
                   'RaaS affiliates',
                   'supply chain (via mutual IT providers)'],
 'customer_advisories': ['Monitor financial accounts for fraud (e.g., '
                         'Crossroads Trading Co. customers).',
                         'Healthcare patients: Watch for identity theft (e.g., '
                         'Utsunomiya Central Clinic breach).',
                         'Affected organizations will notify impacted '
                         'individuals per regulatory requirements.'],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'file_types_exposed': ['databases',
                                        'design files (e.g., Nissan Creative '
                                        'Box)',
                                        'health records',
                                        'government documents',
                                        'financial records'],
                 'number_of_records_exposed': 788377,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': ['high (healthcare, PII, proprietary '
                                         'business data)'],
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)',
                                              'health records (e.g., Shamir '
                                              'Medical Center: 8 TB)',
                                              'design/proprietary data (e.g., '
                                              'Nissan Creative Box: 4 TB)',
                                              'financial data (e.g., asset '
                                              'management firms)',
                                              'government/legal documents '
                                              '(e.g., Cleveland Municipal '
                                              'Court)']},
 'date_publicly_disclosed': '2025-10-01',
 'description': 'Qilin, a Russia-based ransomware-as-a-service (RaaS) group, '
                'claimed its 700th attack in 2025, surpassing RansomHub’s 2024 '
                'total of 547 victims. The group has targeted critical sectors '
                'globally, including healthcare, government, education, '
                'finance, and manufacturing, with the US being the most '
                'affected country (375 attacks). Qilin’s RaaS model, combined '
                'with the migration of RansomHub affiliates after its shutdown '
                'in April 2025, has fueled a 280% increase in attacks since '
                'then. The group employs system encryption and data theft, '
                'with confirmed breaches exposing 788,377 records and 47 TB of '
                'stolen data. Ransom demands have ranged from $300,000 to $10 '
                'million, though most victims refuse to pay. Notable incidents '
                'include attacks on Malaysia Airports Holdings ($10M demand), '
                'Shamir Medical Center (8 TB stolen, $700K demand), and '
                'disruptions to education (e.g., Uvalde Consolidated ISD) and '
                'government entities (e.g., Region Hauts-de-France, France).',
 'impact': {'brand_reputation_impact': ['high (due to public disclosures and '
                                        'media coverage)'],
            'data_compromised': {'total_data_stolen': '47 TB (confirmed '
                                                      'attacks)',
                                 'total_data_stolen_all_attacks': '116 TB',
                                 'total_records': 788377},
            'downtime': [{'duration': '3 days (September 15–18, 2025)',
                          'entity': 'Uvalde Consolidated Independent School '
                                    'District'},
                         {'duration': '1 week',
                          'entity': 'Mecklenburg County Public Schools'},
                         {'duration': '3 weeks (system shutdown)',
                          'entity': 'Alu Perpignan'},
                         {'duration': 'ongoing (as of report date)',
                          'entity': 'Asahi Group Holdings'},
                         {'duration': 'weeks',
                          'entity': 'Cleveland Municipal Court'},
                         {'duration': None,
                          'entity': 'Kuala Lumpur International Airport'}],
            'identity_theft_risk': ['high (788,377 records exposed)'],
            'operational_impact': ['school closures (education sector)',
                                   'POS/credit card terminal failures (retail)',
                                   'loss of 3 months’ business (Alu Perpignan)',
                                   'disruption to 80% of high schools (Region '
                                   'Hauts-de-France)',
                                   'airport system disruptions (Malaysia '
                                   'Airports Holdings)'],
            'payment_information_risk': ['moderate (e.g., Crossroads Trading '
                                         'Co. POS/credit card terminal '
                                         'issues)'],
            'revenue_loss': [{'entity': 'Alu Perpignan',
                              'loss': '3 months’ worth of business'},
                             {'entity': 'Hamilton County Sheriff’s Office',
                              'loss': '$48,000 (recovery costs)'},
                             {'entity': 'Synnovis (2024 attack)',
                              'loss': '£33 million ($44 million)'}],
            'systems_affected': ['manufacturing (e.g., Asahi Group, Alu '
                                 'Perpignan)',
                                 'healthcare (e.g., Shamir Medical Center, '
                                 'Utsunomiya Central Clinic)',
                                 'government (e.g., Region Hauts-de-France, '
                                 'Orleans Parish Sheriff’s Office)',
                                 'education (e.g., Uvalde Consolidated ISD, '
                                 'Mecklenburg County Public Schools)',
                                 'finance (e.g., 30 South Korean asset '
                                 'management firms)',
                                 'retail (e.g., Crossroads Trading Co.)',
                                 'transportation (e.g., Kuala Lumpur '
                                 'International Airport)',
                                 'legal (e.g., Cleveland Municipal Court)']},
 'initial_access_broker': {'data_sold_on_dark_web': ['likely (Qilin auctions '
                                                     'stolen data on its '
                                                     'site)'],
                           'entry_point': ['phishing',
                                           'exploited vulnerabilities',
                                           'RaaS affiliates',
                                           'supply chain compromises (IT '
                                           'providers)'],
                           'high_value_targets': ['healthcare (e.g., Shamir '
                                                  'Medical Center: 8 TB '
                                                  'stolen)',
                                                  'government (e.g., Region '
                                                  'Hauts-de-France: 1.1 TB '
                                                  'stolen)',
                                                  'manufacturing (e.g., Nissan '
                                                  'Creative Box: 4 TB design '
                                                  'data)']},
 'investigation_status': 'ongoing (multiple incidents across sectors)',
 'lessons_learned': ['RaaS models accelerate attack scalability (280% increase '
                     'post-RansomHub shutdown).',
                     'Supply chain vulnerabilities (e.g., 30 South Korean '
                     'asset management firms via mutual IT provider) are '
                     'critical attack vectors.',
                     'Refusal to pay ransoms does not eliminate '
                     'operational/financial costs (e.g., Hamilton County: $48K '
                     'recovery).',
                     'Education and government sectors are increasingly '
                     'targeted, with severe disruption risks (e.g., school '
                     'closures).',
                     'Proactive backup strategies and incident response plans '
                     'mitigate downtime (e.g., Mecklenburg County Public '
                     'Schools restored systems in 1 week).'],
 'motivation': ['financial gain', 'disruption', 'data theft for extortion'],
 'post_incident_analysis': {'corrective_actions': ['Mandate MFA for all remote '
                                                   'access and privileged '
                                                   'accounts.',
                                                   'Conduct red team '
                                                   'exercises to test '
                                                   'ransomware resilience.',
                                                   'Isolate high-value '
                                                   'data (e.g., healthcare '
                                                   'records, design IP) with '
                                                   'zero-trust controls.',
                                                   'Implement automated '
                                                   'threat hunting for '
                                                   'RaaS-affiliated IPs/TTPs.',
                                                   'Review insurance '
                                                   'policies to cover '
                                                   'ransomware recovery costs '
                                                   '(e.g., Hamilton County’s '
                                                   '$48K expense).'],
                            'root_causes': ['Lack of multi-factor '
                                            'authentication (MFA) on '
                                            'critical systems.',
                                            'Insufficient endpoint detection '
                                            'and response (EDR) '
                                            'capabilities.',
                                            'Third-party vendor risks '
                                            '(e.g., shared IT providers in '
                                            'South Korea attacks).',
                                            'Delayed patch management for '
                                            'known vulnerabilities.',
                                            'Inadequate employee training '
                                            'on phishing/social engineering.']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransom_demanded': [{'amount': '$10,000,000',
                                     'entity': 'Malaysia Airports Holdings '
                                               'Bhd'},
                                    {'amount': '$4,000,000',
                                     'entity': 'Cleveland Municipal Court'},
                                    {'amount': '$2,120,000',
                                     'entity': 'Ciudad Autónoma de Melilla'},
                                    {'amount': '$700,000',
                                     'entity': 'Shamir Medical Center'},
                                    {'amount': '$300,000',
                                     'entity': 'Hamilton County Sheriff’s '
                                               'Office'},
                                    {'amount': '$50,000,000',
                                     'entity': 'Synnovis (2024)'}],
                'ransom_paid': ['none reported (all known victims refused to '
                                'pay)'],
                'ransomware_strain': 'Qilin'},
 'recommendations': ['Implement network segmentation to limit lateral '
                     'movement during attacks.',
                     'Enhance third-party risk management, especially for '
                     'shared IT providers.',
                     'Adopt immutable backups to ensure rapid recovery '
                     'without paying ransoms.',
                     'Conduct regular phishing simulations and employee '
                     'training to reduce initial access risks.',
                     'Deploy behavioral-based detection tools (e.g., '
                     'adaptive WAFs) to identify anomalous activity.',
                     'Establish cross-sector threat intelligence sharing '
                     'to preempt RaaS affiliate campaigns.',
                     'Develop sector-specific playbooks for ransomware '
                     'response (e.g., healthcare vs. manufacturing).'],
 'references': [{'date_accessed': '2025-10-01',
                 'source': 'Comparitech',
                 'url': 'https://www.comparitech.com/blog/information-security/qilin-ransomware-attacks-2025/'},
                {'source': 'Qilin Ransomware Tracker',
                 'url': 'https://www.ransomwaretracker.com/groups/qilin'}],
 'regulatory_compliance': {'regulations_violated': ['potential HIPAA '
                                                    '(healthcare breaches, '
                                                    'e.g., Utsunomiya Central '
                                                    'Clinic)',
                                                    'GDPR (EU entities, e.g., '
                                                    'Region Hauts-de-France)',
                                                    'state-level breach '
                                                    'notification laws (US)'],
                           'regulatory_notifications': ['likely (e.g., US '
                                                        'entities required to '
                                                        'disclose breaches)']},
 'response': {'communication_strategy': ['public disclosures (e.g., Utsunomiya '
                                         'Central Clinic, Hamilton County '
                                         'Sheriff’s Office)',
                                         'customer notifications (e.g., '
                                         'Crossroads Trading Co.: 60,000 '
                                         'notified)'],
              'containment_measures': ['system shutdowns (e.g., Alu Perpignan, '
                                       '3 weeks)',
                                       'isolation of affected networks'],
              'incident_response_plan_activated': ['likely (e.g., Hamilton '
                                                   'County Sheriff’s Office '
                                                   'hired external '
                                                   'cybersecurity firm)'],
              'recovery_measures': ['gradual restoration of systems (e.g., '
                                    'Mecklenburg County Public Schools: 1 '
                                    'week)',
                                    'manual processes for disrupted services '
                                    '(e.g., POS terminals at Crossroads '
                                    'Trading Co.)'],
              'remediation_measures': ['data recovery from backups',
                                       'external cybersecurity support (e.g., '
                                       'Hamilton County Sheriff’s Office)'],
              'third_party_assistance': ['cybersecurity firms (e.g., Hamilton '
                                         'County Sheriff’s Office)']},
 'stakeholder_advisories': ['Healthcare providers: Secure patient data and '
                            'test backup integrity.',
                            'Government agencies: Isolate critical systems and '
                            'monitor for exfiltration.',
                            'Educational institutions: Prioritize '
                            'cybersecurity hygiene to avoid disruptions.',
                            'Manufacturers: Protect intellectual property and '
                            'design data from theft.'],
 'threat_actor': 'Qilin (Russia-based ransomware group)',
 'title': "Qilin Ransomware Gang's 700th Attack in 2025: Global Surge in Cyber "
          'Extortion',
 'type': ['ransomware', 'data breach', 'system disruption']}