NHS: SonicWall: NHS hospitals hit by 10x cyber attack surge

NHS: SonicWall: NHS hospitals hit by 10x cyber attack surge

UK Healthcare Under Siege: Ransomware Reconnaissance Intensifies in 2026

New data from SonicWall reveals the UK’s healthcare sector is facing an unprecedented surge in cyberattacks, with more intrusion attempts per device than any other industry. Between January and May 2026, SonicWall’s Intrusion Prevention System (IPS) logged 264,000 attack events across NHS networks nearly 10 times the total for all of 2025 (27,000). On average, each monitored sensor recorded 11,000 hits, a rate unmatched in other UK sectors.

The threat landscape is dominated by 10 active ransomware families, the highest concentration of any vertical. While no ransomware detonations were detected during the monitoring period, SonicWall warns this lull is deceptive. Instead, attackers appear to be in a prolonged reconnaissance phase, systematically mapping NHS digital infrastructure before launching high-impact strikes. This shift aligns with a broader global trend of precision targeting in critical infrastructure, where threat actors prioritize stealth and preparation over immediate disruption.

Two Primary Attack Vectors

  1. Legacy Infrastructure: 41% of IPS events exploited Apache Log4j2, a vulnerability disclosed in late 2021 but still unpatched in many NHS clinical systems. Another 33% of sensors detected active exploitation attempts against F5 BIG-IP load balancers, highlighting persistent weaknesses in outdated technology.
  2. Digital Patient Portals: The rapid expansion of modern web frameworks (e.g., React, Next.js) in patient-facing systems has introduced new vulnerabilities. Attackers are probing these alongside legacy risks, exploiting the gap between old and new infrastructure.

Spencer Starkey, SonicWall’s EVP for EMEA, emphasizes the unique structural challenges facing the NHS: "Zombie tech, ancient unpatched systems, and legacy Java keep haunting the NHS. Administrators can’t just take a critical care system offline to patch it. Meanwhile, the rush to digitize has opened the door to brand-new web vulnerabilities in patient portals."

A False Sense of Security?

Despite the 87% drop in ransomware activations across UK businesses in 2025 as attackers shifted to fewer, higher-impact targets healthcare remains a prime focus. The absence of detonations in 2026 does not signal improved defenses but rather a calculated buildup. SonicWall’s data suggests attackers are stress-testing NHS systems, probing for weaknesses before executing large-scale attacks.

Past incidents underscore the stakes:

  • WannaCry (2017): Cost the NHS £92 million.
  • Synnovis (2024): Led to 1,500 canceled operations and was linked to one patient’s death.
  • Advanced Computer Software Group (2024): Disrupted emergency prescriptions, ambulance dispatches, and patient referrals across multiple trusts.

Regulatory and Operational Challenges

The Cyber Security and Resilience Bill, introduced in Parliament last November, aims to extend mandatory security requirements to 1,000 NHS suppliers. However, the bill does not address the core issue: legacy systems that cannot be taken offline for patching. NHS leadership must now determine how to govern persistent risk amid procurement cycles that struggle to match the speed of evolving threats.

Vendors are closely analyzing SonicWall’s findings, seeing opportunities in legacy remediation, Zero Trust adoption, medical IoT segmentation, and large-scale MFA enforcement. Yet the NHS’s complex digital supply chains and critical care dependencies make rapid overhauls difficult.

The data paints a clear picture: the UK’s healthcare sector is under sustained, methodical assault, with attackers biding their time before the next major strike.

Source: https://www.enterprisetimes.co.uk/2026/06/30/sonicwall-nhs-hospitals-hit-by-10x-cyber-attack-surge/

NHS England Digital Profession cybersecurity rating report: https://www.rankiteo.com/company/nhs-digital

"id": "NHS1782830096",
"linkid": "nhs-digital",
"type": "Ransomware",
"date": "1/2026",
"severity": "100",
"impact": "7",
"explanation": "Attack that could injure or kill people"
{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'United Kingdom',
                        'name': 'NHS (National Health Service)',
                        'size': 'Large',
                        'type': 'Healthcare Provider'}],
 'attack_vector': ['Legacy Infrastructure Exploitation',
                   'Digital Patient Portals'],
 'date_detected': '2026-01-01',
 'date_publicly_disclosed': '2026-05-31',
 'description': 'New data from SonicWall reveals the UK’s healthcare sector is '
                'facing an unprecedented surge in cyberattacks, with more '
                'intrusion attempts per device than any other industry. '
                'Between January and May 2026, SonicWall’s Intrusion '
                'Prevention System (IPS) logged 264,000 attack events across '
                'NHS networks—nearly 10 times the total for all of 2025 '
                '(27,000). Attackers are in a prolonged reconnaissance phase, '
                'systematically mapping NHS digital infrastructure before '
                'launching high-impact strikes. The threat landscape is '
                'dominated by 10 active ransomware families, with primary '
                'attack vectors being legacy infrastructure (e.g., Apache '
                'Log4j2, F5 BIG-IP) and digital patient portals (e.g., React, '
                'Next.js).',
 'impact': {'brand_reputation_impact': 'Potential future reputational damage '
                                       'to NHS and UK healthcare sector',
            'operational_impact': 'Potential future disruptions to critical '
                                  'care systems, canceled operations, and '
                                  'emergency services',
            'systems_affected': 'NHS networks, clinical systems, patient '
                                'portals'},
 'initial_access_broker': {'high_value_targets': 'NHS clinical systems, '
                                                 'patient portals',
                           'reconnaissance_period': 'January - May 2026'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Attackers are prioritizing stealth and preparation over '
                    'immediate disruption, exploiting legacy systems and '
                    'modern web frameworks in tandem. The NHS faces unique '
                    'structural challenges in patching critical systems that '
                    'cannot be taken offline.',
 'motivation': 'Precision targeting of critical infrastructure for future '
               'high-impact ransomware attacks',
 'post_incident_analysis': {'corrective_actions': ['Extend mandatory security '
                                                   'requirements to NHS '
                                                   'suppliers via Cyber '
                                                   'Security and Resilience '
                                                   'Bill',
                                                   'Prioritize legacy system '
                                                   'remediation and Zero Trust '
                                                   'adoption'],
                            'root_causes': ['Unpatched legacy systems (Apache '
                                            'Log4j2, F5 BIG-IP)',
                                            'Rapid digitization introducing '
                                            'new web vulnerabilities',
                                            'Complex digital supply chains']},
 'ransomware': {'ransomware_strain': ['10 active ransomware families']},
 'recommendations': ['Legacy system remediation',
                     'Zero Trust adoption',
                     'Medical IoT segmentation',
                     'Large-scale MFA enforcement'],
 'references': [{'date_accessed': '2026-05-31', 'source': 'SonicWall'}],
 'regulatory_compliance': {'regulatory_notifications': 'Cyber Security and '
                                                       'Resilience Bill '
                                                       '(proposed)'},
 'response': {'enhanced_monitoring': 'SonicWall Intrusion Prevention System '
                                     '(IPS)'},
 'stakeholder_advisories': 'NHS leadership and suppliers must address '
                           'persistent risks in legacy systems and digital '
                           'supply chains.',
 'title': 'UK Healthcare Under Siege: Ransomware Reconnaissance Intensifies in '
          '2026',
 'type': 'Reconnaissance',
 'vulnerability_exploited': ['Apache Log4j2',
                             'F5 BIG-IP load balancers',
                             'Web frameworks (React, Next.js)']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.