Over the United States Independence Day weekend, when many hospital and clinic IT teams run on skeleton staffing, several ransomware gangs quietly added a cluster of US healthcare providers to their dark web extortion sites. The listings, which range from a children's medicine practice to an orthopedic group, are unverified claims posted by the attackers themselves, but together they point to a familiar pattern: criminals timing their pressure campaigns for holidays, when victims are slowest to respond.
Who the gangs named
The crew tracked as Anubis posted two US medical targets in as many days, listing Northeast Pediatrics & Adolescent Medicine and an entity it named as Quest Healthcare Solutions. Separately, the Brain Cipher gang added a US orthopedics provider, Golden State Orthopedics, to its leak site. They were not alone: INC Ransom spent the same window loading its site with US medical names, including Colorado Rehabilitation and Occupational Medicine, the Hamilton Eye Institute and Horizon Eye Care, part of a broader spree of city governments and eye clinics we covered in a separate report.
None of the named organizations has confirmed a breach, and leak site entries are an extortion tactic, not proof of a successful intrusion. Gangs routinely inflate or mislabel victims, and some listings are later withdrawn after a quiet payment or a failed negotiation. Treat every name here as a claim until the organization or a regulator says otherwise.
Why healthcare, and why now
Medical providers are a recurring favourite for ransomware crews because they combine highly sensitive patient records with a low tolerance for downtime, a mix that raises the odds of a fast payout. Holiday weekends sharpen that pressure. With reduced staff watching the network, an intrusion has more time to spread before anyone notices, and a leak posted over a long weekend lands when a victim's leadership and legal teams are hardest to reach. The activity sits alongside an already busy stretch on the leak sites, including the Gentlemen crew, which named 41 organizations in a single day earlier in the week.
What defenders should do
Healthcare IT teams heading into a holiday should assume they are a target. Practical steps that blunt these campaigns include enforcing phishing-resistant multi-factor authentication on remote access and email, keeping internet-facing systems and VPN appliances patched, and making sure backups are recent, tested and stored offline where an attacker cannot reach them. Just as important is a call tree that works on a holiday, so that a leak site listing or an encryption event does not sit unanswered for two or three days. Organizations that find their name on one of these sites should preserve logs, engage counsel and their incident response provider, and resist the urge to negotiate before understanding what, if anything, was actually taken.
The claims in this briefing were drawn from the gangs' own dark web leak sites as aggregated by ransomware.live; IntelFusions has not independently verified any individual intrusion.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.