FBI Cracks Down on Hospital Ransomware Threats Amid Record 2025 Attacks

The FBI has intensified its battle against ransomware gangs preying on the U.S. healthcare sector, which topped the list of cyberthreat targets in 2025 with 460 ransomware attacks and 182 data breaches, according to the bureau's latest annual internet crime report. In a landmark operation announced in January 2023, agents infiltrated the Hive ransomware network, one of the world's top five, seizing servers and websites used for leaking stolen data and negotiating payments. The effort, involving international partners and led by U.S. Attorney General Merrick Garland, prevented about $130 million in ransom demands after Hive had already extracted $100 million from over 1,300 global victims since June 2021, many in healthcare. Building on that success, FBI Director Christopher Wray declared the Hive takedown had "cut off the gas that was fueling Hive's fire," crippling the group's ability to launch new strikes. In July 2022, agents accessed Hive's network to distribute decryption keys directly to victims, restoring systems without payments. Just last week, on April 21, 2026, Deputy Director Andrew Bailey addressed the American Hospital Association conference in Washington, D.C., calling for greater hospital collaboration to share cyberthreat intelligence and disrupt criminal networks proactively rather than relying solely on arrests. The urgency stems from ongoing threats, including an FBI warning of "imminent" ransomware waves against hospitals using strains like Ryuk, spread via Trickbot botnets. Security firm Mandiant identified the group UNC1878 as deliberately targeting facilities, with ransoms exceeding $10 million per hit and plans to infect over 400 sites. In one wave coinciding with COVID spikes, at least five U.S. hospitals were hobbled, including three in New York's St. Lawrence County Health System and Sky Lakes Medical Center in Oregon, forcing patient diversions and delaying care. Healthcare disruptions have surged, with 59 U.S. providers hit by ransomware in a single recent year, affecting up to 510 facilities and compromising patient data for double extortion. FBI seizures in Los Angeles last year further dismantled Hive's infrastructure. As of 2026, officials continue probing Russian-speaking gangs like those deploying Zeppelin ransomware against Bay Area medical devices, emphasizing the sector's $ millions-per-incident recovery costs and risks to patient safety.