Healthcare Ransomware Defense: How NDR Stops Attacks Like Tufts & Eurofins
November 13, 2025
Anatomy of the Attack
Cybercriminals continue to target the healthcare sector. Two recent high-profile ransomware attacks, one on Tufts Medicine in the U.S. in September 2025 and another on Eurofins Scientific in the Netherlands in July 2025, serve as important reminders of the far-reaching consequences these ransomware attacks can have on an organization.
Tufts Medicine: A Major U.S. Healthcare Provider Under Attack
Tufts Medicine Inc., a Massachusetts health insurer and provider whose facilities include Tufts Medical Center, Lowell General Hospital, and MelroseWakefield Hospital, fell victim to a ransomware attack by the Cloak group. While some sources suggest ongoing issues dating back to 2023, the Cloak ransomware group's claim of the breach was widely reported around August 2025. Tufts Medicine officially reported a data breach to the state of Massachusetts' Office of Consumer Affairs and Business Regulation on August 26, 2025. The attack led to the exposure of sensitive patient information, including Social Security numbers (SSNs), financial account details, and driver's license information.
Cloak (also known as GoodDay) is a ransomware group that emerged in late 2022, known for targeting small to medium-sized businesses (SMBs) primarily in Europe, with a notable focus on Germany. In 2025, they significantly expanded their operations and began attacking high-profile targets in the United States. The group operates on a double-extortion model, meaning they not only encrypt their victims' data but also exfiltrate it, threatening to publish the sensitive information on their dark web leak site if the victim does not pay the ransom.
Eurofins Scientific Dutch Lab: A Critical Cancer Screening Program Compromised
A Dutch lab operated by Eurofins Scientific in Rijswijk, integral to the national cervical cancer screening program, suffered a ransomware attack just a few weeks earlier. The incident, discovered between July 3-6, 2025, involved unauthorized access to the IT systems of Clinical Diagnostics NMDL and Clinical Diagnostics LCPL. Initial reports suggested hackers stole data of approximately 485,000 participants, but later estimates grew to 941,000 patients. The compromised data included names, addresses, dates of birth, citizen service numbers (BSN), test results, and healthcare provider names.
The ransomware group Nova claimed responsibility and reportedly threatened to leak the data on the dark web, with some reports indicating Eurofins may have paid a multi-million Euro ransom to prevent further publication. Security experts consider this breach high severity due to the compromise of sensitive medical data for a massive number of patients and its impact on a critical public health program.
Other cybersecurity and incident response firms actively track the Nova ransomware group. It is a newer Ransomware-as-a-Service (RaaS) operation that gained notoriety in 2025, notably for its high-profile attack on Eurofins Clinical Diagnostics NMDL in the Netherlands. Security researchers have identified Nova as a rebrand of a group previously known as RALord, which first appeared around March 2025. The group operates a double-extortion model, stealing sensitive data before encrypting files and then threatening to leak the data on its dark web site if the victim does not pay the ransom.
The Common Thread in Healthcare Cyberattacks
These attacks underscore that traditional perimeter defenses, which are blind to internal east-west traffic, are no longer sufficient to protect the modern, interconnected healthcare enterprise. Healthcare organizations are an escalating target, and attackers are often successful because they exploit consistent weaknesses.
Healthcare companies are attractive targets for many reasons:
Target-Rich Environments: They hold vast amounts of highly sensitive personal and medical data, making them prime targets for ransomware groups seeking lucrative payouts or data for sale on the dark web.
The Human Element and Social Engineering: Security experts widely consider this the most common and successful attack vector, which often stems from unintentional errors rather than malicious intent. Healthcare staff are high-value targets who communicate constantly with unknown parties such as patients, laboratories, and insurers. Their daily workflow conditions them to open attachments like "patient records" or "test results," making them uniquely vulnerable to sophisticated phishing and social engineering attacks that trick them into giving up credentials or running malware. A lack of security awareness often compounds this vulnerability, as clinical staff focus on patient care, not cybersecurity, creating a massive gap in training on password hygiene or spotting malicious emails.
Supply Chain Vulnerability: The security of critical data often depends on third-party vendors and partners. A weak link in the supply chain can expose critical data, aligning with tactics where attackers leverage trusted relationships to gain access.
Operational Impact: Beyond data theft, these attacks may have disrupted critical operations, leading to suspended services and delayed patient care. This puts extreme pressure on the impacted healthcare organization to pay the ransom and recover operations.
ExtraHop RevealX NDR Wins Against Ransomware
ExtraHop RevealX NDR provides a distinct advantage against ransomware by detecting attacker TTPs in real time. While traditional perimeter security loses visibility once an attacker is inside, RevealX analyzes all internal east-west traffic to expose behavioral anomalies throughout the entire attack, from initial access to the final impact.
High-speed decryption and deep protocol analysis power this comprehensive detection. RevealX decodes over 90 network protocols and decrypts encrypted traffic at 100 Gbps, allowing it to find malicious activity at line rate. As a key differentiator, its native decryption capabilities extend beyond standard TLS/SSL to include complex Microsoft protocols. This advanced analysis uncovers sophisticated lateral movement and provides the deep traffic visibility needed to stop ransomware.
This table lists common ransomware techniques and how NDR addresses them.
| MITRE ATT&CK Tactic | MITRE ATT&CK Techniques | Attacker Use | ExtraHop NDR Detections |
|---|---|---|---|
| Initial Access | Phishing T1566 | Using malicious emails to obtain a foothold. | Doesn’t block the email but it does detect the result, such as a new connection to a malicious C2 server or a download from a low reputation domain. |
| Initial Access | Exploit Public-Facing Application T1190 | Using a vulnerability in a web server or VPN to gain access. | Can detect known inbound exploits using IDS signatures. It detects the anomalous post-exploit behavior from the compromised server, such as C2 beaconing or internal scanning. |
| Initial Access | Valid Accounts T1078 | Using credentials that have already been stolen, e.g., logging in over VPN or RDP with them. | Can detect the anomalous behavior after the login, such as a login from an unusual location or an account accessing systems it never normally touches. |
| Execution | Command and Scripting Interpreter T1059 | Using a tool or command shell to run malicious code. | Observes the network traffic the script generates, such as downloading tools or performing remote enumeration. Can leverage deep protocol decryption to natively decrypt and analyze the commands themselves. This allows it to see an actual malicious PowerShell command being sent remotely, which is a much stronger detection than just seeing the subsequent C2 traffic. |
| Credential Access | Kerberos T1558.003 | The act of stealing or finding credentials. Requesting Kerberos service tickets for high-privilege accounts in an attempt to crack their passwords offline. | Performs deep analysis of the Kerberos protocol. It detects the specific, anomalous service principal name requests that are characteristic of a Kerberoasting attack. |
| Discovery | Network Scanning T1046 | Scanning the internal network to find other servers and file shares. | Detects network scanning by creating a baseline of east-west traffic and then flagging the anomalous connection patterns of a scan. |
| Lateral Movement | Remote Services T1021 | Using RDP, PsExec, or WinRM to move from server to server. | Monitors and detects malicious east-west lateral movement by analyzing the protocols (e.g., RDP, SMB) used between systems. |
| Exfiltration | Exfiltration Over C2 Channel T1041 | Stealing and sending data to an attacker-controlled server. | Baselines normal traffic and detects the exfiltration of data to a new, suspicious, or low-reputation external destination. |
| Impact | Inhibit System Recovery T1490 | Deleting network-based backups to prevent recovery. | Detects anomalous network behavior, such as a host suddenly accessing and deleting files using backup protocols (e.g., SMB, NFS) that it normally doesn't use. |
| Impact | Data Encrypted for Impact T1486 | The final step of encrypting files on servers and file shares. | Detects the specific file access patterns of ransomware (e.g., rapid file read/write/rename over SMB) in real time. |
Table 1: Ransomware Attack Chain and NDR Detections
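As an added illustration of the T1486 row above (this is not ExtraHop code; the simplified SMB record format, the thresholds and the sample hosts are assumptions), a sliding-window detector that flags a client performing a burst of writes and extension-changing renames over SMB, run over constructed records:

```python
"""Toy T1486 detector: a host that suddenly performs rapid write/rename
bursts over SMB. Records are a constructed, simplified view of decoded
SMB file operations, not any vendor's data model; thresholds are
illustrative and would be tuned against a real baseline."""
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SmbOp:
    ts: float                       # seconds since capture start
    client: str                     # client that issued the SMB request
    op: str                         # READ, WRITE, RENAME, ...
    path: str                       # target file on the share
    new_path: Optional[str] = None  # for RENAME: the new file name

WINDOW_S = 10.0      # sliding window length (assumed)
MIN_WRITE_OPS = 20   # write+rename ops in window before alerting (assumed)
MIN_EXT_RENAMES = 5  # renames that change the extension in window (assumed)

def detect_mass_encryption(ops):
    """Return one alert per client whose write/rename burst crosses both
    thresholds within a single window. Alerts fire once per client."""
    windows = defaultdict(deque)
    alerts = {}
    for o in sorted(ops, key=lambda x: x.ts):
        q = windows[o.client]
        q.append(o)
        while q and o.ts - q[0].ts > WINDOW_S:   # evict ops outside window
            q.popleft()
        if o.client in alerts:
            continue
        writes = sum(1 for x in q if x.op in ("WRITE", "RENAME"))
        new_exts = [os.path.splitext(x.new_path)[1] for x in q
                    if x.op == "RENAME" and x.new_path
                    and os.path.splitext(x.new_path)[1] != os.path.splitext(x.path)[1]]
        if writes >= MIN_WRITE_OPS and len(new_exts) >= MIN_EXT_RENAMES:
            alerts[o.client] = {"client": o.client, "alert_ts": o.ts,
                                "ops_in_window": writes,
                                "new_extensions": sorted(set(new_exts))}
    return list(alerts.values())

def sample_ops():
    """Constructed sample: one workstation with slow normal activity and
    one host renaming many files to '.locked' within a few seconds."""
    ops = [SmbOp(i * 6.0, "10.0.1.20", "READ" if i % 2 else "WRITE",
                 f"/share/records/patient_{i}.pdf") for i in range(10)]
    for i in range(15):
        p = f"/share/records/patient_{i}.pdf"
        ops.append(SmbOp(100.0 + i * 0.2, "10.0.1.77", "WRITE", p))
        ops.append(SmbOp(100.1 + i * 0.2, "10.0.1.77", "RENAME", p, p + ".locked"))
    return ops

if __name__ == "__main__":
    for alert in detect_mass_encryption(sample_ops()):
        print(alert)
```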
Building Cyber Resilience: The ExtraHop Solution
The ExtraHop RevealX NDR platform provides the necessary foundation for a resilient defense.
Providing Complete Network Visibility: ExtraHop continuously analyzes all network traffic, including critical east-west traffic between servers and unmanaged devices, giving security teams a complete, high-fidelity view across the entire hybrid enterprise and all activity hidden behind encrypted communications, which is crucial for identifying initial access points and understanding compromised supply chain partners.
Delivering AI-Driven Behavioral Detection: Leveraging advanced, patented machine learning and AI, ExtraHop identifies suspicious activities indicative of attack phases. This approach establishes a dynamic baseline of normal behavior, triggering high-fidelity alerts when subtle deviations (like unauthorized scanning, abnormal exfiltration, or unusual protocol use) occur. This helps to catch threats early, before data encryption can start.
Enabling Rapid and Confident Response: The platform provides detailed forensic data, including packet-level visibility and identity-based attack investigation. This empowers incident responders to quickly pinpoint the origin and scope of an attack, assess the blast radius, and confidently ensure the network is completely clean to prevent re-infection and boost resilience.
The ransomware attacks on Tufts Medicine and Eurofins Scientific are important reminders of the persistent and evolving threat landscape facing the healthcare industry. As cybercriminals continue to target the complex interconnectedness of modern healthcare, organizations must prioritize proactive and comprehensive cybersecurity strategies that offer deep visibility and intelligent threat detection.
Product Marketing Team
Michael Zuckerman is a seasoned B2B product marketing and marketing strategy consultant. Zuckerman's domain experience in cybersecurity over the past 10 years includes DNS security, threat intelligence, threat intelligence platforms (TIP), container security, mobile device security, moving target defense, sandboxing, deception technology, cloud access security brokers (CASB), SASE, data loss prevention (DLP), user and entity behavior analytics (UEBA), network detection and response (NDR), and encryption.