Insomnia: Why This New Cyber Threat is Worse Than Ransomware for Healthcare
The cybersecurity conversation in healthcare is changing. For years, the nightmare scenario was a ransomware attack: the loud, disruptive shutdown of IT systems until a fee is paid. Organizations have gotten better at preparing for this, primarily by improving their backups.
But the adversary is evolving, and the new threat actor that goes by the name Insomnia (a fitting name, from a CISO's point of view) is far more dangerous precisely because they are quiet. They have shifted their focus from disruption to stealthy data theft, and the target is your most sensitive patient data (PHI and PII).
Why is this shift so critical? Because while you can restore encrypted files from a backup, you can't restore the confidentiality of stolen patient records. Once the data is gone, the damage is permanent, giving Insomnia maximum leverage for extortion and creating a catastrophic regulatory and reputational risk for your practice.
Who is Insomnia, and Why Are They Targeting Us?
Insomnia surfaced in October 2025 with a single, sharp focus: the US healthcare sector.
The Tactic: Quiet Exfiltration. Insomnia avoids the "noise" of ransomware lock-ups. Their goal is an extended, undetected stay in your network to identify and steal Protected Health Information (PHI). They know exposed data cannot be restored with a backup.
The Target: The "Mid-Tier Provider." Insomnia is strategically attacking mid-sized healthcare organizations that manage massive amounts of data but often have smaller security budgets than large hospital systems. This includes:
Clinical Practices (e.g., Internal Medicine, Dialysis Centers)
Pathology Labs
Revenue Cycle Management/Billing Vendors (a critical "supply chain" vulnerability)
The Risk is Forever. Once stolen, Insomnia publishes the data on the dark web for free, ensuring the PHI is permanently accessible to other criminals. This leads to years of identity theft risk for patients and guaranteed regulatory fallout for your organization.
Their Sneakiest Trick: Abusing the IT Team’s Own Tools
The most concerning part of the Insomnia threat is its ability to hide in plain sight. They don't rely on custom, complex malware; they weaponize the legitimate, trusted software your IT team uses every day.
Initial Access via Stolen Credentials. Their primary entry point is simply purchasing stolen login credentials on the dark web. They walk right past perimeter defenses by logging into your VPN or remote access systems with a valid username and password.
The WSUS Attack. Their signature technique is compromising your Windows Server Update Services (WSUS) server. WSUS is the server that distributes Windows updates to every machine in the domain. Insomnia injects their malicious code into this trusted update pipeline. Because the code appears to be a legitimate Windows Update, it runs with the highest system privileges and is virtually invisible to standard network monitoring.
Immediate, Practical Steps for Every Healthcare Practice
A threat this stealthy requires a mindset shift. You must move your focus from preventing entry to aggressively monitoring for suspicious behavior once an attacker is inside.
Action Item 1: Harden Your Management Infrastructure
The WSUS server is a critical attack vector that must be secured immediately.
Isolate the Server: Place your WSUS server in a restricted network segment. Monitor it intensely for any unauthorized changes to its configuration or update packages.
Implement Signed Updates: Configure your WSUS environment to deploy only updates that are digitally signed by a trusted authority. This prevents Insomnia from injecting its own malicious "updates" into your internal systems.
Action Item 2: Strengthen Your Identity and Access Controls
Stolen credentials are the number one entry point for Insomnia.
Phishing-Resistant MFA: Move beyond simple SMS or mobile app-based Multi-Factor Authentication (MFA). Adopt hardware tokens that are resistant to advanced proxying and session hijacking attacks.
Privileged Access Management (PAM): Enforce strict controls on every administrative account (IT staff). If you use Microsoft Entra, implement Privileged Identity Management (PIM) immediately. This ensures high-level credentials are only active for the exact time they are needed and that all activity around them is constantly monitored.
Action Item 3: Monitor for Data Theft
You must have the capability to detect when and what data is leaving your organization.
Data Classification and Discovery: Use automated tools to identify and tag all sensitive PHI across your network. You cannot protect data if you don't know where it resides.
Strict Egress Filtering (Outbound Traffic Control): Block all outbound network traffic to common file-sharing, temporary staging, or public data-sharing websites. Limit network communication to only known, authorized business destinations.
Behavioral Monitoring: Deploy AI-powered security monitoring to spot anomalies, such as an unusual increase in database read volumes or an administrative account accessing a sensitive patient directory outside of normal working hours.
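As an added illustration of the two anomalies named above (not code from the original advisory), the following Python script runs two simple behavioural checks over a constructed audit log: a privileged account reaching a PHI location outside working hours, and an hour in which an account's read volume far exceeds its own median. The log format, account and resource names, working-hours window and spike threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed inventory from data classification: which resources hold PHI,
# which accounts are administrative, and what "normal hours" means here.
PHI_RESOURCES = {"share:fs01/patients", "db:ehr.encounters"}
ADMIN_ACCOUNTS = {"adm-jdoe"}
WORK_HOURS = range(7, 19)      # 07:00 to 18:59 counts as normal
SPIKE_FACTOR = 5               # alert when an hour exceeds 5x the account's median hour

# Constructed sample events: "<ISO timestamp> <account> <resource> <records_read>"
SAMPLE_LOG = """\
2025-11-03T09:05:00 rn-alee db:ehr.encounters 120
2025-11-03T10:05:00 rn-alee db:ehr.encounters 140
2025-11-03T11:05:00 rn-alee db:ehr.encounters 130
2025-11-03T12:05:00 rn-alee db:ehr.encounters 90000
2025-11-03T14:20:00 adm-jdoe share:fs01/patients 15
2025-11-04T02:41:00 adm-jdoe share:fs01/patients 3500
"""

def parse(log_text):
    """Turn each log line into (timestamp, account, resource, records_read)."""
    events = []
    for line in log_text.splitlines():
        ts, account, resource, reads = line.split()
        events.append((datetime.fromisoformat(ts), account, resource, int(reads)))
    return events

def off_hours_admin_access(events):
    """Administrative account touching a PHI resource outside WORK_HOURS."""
    return [(ts, acct, res) for ts, acct, res, _ in events
            if acct in ADMIN_ACCOUNTS and res in PHI_RESOURCES and ts.hour not in WORK_HOURS]

def read_volume_spikes(events):
    """Hours where reads of a PHI resource exceed SPIKE_FACTOR x that account's median hour."""
    per_hour = defaultdict(int)
    for ts, acct, res, reads in events:
        if res in PHI_RESOURCES:
            per_hour[(acct, res, ts.replace(minute=0, second=0))] += reads
    by_pair = defaultdict(list)
    for (acct, res, hour), total in per_hour.items():
        by_pair[(acct, res)].append((hour, total))
    alerts = []
    for (acct, res), hours in by_pair.items():
        baseline = median(total for _, total in hours)   # median resists the spike itself
        alerts += [(hour, acct, res, total) for hour, total in hours
                   if total > SPIKE_FACTOR * baseline]
    return alerts

def run(log_text=SAMPLE_LOG):
    events = parse(log_text)
    return {"off_hours": off_hours_admin_access(events), "spikes": read_volume_spikes(events)}
```

With the sample log, the 02:41 share access by adm-jdoe and the 90,000-record hour by rn-alee are flagged; the median baseline is what keeps the spike from inflating its own threshold.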
The Insomnia threat actor is a clear indicator that compliance with minimum HIPAA standards is no longer enough. Protecting patient data now requires a security culture that is proactive, hunt-centric, and understands that compromising your patients' data is the greatest leverage for today's most advanced cybercriminals.