{ "id": "892b143b-eb9e-4fe8-899b-557fdd0f1bc1", "created_at": "2026-04-06T00:14:02.987691Z", "updated_at": "2026-04-10T13:11:56.495918Z", "deleted_at": null, "sha1_hash": "03066a6b00d5e76c7ce11bca7a48557a79104b51", "title": "The Alphv ransomware gang stole 5TB of data from the Morrison Community Hospital", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 150810, "plain_text": "The Alphv ransomware gang stole 5TB of data from the Morrison\r\nCommunity Hospital\r\nBy Pierluigi Paganini\r\nPublished: 2023-10-15 · Archived: 2026-04-05 21:25:25 UTC\r\nThe Alphv ransomware group added the Morrison Community Hospital to its\r\ndark web leak site. Threat actors continue to target hospitals.\r\nThe ALPHV/BlackCat ransomware group claims to have hacked the Morrison Community Hospital and added it\r\nto its dark web Tor leak site.\r\nThe group claims to have stolen 5TB of patients’ and employee’s information, backups, PII documents, and more.\r\nThe gang also published a sample as proof of the stolen data.\r\nThe group states that it has started contacting journalists because the representatives of the Morrison Community\r\nHospital haven’t provided a clear response. The Alphv gang also threatens to initiate patient calls shortly.\r\nhttps://securityaffairs.com/152486/cyber-crime/alphv-ransomware-morrison-community-hospital.html\r\nPage 1 of 2\n\nThe popular researcher Brett Callow states that far this year, 29 US health systems with 90 hospitals between them\r\nhave been impacted by #ransomware, and at least 23/29 had data stolen.\r\nIn September, the LockBit ransomware group breached two hospitals, the Carthage Area Hospital and the\r\nClayton-Hepburn Medical Center in New York.\r\nThis isn’t the first time the Lockbit gang or its affiliates hit a hospital. In January, the LockBit ransomware gang\r\nformally apologized for the attack on the Hospital for Sick Children (SickKids) and released a free decryptor for\r\nthe Hospital.\r\nThe group is known to have a role for its affiliated that prohibits attacking healthcare organizations. Its policy\r\nforbids to encrypt systems of organizations where damage could lead to the death of individuals.\r\nThe gang explained that one of its partners attacked SickKids violating its rules, for this reason, it blocked the\r\naffiliate.\r\nAffiliates of the Lockbit gang have also hit other healthcare organizations in the past, in early December 2022,\r\nthe Hospital Centre of Versailles was hit by a cyber attack that was attributed to the group. Hospital Centre of\r\nVersailles, which includes Andre-Mignot Hospital, Richaud Hospital and the Despagne Retirement Home,\r\ncanceled operations and transferred some patients due to the cyberattack.\r\nIn August, the gang attacked the Center Hospitalier Sud Francilien (CHSF), a hospital southeast of Paris. The\r\nattack disrupted the emergency services and surgeries and forced the hospital to refer patients to other structures.\r\nAccording to local media, threat actors demand a $10 million ransom to provide the decryption key to restore\r\nencrypted data.\r\nOther ransomware attacks recently hit US hospitals. Recently the Rhysida ransomware group made the headlines\r\nbecause it announced the hack of Prospect Medical Holdings and the theft of sensitive information from the\r\norganization.\r\nThe Rhysida ransomware group threatened Prospect Medical Holdings to leak the stolen data if the company did\r\nnot pay a 50 Bitcoins ransom (worth $1.3 million). The same group this week claimed to have breached other\r\nthree US hospitals.\r\nThe systems at three hospitals and other medical facilities operated by Singing River Health System were hit by a\r\ncyber attack at the end of August.\r\nFollow me on Twitter: @securityaffairs and Facebook and Mastodon\r\nPierluigi Paganini\r\n(SecurityAffairs – hacking, ransomware)\r\nSource: https://securityaffairs.com/152486/cyber-crime/alphv-ransomware-morrison-community-hospital.html\r\nhttps://securityaffairs.com/152486/cyber-crime/alphv-ransomware-morrison-community-hospital.html\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://securityaffairs.com/152486/cyber-crime/alphv-ransomware-morrison-community-hospital.html" ], "report_names": [ "alphv-ransomware-morrison-community-hospital.html" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5", "created_at": "2022-10-25T16:07:23.797925Z", "updated_at": "2026-04-10T02:00:04.752608Z", "deleted_at": null, "main_name": "LockBit Gang", "aliases": [ "Bitwise Spider", "Operation Cronos" ], "source_name": "ETDA:LockBit Gang", "tools": [ "3AM", "ABCD Ransomware", "CrackMapExec", "EmPyre", "EmpireProject", "LockBit", "LockBit Black", "Mimikatz", "PowerShell Empire", "PsExec", "Syrphid" ], "source_id": "ETDA", "reports": null }, { "id": "86ab9be8-ce67-4866-9f66-1df471e9d251", "created_at": "2024-05-29T02:00:03.942487Z", "updated_at": "2026-04-10T02:00:03.641939Z", "deleted_at": null, "main_name": "Alpha Spider", "aliases": [ "ALPHV Ransomware Group" ], "source_name": "MISPGALAXY:Alpha Spider", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b", "created_at": "2022-10-25T16:07:23.303713Z", "updated_at": "2026-04-10T02:00:04.530417Z", "deleted_at": null, "main_name": "ALPHV", "aliases": [ "ALPHV", "ALPHVM", "Ambitious Scorpius", "BlackCat Gang", "UNC4466" ], "source_name": "ETDA:ALPHV", "tools": [ "ALPHV", "ALPHVM", "BlackCat", "GO Simple Tunnel", "GOST", "Impacket", "LaZagne", "MEGAsync", "Mimikatz", "Munchkin", "Noberus", "PsExec", "Remcom", "RemoteCommandExecution", "WebBrowserPassView" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434442, "ts_updated_at": 1775826716, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/03066a6b00d5e76c7ce11bca7a48557a79104b51.pdf", "text": "https://archive.orkl.eu/03066a6b00d5e76c7ce11bca7a48557a79104b51.txt", "img": "https://archive.orkl.eu/03066a6b00d5e76c7ce11bca7a48557a79104b51.jpg" } }