{ "id": "e7e13ff8-59b5-41a2-ab44-c38f649be09f", "created_at": "2026-04-06T00:20:15.201281Z", "updated_at": "2026-04-10T03:26:47.112667Z", "deleted_at": null, "sha1_hash": "4eed0953e9ad4ba01fe99e313391eff52d922280", "title": "Siemens Healthineers responds to alleged data theft by LockBit ransomware gang", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 74456, "plain_text": "Siemens Healthineers responds to alleged data theft by LockBit\r\nransomware gang\r\nBy Jonathan Greig\r\nPublished: 2023-08-18 · Archived: 2026-04-02 12:39:38 UTC\r\nHealthcare technology giant Siemens Healthineers said it is investigating a potential ransomware incident at one\r\nof its subsidiaries after claims of an attack were made by the LockBit ransomware group.\r\nLast week, LockBit added to its leak site Varian — a radiation oncology treatments and software maker acquired\r\nby Siemens Healthineers two years ago.\r\nA Siemens Healthineers spokesperson acknowledged the LockBit claims without confirming data had been stolen,\r\nand said the corporation has “comprehensive measures in place to mitigate cybersecurity risk.”\r\n“We are aware that data has been published on the LockBit site. It alleges that the data is related to the Varian\r\nbusiness segment of Siemens Healthineers,” the spokesperson told Recorded Future News. Siemens Healthineers\r\nitself was spun off in 2017 from the namesake German conglomerate, which retains a 75 percent stake.\r\n“We have activated our incident response protocol and have a dedicated taskforce investigating the incident,”\r\nincluding “internal and external experts,” the spokesperson said.\r\nIt is unclear how much ransom LockBit seeks. The alleged attack on Varian was one in a series of recent incidents\r\ninvolving healthcare organizations based in the U.S.\r\nOn Thursday, the gang added United Medical Centers to its leak site. The healthcare facility, located in Southwest\r\nTexas on the U.S.-Mexico border, did not respond to requests for comment but announced issues with its network\r\ntwo weeks ago.\r\nOfficials said they were “experiencing technical difficulties” with their network and were “actively addressing the\r\nissue to restore normal operations as swiftly as possible.”\r\n“We want to reassure you that despite the network disruption, some of our providers are still available and\r\nworking diligently to continue providing essential medical services to our patients,” they said on July 27.\r\nLockBit on shaky ground?\r\nThe latest LockBit postings come as cybersecurity experts are questioning the cybercrime group’s operational\r\nstrength after the release of a bombshell report from Jon DiMaggio, chief security strategist at Analyst1.\r\nIn a followup to his previous report on the ransomware gang, DiMaggio said he not only infiltrated the group\r\nusing fake personas but communicated with several gang members, affiliates and victims.\r\nhttps://therecord.media/siemens-healthineers-alleged-ransomware-incident-lockbit\r\nPage 1 of 3\n\nAccording to DiMaggio, LockBit’s leadership vanished and was unreachable over the first two weeks of August\r\nbefore resurfacing on August 13.\r\nDue to issues with its backend infrastructure and available bandwidth, the group is struggling to publish the data it\r\nsteals during attacks, DiMaggio said. LockBit is essentially pressuring victims to pay ransoms purely off of its\r\nreputation as the most prolific ransomware group currently operating, he said.\r\n“Affiliates are leaving LockBit’s program for its competitors. They know that LockBit is unable to publish large\r\namounts of victim data, despite its claims,” DiMaggio explained.\r\n“Additionally, it takes them days to weeks to review the correspondence and reply to their affiliate partners. Some\r\nrequests simply go unaddressed by the LockBit gang.”\r\nDiMaggio added that the gang’s operation is degrading and has been “slow to expand its infrastructure and\r\ndevelopment needs” — causing affiliates to leave the group and join other ransomware organizations.\r\nIn June, the FBI arrested 20-year-old Russian national Ruslan Astamirov for allegedly targeting victims around the\r\nworld with the notorious LockBit ransomware. That arrest followed the detainment of another LockBit affiliate,\r\nMikhail Vasiliev, in Canada last November.\r\nSince emerging in 2020, the gang has launched over 1,400 attacks against victims in the U.S. and around the\r\nworld, issuing over $100 million in ransom demands and receiving at least tens of millions of dollars in actual\r\nransom payments, according to the U.S. Department of Justice.\r\nhttps://therecord.media/siemens-healthineers-alleged-ransomware-incident-lockbit\r\nPage 2 of 3\n\nJonathan Greig\r\nis a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/siemens-healthineers-alleged-ransomware-incident-lockbit\r\nhttps://therecord.media/siemens-healthineers-alleged-ransomware-incident-lockbit\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://therecord.media/siemens-healthineers-alleged-ransomware-incident-lockbit" ], "report_names": [ "siemens-healthineers-alleged-ransomware-incident-lockbit" ], "threat_actors": [ { "id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5", "created_at": "2022-10-25T16:07:23.797925Z", "updated_at": "2026-04-10T02:00:04.752608Z", "deleted_at": null, "main_name": "LockBit Gang", "aliases": [ "Bitwise Spider", "Operation Cronos" ], "source_name": "ETDA:LockBit Gang", "tools": [ "3AM", "ABCD Ransomware", "CrackMapExec", "EmPyre", "EmpireProject", "LockBit", "LockBit Black", "Mimikatz", "PowerShell Empire", "PsExec", "Syrphid" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434815, "ts_updated_at": 1775791607, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4eed0953e9ad4ba01fe99e313391eff52d922280.pdf", "text": "https://archive.orkl.eu/4eed0953e9ad4ba01fe99e313391eff52d922280.txt", "img": "https://archive.orkl.eu/4eed0953e9ad4ba01fe99e313391eff52d922280.jpg" } }