Ransomware · Contained

Hillel Yaffe Medical Center DeepBlueMagic ransomware (Israel, 2021)

DeepBlueMagic ransomware — attributed by Israeli officials to a Chinese criminal group — hit Hillel Yaffe Medical Center in Hadera, becoming the first known successful ransomware attack on an Israeli healthcare entity. Recovery extended for months. Israeli authorities subsequently reported a wave of follow-on attempts against nine more hospitals.

Victim: Hillel Yaffe Medical Center
Threat actor: DeepBlueMagic
CVE: CVE-2019-11510

On 13 October 2021, Hillel Yaffe Medical Center in Hadera became the first Israeli hospital known to suffer a successful ransomware attack. The malware was identified as DeepBlueMagic — a relatively new family first seen in August 2021. Israeli officials publicly attributed the operation to a Chinese criminal group acting on financial motives.

What happened

The attack hit early on 13 October 2021. DeepBlueMagic's first action on each compromised machine is to stop every third-party Windows service — effectively disabling security tooling — before it begins encryption. It then deletes Volume Shadow Copies, eliminating the routine Windows mechanism that would normally allow file restoration.
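The pre-encryption pattern described above (a burst of service stops followed by shadow-copy deletion) is something a defender can alert on from ordinary Windows telemetry. The detector below is an added example, not code from the page or from any incident report; it assumes service stops arrive as Service Control Manager event 7036 and that shadow-copy deletion shows up in process-creation event 4688 command lines (the page does not name the exact command the malware used), and it runs over constructed sample events.

```python
"""Flag hosts where several service stops are followed, within a short
window, by a Volume Shadow Copy deletion: the ordering described above."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): (timestamp, host, event_id, message)
SAMPLE_EVENTS = [
    ("2021-10-13T02:10:01", "WS-17", 7036, "The Backup Agent service entered the stopped state."),
    ("2021-10-13T02:10:02", "WS-17", 7036, "The Endpoint Protection service entered the stopped state."),
    ("2021-10-13T02:10:03", "WS-17", 7036, "The Print Spooler service entered the stopped state."),
    ("2021-10-13T02:10:04", "WS-17", 7036, "The EDR Sensor service entered the stopped state."),
    ("2021-10-13T02:10:09", "WS-17", 4688, "New Process: vssadmin.exe delete shadows /all /quiet"),
    ("2021-10-13T02:30:00", "WS-22", 7036, "The Print Spooler service entered the stopped state."),
    ("2021-10-13T03:00:00", "WS-22", 4688, "New Process: vssadmin.exe list shadows"),
]

# Event 7036 message form used by the Service Control Manager.
STOP_RE = re.compile(r"The (.+?) service entered the stopped state")
# Common shadow-copy deletion command lines (assumed patterns, not taken from the page).
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|Win32_ShadowCopy.*Delete",
    re.IGNORECASE,
)


def detect_pre_encryption(events, min_stops=3, window=timedelta(minutes=5)):
    """Return {host: [stopped services]} for every host on which at least
    `min_stops` service stops precede a shadow-copy deletion within `window`.
    A lone 'vssadmin list shadows' or a single service stop is not enough."""
    stops = defaultdict(list)  # host -> [(timestamp, service name)]
    hits = {}
    for ts_str, host, event_id, msg in sorted(events):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ts_str)
        if event_id == 7036:
            m = STOP_RE.search(msg)
            if m:
                stops[host].append((ts, m.group(1)))
        elif event_id == 4688 and SHADOW_DELETE_RE.search(msg):
            recent = [svc for t, svc in stops[host] if ts - t <= window]
            if len(recent) >= min_stops:
                hits[host] = recent
    return hits


if __name__ == "__main__":
    for host, services in detect_pre_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {len(services)} service stops then shadow-copy deletion: {services}")
```

Tune `min_stops` and `window` to the host's baseline; a patch-day reboot stops many services too, but it does not end in a shadow-copy deletion.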

Investigators concluded the initial-access vector was an unpatched Pulse Connect Secure VPN appliance — most likely the long-disclosed CVE-2019-11510, the same flaw used in Travelex and several other major ransomware operations.

Because Hillel Yaffe is a government-owned hospital, it was prohibited from paying the ransom. The hospital operated on degraded systems while staff reverted to manual workflows. The incident triggered an immediate spike in attempted cyberattacks against the rest of the Israeli healthcare sector: within days, Israel's national cyber authority reported a 72% week-over-week increase in attempted attacks and identified attempts against nine more hospitals.

Impact

  • First confirmed successful ransomware attack on an Israeli healthcare entity.
  • Hospital IT paralysed; reverted to manual workflows.
  • Months of degraded operations before full recovery.
  • Triggered a 72% week-over-week spike in attempted attacks against Israeli healthcare.
  • Initial-access vector: unpatched Pulse Secure VPN appliance.

Why it matters

Hillel Yaffe became Israel's reference case for healthcare-sector ransomware preparedness. The attribution to a Chinese criminal group also distinguished the case from the more common Russian-speaking ransomware ecosystem and showed that healthcare is targeted by financially motivated actors from more than one geography. The follow-on attempts against nine more hospitals — most defended successfully — became a case study in post-incident sector-wide alerting that other governments have adopted.

Timeline

  1. Hillel Yaffe Medical Center in Hadera detects ransomware activity; the hospital's computer systems are paralysed. As a government-owned hospital, Hillel Yaffe is prohibited from paying.

  2. DeepBlueMagic identified as the malware family. Researchers note the same TTPs used against earlier global victims: stops third-party Windows services to disable security tooling, then deletes Volume Shadow Copies to prevent restoration.

  3. Initial-access vector assessed as exploitation of an unpatched Pulse Connect Secure VPN appliance (CVE-2019-11510).

  4. Israel's national cyber authority reports a 72% week-over-week increase in attempted cyberattacks against healthcare; nine additional Israeli hospitals report attempted attacks.

  5. Top Israeli cyber officials publicly assess the operation as financially motivated and likely conducted by a Chinese criminal group.

  6. Hillel Yaffe operates on degraded systems for an extended period; full IT recovery takes months.

Sources

  1. govinfosecurity.com: https://www.govinfosecurity.com/ransomware-attack-on-israeli-medical-center-raises-alarm-a-17740
  2. timesofisrael.com: https://www.timesofisrael.com/top-cyber-official-hospital-attack-purely-financial-likely-by-chinese-group/
  3. jpost.com: https://www.jpost.com/breaking-news/hillel-yaffe-hospital-targeted-by-ransomware-attack-681842
  4. inforisktoday.com: https://www.inforisktoday.com/more-attempted-cyberattacks-on-israeli-healthcare-entities-a-17762
  5. timesofisrael.com: https://www.timesofisrael.com/hospital-has-no-idea-of-scale-of-cyberattack-havoc-recovery-could-take-months/

Related incidents

  • HSE Ireland ransomware (Conti) [Ransomware · Contained]: Conti ransomware paralysed Ireland's Health Service Executive, forcing cancellation of outpatient appointments nationwide for weeks. Conti released the decryptor for free; recovery still cost an estimated €100M+. Victim: Health Service Executive (HSE) of Ireland. Loss: $130.0M. Records: 700.0K.
  • AIIMS Delhi ransomware [Ransomware · Contained]: Ransomware encrypted the All India Institute of Medical Sciences in New Delhi — India's most prestigious public hospital — taking patient registration and clinical records offline for two weeks during peak winter patient load. Victim: All India Institute of Medical Sciences (AIIMS) New Delhi. Loss: $15.0M.