Nonprofit OneBlood Notifies Individuals Impacted by Ransomware Attack
On July 31, 2024, OneBlood, a Florida-based nonprofit blood donation organization serving 350 hospitals in the Southeastern United States, announced it had suffered a ransomware attack.
The breach disrupted its IT systems, forcing the organization to rely on slower manual processes for blood collection, testing, and distribution. As a result, hospitals implemented critical blood shortage protocols, with an urgent appeal for O-positive and O-negative blood and platelet donations.
The attack, attributed to the RansomHub ransomware group, compromised OneBlood’s VMware hypervisor infrastructure, with data encrypted over a two-week period from July 14 to July 29, 2024, HIPAA Journal reports.
While OneBlood initially claimed it was unclear if donor data was accessed, subsequent investigations confirmed the theft of personal information, including names and Social Security numbers of blood donors.
Notification letters began reaching affected individuals in January 2025, nearly six months after the breach, offering 12 months of free credit monitoring and urging vigilance for fraudulent activity dating back to the breach’s onset.
The national blood community, led by the AABB Disaster Task Force, mobilized to assist OneBlood, directing additional blood supplies to mitigate shortages. Meanwhile, OneBlood worked around the clock with cybersecurity specialists to restore its systems.
The attack is part of a troubling trend, with ransomware incidents targeting healthcare organizations like Synnovis in the UK and OctaPharma Plasma in the U.S., causing significant disruptions to blood supplies.
The OneBlood incident underscores the vulnerability of critical healthcare infrastructure and the severe consequences ransomware attacks can have on public health and safety.
Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, RansomHub is a ransomware-as-a-service (RaaS) platform that emerged in early 2024 and has quickly established itself as a dominant force in the ransomware landscape.
Initially thought to have ties to LockBit due to operational similarities, a closer analysis revealed its code is strongly influenced by the now-defunct Knight ransomware group. Written in Golang, RansomHub’s malware is capable of targeting both Windows and Linux systems.
The Knight group’s code was reportedly sold in February 2024, a move that likely fueled RansomHub’s development by enabling rapid integration of advanced features.
RansomHub distinguishes itself through a highly lucrative affiliate program, offering partners up to 90% of ransom payments, making it one of the most attractive RaaS platforms. Affiliates are bound by strict policies requiring adherence to negotiated agreements with victims, with noncompliance resulting in permanent bans. This structured approach underscores RansomHub’s commitment to maintaining a reliable operational model.
Technically sophisticated, RansomHub exploits unpatched vulnerabilities such as Citrix NetScaler ADC and Gateway (CVE-2023-3519), Fortinet SSL-VPN (CVE-2023-27997), and Microsoft Netlogon (CVE-2020-1472). It complements these exploits with brute-force attacks on weak credentials, gaining unauthorized access to systems.
Once inside, it disables Endpoint Detection and Response (EDR) systems using tools like EDRKillShifter and employs PowerShell and WMI for malicious commands, privilege escalation, and persistent access. RansomHub also uses network reconnaissance tools like Nmap and AngryIPScanner, alongside utilities such as PsExec and RDP for lateral movement.
RansomHub employs double extortion tactics, encrypting data with Curve25519, ChaCha20, and AES algorithms while stealing sensitive information to pressure victims. The group is particularly strategic, targeting high-value sectors like healthcare. Notable operations include a $22 million ransom demand from Change Healthcare.
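As an added defensive illustration (not code from Halcyon, from the Power Rankings report, or from RansomHub itself), the Python sketch below turns the post-access behaviours listed above (PsExec service installation, Nmap and Angry IP Scanner execution, encoded PowerShell, shells spawned via WMI, RDP logons, and an EDR service being stopped) into simple detection rules and runs them over constructed Windows event records, then flags hosts where several distinct behaviours line up. Field names follow Windows System/Security log fields (Event IDs 7045, 7036, 4688, 4624); the binary name `ipscan.exe` for Angry IP Scanner and the service name `Example EDR Agent` are assumptions, and every log line is constructed, not real OneBlood telemetry.

```python
"""Rule-based detection sketch for the RansomHub post-access behaviours named above.

Added example, not Halcyon's or the ransomware group's code. Event records are a
simplified JSON rendering of Windows System/Security log fields.
"""
import json
from collections import defaultdict

# Constructed sample telemetry (one JSON object per line, not real data).
SAMPLE_LOG = r"""
{"EventID": 7045, "Host": "WS-12", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
{"EventID": 4688, "Host": "WS-12", "NewProcessName": "C:\\Tools\\nmap.exe", "ParentProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "nmap.exe -sS 10.0.0.0/24"}
{"EventID": 4688, "Host": "WS-07", "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentProcessName": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEAQQA="}
{"EventID": 4624, "Host": "SRV-DB1", "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.0.5.23"}
{"EventID": 4688, "Host": "WS-03", "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "ParentProcessName": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
{"EventID": 7036, "Host": "WS-12", "ServiceName": "Example EDR Agent", "State": "stopped"}
{"EventID": 4688, "Host": "SRV-DB1", "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "cmd.exe /c whoami"}
"""

# Assumed binary names: Nmap's nmap.exe and Angry IP Scanner's ipscan.exe.
SCANNER_BINARIES = {"nmap.exe", "ipscan.exe"}
# Placeholder EDR service name; replace with the product actually deployed.
EDR_SERVICE_NAMES = {"example edr agent"}
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}


def _lower(event, key):
    return str(event.get(key, "")).lower()


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def rule_psexec_service_install(e):
    # System log 7045: a service was installed. PSEXESVC is PsExec's default name.
    return e.get("EventID") == 7045 and (
        _lower(e, "ServiceName") == "psexesvc" or "psexec" in _lower(e, "ImagePath"))


def rule_recon_scanner(e):
    # Security log 4688: process creation of a known network scanner.
    return e.get("EventID") == 4688 and _basename(_lower(e, "NewProcessName")) in SCANNER_BINARIES


def rule_encoded_powershell(e):
    cmd = _lower(e, "CommandLine")
    return e.get("EventID") == 4688 and "powershell" in cmd and bool(ENCODED_FLAGS & set(cmd.split()))


def rule_wmi_spawned_shell(e):
    # A shell whose parent is the WMI provider host points at remote WMI execution.
    parent = _basename(_lower(e, "ParentProcessName"))
    child = _basename(_lower(e, "NewProcessName"))
    return e.get("EventID") == 4688 and parent == "wmiprvse.exe" and child in {"cmd.exe", "powershell.exe"}


def rule_rdp_logon(e):
    # Security log 4624 with logon type 10 is a RemoteInteractive (RDP) logon.
    return e.get("EventID") == 4624 and int(e.get("LogonType", 0)) == 10


def rule_edr_service_stopped(e):
    # System log 7036: a service changed state; the EDR agent stopping is suspicious.
    return (e.get("EventID") == 7036 and _lower(e, "ServiceName") in EDR_SERVICE_NAMES
            and _lower(e, "State") == "stopped")


RULES = {
    "psexec_service_install": rule_psexec_service_install,
    "recon_scanner": rule_recon_scanner,
    "encoded_powershell": rule_encoded_powershell,
    "wmi_spawned_shell": rule_wmi_spawned_shell,
    "rdp_logon": rule_rdp_logon,
    "edr_service_stopped": rule_edr_service_stopped,
}


def parse_log(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events):
    """Return one finding dict per (rule, event) match."""
    findings = []
    for event in events:
        for name, rule in RULES.items():
            if rule(event):
                findings.append({"rule": name, "host": event.get("Host", "?"), "event": event})
    return findings


def hosts_with_multiple_rules(findings, threshold=2):
    """Hosts where at least `threshold` distinct rules fired: candidates for triage."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['host']:8} {f['rule']}")
    print("Hosts with multiple hits:", hosts_with_multiple_rules(found))
```

Each rule on its own is noisy (administrators also use PsExec and RDP); the per-host correlation in `hosts_with_multiple_rules` is what turns individual hits into something worth paging on, and in a real deployment the same logic would run over a SIEM query rather than an inline string.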
By recruiting affiliates from disbanded groups and maintaining a regularly updated codebase, RansomHub has become one of the most active ransomware groups, topping attack volumes in Q4 2024. Its rapid growth signals a well-funded operation with a focus on long-term dominance.
Notable victims include Change Healthcare, City of Marietta Georgia, Bologna FC, Aras Group, Kovra, Computan, Scadea Solutions, Christie’s Auction House, NRS Healthcare, and Frontier Communications.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.