Monthly threat intelligence for Indian healthcare CISOs, hospital boards, pharma security leaders, and SOC teams. This edition covers verified developments from January–July 2026: a sustained ransomware surge concentrated in healthcare, a large-scale credential-compromise campaign targeting Fortinet perimeter devices with India among the most affected geographies, structural exposure across connected medical device estates, and tightening regulatory deadlines under CERT-In and DPDP. Every item is tied to public reporting with a named source and publication date. India is the operating lens; figures are reported as published.
1. Sector Snapshot
Indian healthcare and pharma continue to rank among the country's most targeted verticals. The India Cyber Threat Report 2026 (Seqrite) found that education, healthcare, and manufacturing together accounted for nearly 47% of all malware detections across the October 2024–September 2025 reporting window. Globally, the Health-ISAC 2026 Annual Threat Report documented 455 ransomware incidents against health organisations in 2025 alone, with threat groups increasingly combining data exfiltration and encryption pressure against providers whose operations cannot tolerate extended downtime. The immediate risk drivers for Indian healthcare are four: ransomware operators actively targeting care delivery and pharma R&D networks, credential-compromise campaigns exposing Fortinet perimeter devices at scale, unmanaged connected medical device exposure within clinical networks, and converging compliance obligations under CERT-In and the Digital Personal Data Protection framework.
By June 2026, public reporting attributed 168 confirmed healthcare-sector victims to Qilin, its third-largest vertical after manufacturing and business services. The group operates as a ransomware-as-a-service with a distributed affiliate model; TTPs therefore vary by operator, but the consistent pattern is data exfiltration before encryption followed by leak-site pressure — a combination that exploits both patient care disruption and data-breach liability to maximise coercion. Ransomware incidents affecting healthcare globally rose approximately 30% in H1 2026 versus H1 2025, with patient records commanding up to ten times the value of financial records on criminal markets. For Indian hospitals and pharma networks, the risk is operational: HIS, PACS, EMR, billing, and lab systems are tightly coupled, and a single encrypted domain can cascade across clinical workflows.
India exposurehospital groups, diagnostics chains, and pharma R&D networks running tightly-coupled HIS, PACS, EMR, and billing systems with internet-facing remote access.
Actionenforce MFA on all clinical and vendor accounts, patch internet-facing VPN appliances, and validate immutable backups covering HIS, PACS, EMR, and billing before an incident forces the test.
SourceThe Cyber Express, "Qilin and INC Ransom Drive 2026 Ransomware Surge" (3 Jun 2026); Health-ISAC Annual Threat Report 2026, GlobeNewswire (26 Jan 2026).
2
FortiBleed credential-compromise campaign — India among the most affected geographies
In mid-June 2026, a large-scale credential-compromise campaign — dubbed FortiBleed — was identified targeting internet-facing Fortinet FortiGate firewalls and SSL-VPN gateways. Threat actors assembled credentials from prior Fortinet-related breach dumps and infostealer malware logs, then tested them systematically against exposed devices. Reporting confirmed working administrator credentials for over 30,000 devices, with estimated total affected scope of approximately 75,000 devices across 194 countries. India appeared among the highest-concentration geographies, alongside the United States. Affected sectors included healthcare, government, finance, and critical infrastructure. The technical enabler: Fortinet's legacy SHA-256 credential hashing (used in FortiOS versions prior to 7.2.11, 7.4.8, and 7.6.1) is retained from earlier firmware until an administrator logs in post-upgrade — patching the firmware alone does not re-hash stored credentials. Compromised devices were observed being used as listening posts to capture additional VPN credentials in transit. CISA issued an alert urging hardening of Fortinet devices on 18 June 2026.
India exposurehospitals and diagnostics chains using Fortinet FortiGate and SSL-VPN perimeters for branch connectivity and remote access.
Actiontreat all credentials predating FortiOS 7.2.11/7.4.8/7.6.1 as compromised — rotate immediately, enforce phishing-resistant MFA, and confirm each device had a post-upgrade administrator login to trigger credential re-hashing.
SourceArctic Wolf, "Active FortiBleed Campaign Impacting Fortinet Devices Across 194 Countries" (17 Jun 2026); CISA alert, "CISA Urges Hardening Fortinet Devices After Reports of Credential Exposure" (18 Jun 2026).
The Health-ISAC 2026 Annual Threat Report identified Qilin, INC Ransom, and SAFEPAY as the most active ransomware groups against health organisations in 2025. Alongside encryption and extortion, the report documented the growing use of ClickFix and FileFix social engineering techniques — which embed malicious execution steps in web-page overlays or fake file-handling prompts — and QR-code phishing (quishing) targeting clinical staff. These methods are notable because they bypass traditional email and endpoint controls by exploiting workflow urgency, a vulnerability healthcare environments face acutely. AI-assisted phishing was ranked as the top anticipated threat for 2026 by surveyed health executives.
India exposureclinical staff and shared clinical workstations vulnerable to overlay-based and QR-code social engineering that bypasses email and endpoint controls.
Actionbrief clinical staff on ClickFix, FileFix, and quishing patterns; extend detection to web-page overlay execution and fake file-handling prompts; assume AI-assisted phishing will defeat template-based email filtering.
SourceHealth-ISAC Annual Threat Report 2026, GlobeNewswire (26 Jan 2026).
3. Sector Tech & Exposures
IoMT and imaging device vulnerability posture. Claroty's "State of CPS Security: Healthcare Exposures 2025" analysed 2.25 million IoMT devices and 647,000 operational technology devices across 351 healthcare organisations, finding that 99% of hospitals managed at least one connected medical device with a known exploited vulnerability (KEV). Of imaging systems — MRI, CT, X-ray, ultrasound, and PACS — 28% contained KEVs; 11% of imaging systems carried KEVs linked to confirmed ransomware campaigns. Separately, 20% of hospital information systems contained KEVs tied to ransomware groups. For Indian hospitals, this maps onto PACS/DICOM workstations, infusion pumps, patient monitors, and HIS/EMR platforms, many of which run end-of-life Windows, are not covered by active endpoint protection, and reside on networks that permit clinical-to-corporate traversal.
Source (with date): Claroty Team82, "State of CPS Security: Healthcare Exposures 2025"; HIPAA Journal (27 Mar 2025).
PAN-OS GlobalProtect authentication bypass — CVE-2026-0257. CVE-2026-0257 (CVSS 9.1) in the GlobalProtect portal and gateway allows authentication bypass through forged session cookies when a shared TLS certificate is used for both HTTPS service and authentication override. Exploitation was observed by Rapid7 MDR from 17 May 2026. CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities catalogue on 29 May 2026. Healthcare VPN deployments using GlobalProtect should verify certificate configuration and apply available patches; any deployment where the authentication override certificate is shared with the HTTPS service certificate is directly vulnerable.
Source (with date): Palo Alto Networks Unit 42; CISA KEV (29 May 2026); Rapid7 MDR (17 May 2026).
4. Regulatory & Compliance Watch
CERT-In AI Blueprint CISG-2026-02 — 12-hour remediation for internet-facing systems. On 25–26 May 2026, CERT-In published a 38-page directive — "Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure" (CISG-2026-02) — establishing risk-based remediation timelines. The central requirement for healthcare organisations: known exploited vulnerabilities on internet-facing and crown-jewel systems must be contained, patched, or mitigated within 12 hours where feasible. The graduated timeline extends to one day for critical external exposures, three days for critical internal high-value systems, and five days for high-severity internal vulnerabilities. For Indian hospitals operating internet-facing patient portals, telemedicine platforms, ABDM integrations, and Fortinet or PAN-OS VPN gateways, these timelines are now the operational benchmark. The existing 6-hour incident reporting obligation to CERT-In remains separately in force.
Source (with date): The Hacker News, "CERT-In Recommends 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks" (26 May 2026); Medianama, "CERT-In releases blueprint for defending against AI-assisted cyber threats" (May 2026).
DPDP Rules 2025 — phased obligations, healthcare-specific pressure points. The Digital Personal Data Protection Rules were notified by MeitY on 13 November 2025, with phased implementation: the Data Protection Board of India became operational immediately; the Consent Manager framework registration provisions take effect 13 November 2026 — the next near-term milestone; substantive compliance obligations (breach notification, data-principal rights, retention and erasure mandates, and reasonable security safeguards) come into full enforcement at 13 May 2027. For healthcare, the critical obligations are the requirement to maintain reasonable security safeguards for high-value personal data including health records, and a 72-hour breach notification requirement. Non-compliance with security safeguard obligations carries a maximum penalty of ₹250 crore. Hospitals engaged in ABDM integrations and ABHA-linked data flows should map consent architecture to the November 2026 Consent Manager milestone now. The DPDP framework does not reproduce the "sensitive personal data" category from the older IT Rules 2011 in equivalent form; however, health data by nature requires explicit consent for processing and triggers the highest-consequence safeguard obligations.
Attribution confidence: Moderate-to-high. Qilin is publicly attributed to a Russia-linked ransomware-as-a-service operation. The affiliate model introduces TTP variation across campaigns.
Why Indian healthcare is at risk: With 168 publicly confirmed healthcare victims by June 2026, Qilin is the most active ransomware group targeting the sector. Indian hospitals with internet-facing remote access, unpatched VPN appliances, and insufficient MFA on clinical and vendor accounts match the access profile exploited in documented incidents. The group has been documented attracting displaced affiliates following disruption of other RaaS operations in 2025, expanding its operational capacity.
Hallmarks: Initial access via exposed remote services and valid or stolen credentials; data staging and exfiltration before deployment of the locker; Qilin/Agenda locker with Linux and ESXi variants capable of targeting hospital virtualisation clusters; double-extortion via leak site. No public source in this research window identified a named Indian hospital victim or India-specific Qilin indicator of compromise.
Relevant ATT&CK techniques: T1133 (External Remote Services), T1078 (Valid Accounts), T1486 (Data Encrypted for Impact), T1567 (Exfiltration Over Web Service), T1490 (Inhibit System Recovery).
Source (with date): The Cyber Express (3 Jun 2026); Barracuda Networks, "Qilin ransomware surges into 2026" (15 Jan 2026).
6. IOC Pack
No public source in this research window attributed a verified India-specific Qilin or FortiBleed-related indicator of compromise against a named Indian hospital or pharma organisation. Accordingly, host-specific IOCs are not reproduced here. Reference primary advisories for current hash, IP, and domain indicators:
- Qilin TTP and indicator references: The Cyber Express (3 Jun 2026); Barracuda Networks (15 Jan 2026); SOCRadar Qilin profile (2026) - FortiBleed device check and credential compromise: Arctic Wolf (17 Jun 2026); CISA alert (18 Jun 2026); SOCRadar FortiBleed analysis (2026) - CVE-2026-0257 (GlobalProtect): Palo Alto Networks Unit 42 advisory; CISA KEV catalogue entry (29 May 2026)
Behavioural detection focus (applicable to Qilin and similar operators): anomalous SMB/CIFS enumeration across clinical shares; mass file reads from HIS, EMR, or billing file stores; volume shadow copy deletion; new privileged account creation outside change windows; large outbound data transfers to cloud file-hosting or sharing services; new SSL-VPN sessions from unrecognised hosts or unusual geographies; ESXi management access outside maintenance windows. Map detections to ATT&CK T1133, T1078, T1486, T1567, T1490.
7. Recommended Actions
Board: Treat ransomware as a patient-safety and business-continuity risk at the same level as a physical infrastructure failure. Approve funding for clinical network segmentation separating IoMT/PACS environments from corporate IT. Confirm DPDP breach notification readiness ahead of the 13 May 2027 hard date; the 72-hour notification clock runs from detection, not containment. Engage the compliance programme now — the gap between current state and the substantive obligations is typically 12–18 months of preparation.
CISO: Treat all Fortinet VPN and firewall credentials predating FortiOS 7.2.11/7.4.8/7.6.1 as compromised; force rotation and enforce MFA on administrative and remote-access accounts immediately. Apply PAN-OS patches for CVE-2026-0257 and verify GlobalProtect certificate configuration. Inventory all IoMT, PACS, and HIS assets; identify those carrying CISA-listed KEVs; prioritise segmentation and patch deployment. Map internet-facing systems to the CERT-In CISG-2026-02 12-hour remediation SLA. Require SBOMs in medical device and HIS procurement contracts per CERT-In SBOM guidance. Align consent management architecture and data flows to ABDM and DPDP ahead of the November 2026 Consent Manager milestone.
SOC: Review FortiGate management logs and SSL-VPN authentication events from mid-June 2026 onwards for anomalous sessions; assume credentials may be compromised even on patched hardware if post-upgrade login was not completed. Activate detections for the Qilin behavioural patterns listed above. Validate immutable, tested backups covering HIS, PACS, EMR, and billing systems. Rehearse a healthcare-specific ransomware runbook that includes CERT-In's 6-hour incident reporting obligation and clinical failover procedures for radiology and emergency workflows. Extend EDR coverage to BOSS Linux and Windows-based clinical workstations; coverage gaps on clinical endpoints are a documented risk pattern in Indian healthcare.
8. Source Index
1. The Cyber Express — "Qilin and INC Ransom Drive 2026 Ransomware Surge," 3 June 2026. 2. Health-ISAC — Annual Threat Report 2026 (Global Health Sector Threat Landscape); GlobeNewswire, 26 January 2026. 3. Arctic Wolf — "Active FortiBleed Campaign Impacting Fortinet Devices Across 194 Countries," 17 June 2026. 4. CISA — Alert, "CISA Urges Hardening Fortinet Devices After Reports of Credential Exposure," 18 June 2026. 5. Claroty Team82 — "State of CPS Security: Healthcare Exposures 2025"; HIPAA Journal, 27 March 2025. 6. Palo Alto Networks Unit 42 — CVE-2026-0257 GlobalProtect advisory, May 2026. 7. CISA KEV — CVE-2026-0257 entry, 29 May 2026; Rapid7 MDR exploitation observation, 17 May 2026. 8. The Hacker News — "CERT-In Recommends 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks," 26 May 2026. 9. Medianama — "CERT-In releases blueprint for defending against AI-assisted cyber threats," May 2026. 10. MeitY / PIB — Digital Personal Data Protection Rules 2025 notification, 13 November 2025. 11. Seqrite — India Cyber Threat Report 2026; itvoice.in, January 2026. 12. Barracuda Networks — "Qilin ransomware surges into 2026," 15 January 2026. 13. SOCRadar — "Dark Web Profile: Qilin (Agenda) Ransomware," 2026; "FortiBleed: 86,644 Fortinet Firewalls Compromised," 2026. 14. India Briefing — DPDP Rules 2025 implementation timeline, 2025–2026.
9. Byline
Compiled by the Nirad Threat Research team. Items verified against named public sources before inclusion; no leaked or stolen data is reproduced. Indicators referenced from public advisories only.
1
Nirad Threat Research
Bharat-first threat intelligence for healthcare. Segment clinical networks. Rotate credentials. Report on time.