Bell Ambulance ransomware attack: A critical hit to emergency services security

It's become clear that attackers will leave no avenue unexplored to gain access to healthcare data. As if targeting hospitals wasn't enough, threat actors have now turned their attention to emergency medical transportation services to carry out attacks, as witnessed by Bell Ambulance, Inc., which suffered a ransomware attack on February 13, 2025. This attack serves as a lesson for CISOs to strengthen cyber resilience across critical services in the healthcare industry to prevent similar incidents and protect patient care.

Bell Ambulance breach: An overview and timeline

In early 2025, Bell Ambulance, a prominent ambulance service provider based in Milwaukee, Wisconsin, fell victim to a cyberattack attributed to the Medusa ransomware group. On February 13, 2025, Bell Ambulance detected unauthorized activity within its network, indicating a potential security breach. Acknowledging the operational disruption that employees were facing because of this, Bell Ambulance notified employees that the company was working to restore IT systems and resume normal operations after a cybersecurity event. It also added that it was trying to identify if any information was impacted but that it was too early to tell.

On March 2, 2025, the Medusa ransomware group publicly claimed responsibility for the attack on the dark web, asserting it had exfiltrated 219.5GB of data. The group demanded a $400,000 ransom and warned that the stolen data would be auctioned if Bell Ambulance failed to comply with its demands (see Figure 1).

Image source: Comparitech

Figure 1: Medusa ransomware group demands ransom from Bell Ambulance, Inc.

The stolen data included the following information:

• First name
• Last name
• Date of birth
• Social Security numbers
• Driver license details
• Financial records
• Medical records
• Health insurance information

On April 14, 2025, Bell Ambulance publicly disclosed the data breach, stating that it had identified unauthorized activity on its network on February 13, 2025 and had immediately engaged the service of external forensic experts to determine the full extent and scope of the security incident. Additionally, it claims to have responded to the incident by resetting passwords, securing their network, and accounts. Bell Ambulance had started notifying the affected individuals and assisted them in preventing identity theft and fraud from April 14, 2025, as shown here.

While Bell Ambulance, Inc. didn't disclose the number of affected individuals, the Department of Health and Human Services revealed that a staggering 114,000 individuals were impacted by this breach.

While the details of how the attacker entered the network and took control have not been publicly disclosed, the Medusa ransomware group has been operating a certain way since its inception in 2021.

How does the Medusa ransomware group operate?

The Cybersecurity and Infrastructure Security Agency (CISA), in its advisory, #StopRansomware: Medusa Ransomware, explains how this group has been operating and evolving since its inception in June 2021. According to CISA, the RaaS Medusa variant is renowned for employing double extortion techniques to successfully execute its attack.

1. Initial access

Medusa actors use a variety of methods to gain initial access into target environments:

• Phishing emails: Medusa frequently initiates attacks through spear-phishing emails containing malicious attachments or links designed to steal credentials or deploy malware (e.g., remote access trojans).
• Exploiting unpatched vulnerabilities: It scans for known vulnerabilities in public-facing applications, VPNs, and remote desktop services such as Fortinet, Microsoft Exchange, or Citrix, to gain unauthorized access, notably exploiting unpatched vulnerabilities in:
  • Microsoft Exchange Server (ProxyShell, CVE-2021-34473)
  • ScreenConnect Authentication Bypass (CVE-2024-1709)
  • Fortinet EMS SQL Injection (CVE-2023-48788)
• Compromised credentials: Medusa affiliates acquire stolen credentials, often from initial access brokers, to gain unauthorized access to Remote Desktop Protocol (RDP) services.

2. Privilege escalation and lateral movement

Once inside the network, attackers escalate privileges and move laterally to locate sensitive data and prepare for ransomware deployment.

• Living off the land techniques: Medusa leverages legitimate tools such as PowerShell, PsExec, Windows Command Prompt, and WMI to evade detection and maintain persistence. Medusa employs tools such as PDQ Deploy, PDQ Inventory, and SimpleHelp, along with RDP for network reconnaissance and deployment of malicious binaries for exfiltration.
• Active Directory enumeration: Medusa actors map out the network and escalate privileges by extracting credentials, using tools like Mimikatz to harvest plaintext passwords and tokens.
• Disabling security tools: Before deploying ransomware, Medusa often uses techniques like Bring Your Own Vulnerable Driver to deploy signed vulnerable drivers that can disable security tools like antivirus and EDR/XDR agents.

3. Data exfiltration

Medusa employs a double extortion tactic, meaning it not only encrypts data but also exfiltrates it for additional leverage.

• Data theft: Using tools like Rclone, WinSCP, or FileZilla, Medusa actors transfer sensitive corporate and customer data to their command and control servers.
• Evidence of exfiltration: They typically leave proof of stolen files in ransom notes or private chat portals to increase pressure on victims to pay.

4. Ransomware deployment

Once data is exfiltrated and backups are neutralized, Medusa deploys the final ransomware payload.

• Encryption: Medusa deploys an encryptor, gaze.exe, across the network, terminating processes related to backups and security, deleting shadow copies, and encrypting files with AES-256 encryption. The ransomware then appends a .medusa extension.
• Ransom note: Victims receive a ransom note, usually named !!!READ_ME_MEDUSA!!!.txt, with instructions on how to negotiate payment. A Tor-based portal is provided for communication.

5. Extortion

If the victim refuses to pay, Medusa escalates pressure using several public tactics.

• Data leak site: Medusa operates a public leak site, .onion, listing victims and ransom demands.
• Countdown mechanism: Its leak site often includes a countdown timer showing when stolen data will be published if payment isn’t received. The countdown creates a sense of urgency, plays on the victims' desperation, and increases the chances of ransom payment. In some cases, Medusa offers options to delay leaks or delete data for partial payment. To get an extra day of mercy, victims will be asked to pay $10,000 in cryptocurrency.

Key takeaways for CISOs in the healthcare industry

The following takeaways are not limited to emergency medical services, but are also applicable for hospitals and other healthcare-related organizations.

1. Ensure clinical continuity with backup and disaster recovery plans

• Maintain encrypted, off-site backups of electronic health records (EHRs), imaging data, and other critical systems across separate physical or cloud environments.
• Regularly test backup restoration procedures to ensure minimal disruption to patient care and quick data recovery following a security incident like that of the Bell Ambulance ransomware attack.

2. Strengthen identity and access management

• Enforce MFA on all services, especially for critical systems, webmail, and VPNs, and on all access points including remote providers, patient portals, and third-party telehealth services.
• Require strong, NIST-compliant passwords for all user accounts and avoid overly frequent password changes that may compromise security.
• Continuously audit domain controllers, servers, and directories for the presence of suspicious or unrecognized accounts.
• Implement least privilege principles and role-based access control to ensure staff only access data relevant to their responsibilities, and conduct periodic audits of user privileges and immediately revoke access for departing personnel or role changes.

3. Limit the attack surface with network segmentation and monitoring

• Implement network segmentation to isolate medical devices, diagnostic systems, and EHR platforms from administrative systems to prevent the lateral spread of ransomware.
• Deploy UEBA-integrated SIEM, EDR and network monitoring tools to detect unusual activity, including privilege escalation or unauthorized movement between hosts. Use firewall rules and VLANs to separate and monitor traffic across different departments such as radiology, emergency medicine, surgery, and billing.
• Harden remote access and limit exposure by securing remote access via VPNs or jump hosts and disabling unused ports and services.

4. Disable exploitable tools and features

• Restrict or disable command-line and scripting capabilities such as PowerShell, WMI, and macros on clinical workstations where not needed.
• Closely monitor servers hosting EHRs, picture archiving and communication systems, or other sensitive applications for anomalous behavior.

5. Prioritize patch management and vulnerability remediation

• Rapidly patch known exploited vulnerabilities, especially in email gateways, remote access tools, and clinical software platforms.
• Track and manage medical software vendors’ patch cycles to ensure timely updates.

Related solutions