The “Sleeper” Threat Targeting U.S. Healthcare
Date: February 8, 2026
Threat Level: High (Active Campaign)
Classification: Ransomware-as-a-Service (RaaS) / Extortion Group
The ransomware landscape has been jolted by the sudden emergence of a new group calling itself Insomnia. First detected on February 7, 2026, the group executed a “mass-dump” strategy, listing 17 victims in a single 24-hour window.
Unlike “spray-and-pray” operations, Insomnia exhibits highly calculated behavior. Their defining characteristic is a massive dwell time (averaging ~70 days) between initial compromise and public extortion. They appear to specialize in the Healthcare and Legal sectors, targeting organizations where operational downtime is critical.
1. Executive Summary & Key Findings
- Sudden Emergence: Insomnia appeared on February 7, 2026, with a fully functional TOR leak site and 17 simultaneous victim postings.
- Sector Focus: The group is hyper-focused on Healthcare (53%), specifically small-to-mid-sized providers (nursing homes, dialysis centers, private practices).
- The “Sleeper” Tactic: Comparing the “Estimated Attack Dates” with the listing dates shows that Insomnia compromises networks months in advance (the earliest dating back to October 2025) and waits, on average, nearly 70 days before the victim is publicly listed for extortion.
- Geographic Bias: 88% of targets are based in the United States, with isolated incidents in Brazil and Singapore.
- Infostealer Anomaly: Despite the prevalence of infostealer-led intrusions in 2026, none of Insomnia’s current victims appear in known infostealer logs (0.0% overlap). This suggests initial access via exploited edge services (VPN/RDP) or highly targeted phishing rather than purchased commodity credentials.
2. Victimology & Targeting
The victim profile of Insomnia is distinct and alarming. While many major RaaS groups (like BlackCat or LockBit) claim to avoid hospitals, Insomnia appears to actively hunt them.
Sector Breakdown
- Healthcare (9 Victims): The primary target. Victims include Carlyle Senior Care (Nursing Home), Flint Hills Dialysis (Critical Care), and SchureMed (Surgical Equipment). The targeting of dialysis and nursing facilities suggests a ruthless “pressure tactic” model—these organizations cannot afford downtime without risking patient lives.
- Legal (2 Victims): Law firms like Gruel Mills Nims Pylman and Dunn and Dunn. This indicates a focus on sensitive data exfiltration for leverage.
- Manufacturing (2 Victims): Specialized manufacturers like Parts Life, Inc. (Defense/Engineering) and DeVal LCS (Armament/Ground Support).
Geographic Heatmap
- United States: 15 Victims (Dominant)
- Brazil: 1 Victim (Chiarottino – Law Firm)
- Singapore: 1 Victim (Enviro-Hub Holdings)
3. Operational TTPs (Tactics, Techniques, Procedures)
Based on the estimated attack dates and listing dates of the 17 disclosed victims, we can reconstruct Insomnia’s operational rhythm.
Phase 1: Silent Infiltration (The “Insomnia” Phase)
- Dwell Time: The group sits on compromised networks for an average of 69.9 days.
- Example: Integrated Fresh Solutions was likely compromised on Oct 8, 2025, but was not listed until Feb 7, 2026.
- Objective: This long dwell time is likely used for:
- Backup Destruction: Slowly enumerating and corrupting backups to ensure encryption is irreversible.
- Data Mining: Identifying the most sensitive files (patient records, legal settlements) to maximize extortion leverage.
Phase 2: The Mass Wake-Up
- Batch Extortion: Rather than trickling victims out one by one, Insomnia “woke up” on Feb 7, posting a backlog of victims simultaneously. This tactic is designed to overwhelm threat intelligence researchers and create immediate brand notoriety.
Phase 3: Infrastructure
- Web Server: The leak site runs on nginx 1.22.1.
- Tor Address: i62huw7ve22rpyw6lnq3kmfump2dmsg4xpveec3ere73njwatrz74gad.onion
- Communication: Negotiation is conducted over the Tox protocol rather than email, which is easier to block and monitor.
4. Technical Intelligence & IoCs
Security Operations Centers (SOCs) should add the following indicators to their watchlists immediately. Note their limits: the Tor address and Tox ID will surface in ransom notes and negotiation material, which makes them attribution indicators rather than something a victim’s network sensors will observe, and the nginx banner is shared with countless unrelated servers.
Indicators of Compromise (IoCs)
| Type | Value | Context |
|---|---|---|
| Tor URL | i62huw7ve...gad.onion | Primary Data Leak Site (DLS); full address in section 3 |
| TOX ID | FA21E360945F602504728A05A39758C38B6A5B5DA1969717AF05838D14FDCD3DE17455833F11 | Threat actor negotiation ID (expect it in ransom notes) |
| Server | nginx 1.22.1 | Leak-site web server banner; a common distribution default, not a hunting indicator on its own |
YARA / Hunting Rules
Currently, no unique binary samples have been publicly isolated for YARA rule generation. However, based on the target profile, defenders should monitor for:
- Unusual Outbound Traffic: Sustained outbound transfers from one internal host to a single external destination in the 60-90 day window before disclosure. Given the dwell time, expect a “low and slow” pattern spread over many days rather than a single large burst.
- Lateral Movement: Review logs from Oct 2025 – Jan 2026 for suspicious RDP connections or new admin account creations.
5. Strategic Recommendations
1. Retroactive Log Review (90 Days)
Because of the ~70-day average delay, recent logs may show nothing. Review logs back to at least October 2025, the earliest estimated compromise date, with particular attention to November and December 2025. Look for:
- Unrecognized VPN logins.
- “Low and slow” data exfiltration.
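The hunts called for in section 4 (sustained outbound transfers and RDP or new-admin activity between October 2025 and January 2026) and in the retroactive review above can be run as one pass over exported logs. The script below is an added example written for this article; it is not tooling from the report, from any vendor, or from the threat actor. The flow records and Windows Security events it processes are constructed, and the field names are assumptions to be mapped onto your own exports. It flags host/destination pairs that exceed a modest daily volume on many distinct days, RDP logons (event 4624, logon type 10) from source IPs absent from the baseline period, and accounts created (4720) and promoted to Administrators (4732) within a few days.

```python
"""Retrospective hunt for the dwell-time pattern described in sections 4 and 5.

Added example for this article, not tooling from the report or the actor.
Three checks over exported logs:
  1. "low and slow" exfiltration: one internal host sending a moderate daily
     volume to the same external address on many distinct days;
  2. RDP logons (Windows 4624, logon type 10) from a source IP never seen in
     RDP logons during the baseline period;
  3. accounts created (4720) and added to Administrators (4732) shortly after.
All records and field names below are constructed/assumed; map them onto your
own flow and Windows Security exports.
"""
from collections import defaultdict
from datetime import date, timedelta
import ipaddress

START = date(2025, 10, 1)  # start of the review window used in the sample data

# Constructed flow records: (day, source host, destination IP, bytes out).
FLOWS = []
for d in (3, 17, 40):  # bursty SaaS uploads on three days: normal behaviour
    FLOWS.append((START + timedelta(days=d), "ws-finance-02", "52.10.8.9", 900_000_000))
for d in range(45):  # ~60 MB every day for 45 days to one arbitrary external IP
    FLOWS.append((START + timedelta(days=d), "fileserver-01", "91.200.12.34", 60_000_000))
for d in range(45):  # large internal replication to an RFC1918 address: ignored
    FLOWS.append((START + timedelta(days=d), "fileserver-01", "10.0.5.20", 2_000_000_000))

# Constructed Windows Security events, simplified to the fields the hunts use
# (real 4732 events carry the member in MemberName and the group in TargetUserName).
AUTH = [
    {"day": date(2025, 9, 2), "event_id": 4624, "logon_type": 10, "src_ip": "10.0.9.14", "user": "itadmin"},
    {"day": date(2025, 9, 20), "event_id": 4624, "logon_type": 10, "src_ip": "10.0.9.14", "user": "itadmin"},
    {"day": date(2025, 10, 8), "event_id": 4624, "logon_type": 10, "src_ip": "10.0.44.201", "user": "helpdesk"},
    {"day": date(2025, 10, 8), "event_id": 4720, "user": "svc_backup"},
    {"day": date(2025, 10, 9), "event_id": 4732, "user": "svc_backup", "group": "Administrators"},
    {"day": date(2025, 11, 15), "event_id": 4624, "logon_type": 10, "src_ip": "10.0.9.14", "user": "itadmin"},
]


def find_low_and_slow(flows, min_days=20, min_bytes_per_day=10_000_000):
    """Return (src, dst, active_days, total_bytes) for host/destination pairs
    that exceeded min_bytes_per_day on at least min_days distinct days.
    Only globally routable destinations count; internal traffic is skipped."""
    per_pair = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if not ipaddress.ip_address(dst).is_global:
            continue
        per_pair[(src, dst)][day] += nbytes
    hits = []
    for (src, dst), by_day in per_pair.items():
        active = [b for b in by_day.values() if b >= min_bytes_per_day]
        if len(active) >= min_days:
            hits.append((src, dst, len(active), sum(active)))
    return sorted(hits)


def find_new_rdp_sources(events, baseline_end):
    """RDP logons on or after baseline_end whose source IP never performed an
    RDP logon before baseline_end."""
    rdp = [e for e in events if e["event_id"] == 4624 and e.get("logon_type") == 10]
    known = {e["src_ip"] for e in rdp if e["day"] < baseline_end}
    return [(e["day"], e["src_ip"], e["user"]) for e in rdp
            if e["day"] >= baseline_end and e["src_ip"] not in known]


def find_new_admins(events, max_gap_days=7):
    """Accounts that were created (4720) and then added to the local
    Administrators group (4732) within max_gap_days."""
    created = {e["user"]: e["day"] for e in events if e["event_id"] == 4720}
    hits = []
    for e in events:
        if e["event_id"] == 4732 and e.get("group") == "Administrators":
            born = created.get(e["user"])
            if born is not None and 0 <= (e["day"] - born).days <= max_gap_days:
                hits.append((e["user"], born, e["day"]))
    return hits


if __name__ == "__main__":
    for hit in find_low_and_slow(FLOWS):
        print("low-and-slow exfiltration candidate:", hit)
    for hit in find_new_rdp_sources(AUTH, baseline_end=START):
        print("RDP logon from source unseen in baseline:", hit)
    for hit in find_new_admins(AUTH):
        print("new account promoted to Administrators:", hit)
```

The thresholds are deliberately low: the point of the first check is persistence across many days, not size, so a host that sends a few gigabytes on three days (normal SaaS use in the sample) is not flagged while a host sending tens of megabytes every day for six weeks is. Set the baseline for the RDP check to end before the earliest estimated compromise date (October 2025 here) so that attacker-introduced sources do not contaminate the set of “known” addresses.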
2. Healthcare Sector Alert
Organizations in the healthcare supply chain (specifically dialysis, nursing, and specialized clinics) should consider themselves active targets.
- Action: Verify all external-facing remote access (Citrix/VPN) is patched and MFA-enforced.
3. Negotiation Caution
Insomnia is a new brand. There is no historical data on whether they honor decryption agreements. Proceed with extreme caution in any negotiations.
Monitor This Threat
This article is based on the initial “Day 1” dump. The TTPs may evolve rapidly. Subscribe to our threat feed for real-time updates on Insomnia’s binary analysis and decryption capabilities.