
OneBlood's virtual machines encrypted in ransomware attack


OneBlood, a large not-for-profit blood center that serves hospitals and patients in the United States, is dealing with an IT systems outage caused by a ransomware attack.

The organization plays a critical role in ensuring a stable blood supply to the Southeastern part of the country, collecting, testing, and distributing a large volume of blood products. Because of this, there are concerns about surgeries and treatments being impacted.

BleepingComputer received an anonymous tip yesterday from one of our readers, who reported that OneBlood was having issues collecting blood samples at its donor centers and through mobile donation buses.

Today, the organization disclosed that a ransomware attack has impacted its software systems and that it is working with local and federal agencies to respond to the situation appropriately.

"Our comprehensive response efforts are ongoing, and we are working diligently to restore full functionality to our systems as expeditiously as possible," stated OneBlood’s senior vice president, Susan Forbes.

Currently, the firm has fallen back to using manual processes, which are time-consuming and inevitably create inventory availability issues.

"Although OneBlood remains operational and continues to collect, test and distribute blood, they are operating at a significantly reduced capacity," said OneBlood.

A source told BleepingComputer that the attack occurred over the weekend and the ransomware gang encrypted the organization's VMware hypervisor infrastructure.

If you have any information regarding this incident or any other undisclosed attacks, you can contact us confidentially via Signal at 646-961-3731 or at [email protected].

Ransomware gangs commonly target organizations over weekends, when limited staff is available to disrupt the attack. Targeting VMware ESXi servers is an efficient way to encrypt as much data as possible, as an organization's virtual machines are usually spread over a smaller number of physical devices.

Over 250 hospitals in the U.S. that are served by OneBlood have now been asked to activate their critical blood shortage protocols to ensure that existing supplies go to those who need them the most.

To lessen the impact of the cyberattack, a coalition of blood donation centers and the AABB Disaster Task Force are directing blood products to OneBlood so vital blood flow to hospitals and patients in need can continue.

Although OneBlood says it currently needs all blood types, it highlights the need for O Positive, O Negative, and Platelet donations as urgent, so those eligible to donate are asked to arrange an appointment as soon as they can.

The situation is very similar to what the National Health Service (NHS) in the U.K. faced in early June 2024, when a Qilin ransomware attack on pathology provider Synnovis impacted blood transfusions in London.

Supply of O Negative and O Positive blood types quickly dried up there too, as those types are almost universally compatible with recipients and can be safely transfused without testing.

The impact of the cyberattack on Synnovis led the NHS to issue an amber alert, asking hospitals "to restrict the use of O type blood to essential cases and use substitutions where clinically safe to do so."

OneBlood has not provided many details about the ransomware incident, and the attack has not been claimed by any of the major threat groups yet.

The organization said it would inform potentially impacted individuals and offer credit monitoring services to mitigate the risk of their data exposure.

Donor Rewards have not been compromised, but OneBlood has disabled them until work to restore systems is completed, by which time donor rewards will show the correct amount.

