Payload Ransomware Claims the Hack of Royal Bahrain Hospital
- Mar 15
Key Findings
- Payload Ransomware claims to have breached Royal Bahrain Hospital (RBH)
- 110 GB of data allegedly stolen
- Threat to release data if ransom not paid by March 23, 2026
- Attack targets a healthcare facility serving multiple Middle Eastern countries
Background
Royal Bahrain Hospital, established in 2011, is a 70-bed healthcare facility providing comprehensive medical services including surgery, maternity care, and diagnostics. Located in Bahrain, the hospital serves patients from multiple Middle Eastern countries, including Oman, Qatar, Saudi Arabia, and the United Arab Emirates.
Attack Details
The Payload Ransomware group has added RBH to its Tor data leak site and published images of allegedly compromised systems as evidence of the breach. The attack follows the group's typical double-extortion model, which involves both data theft and file encryption to pressure victims into paying the ransom.
Payload Ransomware Characteristics
Payload is a relatively new cybercrime operation characterized by:
- Targeting mid- to large-size companies
- Focusing on emerging markets
- Operating in sectors like real estate and logistics
- Using advanced technical capabilities including:
  - ChaCha20 for file encryption
  - Curve25519 for key exchange
  - Ability to delete shadow copies
  - Capability to disable security tools
Potential Implications
The attack on a healthcare facility raises significant concerns about:
- Patient data privacy
- Potential disruption of critical medical services
- Vulnerability of healthcare infrastructure to cybercrime
- Potential regional impact given the hospital's multi-country patient base
Operational Model
The group likely operates under a ransomware-as-a-service (RaaS) model, using a Tor-based leak site to publish data from victims who do not comply with ransom demands.
Sources
https://securityaffairs.com/189467/cyber-crime/payload-ransomware-claims-the-hack-of-royal-bahrain-hospital.html
https://unsafe.sh/go-402334.html
