[QILIN] – Ransomware Victim: Samera Health
NOTE: No files or stolen information are exfiltrated, downloaded, taken, hosted, seen, reposted, or disclosed by RedPacket Security. Any legal issues relating to the content should be directed at the attackers, not RedPacket Security. This blog is an editorial notice informing that a company has fallen victim to a ransomware attack. RedPacket Security is not affiliated with any ransomware threat actors or groups and will not host infringing content. The information on this page is automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.
AI Generated Summary of the Ransomware Leak Page
On October 22, 2025, a ransomware leak post identifies Samera Health as a victim. Samera Health is described as a United States–based third-party administrator (TPA) that provides health, dental, and vision benefits for employer groups. The post implies that attackers gained access to Samera Health’s networks and exfiltrated data, signaling a data breach that could culminate in public data release, a pattern commonly seen in double-extortion campaigns. The page also presents a profile of the company’s offerings—self-funded and fully insured health plans, dental and vision plans, as well as life and investment annuities—illustrating the breadth of services impacted. A TOX token is listed, and a data-share FTP endpoint is referenced; the login credentials are redacted and the host address has been defanged to reduce risk. A claim URL is provided, suggesting the attackers invite negotiation or contact, and the page includes three images intended to illustrate the claim. The post date is 2025-10-22; no explicit compromise date is given beyond the post date.
The excerpt indicates the attackers’ intent to portray Samera Health’s business and services while signaling a data-exfiltration scenario, rather than a straightforward encryption event. The three accompanying images presumably depict internal visuals or documents, though their exact content is not described. An FTP data-share endpoint is cited and defanged for safety, using a placeholder defang format such as hxxp://datashare:[REDACTED_PASSWORD]@64[.]176[.]162[.]76 to illustrate access without exposing credentials. No ransom figure is shown in the available text. Overall, the leak page reinforces the ongoing ransomware risk to healthcare TPAs and the importance of robust data protection and incident-response readiness.
