Anubis Ransomware Is Exploiting Citrix Bleed 2: What to Check
A Gateway Flaw and a Ransomware Crew, Working Together
The device that lets your staff log in from home can also be the quietest way into your network. New research this week is a sharp reminder: affiliates of the Anubis ransomware operation are exploiting a critical Citrix flaw to break in, then hiding inside the very remote-support tools that IT teams use every day. Healthcare is on their target list.
According to The Hacker News, reporting on an Arctic Wolf Labs investigation, Anubis affiliates have been exploiting Citrix Bleed 2 (CVE-2025-5777) — a critical flaw (CVSS 9.3) in Citrix NetScaler ADC and Gateway configured as a Gateway or AAA virtual server — to gain initial access. The bug lets an unauthenticated attacker read memory from the appliance and lift session tokens, which can be replayed to hijack a logged-in session and slip past multi-factor authentication. The crew has claimed 91 victims on its leak site, and the reported target sectors include healthcare.
A stolen session token is a skeleton key: it lets an attacker walk in as a real, already-authenticated user — no password prompt, no MFA challenge.
Living Off Your IT Team’s Own Tools
What makes this campaign worth a healthcare owner’s attention is not exotic malware — it is the opposite. The Hacker News reports that Anubis affiliates “repeatedly abused legitimate remote access and administration tools, including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment, to blend in with normal IT activity.” Once inside, they used valid VPN logins, RDP, and PsExec to move around, and cloud-transfer tools to steal data before encrypting it.
For a small practice, this is the uncomfortable part: the tools attackers hid behind are the same categories your MSP or IT provider legitimately uses to support you. That is not a reason to distrust remote support — it is a reason to know exactly which remote-access tools are installed, and to be able to tell an authorized one from a stranger.
Why a Small Medical or Dental Practice Should Care
It is easy to file “Citrix ransomware campaign” under enterprise problems. It is not one. If an attacker rides a hijacked session or valid VPN login into your network, they have a path to electronic protected health information (ePHI), practice systems, and — per Arctic Wolf’s findings via The Hacker News — the backups and NAS devices you would rely on to recover. Under HHS ransomware guidance, a ransomware event involving ePHI is presumed to be a reportable breach unless a risk assessment shows a low probability the data was compromised. One intrusion can trigger a breach analysis and possible patient notification.
This is exactly why remote access belongs in your HIPAA Security Rule picture, not just your IT to-do list.
What to Check for Citrix Bleed 2 This Week
You do not need to buy anything. Work through this with whoever manages your systems:
- Find out if you run Citrix NetScaler at all. Many small practices use a different VPN or firewall entirely. If you have no NetScaler Gateway, this specific bug does not apply — but the remote-access lesson does.
- If you do run it, patch and then kill active sessions. Patching alone does not evict an attacker who already grabbed a session token. Citrix’s guidance is to upgrade, then terminate existing ICA/PCoIP sessions so stolen tokens stop working.
- Inventory your remote-support tools. Ask your provider for a written list of the remote-access software they use (and why). Anything on your machines that is not on that list — a stray ScreenConnect, AnyDesk, or VNC agent — deserves an immediate question. Strong multi-factor authentication on remote access raises the bar even when a credential leaks.
- Watch the logs. New accounts, off-hours VPN logins, or a single session hopping between IP addresses are the anomalies Arctic Wolf flagged as the best early warning — before encryption starts.
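The checks in the list above (a session hopping between IP addresses, off-hours VPN logins, new accounts, and a stray remote-support tool that is not on the provider's list) can be scripted over exported logs and a program inventory. The following Python script is an added example written for this article; it is not code from Arctic Wolf, The Hacker News, or Citrix. The log lines are constructed in a simplified one-event-per-line format (a real NetScaler or VPN export would need its own parser), the 07:00 to 19:59 business-hours window and the approved-tool list are assumptions a practice would replace with its own values, and the remote-tool name list is taken from the tools named in the campaign reporting plus AnyDesk and VNC.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real NetScaler output): one event per line as
# "<date> <time> <user> <session_id> <source_ip> <event>".
SAMPLE_LOG = """\
2025-07-01 08:55:12 jsmith s-1001 203.0.113.10 vpn_login
2025-07-01 09:10:44 jsmith s-1001 203.0.113.10 vpn_request
2025-07-01 09:12:03 jsmith s-1001 198.51.100.77 vpn_request
2025-07-01 23:41:19 mlee s-1002 192.0.2.55 vpn_login
2025-07-01 14:02:00 admin s-1003 203.0.113.10 account_created
2025-07-01 10:30:09 rgarcia s-1004 203.0.113.22 vpn_login
"""

# Assumed practice hours: VPN logins between 07:00 and 19:59 are expected.
BUSINESS_HOURS = range(7, 20)

# Remote-support tools named in the campaign reporting, plus AnyDesk and VNC,
# as lower-cased substrings matched against installed-program names.
KNOWN_REMOTE_TOOLS = ("screenconnect", "zoho assist", "meshagent", "remotely",
                      "ultravnc", "total software deployment", "anydesk", "vnc")


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, session, ip, event = line.split()
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "user": user, "session": session, "ip": ip, "event": event,
        })
    return events


def find_session_ip_hops(events):
    """Sessions seen from more than one source IP: a replayed token looks like this."""
    ips = defaultdict(set)
    for e in events:
        ips[e["session"]].add(e["ip"])
    return {s: sorted(addrs) for s, addrs in ips.items() if len(addrs) > 1}


def find_off_hours_logins(events):
    """VPN logins outside the assumed business hours."""
    return [(e["user"], e["ts"].strftime("%Y-%m-%d %H:%M:%S"))
            for e in events
            if e["event"] == "vpn_login" and e["ts"].hour not in BUSINESS_HOURS]


def find_new_accounts(events):
    """Account-creation events, which the reporting lists as an early warning."""
    return [(e["user"], e["ts"].strftime("%Y-%m-%d %H:%M:%S"))
            for e in events if e["event"] == "account_created"]


def flag_unapproved_remote_tools(installed, approved):
    """Installed programs that look like remote-support tools but are not on the provider's list."""
    flagged = []
    for name in installed:
        lower = name.lower()
        if any(tool in lower for tool in KNOWN_REMOTE_TOOLS):
            if not any(a.lower() in lower for a in approved):
                flagged.append(name)
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("sessions hopping between IPs:", find_session_ip_hops(events))
    print("off-hours VPN logins:", find_off_hours_logins(events))
    print("new accounts:", find_new_accounts(events))
    # Constructed installed-program list; the approved list is assumed to come
    # from the provider's written inventory.
    installed = ["ScreenConnect Client", "Microsoft Edge", "AnyDesk", "UltraVNC Server"]
    print("remote tools not on the approved list:",
          flag_unapproved_remote_tools(installed, ["ScreenConnect"]))
```

On the sample data the script flags session s-1001 for appearing from two addresses, mlee's 23:41 login as off-hours, the admin account creation, and AnyDesk and UltraVNC as remote tools the provider never documented. Each of these is a question to ask, not proof of compromise: a staff member on a laptop that switched from office Wi-Fi to a phone hotspot also changes IP mid-session, so the value is in reviewing the short list quickly rather than in treating every hit as an incident.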
The Byzantine Takeaway
The pattern here is bigger than one vendor: attackers increasingly get in through edge devices and then hide in trusted admin tools. Defense is not a single purchase — it is patching the gateway, enforcing MFA, keeping a clean inventory of who can reach in remotely, and watching for the anomalies. That is a team effort between a practice and its IT partner, and it is squarely within reach on a small-practice budget. For the full technical breakdown, read The Hacker News’s reporting and share it with your provider.