
Einhaus Group Faces Insolvency After Devastating 2023 Ransomware Attack


German mobile phone insurance, repair, and logistics provider Einhaus Group has disclosed the severe financial toll of a crippling ransomware attack in 2023. At its peak, the company had a presence in more than 5,000 retail outlets across Germany, working with major telecom players such as Deutsche Telekom and 1&1, and generating annual revenues of up to €70 million.

In 2023, the notorious ransomware group “Royal” infiltrated the company’s systems, encrypting crucial data — including contracts, billing information, and internal communications — and bringing operations to a standstill. 

The attackers left chilling messages via office printers warning, “the company had been hacked”, and locked down critical infrastructure. The breach resulted in operational paralysis, millions in lost revenue, and total damages reaching the mid-seven-figure range. Reports indicate Einhaus paid a €200,000 ransom in Bitcoin to recover its data.

German cybercrime investigators have since identified three suspects. Although prosecutors seized cryptocurrency linked to the ransom payment, the funds were never returned to Einhaus, leaving the company unable to make a full recovery.

The aftermath has been severe — staff numbers have plummeted from around 170 to just eight, while the company has sold off property and investments to offset losses. Three subsidiaries, including 24logistics, have filed for insolvency, and mobile phone repair operations have ceased entirely.

Einhaus Group now joins a growing list of high-profile businesses shuttered by ransomware incidents, including the UK’s Knights of Old transport firm, Stoli USA, and Finland’s Vastaamo. The case underscores the increasing frequency and financial devastation of cyberattacks, particularly ransomware, for businesses worldwide.

Ridgefield Public Schools Faces 2-day Deadline After Hackers Threaten to Leak 90 GB of Stolen Data


Ridgefield Public Schools in Connecticut was hit by a ransomware attack on July 24, 2025, with the SafePay ransomware gang now threatening to release 90 GB of stolen data within two days if ransom demands aren't met.

The school district's security tooling detected attempts to deploy file-encrypting malware, prompting it to take the network offline immediately to investigate. While RPS confirmed that a ransom was demanded, it has not revealed the amount or whether it was paid. SafePay's decision to publish the district on its leak site suggests that negotiations have failed.

Impact on school operations 

System restoration is ongoing, with RPS hoping teachers would regain email access this week. The district serves approximately 4,500 students across nine schools (six elementary, two middle schools, and one high school). They are investigating potential data breaches and offering advice on data protection in case sensitive personal information was stolen.

Broader education sector threats 

This attack is part of a concerning trend: 26 confirmed ransomware attacks have hit the US education sector so far in 2025, with 49 more unconfirmed. Recent victims include School District 5 of Lexington and Richland Counties (1.3 TB stolen), Franklin Pierce Schools ($400,000 ransom demand), and Manassas Park City Schools, where Social Security numbers and financial data may have been compromised.

In 2024 alone, nearly 3 million records were breached across 83 attacks on US educational institutions, highlighting the severe ongoing impact on schools, colleges, and universities. 

About SafePay ransomware group 

SafePay first emerged in November 2024 and has since conducted 278 tracked attacks, 35 of them confirmed by victims. The group uses LockBit-based ransomware and a double-extortion technique, demanding payment both to decrypt systems and to delete stolen data. RPS is the sixth educational institution confirmed to have fallen victim to SafePay, following attacks this year on the Harrison County Board of Education and a Czech school.

SafePay Ransomware Threatens Public Disclosure of 3.5 TB of Ingram Micro Files


Ingram Micro, one of the world's largest IT distributors, is facing a data leak threat from the SafePay ransomware group almost a month after the initial attack. The SafePay group has claimed to have stolen 3.5TB of data from the company and listed Ingram Micro on its dark web leak site, threatening to release the data unless the distributor pays the ransom. 

The attack first came to light on July 5, 2025, when Ingram Micro disclosed it had to take systems offline over the weekend. The company worked with cybersecurity experts to investigate and contain the incident, implementing additional safeguards while restoring affected systems. By July 9, Ingram Micro announced that global operations had been restored across all regions. 

However, SafePay's threat to leak data suggests that Ingram Micro chose not to pay. Peter King, a cybersecurity consultant, noted that this follows an established pattern in which threat actors use leak threats to pressure victims into paying. The 3.5 TB of allegedly stolen data raises questions about how the attackers were able to access and exfiltrate such a large volume of information from a major channel company.

SafePay is identified as one of the most active ransomware groups, having struck over 200 victims worldwide in the first quarter of 2025, including managed service providers and small-to-medium enterprises. The group reportedly gained initial access through Ingram Micro's GlobalProtect VPN platform using compromised credentials rather than exploiting a software vulnerability.

The incident highlights the ongoing risk of supply chain attacks, with experts warning that organizations in the tech supply chain are attractive targets due to their interconnected nature and the potential for attacks to spread beyond their own environments.

Singapore Companies Struggle to Recover from Ransomware Despite Paying Hackers


Many businesses in Singapore continue to face prolonged and expensive recovery periods after ransomware attacks, even when they choose to pay the ransom. A new report from cybersecurity firm Sophos reveals that 50% of local organizations affected by ransomware opted to pay to regain access to their encrypted data. 

Despite this, more than half of these companies needed at least a week to resume operations, and nearly a quarter faced recovery times stretching up to six months. While paying the ransom is often viewed as a quick fix, the real costs and complications extend far beyond the initial transaction. The average total expense incurred by Singaporean firms to fully recover from a ransomware incident this year has reached an estimated US$1.54 million. 

Although the median ransom payment has decreased to approximately US$365,565—down from US$760,000 last year—this reduction in ransom size hasn’t translated into faster recoveries. Interestingly, around 39% of companies were able to negotiate lower ransom amounts, often by working with external experts or negotiators. According to Chester Wisniewski, Field CISO at Sophos, an increasing number of businesses are turning to incident response professionals to manage damage, contain threats, and potentially stop attacks mid-process. 

These experts not only help reduce the ransom amounts but also accelerate recovery timelines and fortify defences against future incidents. The study also sheds light on the primary causes of ransomware infections in Singapore. Phishing scams were identified as the top cause, accounting for 36% of cases, followed closely by malicious email attachments at 29% and compromised user credentials at 17%. 

On an organizational level, common challenges include insufficient cybersecurity tools and a shortage of trained personnel—issues that 47% and 43% of respondents, respectively, cited as major weaknesses. Experts emphasize that mitigating ransomware threats begins with addressing these underlying vulnerabilities. Proactive strategies such as implementing multi-factor authentication, keeping software up to date, and investing in Managed Detection and Response (MDR) services can significantly reduce the likelihood of a breach. 

MDR services, in particular, offer constant threat monitoring and rapid response, making them an increasingly popular choice for companies with limited in-house cybersecurity capacity. Additional findings highlight how Singapore firms differ from global counterparts. They are more likely to pay ransoms without attempting negotiation and are less transparent about breaches. 

Verizon Business reports further confirm that attackers are increasingly targeting software supply chains and exploiting known vulnerabilities. According to Robert Le Busque, the integration of Singapore’s economy into global trade networks and supply chains makes its companies especially vulnerable, with 72% having encountered email-based threats. 

Despite falling ransom demands, the broader financial and operational toll of ransomware in Singapore continues to rise, stressing the importance of preventive action and stronger cyber resilience.

UK Government Proposes Mandatory Reporting of Ransomware Attacks


The British government's proposals to change its approach to ransomware reached a minor milestone on Tuesday, when the Home Office published its formal response to a consultation on changing the law, but questions remain about how effective the measures will be.

The legislative process in the United Kingdom routinely involves public consultations. To address ransomware, the Home Office set out three main policy proposals and asked for public input to support forthcoming legislation.

The three main policy ideas are prohibiting payments from public sector or critical national infrastructure organisations; requiring victims to notify the government prior to making any extortion payments; and requiring all victims to report attacks to law enforcement.

The official response, published on Tuesday, catalogues feedback for and against the measures. It follows a string of high-profile ransomware incidents in the UK, including several that left the shelves of high-street grocery stores empty and one that contributed to the death of a hospital patient in London.

Despite being labelled as part of the government's much-talked-about Plan for Change, the plans are identical to those made while the Conservative Party was in control prior to Rishi Sunak's snap election, which delayed the consultation's introduction. Even that plan in 2024 was late to the game. 

In 2022, ransomware attacks dominated the British government's crisis management COBR meetings. However, successive home secretaries prioritised responding to small boat crossings of migrants in the English Channel. Ransomware attacks on British organisations had increased year after year for the past five years. 

“The proposals are a sign that the government is taking ransomware more seriously, which after five years of punishing attacks on UK businesses and critical national infrastructure is very welcome,” stated Jamie MacColl, a senior research fellow at think tank RUSI. But MacColl said there remained numerous questions regarding how effective the response might be. 

Earlier this year, the government announced what the Cyber Security and Resilience Bill (CSRB) will include when it is brought to Parliament. The CSRB, which only applies to regulated critical infrastructure firms, is likely to overlap with the ransomware regulations by enhancing cyber incident reporting requirements, but it is unclear how.

Armenian Man Extradited to US After Targeting Oregon Tech Firm


The Justice Department said Wednesday last week that an Armenian national is in federal custody on charges related to his alleged involvement in a wave of Ryuk ransomware attacks in 2019 and 2020. On June 18, Karen Serobovich Vardanyan, 33, was extradited to the United States from Ukraine.

On June 20, he appeared in federal court and pleaded not guilty. Vardanyan is awaiting a seven-day jury trial set to begin on August 26. Prosecutors charged him with conspiracy, computer-related fraud, and computer-related extortion; each charge carries a maximum penalty of five years in federal prison and a $250,000 fine.

Vardanyan and his accomplices, who include 45-year-old Levon Georgiyovych Avetisyan of Armenia and two 53-year-old Ukrainians, Oleg Nikolayevich Lyulyava and Andrii Leonydovich Prykhodchenko, are charged with gaining unauthorised access to computer networks in order to install Ryuk ransomware on hundreds of compromised workstations and servers between March 2019 and September 2020. 

Lyulyava and Prykhodchenko remain at large, while Avetisyan is in France awaiting the outcome of a US extradition request. According to authorities, Ryuk ransomware was widespread in 2019 and 2020, infecting thousands of victims worldwide across the private sector, state and local governments, local school districts, and critical infrastructure.

Among them were a series of attacks on American hospitals and on a technology company in Oregon, the case for which Vardanyan is being tried in federal court. Ryuk ransomware attacks have affected Hollywood Presbyterian Medical Center, Universal Health Services, Electronic Warfare Associates, a North Carolina water company, and several U.S. newspapers.

Ryuk ransomware operators extorted victim firms by demanding Bitcoin ransom payments in exchange for decryption keys. According to Justice Department officials, Vardanyan and his co-conspirators received approximately 1,160 bitcoins in ransom payments from victim companies, totalling more than $15 million at the time.

Belk Hit by Ransomware Attack as DragonForce Claims Responsibility for Data Breach


The department store chain Belk recently became the target of a ransomware attack, with the hacking group DragonForce taking responsibility for the breach. The cybercriminals claim to have stolen 156 GB of sensitive data from the company’s systems in early May. 

JP Castellanos, Director of Threat Intelligence at cybersecurity firm Binary Defense, stated with high confidence that DragonForce is indeed behind the incident. The company, based in Ohio, specializes in threat detection and digital forensics. During an investigation of dark web forums on behalf of The Charlotte Observer, Castellanos found that DragonForce had shared samples of the stolen data online. 

In a message directed at Belk, the group stated that its original aim wasn’t to damage the company but to push it into acknowledging its cybersecurity failures. DragonForce claims Belk declined to meet ransom demands, which ultimately led to the data being leaked, affecting numerous individuals. 

Following the breach, Belk has been named in multiple lawsuits. The complaints allege that the company not only failed to protect sensitive personal information but also delayed disclosing the breach to the public. Information accessed by the attackers included names, Social Security numbers, and internal documentation related to employees and their families. 

The cyberattack reportedly caused a complete systems shutdown across Belk locations between May 7 and May 11. According to a formal notice submitted to North Carolina’s Attorney General, the breach was discovered on May 8 and disclosed on June 4. The total number of affected individuals was 586, including 133 residents of North Carolina. 

The stolen files contained private details such as account numbers, driver’s license data, passport information, and medical records. Belk responded by initiating a full-scale investigation, collaborating with law enforcement, and enhancing their digital security defenses. On June 5, Belk began notifying those impacted by the attack, offering one year of free identity protection services. These services include credit and dark web monitoring, as well as identity restoration and insurance coverage worth up to $1 million. 

Despite these actions, Belk has yet to issue a public statement or respond to ongoing media inquiries. DragonForce, identified by experts as a hacktivist collective, typically exploits system vulnerabilities to lock down company networks, then demands cryptocurrency payments. If the demands go unmet, the stolen data is often leaked or sold. 

In Belk’s case, the group did not list a price for the compromised data. Castellanos advised anyone who has shopped at Belk to enroll in credit monitoring as a precaution. Belk, which was acquired by Sycamore Partners in 2015, has been working through financial challenges in recent years, including a short-lived bankruptcy filing in 2021. 

The retailer, now operating nearly 300 stores across 16 southeastern U.S. states, continues to rebuild its financial footing amid cybersecurity and operational pressures.

Ingram Micro Confirms SafePay Ransomware Attack and Global IT System Outage


Ingram Micro, one of the world’s largest IT distribution and services companies, has confirmed it was targeted in a ransomware attack by the SafePay group, causing major operational disruptions across its global network. The cyberattack, which began early on July 4, 2025, forced the company to take critical internal systems offline and suspend access to platforms such as its AI-powered Xvantage distribution system and the Impulse license provisioning platform. 

The attack came to light after employees discovered ransom notes on their devices. According to cybersecurity outlet BleepingComputer, the notes were linked to the SafePay ransomware operation, an increasingly active threat actor that has claimed over 220 victims since emerging in late 2024. Although the extent of data encryption remains unclear, sources suggest that the attackers most likely entered Ingram Micro's network using compromised credentials on the company's GlobalProtect VPN gateway.

Initially, Ingram Micro refrained from publicly acknowledging the attack, stating only that it was experiencing “IT issues.” Employees in some regions were instructed to work from home, and the company advised against using the VPN service believed to be involved in the breach.

On July 6, Ingram Micro officially confirmed the ransomware incident. In a statement, the company said it took immediate steps to secure affected systems, brought in cybersecurity experts to investigate, and notified law enforcement agencies. It also assured customers and partners that it was working urgently to restore operations and minimize further disruption. 

By July 8, the company had made significant progress in recovery. Subscription orders—including renewals and modifications—were once again being processed globally, with additional support for phone and email orders reinstated in key markets such as the UK, Germany, Brazil, India, and China. However, some hardware order functions remain limited. 

Palo Alto Networks issued a clarification stating that none of its products were the source of the breach. The company emphasized that the attackers likely exploited misconfigurations or stolen credentials rather than any flaw in the VPN software itself. The distinction matters for defenders: a patch would not have prevented this kind of access, whereas enforcing multi-factor authentication on the gateway and monitoring for anomalous logins could have.

This breach highlights the increasing sophistication of ransomware groups like SafePay and the risks faced by large IT infrastructure providers. Ingram Micro’s swift containment and recovery response may help mitigate long-term impacts, but the incident serves as a critical reminder of the importance of proactive cybersecurity measures, especially in environments reliant on remote access technologies.
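Both Ingram Micro posts above attribute initial access to stolen GlobalProtect VPN credentials rather than a product flaw. What a defender can do about that is watch the gateway's authentication log for the signals that usually accompany credential abuse. The following Python is an added example written for this page; it is not Ingram Micro's or Palo Alto Networks' code. The log layout and its field names (user, src, geo, result, mfa) are an assumption made for the example and are not the GlobalProtect log schema, and the sample lines are constructed. It learns each user's normal countries from a short baseline window and then flags three things: a success without MFA, a success from a country never seen for that user, and a success from a source IP that had just failed against several different accounts (the password-spraying pattern).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of VPN gateway authentication events (key=value fields).
# ASSUMPTION: this layout is invented for the example and is not the real
# GlobalProtect log schema; map the field names to your own log source.
SAMPLE_LOG = """\
2025-07-01T08:01:10Z gw1 user=alice src=203.0.113.10 geo=US result=success mfa=yes
2025-07-01T08:05:44Z gw1 user=bob src=198.51.100.7 geo=US result=success mfa=yes
2025-07-02T09:15:02Z gw1 user=alice src=203.0.113.10 geo=US result=success mfa=yes
2025-07-02T17:40:31Z gw1 user=carol src=198.51.100.9 geo=DE result=success mfa=yes
2025-07-04T02:10:05Z gw1 user=dave src=192.0.2.77 geo=RO result=failure mfa=no
2025-07-04T02:10:09Z gw1 user=erin src=192.0.2.77 geo=RO result=failure mfa=no
2025-07-04T02:10:14Z gw1 user=frank src=192.0.2.77 geo=RO result=failure mfa=no
2025-07-04T02:10:20Z gw1 user=grace src=192.0.2.77 geo=RO result=failure mfa=no
2025-07-04T02:10:27Z gw1 user=bob src=192.0.2.77 geo=RO result=success mfa=no
2025-07-04T02:31:00Z gw1 user=alice src=203.0.113.10 geo=US result=success mfa=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>\S+) result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_events(log_text):
    """Turn raw lines into dicts, skipping malformed lines instead of crashing."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda ev: ev["ts"])


def detect_vpn_anomalies(log_text, baseline_days=2,
                         spray_window=timedelta(minutes=15), spray_min_users=3):
    """Return alerts for successful VPN logins that look like credential abuse.

    success_without_mfa : a successful login that did not complete MFA
    new_geo_for_user    : success from a country never seen for that user
                          during the baseline (first `baseline_days`)
    success_after_spray : success from a source IP that, within
                          `spray_window`, failed against >= spray_min_users
                          distinct accounts (password-spraying pattern)
    """
    events = parse_events(log_text)
    if not events:
        return []
    cutoff = events[0]["ts"] + timedelta(days=baseline_days)

    # Baseline: countries each user logged in from with MFA before the cutoff.
    # In production this comes from weeks of history, not two days.
    known_geo = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success" and e["mfa"] == "yes":
            known_geo[e["user"]].add(e["geo"])

    failures_by_src = defaultdict(list)  # src -> [(ts, user), ...]
    alerts = []

    def alert(rule, e):
        alerts.append({"rule": rule, "user": e["user"], "src": e["src"],
                       "geo": e["geo"], "ts": e["ts"].isoformat()})

    for e in events:
        if e["result"] != "success":
            failures_by_src[e["src"]].append((e["ts"], e["user"]))
            continue
        if e["ts"] < cutoff:
            continue  # baseline period: learn, do not alert
        if e["mfa"] != "yes":
            alert("success_without_mfa", e)
        if e["geo"] not in known_geo[e["user"]]:
            # Also fires for accounts with no baseline at all (new hires),
            # which is usually worth a look anyway.
            alert("new_geo_for_user", e)
        sprayed = {u for ts, u in failures_by_src[e["src"]]
                   if e["ts"] - ts <= spray_window}
        if len(sprayed) >= spray_min_users:
            alert("success_after_spray", e)
    return alerts


if __name__ == "__main__":
    for a in detect_vpn_anomalies(SAMPLE_LOG):
        print(a)
```

On the constructed sample the only success that trips any rule is bob's login at 02:10 from a Romanian IP: no MFA, a country bob has never used, and four failed usernames from the same IP in the preceding half minute. The three rules are independent on purpose; a stolen password used with a stolen session cookie would pass the MFA check but still trip the geo rule, and a slow spray would need the window widened.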

IdeaLab Data Breach Exposes Sensitive Employee Information: Hackers Leak 137,000 Files Online


IdeaLab has begun notifying individuals whose personal data was compromised in a cybersecurity incident that occurred last October, when malicious actors infiltrated the company’s network and accessed confidential information.

Although the company did not specify the precise nature of the attack, the breach was claimed by the Hunters International ransomware group, which later published the stolen files on the dark web.

Founded in 1996, IdeaLab is a prominent California-based technology incubator known for launching over 150 companies, including GoTo.com, CitySearch, eToys, Authy, Pet.net, Heliogen, and Energy Vault. As one of the most established venture capital firms in the United States, IdeaLab has driven substantial economic growth, job creation, and investment returns over nearly three decades.

Suspicious activity was first detected on IdeaLab’s systems on October 7, 2024. A subsequent investigation revealed that unauthorized access began three days earlier. To respond, the company engaged external cybersecurity experts to conduct a thorough assessment, which concluded on June 26, 2025.

Investigators confirmed that data belonging to current and former employees, support service contractors, and their dependents had been stolen. In regulatory disclosures, IdeaLab stated that the compromised records included names along with various other sensitive details, though the exact types of data were not fully disclosed.

On October 23, 2024, after what appears to have been a failed extortion attempt, Hunters International published approximately 137,000 files—totaling 262.8 gigabytes. While the download link has since become inactive, security analysts believe other cybercriminals likely retrieved the files prior to removal.

Earlier today, the threat actor announced it was shutting down Hunters International operations, deleting all extortion-related data and offering free decryption keys to victims. However, cybersecurity researchers at Group-IB previously reported that the group had already begun transitioning to a new extortion-focused platform named World Leaks, suggesting this shutdown could be a strategic rebrand.

To help mitigate potential harm, IdeaLab is providing affected individuals with complimentary 24-month access to credit monitoring, identity theft protection, and dark web surveillance services through IDX. Impacted parties must enroll by October 1 to take advantage of these resources.

Swiss Health Foundation Ransomware Attack Exposes Government Data


The Swiss government has announced that a ransomware attack on Radix, a third-party organisation, exposed sensitive data from multiple federal offices.

The Swiss authorities claim that the hackers obtained information from Radix systems and then posted it on the dark web. The nation's National Cyber Security Centre (NCSC) is assisting in the analysis of the leaked data to determine which government agencies are affected and to what extent. 

“The foundation Radix has been targeted by a ransomware attack, during which data was stolen and encrypted,” the Swiss government noted. “Radix’s customers include various federal offices. The data has been published on the dark web and will now be analyzed by the relevant offices.” 

Radix is a Zurich-based non-profit foundation focused on health promotion. It operates eight competence centres that carry out projects and services for the Swiss federal government, cantonal and municipal bodies, and other public and private organisations.

According to the organisation's statement, Sarcoma ransomware affiliates penetrated its systems on June 16. Sarcoma is a newly emerged ransomware outfit that began operations in October 2024 and quickly became one of the most active, claiming 36 victims in its first month. One notable example was an attack on PCB giant Unimicron.

Phishing, supply-chain attacks, and exploitation of old, unpatched flaws are some of the ways Sarcoma gains access. Once inside, the operators typically use RDP connections to move laterally across the network, and in the final phase they may encrypt the data in addition to stealing it. On June 29, the group uploaded the stolen Radix data to its dark web leak portal, most likely after extortion attempts failed.
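The Sarcoma pattern described above, RDP used to move laterally once a foothold exists, leaves a trail on every host reached: a Windows Security event 4624 with LogonType 10 (RemoteInteractive). The detection below is an added example written for this page; it is not Radix's, the NCSC's or any vendor's tooling. The event records, their field names, and the idea of a configured list of accounts that should never log on interactively are assumptions made for the example, and the sample events are constructed. It raises one alert when a single account RDPs into three or more distinct hosts inside a sliding 30-minute window, and a separate one when a service account performs an interactive logon at all.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Windows Security 4624 (successful logon) records as a SIEM might
# normalise them. LogonType 10 = RemoteInteractive (RDP). ASSUMPTION: the field
# names are invented for this example; adapt them to your own schema.
SAMPLE_EVENTS = [
    # An admin touching two machines over a morning: normal, below threshold.
    {"ts": "2025-06-16T09:00:00", "host": "WS-ADMIN01", "account": "it-helpdesk",
     "logon_type": 10, "src_ip": "10.0.5.20"},
    {"ts": "2025-06-16T09:30:00", "host": "SRV-FILE01", "account": "it-helpdesk",
     "logon_type": 10, "src_ip": "10.0.5.20"},
    # A service account RDP-ing to four different hosts in 16 minutes at night.
    {"ts": "2025-06-16T22:05:00", "host": "WS-FIN03", "account": "svc-backup",
     "logon_type": 10, "src_ip": "10.0.7.41"},
    {"ts": "2025-06-16T22:09:00", "host": "SRV-FILE01", "account": "svc-backup",
     "logon_type": 10, "src_ip": "10.0.7.41"},
    {"ts": "2025-06-16T22:14:00", "host": "SRV-DB01", "account": "svc-backup",
     "logon_type": 10, "src_ip": "10.0.7.41"},
    {"ts": "2025-06-16T22:21:00", "host": "SRV-DC01", "account": "svc-backup",
     "logon_type": 10, "src_ip": "10.0.7.41"},
    # A network (type 3) logon by the same account: not RDP, ignored here.
    {"ts": "2025-06-16T22:25:00", "host": "SRV-DB01", "account": "svc-backup",
     "logon_type": 3, "src_ip": "10.0.7.41"},
]


def detect_rdp_lateral_movement(events, window=timedelta(minutes=30),
                                min_hosts=3, non_interactive_accounts=frozenset()):
    """Return alerts for RDP fan-out and for accounts that should never RDP.

    rdp_fanout          : one account opens RDP sessions to >= min_hosts distinct
                          hosts within `window` (sliding window, per account)
    service_account_rdp : an account listed in non_interactive_accounts (service
                          or automation identities) performs a type-10 logon
    Each rule fires at most once per account so a noisy intrusion does not
    flood the queue; the fan-out alert carries the full host list for triage.
    """
    recent = defaultdict(deque)  # account -> deque[(ts, host)] inside window
    fired_fanout, fired_svc = set(), set()
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["logon_type"] != 10:
            continue
        ts = datetime.fromisoformat(e["ts"])
        acct = e["account"]
        if acct in non_interactive_accounts and acct not in fired_svc:
            fired_svc.add(acct)
            alerts.append({"rule": "service_account_rdp", "account": acct,
                           "host": e["host"], "src_ip": e["src_ip"],
                           "ts": e["ts"]})
        q = recent[acct]
        q.append((ts, e["host"]))
        while ts - q[0][0] > window:  # drop logons that fell out of the window
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= min_hosts and acct not in fired_fanout:
            fired_fanout.add(acct)
            alerts.append({"rule": "rdp_fanout", "account": acct,
                           "src_ip": e["src_ip"], "hosts": sorted(hosts),
                           "first_ts": q[0][0].isoformat(), "last_ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_lateral_movement(SAMPLE_EVENTS,
                                         non_interactive_accounts={"svc-backup"}):
        print(a)
```

Against the sample, it-helpdesk's two morning sessions stay under the threshold while svc-backup trips the fan-out rule at its third host (22:14) and, if it is on the never-interactive list, the service-account rule at its first. The threshold and window are the tuning knobs: a jump host used by many admins will need either a higher threshold or an allow-list keyed on source IP.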

According to Radix, personalised alerts have been sent to affected individuals, and there is no evidence that sensitive information from partner organisations was compromised. Radix advises potentially affected users to stay alert over the coming months and to be wary of attempts to obtain their account credentials, credit card details, and passwords.

In March 2024, the Swiss government confirmed it had experienced a similar exposure via third-party software services provider Xplain, which was attacked by the Play ransomware gang on May 23, 2023. As a result of that incident, 65,000 Federal Administration documents were leaked, many of which included private and sensitive data.

Horizon Healthcare RCM Reports Ransomware Breach Impacting Patient Data


Horizon Healthcare RCM has confirmed it was the target of a ransomware attack involving the theft of sensitive health information, making it the latest revenue cycle management (RCM) vendor to report such a breach. Based on the company’s breach disclosure, it appears a ransom may have been paid to prevent the public release of stolen data. 

In a report filed with Maine’s Attorney General on June 27, Horizon disclosed that six state residents were impacted but did not provide a total number of affected individuals. As of Monday, the U.S. Department of Health and Human Services’ Office for Civil Rights had not yet listed the incident on its breach portal, which logs healthcare data breaches affecting 500 or more people.  

However, the scope of the incident may be broader. As an RCM vendor, Horizon processes data on behalf of healthcare-provider clients, and it remains unclear whether Horizon is notifying patients directly on behalf of those clients or whether each client will report the breach independently.

In a public notice, Horizon explained that the breach was first detected on December 27, 2024, when ransomware locked access to some files. While systems were later restored, the company determined that certain data had also been copied without permission. 

Horizon noted that it “arranged for the responsible party to delete the copied data,” indicating a likely ransom negotiation. Notices are being sent to affected individuals where possible. The compromised data varies, but most records included a Horizon internal number, patient ID, or insurance claims data. 

In some cases, more sensitive details were exposed, such as Social Security numbers, driver’s license or passport numbers, payment card details, or financial account information. Despite the breach, Horizon stated that there have been no confirmed cases of identity theft linked to the incident. 

The matter has been reported to federal law enforcement. Multiple law firms have since announced investigations into the breach, raising the possibility of class-action litigation. This incident follows several high-profile breaches involving other RCM firms in recent months. 

In May, Nebraska-based ALN Medical Management updated a previously filed breach report, raising the number of affected individuals from 501 to over 1.3 million. Similarly, Gryphon Healthcare disclosed in October 2024 that nearly 400,000 people were impacted by a separate attack. 

Most recently, California-based Episource LLC revealed in June that a ransomware incident in February exposed the health information of roughly 5.42 million individuals. That event now ranks as the second-largest healthcare breach in the U.S. so far in 2025. Experts say that RCM vendors continue to be lucrative targets for cybercriminals due to their access to vast stores of healthcare data and their central role in financial operations. 

Bob Maley, Chief Security Officer at Black Kite, noted that targeting these firms offers hackers outsized rewards. “Hitting one RCM provider can affect dozens of healthcare facilities, exposing massive amounts of data and disrupting financial workflows all at once,” he said.

Maley warned that many of these firms are still operating under outdated cybersecurity models. “They’re stuck in a compliance mindset, treating risk in vague terms. But boards want to know the real-world financial impact,” he said.

He also emphasized the importance of supply chain transparency. “These vendors play a crucial role for hospitals, but how well do they know their own vendors? Relying on outdated assessments leaves them blind to emerging threats.” 

Maley concluded that until RCM providers prioritize cybersecurity as a business imperative—not just an IT issue—the industry will remain vulnerable to repeating breaches.

2.2 Million People Impacted by Ahold Delhaize Data Breach


Ahold Delhaize, the Dutch grocery company, reported this week that a ransomware attack on its networks last year resulted in a data breach that affected more than 2.2 million customers. 

The cybersecurity breach was discovered in November 2024, when numerous US pharmacies and grocery chains controlled by Ahold Delhaize reported network troubles. The incident affected Giant Food pharmacies, Hannaford supermarkets, Food Lion, The Giant Company, and Stop & Shop.

In mid-April 2025, the Inc Ransom ransomware group claimed responsibility for the attack. Shortly afterwards, the company acknowledged that the hackers had probably stolen data from some of its internal business systems.

Since then, Ahold Delhaize has determined that personal data was stolen, and those affected are now being notified. The stolen files included internal employment records for both current and former Ahold Delhaize USA businesses. The organisation told the Maine Attorney General’s Office that 2,242,521 people are affected.

The compromised information differs from person to person but may include name, contact information, date of birth, Social Security number, passport number, driver's license number, financial account information, health information, and employment-related information. Affected individuals will receive free credit monitoring and identity protection services for two years.

The attackers published around 800 GB of data allegedly stolen from Ahold Delhaize on their Tor-based leak site, indicating that the company did not pay a ransom. Inc Ransom claimed to have stolen 6 TB of data from the company in total.

Cyberattacks on the retail industry, notably supermarkets, have increased in recent months. In April, cybercriminals believed to be affiliated with the Scattered Spider group targeted UK retailers Co-op, Harrods, and M&S. 

Earlier this month, United Natural Foods (UNFI), the primary distributor for Amazon's Whole Foods and many other North American grocery shops, was targeted by a hack that disrupted company operations and resulted in grocery shortages. According to UNFI, there is no evidence that personal or health information was compromised, and no ransomware group claimed responsibility for the attack.

M&S Faces £300M Loss After Cyberattack Involving DragonForce and Scattered Spider


Marks & Spencer has resumed its online services after a serious cyberattack earlier this year that disrupted its operations and is expected to slash profits by £300 million. The British retail giant’s digital operations were hit hard, and recent developments suggest the breach may have been orchestrated by multiple hacker groups. 

A hacking group known as DragonForce is now linked to the incident. According to reports by the BBC, the group sent an email to M&S CEO Stuart Machin shortly after the attack, boasting about its success and demanding a ransom. The message, written in aggressive and alarming language, implied that the group had encrypted the retailer’s servers. DragonForce, which has rebranded itself as a “Ransomware Cartel,” operates by offering malware tools to affiliates in exchange for a percentage of ransom earnings.

Originally emerging in 2023, the group has become increasingly active on major dark web forums in recent months. While some cybersecurity experts believe the group is based in Malaysia, others speculate ties to Russia. They have also been linked to a similar attack on the Co-op. Meanwhile, another group, Scattered Spider, had earlier been suspected of executing the attack. Known for its advanced social engineering techniques, the group is composed primarily of young hackers from the US and UK. They have previously impersonated IT personnel and used SIM swapping tactics to breach organizations. 

In 2023, they gained notoriety after cyberattacks on major US casino operators like Caesars Entertainment and MGM Resorts, resulting in multi-million-dollar ransoms. The M&S cyberattack, disclosed on April 22, disrupted online orders and even stopped contactless payments in physical stores. As a result, hundreds of agency workers were temporarily relieved from duty. The company confirmed that customer data—including names, email addresses, addresses, and birth dates—was compromised during the breach. The cause, according to Machin, was human error by a third-party service provider. 

In response to the growing threat, the UK’s National Cyber Security Centre (NCSC) issued industry-wide guidance. Law enforcement agencies, including the National Crime Agency (NCA), are actively investigating the case and considering whether the incidents involving these hacker groups are interconnected. The financial impact has been significant. M&S’s market value dropped by £650 million in the days following the attack. Despite these setbacks, the company has now reopened its standard delivery service in England, Scotland, and Wales, with additional services like click-and-collect and international orders expected to follow soon. 

In a recent statement, M&S emphasized its commitment to restoring customer trust and maintaining high service standards. The company said, “Our stores have remained operational, and we’re now focused on delivering the quality and service our customers expect as we recover from this disruption.”

Understanding the Dynamic Threat Landscape of Ransomware Attacks


The constant expansion of cyber threats, particularly malware and ransomware, necessitates our undivided attention. Our defence strategy must evolve in tandem with the threats. So far this year, ransomware has targeted Frederick Health Medical Group, Co-op Supermarkets, and Marks & Spencer. 

This meant that critical data got into the wrong hands, supply networks were interrupted, and online transactions were halted. Almost 400,000 PCs were attacked with Lumma Stealer malware, a ClickFix malware version went viral, and a new spyware dubbed 'LOSTKEYS' appeared.

The threat landscape is always evolving, making traditional security methods ineffective. Effective protection methods are not only useful; they are also required to protect against severe data loss, financial damage, and reputational impact that these attacks can cause. Understanding the nature of these enemies is a critical first step towards developing strong defences. 

Ransomware: An ongoing and profitable menace 

Ransomware deserves special attention. It encrypts data and demands payment for its release, frequently spreading through phishing or software weaknesses. More complex ransomware variations take data before encrypting it, combining the threat with blackmail. The effects of ransomware include:

Data loss: May be permanent without backups. 

Financial costs: Includes ransom, restoration, and penalties. 

Reputational damage: If publicly exposed, trust is lost. 

Ransomware's profitability makes it particularly tenacious. It does not just impact huge companies; small firms, healthcare systems, and educational institutions are all common targets. Its ease of deployment and high return on investment continue to attract cybercriminals, resulting in more aggressive campaigns.

Ransomware attacks increasingly use "double extortion," in which attackers exfiltrate data before encrypting it. Victims then face two threats: inaccessible data and public exposure. This strategy not only raises the likelihood of a ransom payment, but also raises the stakes for organisations that are already struggling to recover.

Challenges

Malware and ransomware are challenging to detect due to evasive strategies. Attackers are getting more creative, using legitimate administrative tools, zero-day vulnerabilities, and social engineering to get around defences. A multi-layered security approach that includes behavioural detection, endpoint hardening, and regular system updates is necessary to defend against these threats.

In the end, protecting against malware and ransomware involves more than just technology; it also involves mindset. Cybersecurity professionals need to be knowledgeable, proactive, and flexible. Defenders must adapt to the ever-changing threats.

FBI Warns of Luna Moth Ransomware Attacks Targeting U.S. Law Firms


The FBI said that over the last two years, an extortion group known as the Silent Ransom Group has targeted U.S. law firms through callback phishing and social engineering tactics. 

This threat outfit, also known as Luna Moth, Chatty Spider, and UNC3753, has been active since 2022. It was also responsible for BazarCall campaigns, which provided initial access to corporate networks for Ryuk and Conti ransomware assaults. Following Conti's shutdown in March 2022, the threat actors broke away from the cybercrime syndicate and created their own operation known as the Silent Ransom Group.

In recent attacks, SRG impersonates the targets' IT help desk via email, bogus websites, and phone calls, gaining access to their networks through social engineering. This extortion group does not encrypt victims' systems; it is known instead for demanding ransoms in exchange for not leaking sensitive information stolen from compromised devices. 

"SRG will then direct the employee to join a remote access session, either through an email sent to them, or navigating to a web page. Once the employee grants access to their device, they are told that work needs to be done overnight," the FBI stated in a private industry notification.

"Once in the victim's device, a typical SRG attack involves minimal privilege escalation and quickly pivots to data exfiltration conducted through 'WinSCP' (Windows Secure Copy) or a hidden or renamed version of 'Rclone.'” 

After acquiring the victims' data, they use ransom emails to blackmail them, threatening to sell or publish the information. They frequently call employees of breached organisations and pressure them into ransom negotiations. While the group runs a dedicated website for disclosing victims' data, the FBI says it does not always follow up on its data leak threats. 

To guard against these attacks, the FBI recommends adopting strong passwords, enabling two-factor authentication for all employees, performing regular data backups, and training personnel to recognise phishing attempts.

The FBI's warning follows a recent EclecticIQ report detailing SRG attacks targeting legal and financial institutions in the United States, with attackers observed registering domains to "impersonate IT helpdesk or support portals for major U.S. law firms and financial services firms, using typosquatted patterns.”

Malicious emails containing fake helpdesk numbers are sent to victims, prompting them to call in order to fix a variety of non-existent issues. Alternatively, Luna Moth operators pose as IT staff and try to deceive employees of targeted firms into installing remote monitoring and management (RMM) software via phoney IT help desk websites.

Once the RMM tool is installed and running, the threat actors have hands-on-keyboard access, allowing them to search for valuable documents on compromised devices and shared drives, which are then exfiltrated via Rclone (cloud syncing) or WinSCP (SFTP). According to EclecticIQ, the Silent Ransom Group sends ransom demands ranging from one to eight million USD, depending on the size of the compromised company.
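The exfiltration pattern described above, a renamed Rclone binary or a scripted WinSCP run, is something a defender can look for in process-creation telemetry. The following is an added example, not code from the FBI notification or the EclecticIQ report: it scans constructed Sysmon-style events (the sample paths, the "mega" remote name and the event field names are assumptions) and flags a process whose PE OriginalFileName says rclone or WinSCP while its on-disk name does not, an rclone transfer verb aimed at a configured remote, and a non-interactive WinSCP script run.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style)."""
    image: str               # full path of the executable that started
    original_file_name: str  # OriginalFilename from the PE version resource
    command_line: str


# Constructed sample events, not real telemetry. The first one mimics an
# rclone binary renamed to look like a Windows system process; the remote
# name "mega" is an assumption used only for illustration.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "rclone.exe",
                 'svchost.exe copy "D:\\Clients" mega:backup --transfers 16'),
    ProcessEvent(r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "WinSCP.exe",
                 r"WinSCP.exe /script=C:\Users\jdoe\AppData\Local\Temp\upload.txt"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe",
                 "svchost.exe -k netsvcs"),
    ProcessEvent(r"C:\Tools\rclone.exe", "rclone.exe", "rclone.exe version"),
]

EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# An rclone remote is written "<remote>:<path>". Requiring two or more
# characters before the colon keeps Windows drive letters ("D:\...") out.
REMOTE_RE = re.compile(r'(?:^|\s)"?([A-Za-z0-9_-]{2,}):')


def analyze(event: ProcessEvent) -> list[str]:
    """Return human-readable findings for one event (empty list if benign)."""
    findings = []
    base = ntpath.basename(event.image).lower()
    orig = event.original_file_name.lower()

    # The PE metadata still says rclone/WinSCP even when the file was renamed.
    if orig in EXFIL_TOOLS and base != orig:
        findings.append(f"renamed {orig} running as {base}")

    if orig == "rclone.exe":
        # Plain split is enough here: the verb is always the first argument.
        argv = event.command_line.split()
        verb = argv[1].lower() if len(argv) > 1 else ""
        if verb in RCLONE_TRANSFER_VERBS and REMOTE_RE.search(event.command_line):
            findings.append(f"rclone '{verb}' to a configured remote")

    if orig == "winscp.exe" and "/script=" in event.command_line.lower():
        findings.append("scripted (non-interactive) WinSCP session")

    return findings


def scan(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Run analyze() over a batch and keep only events that produced findings."""
    results = []
    for event in events:
        findings = analyze(event)
        if findings:
            results.append((event.image, findings))
    return results


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image)
        for finding in findings:
            print("  -", finding)
```

The OriginalFileName check is the one that survives a simple rename; it can still be defeated by an attacker who strips or edits the version resource, so a file hash or signer check is the usual second layer.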

Kettering Health Ransomware Attack Linked to Interlock Group


Kettering Health, a prominent healthcare network based in Ohio, is still grappling with the aftermath of a disruptive ransomware attack that forced the organization to shut down its computer systems. The cyberattack, which occurred in mid-May 2025, affected operations across its hospitals, clinics, and medical centers. Now, two weeks later, the ransomware gang Interlock has officially taken responsibility for the breach, claiming to have exfiltrated more than 940 gigabytes of data.  

Interlock, an emerging cybercriminal group active since September 2024, has increasingly focused on targeting U.S.-based healthcare providers. When CNN first reported on the incident on May 20, Interlock had not yet confirmed its role, suggesting that ransom negotiations may have been in progress. With the group now openly taking credit and releasing some of the stolen data on its dark web site, it appears those negotiations either failed or stalled. 

Kettering Health has maintained a firm position that it will not pay ransoms. John Weimer, senior vice president of emergency operations, previously stated that no ransom had been paid. Despite this, the data breach appears extensive. Information shared by Interlock indicates that sensitive files were accessed, including private patient records and internal documents. Patient information such as names, identification numbers, medical histories, medications, and mental health notes was among the compromised data. 

The breach also impacted employee data, with files from shared network drives also exposed. One particularly concerning element involves files tied to Kettering Health’s in-house police department. Some documents reportedly include background checks, polygraph results, and personally identifiable details of law enforcement staff—raising serious privacy and safety concerns. In a recent public update, Kettering Health announced a key development in its recovery process. 

The organization confirmed it had restored core functionalities of its electronic health record (EHR) system, which is provided by healthcare technology firm Epic. Officials described this restoration as a significant step toward resuming normal operations, allowing teams to access patient records, coordinate care, and communicate effectively across departments once again. The full scope of the breach and the long-term consequences for affected individuals remain uncertain. 

Meanwhile, Kettering Health has yet to comment on whether Interlock’s claims are fully accurate. The healthcare system is working closely with cybersecurity professionals and law enforcement agencies to assess the extent of the intrusion and prevent further damage.

Lee Enterprises Ransomware Attack Exposes Data of 40,000 Individuals


Lee Enterprises, a major U.S. news publisher, is alerting nearly 40,000 individuals about a data breach following a ransomware attack that took place in early February 2025. The company, which owns and operates 77 daily newspapers and hundreds of weekly and special-interest publications across 26 states, reported that the cyberattack resulted in the theft of personal information belonging to thousands of people. 

Details of the breach were revealed in a recent disclosure to the Maine Attorney General’s office. According to the company, the attackers gained unauthorized access to internal documents on February 3, 2025. These files contained combinations of personal identifiers such as names, Social Security numbers, driver’s license details, bank account information, medical data, and health insurance policy numbers. The security incident caused widespread operational disruptions. 

Following the attack, Lee Enterprises was forced to shut down multiple parts of its IT infrastructure, impacting both the printing and delivery of its newspapers. Several internal tools and systems became inaccessible, including virtual private networks and cloud storage services, complicating daily workflows across its local newsrooms. In a filing with the U.S. Securities and Exchange Commission shortly after the breach, the company confirmed that critical systems had been encrypted and that a portion of its data had been copied by the attackers. 

The attacker has not been officially identified, but a group known as Qilin claimed responsibility near the end of February. The group alleged it had stolen over 120,000 internal files, totaling 350 gigabytes, and threatened to publish the material unless its demands were met. Soon after, Qilin posted a sample of the stolen data to a dark web leak site, including scans of government-issued IDs, financial spreadsheets, contracts, and other confidential records. The group also listed Lee Enterprises as a victim on its public-facing extortion portal. 

When asked about the authenticity of the leaked data, a spokesperson for Lee Enterprises stated the company was aware of the claims and was actively investigating. This is not the first cybersecurity issue Lee Enterprises has faced. The company’s network was previously targeted by foreign actors during the lead-up to the 2020 U.S. presidential election, where hackers from Iran allegedly attempted to use compromised media outlets to spread disinformation. 

The ransomware attack highlights ongoing threats facing media companies, especially those handling high volumes of personal and financial data. As Lee Enterprises continues its recovery and legal steps, the incident serves as a reminder of the need for robust digital defenses in today’s information-driven landscape.

MathWorks Hit by Ransomware Attack Affecting Over 5 Million Clients


MathWorks, the developer of the MATLAB programming language and numeric computing environment, has reported a ransomware attack on its IT systems. 

MathWorks, based in Massachusetts, sent an update to users after initially reporting issues on May 18, stating that the company had been hit by a ransomware attack that shut down online services and internal systems used by employees. 

“We have notified federal law enforcement of this matter,” the company noted. “We have brought many of these systems back online and are continuing to bring other systems back online with the assistance of cybersecurity experts.” 

MathWorks has millions of users, including engineers and scientists who use MATLAB for data analysis, calculation, and other purposes. MATLAB and other MathWorks products are utilised by nearly 6,500 colleges and universities, according to the company.

The firm has 6,500 employees and over 30 offices in Europe, Asia, and North America. This issue affected several MATLAB services as well as parts of the MathWorks website, such as the job page, cloud centre, store, and file exchange. MATLAB Online and MATLAB Mobile were restored on Friday.

MathWorks stated in a Tuesday update that the issue was still being investigated. Several pages on the MathWorks website are still offline. The firm did not immediately respond to a request for comment. 

Verizon's comprehensive data breach report released last month revealed that ransomware was utilised in nearly half of the 12,195 confirmed data breaches in 2024. The researchers discovered that 64% of ransomware victims did not pay the ransoms, up from 50% two years ago, and the typical amount paid to ransomware groups has dropped to $115,000 (down from $150,000 last year). 

“This could be partially responsible for the declining ransom amounts. Ransomware is also disproportionately affecting small organizations,” the researchers noted. “In larger organizations, ransomware is a component of 39% of breaches, while small and medium-sized businesses experienced ransomware-related breaches to the tune of 88% overall.” 

The number of large ransoms paid has also reduced, with Verizon estimating that 95% of ransoms paid will be less than $3 million by 2024. That value is a significant increase above the $9.9 million recorded in 2023.

Ransomware Attack Disrupts Kettering Health Network, Elective Procedures Canceled Across 14 Ohio Facilities


A ransomware incident has caused a significant “system-wide technology outage” at a network of over a dozen medical centers in Ohio, resulting in the cancellation of both inpatient and outpatient elective procedures. This information comes from a statement released by the health system and a ransom note obtained by CNN.

Kettering Health, which serves a substantial portion of Ohio and employs more than 1,800 physicians, confirmed in a statement that the cyberattack began Tuesday morning and has created “a number of challenges” across its 14 facilities. The disruption has also affected the network’s call center. Despite this, emergency rooms and outpatient clinics remain operational and continue to treat patients.

“Inpatient and outpatient procedures have been canceled for today,” the network said in its statement. “Scheduled procedures at Kettering Health medical centers will be rescheduled.” It added that contingency protocols are in place “for these types of situations” to maintain safe and high-quality patient care.

Internally, Kettering Health's IT teams and executives are working to limit the damage from the ransomware attack. According to the ransom note reviewed by CNN, hackers deployed ransomware on the network’s computer systems.

“Your network was compromised, and we have secured your most vital files,” the note reads. It warns that the attackers may release allegedly stolen data online unless negotiations for a ransom payment begin.

The note includes a link to an extortion platform tied to the ransomware group known as Interlock, which surfaced in late 2023. Since then, the group has reportedly targeted various sectors including technology, manufacturing, and government organizations, as per Cisco’s cyber-intelligence division, Talos.

A spokesperson for Kettering Health did not offer additional details beyond the network’s official statement.

Typically, major cyber incidents affecting U.S. healthcare providers involve responses from the FBI, the Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA). CNN has reached out to all three agencies for comment.

Cybercriminals have long targeted the U.S. healthcare sector, viewing hospitals as particularly vulnerable and likely to pay ransoms to prevent disruptions in patient care. Last year, healthcare organizations reported more than 440 ransomware incidents and data breaches to the FBI—more than any other critical infrastructure sector.

In the past 18 months, a string of high-profile cyberattacks on major health providers has directly affected patient care nationwide, prompting growing concern among lawmakers and federal authorities about the resilience of U.S. healthcare cybersecurity systems.

One such attack last year on Ascension, a nonprofit health system based in St. Louis with operations across 19 states, left nurses at some hospitals working without access to electronic health records, compromising patient safety, according to what two nurses told CNN. Similarly, a February 2024 ransomware attack on a UnitedHealth Group subsidiary disrupted pharmacy services across the country and exposed sensitive data belonging to a large number of Americans.

British Supermarkets' Supplier of Refrigerated Goods Hit by a Ransomware Attack


Peter Green Chilled, a logistics firm, has announced that it has been hit by a ransomware attack, interrupting deliveries of refrigerated goods to some of the country's top supermarkets.

Customers — largely smaller producers who supply food to regional stores in Somerset, such as Aldi, Tesco, and Sainsbury's — received an email last Thursday informing them that the company would be unable to complete part of their orders owing to the cyber incident.

Peter Green Chilled told the BBC that the attack occurred last Wednesday and had no effect on the company's transport business, but declined to elaborate on how the incident affected the IT infrastructure through which orders are placed. 

A substantial part of the nation's frozen food is transported by Reed Boardall, a cold storage and refrigerated transport company that was itself attacked a number of years ago. Although Peter Green Chilled is a far smaller supplier than Reed Boardall, some of its customers have warned that their products would spoil if they could not be delivered to retailers in time.

After incidents involving Marks & Spencer, the Co-op, and the upscale London retailer Harrods, this attack is the most recent to affect the British retail industry. A string of recent attacks, including one revealed last week that could expose the personal information of domestic violence victims to their abusers, has prompted renewed calls for the British government to adopt a more active response to the ransomware threat. 

According to Gareth Mott, a research fellow at the Royal United Services Institute think tank, the "ideal response" to data-extortion attacks, in which gangs steal data and threaten to release it unless a sum is paid in cryptocurrency, would be for law enforcement agencies to hack the criminals' systems and take them down.

It was not an easy task, Mott said. Even though the National Crime Agency and its allies had been successful in combating ransomware organisations such as LockBit, Mott stated that he was unsure if they currently have the ability to eliminate the most risky data breaches on a selective basis.