Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomware. Show all posts
Scams
AI Cyber Fraud Deepfake Identity Theft Keystrokes Ransomware Scams

AI Turns Personal: Criminals Now Cloning Loved Ones to Steal Money, Warns Police

 



Police forces in the United Kingdom are alerting the public to a surge in online fraud cases, warning that criminals are now exploiting artificial intelligence and deepfake technology to impersonate relatives, friends, and even public figures. The warning, issued by West Mercia Police, stresses upon how technology is being used to deceive people into sharing sensitive information or transferring money.

According to the force’s Economic Crime Unit, criminals are constantly developing new strategies to exploit internet users. With the rapid evolution of AI, scams are becoming more convincing and harder to detect. To help people stay informed, officers have shared a list of common fraud-related terms and explained how each method works.

One of the most alarming developments is the use of AI-generated deepfakes, realistic videos or voice clips that make it appear as if a known person is speaking. These are often used in romance scams, investment frauds, or emotional blackmail schemes to gain a victim’s trust before asking for money.

Another growing threat is keylogging, where fraudsters trick victims into downloading malicious software that secretly records every keystroke. This allows criminals to steal passwords, banking details, and other private information. The software is often installed through fake links or phishing emails that look legitimate.

Account takeover, or ATO, remains one of the most common types of identity theft. Once scammers access an individual’s online account, they can change login credentials, reset security settings, and impersonate the victim to access bank or credit card information.

Police also warned about SIM swapping, a method in which criminals gather personal details from social media or scam calls and use them to convince mobile providers to transfer a victim’s number to a new SIM card. This gives the fraudster control over the victim’s messages and verification codes, making it easier to access online accounts.

Other scams include courier fraud, where offenders pose as police officers or bank representatives and instruct victims to withdraw money or purchase expensive goods. A “courier” then collects the items directly from the victim’s home. In many cases, scammers even ask for bank cards and PIN numbers.

The force’s notice also included reminders about malware and ransomware, malicious programs that can steal or lock files. Criminals may also encourage victims to install legitimate-looking remote access tools such as AnyDesk, allowing them full control of a victim’s device.

Additionally, spoofing — the act of disguising phone numbers, email addresses, or website links to appear genuine, continues to deceive users. Fraudsters often combine spoofing with AI to make fake communication appear even more authentic.

Police advise the public to remain vigilant, verify any unusual requests, and avoid clicking on suspicious links. Anyone seeking more information or help can visit trusted resources such as Action Fraud or Get Safe Online, which provide updates on current scams and guidance on reporting cybercrime.



Read more »
Syn
BBC Reporter Cyber Attacks Medusa Ransomware Syn

Medusa Ransomware Gang Offers BBC Reporter Millions for Inside Hack Access

 

A ransomware operation claiming affiliation with the Medusa gang attempted to recruit BBC cybersecurity correspondent Joe Tidy as an insider threat, offering him substantial financial incentives in exchange for access to the broadcaster's systems. 

The threat actor, using the alias "Syndicate" (later shortened to "Syn"), contacted Tidy in July via the encrypted messaging app Signal, proposing an arrangement that would give him a percentage of the ransom proceeds. The initial proposition involved offering Tidy 15% of any ransom payment if he provided access to his work laptop and BBC systems. 

The cybercriminals planned to infiltrate the organization's network, exfiltrate sensitive data, and demand payment in cryptocurrency while threatening to release stolen information. As negotiations continued, Syn increased the offer to 25%, suggesting the total ransom demand could reach tens of millions of dollars and claiming Tidy "wouldn't need to work ever again".

To establish credibility, the threat actor offered 0.5 Bitcoin (approximately $55,000) as an upfront trust payment through escrow on a hacker forum. Syn referenced previous successful insider recruitment operations, citing cases involving a UK healthcare company and a US emergency services provider, suggesting such collaborations were common in their operations.

The Medusa ransomware operation has operated since January 2021 and evolved from a closed operation to a ransomware-as-a-service model with affiliates. According to a March report from CISA, the gang has compromised over 300 critical infrastructure organizations in the United States. The operation's core developers recruit initial access brokers through cybercrime forums and darknet marketplaces while maintaining central control over ransom negotiations.

Tidy, who reports on cybersecurity topics, believes the attackers likely mistook him for a technical employee with elevated system privileges rather than a journalist. After consulting with BBC editors, he engaged with the threat actor to gather intelligence on their methods. When Tidy delayed responding to their demands, the criminals launched an MFA bombing attack, flooding his phone with two-factor authentication requests in an attempt to force approval of a malicious login.

The journalist promptly contacted BBC's information security team and was disconnected from the organization's infrastructure as a precautionary measure. Following several days of silence from Tidy, the alleged Medusa representative deleted their Signal account.
Read more »
Vulnerabilities and Exploits
Akira Ransomware Arctic Wolf security research CVE-2024-40766 exploit Ransomware SonicWall SSL VPN vulnerability Vulnerabilities and Exploits

Akira Ransomware Breaches Networks in Under Four Hours via SonicWall VPN Exploit

 

Akira ransomware affiliates need less than four hours to breach organizations and launch attacks, according to researchers at Arctic Wolf. The group is exploiting stolen SonicWall SSL VPN credentials and has reportedly found ways to bypass multi-factor authentication (MFA).

Once inside, attackers quickly begin scanning networks to identify services and weak accounts. They leverage Impacket to establish SMB sessions, use RDP for lateral movement, and eventually target Domain Controllers, virtual machine storage, and backups. Additional accounts, including domain accounts, are created to install remote monitoring and management (RMM) tools and enable data theft. The process also includes establishing command-and-control channels, exfiltrating sensitive data, disabling legitimate RMM and EDR tools, deleting shadow copies and event logs, and using WinRAR with rclone or FileZilla for data transfers. The attack culminates with the deployment of Akira ransomware.

Akira activity has been rising since July 2025. Early reports suggested a SonicWall zero-day exploit, but investigations revealed attackers were abusing CVE-2024-40766, an improper access control flaw in SonicWall SonicOS management access and SSL VPN. Though SonicWall released a patch in August 2024, some organizations failed to reset SSL VPN passwords after upgrading from Gen 6 to Gen 7 firewalls, leaving them exposed.

Experts believe that attackers harvested privileged account credentials months earlier and are now reusing them against organizations that patched but never rotated passwords. Rapid7 also identified other weaknesses being exploited, including misconfigured SSLVPN Default User Group settings and the externally exposed Virtual Office Portal, which attackers use to configure OTP MFA on compromised accounts.

“In our investigation, we observed repeated malicious SSL VPN logins on accounts with OTP MFA enabled, ruling out scratch code usage in those cases. We also found no signs of malicious use of the compromised accounts prior to SSL VPN login (event ID 1080), nor did we observe unauthorized OTP unbinding events or other malicious configuration changes (event ID 1382) in the five days leading up to the intrusions,” Arctic Wolf researchers stated.

“Taken together, the evidence points to the use of valid credentials rather than modification of OTP configuration, though the exact method of authenticating against MFA-enabled accounts remains unclear.”

So far, victim organizations span multiple industries and sizes, indicating opportunistic targeting rather than focused campaigns. Researchers emphasize that the minimal time between breach and ransomware execution makes early detection and rapid response essential.

Defensive Measures

Arctic Wolf recommends organizations take the following steps:
  • Monitor or block logins originating from VPS hosting providers.
  • Watch for abnormal SMB and LDAP activity linked to Impacket and discovery tools.
  • Detect unusual execution of scanning and archival utilities on servers.
  • Leverage App Control for Business to restrict unauthorized remote tools and block execution from untrusted paths.
“If your SonicWall devices have previously run firmware versions vulnerable to CVE-2024-40766, we strongly recommend resetting all credentials stored on the firewall, including SSL VPN passwords and OTP MFA secrets,” Arctic Wolf advised. “This includes both local firewall accounts and LDAP-synchronised Active Directory accounts, especially where accounts have access to SSL VPN. Threat actors are abusing these credentials even when devices are fully patched, suggesting that credential theft may have occurred earlier in the lifecycle.”
Read more »
Social Engineering
Cyber Crime Ransom Payment Ransomware Scattered Spider Social Engineering

Teens Arrested Over Scattered Spider’s $115M Hacking Spree

 

Law enforcement authorities in the United States and United Kingdom have arrested two teenagers connected to the notorious Scattered Spider hacking collective, charging them with executing an extensive cybercrime operation that netted over $115 million in ransom payments.

The UK's National Crime Agency arrested 19-year-old Thalha Jubair of East London and 18-year-old Owen Flowers of Walsall, West Midlands, at their homes on Tuesday. Both suspects appeared in London court on Thursday to face charges related to their alleged involvement in a cyberattack against Transport for London (TfL) in August 2024 .

Scale of criminal activity

The US Justice Department has charged Jubair with participating in at least 120 computer network intrusions and extortion attempts targeting 47 US organizations from May 2022 to September 2025. Federal authorities allege these attacks caused victims to pay more than $115 million in ransom payments, with the malicious activities causing significant disruptions to US enterprises, critical infrastructure, and the federal judicial system.

Timeline of offenses

Investigators believe Jubair began his cybercriminal activities at age 14, with the hacking spree spanning from 2022 until last month. Flowers was initially arrested in September 2024 for the TfL attack but was released on bail before being rearrested l. Both suspects had previously been detained in July for data theft incidents targeting UK retailers including Marks & Spencer, Harrods, and Co-op Group.

Scattered Spider distinguishes itself from other cybercriminal organizations through the notably young age of its members and their English-speaking proficiency. The group employs sophisticated social engineering tactics, frequently impersonating IT support personnel to deceive employees into revealing passwords or installing remote access software. Their attacks have disrupted major organizations including MGM Resorts and Caesars Entertainment in Las Vegas during 2023.

Legal consequences 

Jubair faces multiple charges related to computer fraud and money laundering, with prosecutors indicating he could receive a maximum sentence of 95 years in prison if convicted. Investigators linked the breaches to Jubair through evidence showing he managed servers hosting cryptocurrency wallets used for receiving ransom payments. 

Flowers faces additional charges for conspiring to infiltrate and damage networks of US healthcare companies SSM Health Care Corporation and Sutter Health.
Read more »
Social Security Numbers
Data Breach Healthcare Data IT Systems NYBC Ransomware Social Security Numbers

New York Blood Center Data Breach Exposes Nearly 200,000 Records

 



The New York Blood Center Enterprises (NYBCe) has reported a major cybersecurity incident that compromised the personal information of nearly 194,000 people. The breach occurred between January 20 and January 26, 2025, when an unauthorized party gained access to the organization’s network and extracted copies of certain files.


What information was taken

The investigation confirmed that sensitive details were involved in the leak. These included names, Social Security numbers, driver’s license and other state-issued identification numbers, as well as bank account information for individuals who received payments by direct deposit. In some cases, health data and medical test results were also exposed.

NYBCe has not disclosed how the attackers infiltrated its systems, whether ransomware was used, or if any ransom demand was made. No known criminal group has claimed responsibility for the breach so far.


Why affected individuals may not receive notices

Unlike many healthcare providers, NYBCe does not maintain contact information for all of its patients and service users. As a result, it cannot directly notify every individual whose records were accessed. Instead, the organization has urged anyone who has received services to call a dedicated helpline at 877-250-2848 to confirm whether their data was compromised.

To support those impacted, NYBCe is offering complimentary access to Experian’s identity protection and credit monitoring services for one year. Additional details are available through a filing with the Vermont Attorney General’s office.


Scale of the incident

Cybersecurity researchers note that this is among the largest healthcare-related breaches of 2025. Data compiled by Comparitech shows that the incident ranks as the fourth-largest ransomware-related exposure this year in terms of records affected, with healthcare organizations remaining frequent targets. By mid-2025, more than 60 attacks on hospitals, clinics, and direct care providers had been recorded, exposing over 5 million patient records.


Steps individuals should take

Experts emphasize that people potentially affected by this breach should take immediate precautions:

1. Contact NYBCe: Call the helpline to verify if your records were involved.

2. Use identity protection tools: Enroll in the free Experian services being offered, and consider placing a credit freeze or fraud alert with the credit bureaus.

3. Stay alert for scams: Watch for phishing emails or phone calls pretending to be official messages. Avoid clicking links, opening attachments, or sharing personal information unless you can confirm the source.

4. Monitor financial accounts: Check bank statements and health insurance records regularly for unusual charges or activity.

5. Adopt cybersecurity practices like second nature: Use strong passwords, enable two-factor authentication, and keep antivirus software updated.


The breach at NYBCe is a testament to the growing threat facing healthcare organizations, which often hold large amounts of sensitive data but face challenges in securing complex IT systems. Security experts warn that similar incidents are likely to continue, making it critical for organizations to improve defenses and for individuals to remain vigilant about protecting their personal information.



Read more »
Vietnam
AI Artificial Intelligence Cloud Cyber Attacks Internet Panama Ransomware Vietnam

Panama and Vietnam Governments Suffer Cyber Attacks, Data Leaked


Hackers stole government data from organizations in Panama and Vietnam in multiple cyber attacks that surfaced recently.

About the incident

According to Vietnam’s state news outlet, the Cyber Emergency Response Team (VNCERT) confirmed reports of a breach targeting the National Credit Information Center (CIC) that manages credit information for businesses and people, an organization run by the State Bank of Vietnam. 

Personal data leaked

Earlier reports suggested that personal information was exposed due to the attack. VNCERT is now investigating and working with various agencies and Viettel, a state-owned telecom. It said, “Initial verification results show signs of cybercrime attacks and intrusions to steal personal data. The amount of illegally acquired data is still being counted and clarified.”

VNCERT has requested citizens to avoid downloading and sharing stolen data and also threatened legal charges against people who do so.

Who was behind the attack?

The statement has come after threat actors linked to the Shiny Hunters Group and Scattered Spider cybercriminal organization took responsibility for hacking the CIC and stealing around 160 million records. 

Threat actors put up stolen data for sale on the cybercriminal platforms, giving a sneak peek of a sample that included personal information. DataBreaches.net interviewed the hackers, who said they abused a bug in end-of-life software, and didn’t offer a ransom for the stolen information.

CIC told banks that the Shiny Hunters gang was behind the incident, Bloomberg News reported.

The attackers have gained the attention of law enforcement agencies globally for various high-profile attacks in 2025, including various campaigns attacking big enterprises in the insurance, retail, and airline sectors. 

The Finance Ministry of Panama also hit

The Ministry of Economy and Finance in Panam was also hit by a cyber attack, government officials confirmed. “The Ministry of Economy and Finance (MEF) informs the public that today it detected an incident involving malicious software at one of the offices of the Ministry,” they said in a statement. 

The INC ransomware group claimed responsibility for the incident and stole 1.5 terabytes of data, such as emails, budgets, etc., from the ministry.

Read more »
Ransomware
AI Anthropic Cyber Crime Extortion Ransomware

Cybercriminals Weaponize AI for Large-Scale Extortion and Ransomware Attacks

 

AI company Anthropic has uncovered alarming evidence that cybercriminals are weaponizing artificial intelligence tools for sophisticated criminal operations. The company's recent investigation revealed three particularly concerning applications of its Claude AI: large-scale extortion campaigns, fraudulent recruitment schemes linked to North Korea, and AI-generated ransomware development. 

Criminal AI applications emerge 

In what Anthropic describes as an "unprecedented" case, hackers utilized Claude to conduct comprehensive reconnaissance across 17 different organizations, systematically gathering usernames and passwords to infiltrate targeted networks.

The AI tool autonomously executed multiple malicious functions, including determining valuable data for exfiltration, calculating ransom demands based on victims' financial capabilities, and crafting threatening language to coerce compliance from targeted companies. 

The investigation also uncovered North Korean operatives employing Claude to create convincing fake personas capable of passing technical coding evaluations during job interviews with major U.S. technology firms. Once successfully hired, these operatives leveraged the AI to fulfill various technical responsibilities on their behalf, potentially gaining access to sensitive corporate systems and information. 

Additionally, Anthropic discovered that individuals with limited technical expertise were using Claude to develop complete ransomware packages, which were subsequently marketed online to other cybercriminals for prices reaching $1,200 per package. 

Defensive AI measures 

Recognizing AI's potential for both offense and defense, ethical security researchers and companies are racing to develop protective applications. XBOW, a prominent player in AI-driven vulnerability discovery, has demonstrated significant success using artificial intelligence to identify software flaws. The company's integration of OpenAI's GPT-5 model resulted in substantial performance improvements, enabling the discovery of "vastly more exploits" than previous methods.

Earlier this year, XBOW's AI-powered systems topped HackerOne's leaderboard for vulnerability identification, highlighting the technology's potential for legitimate security applications. Multiple organizations focused on offensive and defensive strategies are now exploring AI agents to infiltrate corporate networks for defense and intelligence purposes, assisting IT departments in identifying vulnerabilities before malicious actors can exploit them. 

Emerging cybersecurity arms race 

The simultaneous adoption of AI technologies by both cybersecurity defenders and criminal actors has initiated what experts characterize as a new arms race in digital security. This development represents a fundamental shift where AI systems are pitted against each other in an escalating battle between protection and exploitation. 

The race's outcome remains uncertain, but security experts emphasize the critical importance of equipping legitimate defenders with advanced AI tools before they fall into criminal hands. Success in this endeavor could prove instrumental in thwarting the emerging wave of AI-fueled cyberattacks that are becoming increasingly sophisticated and autonomous. 

This evolution marks a significant milestone in cybersecurity, as artificial intelligence transitions from merely advising on attack strategies to actively executing complex criminal operations independently.
Read more »
Trojan
Android cryptocurrency malware MFA NFC Ransomware RatON TikTok Trojan

RatOn Android Trojan Expands Into Full Remote Access Threat Targeting Banks and Crypto

 



A new Android malware strain called RatOn has rapidly evolved from a tool limited to NFC relay attacks into a sophisticated remote access trojan with the ability to steal banking credentials, hijack cryptocurrency wallets, and even lock users out of their phones with ransom-style screens. Researchers warn the malware is under active development and combines multiple attack methods rarely seen together in one mobile threat.

How It Spreads

RatOn is being distributed through fake websites designed to look like the Google Play Store. Some of these pages advertise an adult-themed version of TikTok called “TikTok 18+.” Once victims install the dropper app, it requests permission to install software from unknown sources, bypassing Android’s built-in safeguards. The second-stage payload then seeks administrator and accessibility permissions, along with access to contacts and system settings, giving it deep control of the device. From there, RatOn can download an additional component called NFSkate, a modified version of the NFCGate tool, enabling advanced relay attacks known as “ghost taps.”


Capabilities and Tactics

The trojan’s abilities are wide-ranging:

1. Overlays and ransomware screens: RatOn can display fake login pages to steal credentials or lock the device with alarming ransom notes. Some overlays falsely accuse users of viewing child exploitation content and demand $200 in cryptocurrency within two hours to regain access.

2. Banking and crypto theft: It specifically targets cryptocurrency wallets such as MetaMask, Trust Wallet, Blockchain.com, and Phantom. By capturing PIN codes and recovery phrases, the malware enables attackers to take over accounts and steal assets. It can also perform automated transfers inside George ÄŒesko, a Czech banking app, by simulating taps and inputs.

3. NFC relay attacks: Through NFSkate, RatOn can remotely use victims’ card data for contactless payments.

4. Remote commands: The malware can change device settings, send fake push notifications, send SMS messages, add contacts, record screens, launch apps like WhatsApp and Facebook, lock the phone, and update its target list of financial apps.

Researchers noted RatOn shares no code with other Android banking trojans and appears to have been built from scratch. A similar trend has been seen before: the HOOK trojan, another Android threat, also experimented with ransomware-style overlays.


Development and Targets

The first sample of RatOn was detected on July 5, 2025, with further versions appearing as recently as August 29, pointing to ongoing development. Current attacks focus mainly on users in the Czech Republic and Slovakia. Investigators believe the need for local bank account numbers in automated transfers suggests possible collaboration with regional money mules.


Why It Matters

RatOn’s integration of overlay fraud, ransomware intimidation, NFC relay, and automated transfers makes it unusually powerful. By combining old tactics with new automation, it raises the risk of large-scale theft from both traditional banking users and cryptocurrency holders.

Users can reduce exposure by downloading apps only from official stores, refusing risky permissions for unknown apps, keeping devices updated, and using strong multi-factor authentication on financial accounts. For cryptocurrency, hardware wallets that keep recovery phrases offline provide stronger protection. Anyone who suspects infection should immediately alert their bank and seek professional removal help.


Read more »
Technology
Conti Healthcare Hospital Monti Ransomware Technology

Hospital Notifies victims of a one-year old data breach, personal details stolen

Hospital Notifies victims of a one-year old data breach, personal details stolen

Hospital informs victims about data breach after a year

Wayne Memorial Hospital in the US has informed its 163,440 people about a year old data breach in May 2024 that exposed details such as: names, social security numbers, user IDs, and passwords, financial account numbers, credit and debit card numbers, expiration dates, and CVV codes, medical history, diagnoses, treatments, prescriptions, lab test results and images, health insurance, Medicare, and Medicaid numbers, healthcare provider numbers, state-issued ID numbers, and dates of birth. 

Initially, the hospital informed only 2,500 people about the attack in August 2024. Ransomware group Monti took responsibility for the attack and warned that it would leak the data by July 8, 2024.

Ransom and payment

Wayne Memorial Hospital, however, has not confirmed Monti’s claim. As of now, it is not known if the hospital paid a ransom, what amount Monti demanded, or why the hospital took more than a year to inform victims, or how the threat actors compromised the hospital infrastructure. 

According to the notice sent to victims, “On June 3, 2024, WMH detected a ransomware event, whereby an unauthorized third party gained access to WMH’s network, encrypted some of WMH’s data, and left a ransom note on WMH’s network.” The forensic investigation by WMH found evidence of unauthorized access to a few WMH systems between “May 30, 2024, and June 3, 2024.”

The hospital has offered victims a one-year free credit monitoring and fraud assistance via CyberScout. The deadline to apply is three months from the date of the notice letter.

What is the Monti group?

Monti is a ransomware gang that shares similarities with the Conti group. It was responsible for the first breach in February 2023. The group, however, has been working since June 2022. Monti is infamous for abusing software bugs like Log4Shell. Monti encrypts target systems and steals data as well. This pushes victims to pay ransom money in exchange for deleting stolen data and restoring the systems.

To date, Monti has claimed responsibility for 16 attacks. Out of these, two attacks hit healthcare providers. 

Monti attacks on health care providers

In April 2023, Avezzano Sulmona L’Aquila (Italy) reported a ransomware attack that resulted in large-scale disruption for a month. Monti asked for $3 million ransom for the 500 GB of stolen data. ASL denies payment of the ransom. 

Excelsior Othopedics informed 394,752 people about a June 2024 data compromise

Read more »
Ransomware
AI Cloud Cyber Security Data Organization Ransomware

How cybersecurity debts can damage your organization and finances

How cybersecurity debts can damage your organization and finances

A new term has emerged in the tech industry: “cybersecurity debt.” Similar to technical debt, cybersecurity debt refers to the accumulation of unaddressed security bugs and outdated systems resulting from inadequate investments in cybersecurity services. 

Delaying these expenditures can provide short-term financial gains, but long-term repercussions can be severe, causing greater dangers and exponential costs.

What causes cybersecurity debt?

Cybersecurity debt happens when organizations don’t update their systems frequently, ignoring software patches and neglecting security improvements for short-term financial gains. Slowly, this leads to a backlog of bugs that threat actors can abuse- leading to severe consequences. 

Contrary to financial debt that accumulates predictable interest, cybersecurity debt compounds in uncertain and hazardous ways. Even a single ignored bug can cause a massive data breach, a regulatory fine that can cost millions, or a ransomware attack. 

A 2024 IBM study about data breaches cost revealed that the average data breach cost had increased to $4.9 million, a record high. And even worse, 83% of organizations surveyed had suffered multiple breaches, suggesting that many businesses keep operating with cybersecurity debt. The more an organization avoids addressing problems, the greater the chances of cyber threats.

What can CEOs do?

Short-term gain vs long-term security

CEOs and CFOs are under constant pressure to give strong quarterly profits and increase revenue. As cybersecurity is a “cost center” and non-revenue-generating expenditure, it is sometimes seen as a service where costs can be cut without severe consequences. 

A CEO or CFO may opt for this short-term security gain, failing to address the long-term risks involved with rising cybersecurity debt. In some cases, the consequences are only visible when a business suffers a data breach. 

Philip D. Harris, Research Director, GRC Software & Services, IDC, suggests, “Executive management and the board of directors must support the strategic direction of IT and cybersecurity. Consider implementing cyber-risk quantification to accomplish this goal. When IT and cybersecurity leaders speak to executives and board members, from a financial perspective, it is easier to garner interest and support for investments to reduce cybersecurity debt.”

Limiting cybersecurity debt

CEOs and leaders should consider reassessing the risks. This can be achieved by adopting a comprehensive approach that adds cybersecurity debt into an organization’s wider risk management plans.

Read more »
Ransomware
AI tools Anthropic Claude Cyber Attacks Data Extortion Ransomware

Hackers Used Anthropic’s Claude to Run a Large Data-Extortion Campaign

 



A security bulletin from Anthropic describes a recent cybercrime campaign in which a threat actor used the company’s Claude AI system to steal data and demand payment. According to Anthropic’s technical report, the attacker targeted at least 17 organizations across healthcare, emergency services, government and religious sectors. 

This operation did not follow the familiar ransomware pattern of encrypting files. Instead, the intruder quietly removed sensitive information and threatened to publish it unless victims paid. Some demands were very large, with reported ransom asks reaching into the hundreds of thousands of dollars. 

Anthropic says the attacker ran Claude inside a coding environment called Claude Code, and used it to automate many parts of the hack. The AI helped find weak points, harvest login credentials, move through victim networks and select which documents to take. The criminal also used the model to analyze stolen financial records and set tailored ransom amounts. The campaign generated alarming HTML ransom notices that were shown to victims. 

Anthropic discovered the activity and took steps to stop it. The company suspended the accounts involved, expanded its detection tools and shared technical indicators with law enforcement and other defenders so similar attacks can be detected and blocked. News outlets and industry analysts say this case is a clear example of how AI tools can be misused to speed up and scale cybercrime operations. 


Why this matters for organizations and the public

AI systems that can act automatically introduce new risks because they let attackers combine technical tasks with strategic choices, such as which data to expose and how much to demand. Experts warn defenders must upgrade monitoring, enforce strong authentication, segment networks and treat AI misuse as a real threat that can evolve quickly. 

The incident shows threat actors are experimenting with agent-like AI to make attacks faster and more precise. Companies and public institutions should assume this capability exists and strengthen basic cyber hygiene while working with vendors and authorities to detect and respond to AI-assisted threats.



Read more »
VPN
Agent AI AI Anthropic Anthropic Report Artificial Intelligence Cryptocurrency Crime Cybersecurity Threats FBI IT North Korea Cybercrime Ransomware Technology Vibe Hacking VPN

Misuse of AI Agents Sparks Alarm Over Vibe Hacking


 

Once considered a means of safeguarding digital battlefields, artificial intelligence has now become a double-edged sword —a tool that can not only arm defenders but also the adversaries it was supposed to deter, giving them both a tactical advantage in the digital fight. According to Anthropic's latest Threat Intelligence Report for August 2025, shown below, this evolving reality has been painted in a starkly harsh light. 

It illustrates how cybercriminals are developing AI as a product of choice, no longer using it to support their attacks, but instead executing them as a central instrument of attack orchestration. As a matter of fact, according to the report, malicious actors are now using advanced artificial intelligence in order to automate phishing campaigns on a large scale, circumvent traditional security measures, and obtain sensitive information very efficiently, with very little human oversight needed. As a result of AI's precision and scalability, the threat landscape is escalating in troubling ways. 

By leveraging AI's accuracy and scalability, modern cyberattacks are being accelerated, reaching, and sophistication. A disturbing evolution of cybercrime is being documented by Anthropologic, as it turns out that artificial intelligence is no longer just used to assist with small tasks such as composing phishing emails or generating malicious code fragments, but is also serving as a force multiplier for lone actors, giving them the capacity to carry out operations at scale and with precision that was once reserved for organized criminal syndicates to accomplish. 

Investigators have been able to track down a sweeping extortion campaign back to a single perpetrator in one particular instance. This perpetrator used Claude Code's execution environment as a means of automating key stages of intrusion, such as reconnaissance, credential theft, and network penetration, to carry out the operation. The individual compromised at least 17 organisations, ranging from government agencies to hospitals to financial institutions, and he has made ransom demands that have sometimes exceeded half a million dollars in some instances. 

It was recently revealed that researchers have conceived of a technique called “vibe hacking” in which coding agents can be used not just as tools but as active participants in attacks, marking a profound shift in both cybercriminal activity’s speed and reach. It is believed by many researchers that the concept of “vibe hacking” has emerged as a major evolution in cyberattacks, as instead of exploiting conventional network vulnerabilities, it focuses on the logic and decision-making processes of artificial intelligence systems. 

In the year 2025, Andrej Karpathy started a research initiative called “vibe coding” - an experiment in artificial intelligence-generated problem-solving. Since then, the concept has been co-opted by cybercriminals to manipulate advanced language models and chatbots for unauthorised access, disruption of operations, or the generation of malicious outputs, originating from a research initiative. 

By using AI, as opposed to traditional hacking, in which technical defences are breached, this method exploits the trust and reasoning capabilities of machine learning itself, making detection especially challenging. Furthermore, the tactic is reshaping social engineering as well: attackers can create convincing phishing emails, mimic human speech, build fraudulent websites, create clones of voices, and automate whole scam campaigns at an unprecedented level using large language models that simulate human conversations with uncanny realism. 

With tools such as artificial intelligence-driven vulnerability scanners and deepfake platforms, the threat is amplified even further, creating a new frontier of automated deception, according to experts. In one notable variant of scamming, known as “vibe scamming,” adversaries can launch large-scale fraud operations in which they generate fake portals, manage stolen credentials, and coordinate follow-up communications all from a single dashboard, which is known as "vibe scamming." 

Vibe hacking is one of the most challenging cybersecurity tasks people face right now because it is a combination of automation, realism, and speed. The attackers are not relying on conventional ransomware tactics anymore; they are instead using artificial intelligence systems like Claude to carry out all aspects of an intrusion, from reconnaissance and credential harvesting to network penetration and data extraction.

A significant difference from earlier AI-assisted attacks was that Claude demonstrated "on-keyboard" capability as well, performing tasks such as scanning VPN endpoints, generating custom malware, and analysing stolen datasets to prioritise the victims with the highest payout potential. As soon as the system was installed, it created tailored ransom notes in HTML, containing the specific financial requirements, workforce statistics, and regulatory threats of each organisation, all based on the data that had been collected. 

The amount of payments requested ranged from $75,000 to $500,000 in Bitcoin, which illustrates that with the assistance of artificial intelligence, one individual could control the entire cybercrime network. Additionally, the report emphasises how artificial intelligence and cryptocurrency have increasingly become intertwined. For example, ransom notes include wallet addresses in ransom notes, and dark web forums are exclusively selling AI-generated malware kits in cryptocurrency. 

An investigation by the FBI has revealed that North Korea is increasingly using artificial intelligence (AI) to evade sanctions, which is used to secure fraudulent positions at Western tech companies by state-backed IT operatives who use it for the fabrication of summaries, passing interviews, debugging software, and managing day-to-day tasks. 

According to officials in the United States, these operations channel hundreds of millions of dollars every year into Pyongyang's technical weapon program, replacing years of training with on-demand artificial intelligence assistance. This reveals a troubling shift: artificial intelligence is not only enabling cybercrime but is also amplifying its speed, scale, and global reach, as evidenced by these revelations. A report published by Anthropological documents how Claude Code has been used not just for breaching systems, but for monetising stolen information at large scales as well. 

As a result of using the software, thousands of records containing sensitive identifiers, financial information, and even medical information were sifted through, and then customised ransom notes and multilayered extortion strategies were generated based on the victim's characteristics. As the company pointed out, so-called "agent AI" tools now provide attackers with both technical expertise and hands-on operational support, which effectively eliminates the need to coordinate teams of human operators, which is an important factor in preventing cyberattackers from taking advantage of these tools. 

Researchers warn that these systems can be dynamically adapted to defensive countermeasures, such as malware detection, in real time, thus making traditional enforcement efforts increasingly difficult. There are a number of cases to illustrate the breadth of abuse that occurs in the workplace, and there is a classifier developed by Anthropic to identify the behaviour. However, a series of case studies indicates this behaviour occurs in a multitude of ways. 

In the North Korean case, Claude was used to fabricate summaries and support fraudulent IT worker schemes. In the U.K., a criminal known as GTG-5004 was selling ransomware variants based on artificial intelligence on darknet forums; Chinese actors utilised artificial intelligence to compromise Vietnamese critical infrastructure; and Russian and Spanish-speaking groups were using the software to create malicious software and steal credit card information. 

In order to facilitate sophisticated fraud campaigns, even low-skilled actors have begun integrating AI into Telegram bots around romance scams as well as false identity services, significantly expanding the number of fraud campaigns available. A new report by Anthropic researchers Alex Moix, Ken Lebedev, and Jacob Klein argues that artificial intelligence, based on the results of their research, is continually lowering the barriers to entry for cybercriminals, enabling fraudsters to create profiles of victims, automate identity theft, and orchestrate operations at a speed and scale that is unimaginable with traditional methods. 

It is a disturbing truth that is highlighted in Anthropic’s report: although artificial intelligence was once hailed as a shield for defenders, it is now increasingly being used as a weapon, putting digital security at risk. Nevertheless, people must not retreat from AI adoption, but instead develop defensive strategies in parallel that are geared toward keeping up with AI adoption. Proactive guardrails must be set up in order to prevent artificial intelligence from being misused, including stricter oversight and transparency by developers, as well as continuous monitoring and real-time detection systems to recognise abnormal AI behaviour before it escalates into a serious problem. 

A company's resilience should go beyond its technical defences, and that means investing in employee training, incident response readiness, and partnerships that enable data sharing across sectors. In addition to this, governments are also under mounting pressure to update their regulatory frameworks in order to keep pace with the evolution of threat actors in terms of policy.

By harnessing artificial intelligence responsibly, people can still make it a powerful ally—automating defensive operations, detecting anomalies, and even predicting threats before they are even visible. In order to ensure that it continues in a manner that favours protection over exploitation, protecting not just individual enterprises, but the overall trust people have in the future of the digital world. 

A significant difference from earlier AI-assisted attacks was that Claude demonstrated "on-keyboard" capability as well, performing tasks such as scanning VPN endpoints, generating custom malware, and analysing stolen datasets in order to prioritise the victims with the highest payout potential. As soon as the system was installed, it created tailored ransom notes in HTML, containing the specific financial requirements, workforce statistics, and regulatory threats of each organisation, all based on the data that had been collected. 

The amount of payments requested ranged from $75,000 to $500,000 in Bitcoin, which illustrates that with the assistance of artificial intelligence, one individual could control the entire cybercrime network. Additionally, the report emphasises how artificial intelligence and cryptocurrency have increasingly become intertwined. 

For example, ransom notes include wallet addresses in ransom notes, and dark web forums are exclusively selling AI-generated malware kits in cryptocurrency. An investigation by the FBI has revealed that North Korea is increasingly using artificial intelligence (AI) to evade sanctions, which is used to secure fraudulent positions at Western tech companies by state-backed IT operatives who use it for the fabrication of summaries, passing interviews, debugging software, and managing day-to-day tasks. 

According to U.S. officials, these operations funnel hundreds of millions of dollars a year into Pyongyang's technical weapons development program, replacing years of training with on-demand AI assistance. All in all, these revelations indicate an alarming trend: artificial intelligence is not simply enabling cybercrime, but amplifying its scale, speed, and global reach. 

According to the report by Anthropic, Claude Code has been weaponised not only to breach systems, but also to monetise stolen data. This particular tool has been used in several instances to sort through thousands of documents containing sensitive information, including identifying information, financial details, and even medical records, before generating customised ransom notes and layering extortion strategies based on each victim's profile. 

The company explained that so-called “agent AI” tools are now providing attackers with both technical expertise and hands-on operational support, effectively eliminating the need for coordinated teams of human operators to perform the same functions. Despite the warnings of researchers, these systems are capable of dynamically adapting to defensive countermeasures like malware detection in real time, making traditional enforcement efforts increasingly difficult, they warned. 

Using a classifier built by Anthropic to identify this type of behaviour, the company has shared technical indicators with trusted partners in an attempt to combat the threat. The breadth of abuse is still evident through a series of case studies: North Korean operatives use Claude to create false summaries and maintain fraud schemes involving IT workers; a UK-based criminal with the name GTG-5004 is selling AI-based ransomware variants on darknet forums. 

Some Chinese actors use artificial intelligence to penetrate Vietnamese critical infrastructure, while Russians and Spanish-speaking groups use Claude to create malware and commit credit card fraud. The use of artificial intelligence in Telegram bots marketed for romance scams or synthetic identity services has even reached the level of low-skilled actors, allowing sophisticated fraud campaigns to become more accessible to the masses. 

A new report by Anthropic researchers Alex Moix, Ken Lebedev, and Jacob Klein argues that artificial intelligence, based on the results of their research, is continually lowering the barriers to entry for cybercriminals, enabling fraudsters to create profiles of victims, automate identity theft, and orchestrate operations at a speed and scale that is unimaginable with traditional methods. In the report published by Anthropic, it appears to be revealed that artificial intelligence is increasingly being used as a weapon to challenge the foundations of digital security, despite being once seen as a shield for defenders. 

There is a solution to this, but it is not in retreating from AI adoption, but by accelerating the parallel development of defensive strategies that are at the same pace as AI adoption. According to experts, proactive guardrails are necessary to ensure that AI deployments are monitored, developers are held more accountable, and there is continuous monitoring and real-time detection systems available that can be used to identify abnormal AI behaviour before it becomes a serious problemOrganisationss must not only focus on technical defences; they must also invest in employee training, incident response readiness, and partnerships that facilitate intelligence sharing between sectors as well.

Governments are also under increasing pressure to update regulatory frameworks to keep pace with the evolving threat actors, in order to ensure that policy is updated at the same pace as they evolve. By harnessing artificial intelligence responsibly, people can still make it a powerful ally—automating defensive operations, detecting anomalies, and even predicting threats before they are even visible. In order to ensure that it continues in a manner that favours protection over exploitation, protecting not just individual enterprises, but the overall trust people have in the future of the digital world.
Read more »
Ransomware
AI Cyber Attacks ESET Research Ollama API attack PromptLock Ransomware

PromptLock: the new AI-powered ransomware and what to do about it

 



Security researchers recently identified a piece of malware named PromptLock that uses a local artificial intelligence model to help create and run harmful code on infected machines. The finding comes from ESET researchers and has been reported by multiple security outlets; investigators say PromptLock can scan files, copy or steal selected data, and encrypt user files, with code for destructive deletion present but not active in analysed samples. 


What does “AI-powered” mean here?

Instead of a human writing every malicious script in advance, PromptLock stores fixed text prompts on the victim machine and feeds them to a locally running language model. That model then generates small programs, written in the lightweight Lua language, which the malware executes immediately. Researchers report the tool uses a locally accessible open-weight model called gpt-oss:20b through the Ollama API to produce those scripts. Because the AI runs on the infected computer rather than contacting a remote service, the activity can be harder to spot. 


How the malware works

According to the technical analysis, PromptLock is written in Go, produces cross-platform Lua scripts that work on Windows, macOS and Linux, and uses a SPECK 128-bit encryption routine to lock files in flagged samples. The malware’s prompts include a Bitcoin address that investigators linked to an address associated with the pseudonymous Bitcoin creator known as Satoshi Nakamoto. Early variants have been uploaded to public analysis sites, and ESET treats this discovery as a proof of concept rather than evidence of widespread live attacks. 


Why this matters

Two features make this approach worrying for defenders. First, generated scripts vary each time, which reduces the effectiveness of signature or behaviour rules that rely on consistent patterns. Second, a local model produces no network traces to cloud providers, so defenders lose one common source of detection and takedown. Together, these traits could make automated malware harder to detect and classify. 

Practical, plain steps to protect yourself:

1. Do not run files or installers you do not trust.

2. Keep current, tested backups offline or on immutable storage.

3. Maintain up-to-date operating system and antivirus software.

4. Avoid running untrusted local AI models or services on critical machines, and restrict access to local model APIs.

These steps will reduce the risk from this specific technique and from ransomware in general. 


Bottom line

PromptLock is a clear signal that attackers are experimenting with local AI to automate malicious tasks. At present it appears to be a work in progress and not an active campaign, but the researchers stress vigilance and standard defensive practices while security teams continue monitoring developments. 



Read more »
Technology
AI Cloud Data PromptLock Ransomware Technology

Experts discover first-ever AI-powered ransomware called "PromptLock"

Experts discover first-ever AI-powered ransomware called "PromptLock"

A ransomware attack is an organization’s worst nightmare. Not only does it harm the confidentiality of the organizations and their customers, but it also drains money and causes damage to the reputation. Defenders have been trying to address this serious threat, but threat actors keep developing new tactics to launch attacks. To make things worse, we have a new AI-powered ransomware strain. 

First AI ransomware

Cybersecurity experts have found the first-ever AI-powered ransomware strain. Experts Peter Strycek and Anton Cherepanov from ESET found the strain and have termed it “PromptLock.” "During infection, the AI autonomously decides which files to search, copy, or encrypt — marking a potential turning point in how cybercriminals operate," ESET said.

The malware has not been spotted in any cyberattack as of yet, experts say. Promptlock appears to be in development and is poised for launch. 

Although cyber criminals used GenAI tools to create malware in the past, PromptLock is the first ransomware case that is based on an AI model. According to Cherepanov’s LinkedIn post, Promptlock exploits the gpt-oss:20b model from OpenAI through the Ollama API to make new scripts.

About PromptLock

Cherepanov’s LinkedIn post highlighted that the ransomware script can exfiltrate files and encrypt data, but may destroy files in the future. He said that “while multiple indicators suggest that the sample is a proof-of-concept (PoC) or a work-in-progress rather than an operational threat in the wild, we believe it is crucial to raise awareness within the cybersecurity community about such emerging risks.

AI and ransomware threat

According to Dark Reading’s conversation with ESET experts, the AI-based ransomware is a serious threat to security teams. Strycek and Cherepanov are trying to find out more about PromptLock, but they want to warn the security teams immediately about the ransomware. 

ESET on X noted that "the PromptLock ransomware is written in #Golang, and we have identified both Windows and Linux variants uploaded to VirusTotal."

Threat actors have started using AI tools to launch phishing campaigns by creating fake content and malicious websites, thanks to the rapid adoption across the industry. However, AI-powered ransomware will be a worse challenge for cybersecurity defenders.

Read more »
Ransomware
Cache CBI Data Breach Nissan Qilin Ransomware

Nissan Confirms Data Leak After Ransomware Attack on Design Unit





Nissan’s Tokyo-based design subsidiary, Creative Box Inc. (CBI), has launched an investigation into a cyberattack after a ransomware group claimed to have stolen a large cache of internal files. The company confirmed that some design data has been compromised but said the breach affects only Nissan itself, as CBI’s work is exclusively for the automaker.

CBI is a specialized design studio established in 1987 as part of Nissan’s global creative network. Unlike mainstream production teams, the unit is often described as a “think tank” where designers experiment with bold and futuristic concepts. This makes the data stored on its systems particularly valuable, as early sketches, 3D models, and conceptual ideas can reveal strategic directions for future vehicles.

The ransomware group behind the attack alleges it copied more than 400,000 files, amounting to around four terabytes of information. According to their claims, the stolen material includes design files, reports, photos, videos, and other documents connected to Nissan’s projects. While the attackers say they have not released the full dataset yet, they have threatened to make it public if their demands are ignored.

Nissan, in its official statement, confirmed the unauthorized access and the leakage of some design material. “A detailed investigation is underway, and it has been confirmed that some design data has been leaked. Nissan and CBI will continue the investigation and take appropriate measures as needed,” the company said. Importantly, Nissan clarified that the stolen information does not affect external clients, contractors, or other organizations, as CBI serves Nissan alone.

The incident illustrates the growing use of ransomware against global companies. Ransomware is a type of malicious software that enables attackers to lock or steal sensitive data and then demand payment in exchange for restoring access or withholding its public release. Beyond financial loss, the exposure of confidential design material carries strategic risks: competitors, counterfeiters, or malicious actors could exploit these files, potentially weakening Nissan’s competitive edge.

The group behind this incident, known as Qilin, has been active in targeting organizations across different sectors. In recent years, security researchers have observed the gang exploiting vulnerabilities in widely used software tools and network devices to gain unauthorized entry. Once inside, they exfiltrate data before applying pressure with public leak threats. This tactic, known as “double extortion,” has become common in the ransomware infrastructure.

Cybersecurity experts stress that incidents like this serve as reminders for companies to remain vigilant. Timely patching of known software vulnerabilities, close monitoring of employee access tools, and strong data backup practices are among the key defenses against ransomware.

For Nissan, the priority now is understanding the full scope of the breach and ensuring no further leaks occur. As investigations continue, the company has pledged to take corrective steps and reinforce its systems against similar threats in the future.


Read more »
Ransomware
AI AI-Healthcare system Cyber Hygiene CyberCrime Cybersecurity Da Vita Data Breach Digital threats Healthcare Security patient privacy Ransomware

Millions of Patient Records Compromised After Ransomware Strike on DaVita


 Healthcare Faces Growing Cyber Threats

A ransomware attack that affected nearly 2.7 million patients has been confirmed by kidney care giant DaVita, revealing that one of the most significant cyberattacks of the year has taken place. There are over 2,600 outpatient dialysis centres across the United States operated by the company, which stated that the breach was first detected on April 12, 2025, when the security team found unauthorised activity within the company's computer systems. In the aftermath of this attack, Interlock was revealed to have been responsible, marking another high-profile attack on the healthcare industry. 

Although DaVita stressed the uninterrupted delivery of patient care throughout the incident, and that all major systems have since been fully restored - according to an official notice issued on August 1 - a broad range of sensitive personal and clinical information was still exposed through the compromise. An attacker was able to gain access to a variety of information, such as name, address, date of birth, Social Security number, insurance data, clinical histories, dialysis treatment details, and laboratory results, among others. 

It represents a deep invasion of privacy for millions of patients who depend on kidney care for life-sustaining purposes and raises new concerns about the security of healthcare systems in general. 

Healthcare Becomes A Cyber Battlefield 

The hospital and healthcare industry, which has traditionally been seen as a place of healing, is becoming increasingly at the centre of digital warfare. Patient records are packed with rich financial and medical information, which can be extremely valuable on dark web markets, as compared to credit card information. 

While hospitals are under a tremendous amount of pressure to maintain uninterrupted access to their systems, any downtime in the system could threaten patients' lives, which makes them prime targets for ransomware attacks. 

Over the past few months, millions of patients worldwide have been affected by breaches that have ranged from the theft of medical records to ransomware-driven disruptions of services. As well as compromising privacy, these attacks have also disrupted treatment, shaken public trust, and increased financial burdens on healthcare organisations already stressed out by increasing demand. 

A troubling trend is emerging with the DaVita case: in the last few years, cybercriminals have progressively increased both the scale and sophistication of their campaigns, threatening patient safety and health. DaVita’s Ransomware Ordeal.  It was reported that DaVita had confirmed the breach in detail on August 21, 2025, and that it filed disclosures with the Office for Civil Rights of the U.S. Department of Health and Human Services. 

Intruders started attacking DaVita's facility on March 24, 2025, but were only removed by April 12 after DaVita's internal response teams contained the attack. Several reports indicate that Interlock, the ransomware gang that was responsible for the theft of the data, released portions of the data online after failing to negotiate with the firm. Although the critical dialysis services continued uninterrupted, as is a priority given the fact that dialysis is an essential treatment, the attack did temporarily disrupt laboratory systems. There was an exceptionally significant financial cost involved. 

According to DaVita's report for the second quarter of 2025, the breach had already incurred a total of $13.5 million in costs associated with it. Among these $1 million, $1 million has been allocated to patient care costs relating to the incident, while $12.5 million has been allocated to administrative recovery, system restoration, and cybersecurity services provided by professional third-party service providers. 

Expansion of the Investigation 

According to DaVita's Securities and Exchange Commission filings in April 2025, it first acknowledged that there had been a security incident, but it said that the scope of the data stolen had not yet been determined. During the months that followed, forensic analysis and investigations expanded. State Attorneys General were notified, and the extent of the problem began to be revealed: it was estimated that at least one million patients were affected by the virus. As more information came to light, the figures grew, with OCR's breach portal later confirming 2,688,826 victims. 

DaVita, based on internal assessments, believed that the actual number of victims may be slightly lower, closer to 2.4 million, and the agency intends to update its portal in accordance with those findings. Although the company is struggling with operational strains, it has assured its patients that it will continue providing dialysis services through its 3,000 outpatient centres and home-based programs worldwide – a sign of stability in the face of crisis, given that kidney failure patients require life-saving treatment that cannot be avoided. 

Even so, the attack underscored just how severe financial and reputational damage such incidents can have. This will mean that the cost of restoring systems, engaging cybersecurity experts and providing patients with resources such as credit monitoring and data protection will likely continue to climb in the coming months. 

Data Theft And Interlock’s Role 

It appears that Interlock has become one of the most aggressive ransomware groups out there since it appeared in 2024. In the DaVita case, it is said that the gang stole nearly 1.5 terabytes of data, including approximately 700,000 files. In addition to the patient records, the stolen files were also suspected to contain insurance documents, user credentials, and financial information as well. 

A failed negotiation with DaVita caused Interlock to publish parts of the data on its dark web portal, after which parts of the data were published. On June 18, DaVita confirmed that some of the files were genuine, tracing them back to the dialysis laboratory systems they use. As part of its public statement, the company stated that it had acknowledged that the lab's database had been accessed by unauthorised persons and that it would notify both current and former patients. 

Additionally, DaVita has begun to provide complimentary credit monitoring services as part of its efforts to reduce risks. Interlock's services go well beyond DaVita as well. Several universities in the United Kingdom have been attacked by a remote access trojan referred to as NodeSnake, which was deployed by the group in recent campaigns. 

Recent reports indicate that the gang has also claimed responsibility for various attacks on major U.S. healthcare providers, including a major organisation with more than 120 outpatient facilities and 15,000 employees, known as Kettering Health. Cyberattacks on healthcare have already proven to be a sobering reminder of how varied and destructive they can be. Each major breach has its own particular lessons that need to be taken into account:

The Ascension case shows how a small mistake made by a single employee can escalate into a huge problem that affects every employee. The Yale New Haven Health System shows that institutions that have well-prepared strategies are vulnerable to persistent adversaries despite their best efforts. It was revealed by Episource that third-party and supply chain vulnerabilities can result in significant damage to a network, showing how the impact of a single vendor breach may ripple outward. 

Putting one example on display, DaVita shows how the disruption caused by ransomware is different from other disruptions, as it involves both data theft and operational paralysis. There have been incidents when hackers have accessed sensitive healthcare records at scale, but there have also been incidents where simple data configuration issues have led to these breaches.

In view of these incidents, it is clear that compliance-based checklists and standard security frameworks may not be sufficient for the industry anymore. Instead, the industry must be more proactive and utilise intelligence-driven defences that anticipate threats rather than merely reacting to them as they occur. 

The Road Ahead For Healthcare Security 

The DaVita breach is an example of a growing consensus among healthcare providers that their cybersecurity strategies must be strengthened to match the sophistication of modern attackers. 

Cybercriminals value patient records as one of their most valuable assets, and every time this happens, patients' trust in their providers is undermined directly. Additionally, the operational stakes are higher than in most industries, as any disruption can put patients' lives at risk, which is why every disruption can be extremely dangerous. 

Healthcare organisations in emerging countries, as well as hospitals in India, need to invest in layered defences, integrate threat intelligence platforms, and strengthen supply chain monitoring, according to security experts. Increasingly, proactive approaches are viewed as a necessity rather than an option for managing attack surfaces, prioritising vulnerabilities, and continually monitoring the dark web. Consequently, the DaVita case is more than just an example of how a single company suffered from ransomware. 

It's also a part of a wider pattern shaping what the future of healthcare will look like. There is no doubt that in this digital age, where a breach of any record can lead to death or injury, it is imperative to have foresight, invest in cybersecurity, and recognise that it is on an equal footing with patient care. It has become evident that healthcare cybersecurity needs to evolve beyond reactive measures and fragmented defences as a result of these developments. 

In today's world, digital security cannot simply be treated as a side concern, but rather must be integrated into the very core of a patient care strategy, which is why the industry must pay close attention to it. Taking a forward-looking approach to cyber hygiene should prioritise investments in continuous cyber hygiene, workforce awareness in cybersecurity, and leveraging new technologies such as zero-trust frameworks, advanced threat intelligence platforms, and artificial intelligence (AI)-driven anomaly detection systems. 

The importance of cross-industry collaboration cannot be overstated: it requires shared standards to be established and the exchange of real-time intelligence to be achieved, so hospitals, vendors, regulators, and cybersecurity providers can collectively resist adversaries who operate no matter what borders or industries are involved.

By reducing risks, such measures will also allow people to build patient trust, reduce recovery costs, and ensure uninterrupted delivery of essential care, as well as create long-term value. In the healthcare sector that is becoming increasingly digitalised and interdependent, the organisations that proactively adopt layered defences and transparent communication practices will not only be able to mitigate threats but also position themselves as leaders in a hostile cyber environment that is ripe with cyber threats. 

Clearly, if the patients' lives are to be protected in the future, the protection of their data must equally be paramount.
Read more »
SIM Swapping
cryptocurrency Cyber Security FBI phishing Ransomware SIM Swapping

FBI Warns of Rising Online Threats Targeting Youth and Digital Assets





The Federal Bureau of Investigation (FBI) has raised concern over what it describes as a fast-expanding online threat, warning that criminal groups are becoming more organized and dangerous in cyberspace. The activity includes ransomware, phishing scams, cryptocurrency theft, and even violent real-world crimes linked to online networks.

According to the FBI, one of the most concerning groups involved in these activities is part of an online collective often referred to as “The Com,” short for “The Community.” This loosely connected network is made up of several subgroups, including one known as “Hacker Com.” The collective primarily communicates in English and has members spread across different countries.

A striking detail is that many individuals taking part are very young, with ages ranging from early teens to their mid-20s. Recruitment often happens on online gaming platforms, social media channels, or through existing members who look for people with shared interests.

The FBI notes that the scale and sophistication of these groups has increased substantially over the past four years. Members use advanced tools such as phishing kits, voice changers, and other techniques to disguise their identities and hide illegal financial dealings. These methods make it difficult for law enforcement to trace stolen funds or identify those responsible.

Much of the activity is financially motivated, especially through schemes involving cryptocurrency. Offenses include SIM swapping, hacking into networks, and in some cases, direct physical threats. The FBI has reported that criminal actors have resorted to extreme methods such as coercion, intimidation, and even violence to force victims into giving up access to digital accounts.

Beyond theft, some members also carry out dangerous acts such as swatting: making false emergency reports that lead armed law enforcement to a target’s home or issuing bomb threats. These tactics are sometimes used to distract authorities during larger cyberattacks or thefts. Disturbingly, certain groups have extended their activities into the offline world, where crimes can escalate into real-world violence.

Given the scope of the threat, the FBI is advising the public to be cautious when sharing personal details online. Posting photos, videos, or sensitive information on social media, dating platforms, or gaming forums can make individuals and families targets. Parents are especially encouraged to stay alert to their children’s online activity and to have open conversations about the potential risks.

For those who believe they may have been targeted or victimized, the FBI recommends keeping all available evidence, such as messages or transaction details, and reporting incidents promptly through its Internet Crime Complaint Center (ic3.gov) or by contacting a local FBI field office.

The Bureau emphasizes that awareness and vigilance are key defenses against these developing online dangers.


Read more »
Subscribe to: Posts (Atom)