Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label ransomware attacks. Show all posts
Rhysida
California Databreach Exposed Patient Records Healthcare Privacy ransomware attacks Rhysida

Tribal Health Clinics in California Report Patient Data Exposure

 


Patients receiving care at several tribal healthcare clinics in California have been warned that a cyber incident led to the exposure of both personal identification details and private medical information. The clinics are operated by a regional health organization that runs multiple facilities across the Sierra Foothills and primarily serves American Indian communities in that area.

A ransomware group known as Rhysida has publicly claimed responsibility for a cyberattack that took place in November 2025 and affected the MACT Health Board. The organization manages several clinics in the Sierra Foothills region of California that provide healthcare services to Indigenous populations living in nearby communities.

In January, the MACT Health Board informed an unspecified number of patients that their information had been involved in a data breach. The organization stated that the compromised data included several categories of sensitive personal information. This exposed data may include patients’ full names and government-issued Social Security numbers. In addition to identity information, highly confidential medical details were affected. These medical records can include information about treating doctors, medical diagnoses, insurance coverage details, prescribed medications, laboratory and diagnostic test results, stored medical images, and documentation related to ongoing care and treatment.

The cyber incident caused operational disruptions across MACT clinic systems starting on November 20, 2025. During this period, essential digital services became unavailable, including phone communication systems, platforms used to process prescription requests, and scheduling tools used to manage patient appointments. Telephone services were brought back online by December 1. However, as of January 22, some specialized imaging-related services were still not functioning normally, indicating that certain technical systems had not yet fully recovered.

Rhysida later added the MACT Health Board to its online data leak platform and demanded payment in cryptocurrency. The amount requested was eight units of digital currency, which was valued at approximately six hundred sixty-two thousand dollars at the time the demand was reported. To support its claim of responsibility, the group released sample files online, stating that the materials were taken from MACT’s systems. The files shared publicly reportedly included scans of passports and other internal documents.

The MACT Health Board has not confirmed that Rhysida’s claims are accurate. There is also no independent verification that the files published by the group genuinely originated from MACT’s internal systems. At this time, it remains unclear how many individuals received breach notifications, what method was used by the attackers to access MACT’s network, or whether any ransom payment was made. The organization declined to provide further information when questioned.

In its written notification to affected individuals, MACT stated that it experienced an incident that disrupted its information technology operations. The organization reported that an internal investigation found that unauthorized access occurred to certain files stored on its systems during a defined time window between November 12 and November 20, 2025.

The health organization is offering eligible individuals complimentary identity monitoring services. These services are intended to help patients detect possible misuse of personal or financial information following the exposure of sensitive records.

Rhysida is a cybercriminal group that first became active in public reporting in May 2023. The group deploys ransomware designed to both extract sensitive data from victim organizations and prevent access to internal systems by encrypting files. After carrying out an attack, the group demands payment in exchange for deleting stolen data and providing decryption tools that allow victims to regain access to locked systems. Rhysida operates under a ransomware-as-a-service model, in which external partners pay to use its malware and technical infrastructure to carry out attacks and collect ransom payments.

The group has claimed responsibility for more than one hundred confirmed ransomware incidents, along with additional claims that have not been publicly acknowledged by affected organizations. On average, the group’s ransom demands amount to several hundred thousand dollars per incident.

A significant portion of Rhysida’s confirmed attacks have targeted hospitals, clinics, and other healthcare providers. These healthcare-related incidents have resulted in the exposure of millions of sensitive records. Past cases linked to the group include attacks on healthcare organizations in multiple U.S. states, with ransom demands ranging from over one million dollars to several million dollars. In at least one case, the group claimed to have sold stolen data after a breach.

Researchers tracking cybersecurity incidents have recorded more than one hundred confirmed ransomware attacks on hospitals, clinics, and other healthcare providers across the United States in 2025 alone. These attacks collectively led to the exposure of nearly nine million patient records. In a separate incident reported during the same week, another healthcare organization confirmed a 2025 breach that was claimed by a different ransomware group, which demanded a six-figure ransom payment.

Ransomware attacks against healthcare organizations often involve both data theft and system disruption. Such incidents can disable critical medical systems, interfere with patient care, and create risks to patient safety and privacy. When hospitals and clinics lose access to digital systems, staff may be forced to rely on manual processes, delay or cancel appointments, and redirect patients to other facilities until systems are restored. These disruptions can increase operational strain and place patients and healthcare workers at heightened risk.

The MACT Health Board is named after the five California counties it serves: Mariposa, Amador, Alpine, Calaveras, and Tuolumne. The organization operates approximately a dozen healthcare facilities that primarily serve American Indian communities in the region. These clinics provide a range of services, including general medical care, dental treatment, behavioral health support, vision and eye care, and chiropractic services.


Read more »
Third Party Risk
Cyber Risk Management Data Breach Healthcare cybersecurity Healthcare IT Systems Healthcare Ransomware Medical Data Security patient data protection ransomware attacks Third Party Risk

Cybercriminals Report Monetizing Stolen Data From US Medical Company


Modern healthcare operations are frequently plagued by ransomware attacks, but the recent attack on Change Healthcare marks a major turning point in terms of scale and consequence. In the context of an industry that is increasingly relying on digital platforms, there is a growing threat environment characterized by organized cybercrime, fragile third-party dependency, and an increasing data footprint as a result of an increasingly hostile threat environment. 

With hundreds of ransomware incidents and broader security incidents already occurring in a matter of months, recent figures from 2025 illustrate just how serious this shift is. It is important to note that a breach will not only disrupt clinical and administrative workflows, but also put highly sensitive patient information at risk, which can result in cascading operational, financial, and legal consequences for organizations. 

The developments highlighted here highlight a stark reality: safeguarding healthcare data does not just require technical safeguards; it now requires a coordinated risk management strategy that anticipates breaches, limits their impacts, and ensures institutional resilience should prevention fail. 

Connecticut's Community Health Center (CHC) recently disclosed a significant data breach that occurred when an unauthorized access to its internal systems was allowed to result in a significant data breach, which exemplifies the sector's ongoing vulnerability to cyber risk. 

In January 2025, the organization was alerted to irregular network activity, resulting in an urgent forensic investigation that confirmed there was a criminal on site. Upon further analysis, it was found that the attacker had maintained undetected access to the system from mid-October 2024, thereby allowing a longer window for data exfiltration before the breach was contained and publicly disclosed later that month. 

There was no ransomware or disruption of operations during the incident, but the extent of the data accessed was significant, including names, dates of birth, Social Security numbers, health insurance details, and clinical records of patients and employees, which included sensitive patient and employee information.

More than one million people, including several thousand employees, were affected according to CHC, demonstrating the difficulties that persist in early detection of threats and data protection across healthcare networks, and highlighting the urgent need for strengthened security measures as medical records continue to attract cybercriminals. 

According to Cytek Biosciences' notification to affected individuals, it was learned in early November 2025 that an outside party had gained access to portions of the Biotechnology company's systems and that the company later determined that personal information had been obtained by an outside party. 

As soon as the company became aware of the extent of the exposure, it took immediate steps to respond, including offering free identity theft protection and credit monitoring services for up to two years to eligible individuals, which the company said it had been working on. 

As part of efforts to mitigate potential harm resulting from the incident, enrollment in the program continues to be open up until the end of April 2026. Threat intelligence sources have identified the breach as being connected to Rhysida, which is known for being a ransomware group that first emerged in 2023 and has since established itself as a prolific operation within the cybercrime ecosystem.

A ransomware-as-a-service model is employed by the group which combines data theft with system encryption, as well as allowing affiliates to conduct attacks using its malware and infrastructure in return for a share of the revenue. 

The Rhysida malware has been responsible for a number of attacks across several sectors since its inception, and healthcare is one of the most frequent targets. A number of the group's intrusions have previously been credited to hospitals and care providers, but the Cytek incident is the group's first confirmed attack on a healthcare manufacturer, aligning with a trend which is increasingly involving ransomware activity that extends beyond direct patient care companies to include medical suppliers and technology companies. 

Research indicates that these types of attacks are capable of exposing millions of records, disrupting critical services, and amplifying risks to patient privacy as well as operational continuity, which highlights that the threat landscape facing the U.S. healthcare system is becoming increasingly complex. 

As a result of the disruption that occurred in the U.S. healthcare system, organizations and individuals affected by the incident have stepped back and examined how Change Healthcare fits into the system and why its outage was so widespread. 

With over 15 years of experience in healthcare technology and payment processing under the UnitedHealth Group umbrella, Change Healthcare has played a critical role as a vital intermediary between healthcare providers, insurers, and pharmacists by verifying eligibility, getting prior authorizations, submitting claims, and facilitating payment processes. 

A failure of this organization in its role at the heart of these transactions can lead to cascading delays in prescription, reimbursement, and claim processing across the country when its operational failure extends far beyond the institution at fault. 

According to findings from a survey conducted by the American Medical Association, which documented widespread financial and administrative stress among physician practices, this impact was of a significant magnitude. There have been numerous reports of suspended or delayed claims payments, the inability to submit claims, or the inability to receive electronic remittance advice, and widespread service interruptions as a consequence. 

Several practices cited significant revenue losses, forcing some to rely on personal funds or find an alternative clearinghouse in order to continue to operate. There have been some relief measures relating to emergency funding and advance payments, but disruptions continue to persist, prompting UnitedHealth Group to disburse more than $2 billion towards these efforts. 

Moreover, patients have suffered indirect effects not only through billing delays, unexpected charges, and notifications about potential data exposures but also outside the provider community. This has contributed to increased public concern and renewed scrutiny of the systemic risks posed by the compromise of an organization's central healthcare infrastructure provider. 

The fact that the incidents have been combined in this fashion highlights a clear and cautionary message for healthcare stakeholders: it is imperative to treat cyber resilience as a strategic priority, rather than a purely technical function. 

Considering that large-scale ransomware campaigns have been running for some time now, undetected intrusions for a prolonged period of time, as well as failures at critical intermediaries, it is evident that even a single breach can escalate into a systemic disruption that affects providers, manufacturers, and patients. 

A growing number of industry leaders and regulators are called upon to improve the oversight of third parties, enhance the tools available for breach detection, and integrate financial, legal, and operational preparedness into their cybersecurity strategies. 

It is imperative that healthcare organizations adopt proactive, enterprise-wide approaches to risk management as the volume and value of healthcare data continues to grow. Organizations that fail to adopt this approach may not only find themselves unable to cope with cyber incidents, but also struggle to maintain trust, continuity, and care delivery in the aftermath of them.
Read more »
Ransomware group
Black Basta Conti Ransomware Cyber Extortion Cybercrime Investigation Data Breach Interpol Red Notice Oleg Nefedov ransomware attacks Ransomware group

Black Basta Under Pressure After Ukraine Germany Enforcement Operation


 

Investigators say the Black Basta ransomware campaign left a trail of disruption that extended across Europe and beyond, impacting everything from hospital wards to industrial production lines that were abruptly halted, resulting in a temporary ban of internet and phone use.

Prosecutors from the German Federal Ministry of Justice, along with international law enforcement partners, now believe that the trail of this extortion, the most damaging in recent years, can be traced back to one individual who they describe as the driving force behind one of these operations. 

There has been an investigation into whether Oleg Nefedov was the architect and operational leader of the Black Basta group. Authorities have identified him as a Russian national. 

Authorities accuse him of coordinating a massive ransomware campaign against companies and public institutions across multiple continents by forming and leading an overseas criminal organization.

There is a suspicion among investigators that Nefedov was responsible for leading the organization's core activities, including selecting targets, recruiting affiliates, orchestrating intrusions, and negotiating ransoms, while the proceeds of the transactions were laundered via cryptocurrency wallets and distributed among all participants in the scheme.

Black Basta was also analyzed from an online alias perspective and suspected ties to a now-defunct ransomware collective named Conti. This reinforces the assessment that Black Basta arose from an advanced and interconnected cybercrime ecosystem that has matured over many years. 

Officials from the Federal Republic of Germany have confirmed that Nefedov still resides in Russia and that he has been placed on Interpol's international wanted list, an indication that European authorities have intensified their efforts to identify and pursue the individuals behind cyber extortion committed in large scale industrial scales. 

The Federal Criminal Police Office of Germany has confirmed that Oleg Nefedov, a 36-year-old Russian national suspected of leading the Black Basta ransomware group, is one of the suspected leaders of the ransomware. He is charged with forming criminal organizations abroad, orchestrating large-scale extortion crimes, and committing related cyber crimes. 

A central coordinator was alleged by investigators to be Nefedov. During his time at the group, Nefedov selected targets, recruited and managed members, assigned operational roles, negotiated ransom demands, and distributed extorted proceeds, which were usually paid in cryptocurrency, according to the investigation. 

There were several aliases he operated under on the internet-including tramp, tr, gg, kurva, AA, Washingt0n, and S.Jimmi-and authorities say he may have maintained a connection to the now-defunct Conti ransomware group. 

According to German authorities, Nefedov is believed to be in Russia at the moment, though his exact location remains unclear. Interpol has also added him to a global wanted list. In recent months, the investigation has been further strengthened by numerous disclosures and enforcement actions that have heightened the investigation. 

A leaked internal chat log attributed to Black Basta, which gave rare insights into the group's organization, operations, and communications, as well as exposing identifying information about the individuals involved. This information provided an insight into the organization's inner workings and daily operations. 

According to cybersecurity researchers, many of the Black Basta members previously operated within criminal networks that were closely linked to the Conti and Ryuk ransomware strains, as well as the TrickBot banking trojan — operations that have led Western governments to identify and sanction more than a dozen individuals for their involvement in such attacks. 

According to researchers and investigators, Black Basta is the result of the collapse of Conti, a ransomware operation which fragmented into smaller, semi-autonomous cells after it shut down. In a recent study published by the International Security Agency, Black Basta has been widely interpreted as a rebranding of the former Conti infrastructure, with many of those splinter groups either embedding themselves into existing ransomware schemes or controlling existing operations. 

It has been demonstrated that this view has been reinforced by a review of leaked internal communications by Trellix researchers. According to those who reviewed the Black Basta chat logs, GG and Chuck were exchanging emails about a purported $10 million reward for information about an individual, referred to as “tr” or “-amp,” an individual which researchers believe corresponds to a bounty offered by the U.S. Government for information that will lead to the identification of key Conti figures, including Tramp, the hacker. 

Additionally, Trellix researchers found that within the leaked conversations, GG was identified as Tramp, who had been regarded as Conti's leader for some time, by a participant called "bio," sometimes known as "pumba," a figure who was previously connected to the Conti organization. 

These findings echo those released earlier in February 2022, when a researcher revealed Conti's internal chats in the aftermath of the Russian invasion of Ukraine, revealing internal dynamics and explicitly referring to Tramp as leader of the group. 

It is well-known that such leaks have long been a source of attribution efforts within the cybersecurity industry, but German authorities say that their current case rests on evidence gathered through intelligence and investigation on the German side. 

Oleg Nefedov has been identified formally as the head of the Black Basta ransomware group by Europol, and the Interpol red notice database has been updated with his name. This is a crucial step in the international effort to enquire about the group's activities, marking a decisive step in the effort to enshrine accountability for the group. 

The data breach is the result of an attack on more than 500 organizations across North America, Europe, and Australia by means of Black Basta's ransomware-as-a-service model, which was active since April 2022 and caused hundreds of millions of dollars in damage in the process.

Two suspects in western Ukraine, which were allegedly acting as hash crackers in order to help facilitate network intrusions, data theft, and ransomware deployment, were also announced by German authorities. The police seized digital devices and cryptocurrency during raids that are related to the incident, and are currently conducting forensic analysis of the evidence. 

Official figures underscore the scale of the damage attributed to the group. An official press release from the German authorities stated that documented Black Basta attacks have caused prolonged operational disruptions at over 100 companies in Germany, as well as over 700 organizations worldwide, including hospitals, public institutions, and government agencies. 

In Germany, it is estimated that losses will exceed 20 million euros in the next few years. Research conducted in December 2023 by blockchain analytics firm Elliptic and Corvus Insurance found that over the course of the past four years, the group accumulates at least $107 million in Bitcoin ransom payments, which has been determined to be paid by over 329 victims in 31 countries across the world. 

A detailed analysis of blockchain transactions also revealed a clear financial and operational link between Black Basta and Conti, which supported the conclusions of law enforcement that this syndicate grew out of a well-established, interconnected cybercrime ecosystem that was well-established and interconnected. 

In light of the scope and selectivity of Black Basta's operations, it is evident why it has been a top priority for law enforcement and security researchers to investigate. A number of victims have been confirmed, including Rheinmetall, Hyundai, BT Group, Ascension, ABB, the American Dental Association, U.K.-based outsourcing company Capita, the Toronto Public Library, the Yellow Pages Canada, and others. 

These victims include German defense contractor Rheinmetall, Hyundai's European division, BT Group, as well as the United States healthcare provider Ascension. According to the researchers, the group did not operate in an indiscriminate manner, but applied a targeted strategy based on geography, industry, and organizational revenue, while also closely tracking geopolitical developments in order to reduce the likelihood of retaliation from law enforcement agencies. 

A ransomware operation known as Black Basta, which is characterized by a focus on large, high-revenue organizations with the ability to pay large ransoms, was known to be targeting large, high-revenue organizations. Based on internal communications, it appears that entities in both the United States and Germany were the most likely to pay a ransom. 

There are 57 percent of victims in the United States who had reported a leak between April 2022 and January 2025, with Germany accounting for 12 percent, while additional victims were observed throughout Europe, Asia Pacific and the Americas as well. 

Accordingly, that assessment is reflected in activity observed on the group's leak site. Several leaks of internal chats in the group have introduced rare insights into the group's internal structure, its financial management, and its extortion practices, which have strengthened efforts to identify key actors and disrupt their operations by exposing real-world names and financial transactions. 

Despite the fact that Black Basta’s data leak site is currently offline, analysts warn that the group still has the resources and incentives to re-emerge, either by adopting a new name or partnering with other ransomware crews, illustrating how authorities continue to face challenges in dismantling entrenched cybercrime networks rather than simply disrupting them, even when the site is offline. 

Together, these findings present a detailed portrayal of a ransomware operation that developed out of a fractured but resilient cybercrime ecosystem into a global enterprise that has far-reaching consequences. Having identified an alleged leader along with financial tracing, leaking internal communications, and coordinated international enforcement, German authorities state that the investigation has matured—with an emphasis not only on disruption, but also on attribution and accountability for ransomware. 

It should be noted that while law enforcement actions have slowed Black Basta's visible activities, experts and officials agree that dismantling such networks will take years, especially when key figures are believed to be operating in jurisdictions that are beyond the reach of law enforcement officials. 

In addition to demonstrating the extent of the harm caused by ransomware campaigns, the case also highlights the growing determination of governments to pursue those responsible, even through the broader cybercrime landscape continues to evolve, fragment, and resurface.
Read more »
supply chain security
Cybersecurity Education Cybersecurity Workforce Data Breach Data Breaches Digital Espionage Emerging Market Cyber Risks global cybercrime ransomware attacks Regulatory Cyber Frameworks supply chain security

Surge in Cybercrime Undermines Online Safety Efforts


 

With data breaches, ransomware incidents, and state-sponsored digital espionage increasingly dominating global headlines, cybersecurity has become a strategic priority for governments and corporations alike, moving from a back-office concern to a front-line concern. 

A widening gap between risk and readiness is visible in almost all industries due to the rapid acceleration of the threat landscape. This has resulted in a global demand for qualified cybersecurity professionals. 

Among the findings of the 2024 ISC2 Cybersecurity Workforce Study, which underscores the magnitude of the problem, is the finding that the shortage has now exceeded four million cybersecurity professionals worldwide, and it is only expected to increase. 

Currently, this imbalance is affecting both job seekers and career changers, reshaping the workforce and positioning cybersecurity as a field of unparalleled resilience and opportunity in the digital economy. In a world where skilled personnel are scarce, but essential to safeguarding critical infrastructure and sensitive data worldwide, cybersecurity has become one of the most valuable and resilient fields. 

The concept of cybercrime, which consists of criminal activity that targets or exploits computers, networks, or connected devices, has evolved into a complex and globally networked threat ecosystem. 

Cybercriminals continue to be motivated primarily by financial gain, but they are also influenced by political, ideological, or personal goals, such as espionage and disruption, which contributes to the increase in cybercrime attacks. 

There are many kinds of threat actors, from loosely organized novice hackers to highly coordinated criminal syndicates with sophisticated tools and techniques. In emerging economies, internet penetration has steadily increased.

As a result, regions like Africa have become increasingly the testing ground for new cyberattack techniques as they have deepened across emerging economies. GI-TOC (Global Initiative Against Transnational Organized Crime) published a report that revealed that cybercrime has been rising steadily over the African continent in recent years, with Kenya, Nigeria, and South Africa, which is among the most digitally connected countries in sub-Saharan Africa, facing a constant attack from cybercriminals.

There is evidence that malicious actors are testing new strains of ransomware and cyber-based attacks in these environments before they are deployed elsewhere, underscoring the global nature and adaptiveness of the threat. However, India is faced with a parallel challenge that is shaped by its digital transformation on a scale and at a pace that cannot be matched. 

With the advent of online banking, e-commerce, government platforms, and mobile services, the country has seen a surge in cybercrime, affecting individuals and businesses alike. This is a result of the ongoing implementation of technology in everyday life. 

According to official data released by the National Cyber Reporting Platform in 2024, over 1.7 million complaints about cybercrime were filed, an increase of more than 10 percent from last year. This is a result of a growing awareness of cybercrime and an increase in attacks. 

It has been found that a significant proportion of these incidents were linked to transnational cybercrime hubs located in Southeast Asia. Thus, it highlights the limitations of purely domestic defenses against cybercrime. Several reports, such as PwC's Global Digital Trust Insights for India for 2025, rank cyber and digital risks among the top concerns for corporate leaders across the country. 

Cyber and digital risks have also been ranked high in the assessment as prevalent concerns among Indian businesses. In addition to this, security researchers report that Indian websites receive millions of malicious requests every year, while attackers are increasingly targeting mobile applications and potentially exposed APIs, pointing to a strategic shift to disrupt connected and consumer-facing digital services and networks as a result. 

As cybercrime becomes more sophisticated and sophisticated across Africa, structural weaknesses in law enforcement and regulatory capacity are compounding this problem, so there is an increasingly uneven playing field between the states and the sophisticated criminal networks that are well funded. 

GI-TOC analysts noted that a number of law enforcement agencies in the continent lack advanced digital forensics capabilities, secure evidence storage systems, and real-time network monitoring technologies, as well as advanced digital forensics capabilities. 

These limitations have a significant impact on the ability of law enforcement agencies to investigate cybercriminal activities and dismantle transnational cybercriminals in a timely manner. 

Due to this capability gap, attackers have enhanced their techniques by targeting vulnerable government institutions and businesses in critical sectors such as finance, energy, and manufacturing, so that they can then export these techniques to jurisdictions with strengthened defenses. 

It is generally believed that ransomware and distributed denial-of-service attacks remain some of the most prevalent ways for hackers to disrupt economic and social systems, causing severe economic and social disruption. In terms of the financial toll, cyber incidents have cost African economies billions of dollars each year, and are causing a great deal of damage. 

As a result of high-profile attacks, Ghana's national power distribution system has been disrupted, health and statistical agencies in Nigeria and South Africa have been compromised, sensitive customer data has been exposed in Namibia, and the Ugandan central bank has sustained considerable losses. 

The incidents underscore the fragmentation of regulations, underdeveloped infrastructure, and lack of policy coordination that have made some parts of the African continent a hub of illicit activity. This includes the large-scale online fraud and the digitally enabled transnational crimes that are taking place there. 

The GI-TOC estimates that in 2025, cybercrime would account for nearly one-third of reported criminal activity in West and East Africa, totaling approximately $3 billion in lost revenue and reputational damages, figures which, the organization warns may be understated due to systemic transparency gaps. 

Cybercrime has emerged as one of the biggest vulnerabilities in the cybersecurity industry against this backdrop, and the shortage of cybersecurity professionals has become an even more critical concern. 

A well-structured cybersecurity education has become a cornerstone of resilience, giving individuals the technical skills to identify weaknesses in systems, respond to evolving threats, and maintain ethical and regulatory standards as well as enabling them to identify system weaknesses. 

It is now possible to take courses ranging from foundational courses covering networks, operating systems, to advanced, role-specific courses in cloud security, application protection, and governance, risk, and compliance, among others. 

It is becoming increasingly important for national security and economic stability to develop a skilled, well-trained workforce in order to combat cyber threats that are becoming more complex and interconnected. 

In addition to deploying technical defenses themselves, a single cyber incident can result in severe consequences, which extend well beyond the financial losses caused by the incident, ranging from data breaches to malware infections to ransomware attacks. 

Based on the findings of the Hiscox Cyber Readiness Report 2024, there are a large number of businesses that have suffered a cyberattack over the past year. More than two-thirds of them report that they have experienced a rise in cyberattacks since the previous 12-month period, while half also report that they have experienced a rise in incidents during that period. 

It is often difficult for organizations to attract new customers and retain existing clients due to a long-term fallout. Many organizations reported experiencing erosion of existing client relationships, and sustained reputational damage due to negative publicity. 

There are many aspects of these attacks that are not limited to businesses, but also individuals caught in them, who may face identity theft, direct financial loss, and a loss of trust in digital systems as a result. 

The emergence of remote work and hybrid work models has made small and medium-sized enterprises or SME's particularly attractive targets, especially due to the greater digital attack surfaces they offer and the increase in security resources they already have. 

There have been a significant number of high-profile incidents involving widely used service providers and their trusted third-party vendors, highlighting the fact that cybercriminals are increasingly exploiting supply chain vulnerabilities to compromise multiple organizations simultaneously. As reported by a number of industry experts, SMEs are often unable to cope with the financial and operational shocks resulting from a successful cyberattack. 

In fact, a substantial number are indicating that they may have to suspend operations if such an event occurs. In response to the escalating threat environment, governments and international bodies have increased their efforts to coordinate and regulate.

A growing number of law enforcement agencies across borders are collaborating more closely with one another, while new legislative frameworks, including strengthened European network security directives and global cybercrime conventions, are bringing greater accountability to organizations regarding the safeguarding and strengthening of information, and the timely disclosure of breaches as part of a broad effort to reduce cybercrime's economic and social costs.

The combination of all of these developments suggests that the world is entering a turning point in its digital economy, where cybersecurity is no longer just a niche function, but has become a fundamental element needed for sustained growth and public trust. 

Despite the fact that cyber threats continue to transcend borders, sectors, and technologies, the effective governance and response to future cyber threats will be dependent on ensuring that strong policy frameworks are in place, cross-border cooperation is encouraged, and sustained investments in human capital are made. 

Cybersecurity education and reskilling programs can help to create inclusive economic opportunities as well as close workforce gaps, particularly in regions that are most vulnerable to digital threats. 

While organizations need to move beyond reactive security models in order to remain compliant with the threat landscape, they should also make sure they build cyber resilience into their business strategies, supply chain governance practices, and technology designs from the very beginning. 

Having clear accountability, regular risk assessments, and transparent incident reporting can further strengthen collective defenses. 

In the end, as digital systems become more intertwined with daily life and critical infrastructure, it is imperative to create a cybersecurity ecosystem that is resilient so that not only financial and operational losses can be minimized, but confidence in the digital transformation that is shaping economies globally will also be reinforced.
Read more »
South Africa
Cyber Fraud Festive Scams Online fraud ransomware attacks South Africa

South Africa Warns of Cybercrime Surge Amid Festive Season

 

South Africa is experiencing a sudden and deeply concerning rise in cybercrime this holiday season, with consumers and businesses being warned to prepare for more aggressive attacks on digital banking, mobile applications and online services. 

Surge in festive-season attacks

The law firm Cox Yeats has witnessed a significant rise in cyberattacks themed around online shopping and digital payments, criminals are leveraging fake online shops, phishing emails, malicious QR codes and AI-powered impersonation scams to trick people into handing over credentials and payment data. They are encouraged to confirm any communications, transact only in official channels, avoid public Wi‑Fi when conducting transactions and use VPNs or mobile data, and report any suspicious activity as soon as possible.

The Information Regulator logged a total of 2 374 data breach cases that were officially reported for the 2024/25 period, averaging at a high of 200 incidents a month and increasing to about 300 monthly notifications in the current financial year—a 40% increase in security breaches. No organization is immune, as recent attacks have compromised government agencies, healthcare providers, financial institutions, retailers and telecommunication providers in ransomware, data theft and extortion. 

Financial and human cost 

The economic impact is devastating, with the median cost of a data breach to a local business now hovering near R49 million, a sum that can lay waste to even the most well-run small or medium-sized business. South African consumers lost more than R1 billion in 2023 alone through digital banking and mobile app scams, while SABRIC reckons annual losses to cyber-attacks could be as high as R3.3 billion, accompanied by 45% rise in digital banking fraud and a 47% increase in such related financial losses. 

Surveys cited by Mpahlwa show that 70% of South African consumers have fallen victim to cybercrime, compared with 50% globally, with 35% admitting to losing money in scams and 32% acknowledging that they clicked on phishing emails. The emotional strain is mounting too, with 58% of people expressing deep concern about becoming victims, a trend worsened by AI tools that make it easier for criminals to convincingly impersonate brands, colleagues and even family members. 

As ransomware continues to be a highly disruptive threat, with South Africa being the second most targeted country in Africa and third globally for cyberattacks, including double extortion attacks in which stolen data is threatened with being released to the public. Organisations are being advised to harden defences and have strong cyber insurance that covers loss of money, liability, business interruption, incidents relating to ransomware, breaches involving data, and the potential for fines from regulators as the threat landscape rapidly shifts.
Read more »
UK ransomware payment ban
Cyber Attacks cyber resilience ransomware attacks ransomware statistics 2025 UK ransomware payment ban

UK’s Proposed Ransomware Payment Ban Sparks New Debate as Attacks Surge in 2025

 

Ransomware incidents are climbing at an alarming rate, reigniting discussions around whether organizations should be allowed to pay attackers at all.

Cybercriminals are increasingly turning to ransomware to extort large sums of money from organizations desperate to protect sensitive employee and customer data. Recent findings revealed a 126% increase in ransomware incidents in Q1 2025 compared to the previous quarter, a surge that has captured global attention.

In response, the UK government has unveiled a proposal to prohibit ransomware payments, aiming to stop public bodies and Critical National Infrastructure (CNI) providers from transferring large amounts of money to cybercriminals in hopes of regaining stolen data or avoiding public embarrassment. Many experts believe this ban could eventually expand to cover every organization operating in the UK.

If the restriction becomes universal, businesses will be forced to operate in an environment where paying attackers is no longer an option. This shift would require a stronger emphasis on resilience, incident response, and rapid recovery strategies.

The debate now centers on a key question: Is banning ransomware payments a wise move? And if the ban comes into effect, how can organizations safeguard their data without relying on a ransom fund?

Many companies have long viewed ransom payments as a quick, albeit risky, solution — almost a “get out of jail free” card. They see it as a seemingly reliable way to recover stolen data without formal disclosure or regulatory reporting.

However, negotiations with criminals come with no certainty. Paying a ransom only strengthens the broader cybercrime ecosystem and incentivizes further attacks.

Yet the practice persists. Research from 2025 reveals that 41% of organizations have paid a ransom, but only 67% of those regained full access to their data. These figures highlight that companies are still funneling large budgets into ransom payments — money that could instead be invested in preventing attacks through stronger cyber infrastructure.

The UK’s proposed ban brings both advantages and disadvantages. On the positive side, organizations would no longer be pushed into negotiating with unreliable cybercriminals. Since attackers may not return the data even after receiving payment, the ban eliminates that particular risk entirely.

Additionally, many organizations prefer to quietly pay ransoms to avoid reputational damage associated with admitting an attack. This secrecy not only benefits attackers but also leaves authorities unaware of crimes being committed. A payment ban, however, would force almost all affected organizations to formally report incidents — encouraging more accurate investigations and accountability.

Supporters of the ban argue that if attackers know ransom payments are impossible, the financial incentive behind ransomware will eventually disappear. While optimistic, the UK government sees the ban as a strong step toward reducing or even eliminating ransomware threats.

But opponents highlight an undeniable concern: ransomware attacks will continue, at least in the near term. If payment is no longer an option, organizations may struggle to recover highly sensitive information — often involving customer data — and may be left without any practical alternatives, even if negotiating feels morally uncomfortable.

If the UK enforces a nationwide prohibition on ransom payments, businesses must prioritize strengthening their cyber resilience. Increasing investment in preventive strategies will be crucial.

For SMEs — many of which lack dedicated cybersecurity teams — partnering with a Managed Service Provider (MSP) is one of the simplest ways to boost security. MSPs oversee IT operations and cybersecurity defenses, allowing business leaders to focus on innovation and growth. Recent studies show that over 80% of SMEs now rely on MSPs for cybersecurity support.

Regular employee security awareness training is also essential, helping staff identify early warning signs of cyberattacks and avoid mistakes that commonly lead to ransomware infections.

Organizations should also create and routinely test a detailed incident response plan. Although often overlooked, a well-rehearsed plan is critical for minimizing the damage when an attack occurs.

With the UK considering a nationwide ban on ransom payments, companies cannot afford to wait. The most effective approach is to build strong cyber resilience now.

This includes leveraging MSP services, upgrading security tools, and establishing a clear incident response strategy. Proactive planning will lower the chances of falling victim to ransomware and ensure smoother recovery if an attack does occur.
Read more »
Threat Intelligence
Cybercrime Ecosystem Cybersecurity Threats Data Breach European Cybersecurity Malware As A Service Network Security ransomware attacks State-Sponsored Attacks Threat Intelligence

Europe struggles with record-breaking spike in ransomware attacks

 


Europe is increasingly being targeted by ransomware groups, driving attacks to unprecedented levels as criminal operations become more industrialised and sophisticated. Threat actors have established themselves in this region as a prime hunting ground, and are now relying on a growing ecosystem of underground marketplaces that sell everything from Malware-as-a-Service subscriptions to stolen network access and turnkey phishing kits to Malware-as-a-Service subscriptions. 

New findings from CrowdStrike's 2025 European Threat Landscape Report reveal that nearly 22 per cent of all ransomware and extortion incidents that occurred globally this year have involved European organisations. Accordingly, European organizations are more likely than those in Asia-Pacific to be targeted by cybercriminals than those in North America, placing them second only to North America. 

According to these statistics, there is a troubling shift affecting Europe's public and private networks. An increasing threat model is being used by cybercriminals on the continent that makes it easier, cheaper, and quicker to attack their victims. This leaves thousands of victims of attacks increasingly sophisticated and financially motivated across the continent. 

Throughout CrowdStrike's latest analysis, a clear picture emerges of just how heavily Europeans have been affected by ransomware and extortion attacks, with the continent managing to absorb over 22% of all global extortion and ransomware attacks. As stated in the report, the UK, Germany, France, Italy, and Spain are the most frequently targeted nations. It also notes that dedicated leak sites linked to European victims have increased by nearly 13% on an annual basis, a trend driven by groups such as Scattered Spider, a group that has shortened its attack-to-deployment window to a mere 24 hours from when the attack started. 

According to the study, companies in the manufacturing, professional services, technology, industrial, engineering and retail industries are still the most heavily pursued sectors, as prominent gangs such as Akira, LockBit, RansomHub, INC, Lynx, and Sinobi continue to dominate the landscape, making big game hunting tactics, aimed at high-value enterprises, remain prevalent and have intensified throughout the continent as well. 

It has been suggested in the study that because of the wide and lucrative corporate base of Europe, the complex regulatory and legal structure, and the geopolitical motivations of some threat actors, the region is a target for well-funded e-crime operations that are well-resourced. State-aligned threat activity continues to add an element of volatility to the already troubled cyber landscape of Europe.

In the past two years, Russian operators have intensified their operations against Ukraine, combining credential phishing with intelligence gathering and disrupting attacks targeted at the power grid, the government, the military, the energy grid, the telecommunications grid, the utility grid, and so forth. The North Koreans have, at the same time, expanded their reach to Europe, attacking defence, diplomatic, and financial institutions in operations that fuse classic espionage with cryptocurrency theft to finance their strategic projects. 

Moreover, Chinese state-sponsored actors have been extorting valuable intellectual property from industries across eleven nations by exploiting cloud environments and software supply chains to siphon intellectual property from the nation that enables them to expand their footprint. 

A number of these operations have demonstrated a sustained commitment to biotechnology and healthcare, while Vixen Panda is now considered one of the most persistent threats to European government and defence organisations, emphasising the degree to which state-backed intrusion campaigns are increasing the region's risk of infection.

There has been a dramatic acceleration in the speed at which ransomware attacks are being carried out in Europe, with CrowdStrike noting that groups such as Scattered Spider have reduced their ransomware deployment cycles to unprecedented levels, which has driven up the levels of infection. Through the group's efforts, the time between an initial intrusion and full encryption has been reduced from 35.5 hours in 2024 to roughly 24 hours by mid-2025, meaning that defenders are likely to have fewer chances to detect or contain intrusions. 

Despite being actively under investigation by law enforcement agencies, eCrime actors based in Western countries, like the United States and the United Kingdom, are developing resilient criminal networks despite active scrutiny by law enforcement. The arrest of four individuals recently by the National Crime Agency in connection with attacks on major retailers, as well as the rearrest of the four individuals for involvement in a breach at Transport for London, underscores the persistence of these groups despite coordinated enforcement efforts. 

In addition to this rapid operational tempo, cybercrime has also been transformed into a commodity-driven industry as a result of a thriving underground economy. The Russian- and English-speaking forums, together with encrypted messaging platforms, offer threat actors the opportunity to exchange access to tools, access points, and operational support with the efficiency of commercial storefronts. 

A total of 260 initial access brokers were seen by investigators during the review period, advertising entry points into more than 1,400 European organizations during the review period. This effectively outsourced the initial stages of a breach to outside sources. Through subscription or affiliate models of malware-as-a-service, companies can offer ready-made loaders, stealers, and financial malware as a service, further lowering the barrier to entry. 

It has been noted that even after major disruptions by law enforcement, including the seizure of prominent forums, many operators have continued to trade without interruption, thanks to safe-haven jurisdictions and established networks of trustworthiness. Aside from eCrime, the report highlights an increasingly complex threat environment caused by state-sponsored actors such as Russia, China, North Korea and Iran. 

Russian actors are concentrating their efforts on Ukraine, committing credential-phishing attacks, obtaining intelligence, and undertaking destructive activities targeting the military, government, energy, telecommunications, and utility sectors, and simultaneously conducting extensive espionage across NATO member countries.

For the purpose of providing plausible deniability, groups tied to Moscow have conducted extensive phishing campaigns, set up hundreds of spoofed domains, and even recruited "throwaway agents" through Telegram to carry out sabotage operations. As Iranian groups continued to conduct hack-and-leak, phishing, and DDoS attacks, often masking state intent behind hacktivist personas, their hack-and-leak campaigns branched into the UK, Germany, and the Netherlands, and they stepped up their efforts. 

With these converging nation-state operations, European institutions have been put under increased strategic pressure, adding an element of geopolitical complexity to an already overloaded cyber-defence environment. It is clear from the findings that for Europe to navigate this escalating threat landscape, a more unified and forward-leaning security posture is urgently needed. According to experts, traditional perimeter defences and slow incident response models are no longer adequate to deal with actors operating at an industrial speed, due to the rapid pace of technology. 

Companies need to share regional intelligence, invest in continuous monitoring, and adopt AI-driven detection capabilities in order to narrow the attackers' widening advantage. Keeping up with the innovation and sophistication of criminal and state-backed adversaries is a difficult task for any organisation, but for organisations that fail to modernise their defences, they run the risk of being left defenceless in an increasingly unforgiving digital battlefield.
Read more »
State-backed criminal groups
cyber attack News ransomware attacks State-backed criminal groups

Ransomware Surge Poses Geopolitical and Economic Risks, Warns Joint Cybersecurity Report

 

A new joint report released this week by Northwave Cyber Security and Marsh, a division of Marsh McLennan, warns that ransomware attacks targeting small and medium-sized businesses have sharply increased, creating serious geopolitical, economic, and national security concerns. Northwave Cyber Security, a leading European cyber resilience firm, and Marsh, one of the world’s largest insurance brokers and risk advisers, analyzed thousands of cyber incidents across Europe and Israel to reveal how ransomware threats are turning into a structured global industry. 

The report finds that many ransomware operators, often linked to Russia, Iran, North Korea, and China, have intensified their attacks on small and mid-sized businesses that form the backbone of Western economies. Instead of focusing only on large corporations or government agencies, these groups are increasingly targeting vulnerable firms in sectors such as IT services, retail, logistics, and construction. 

Peter Teishev, head of the Special Risks Department at Marsh Israel, said the threat landscape has changed significantly. “As ransomware attacks become more sophisticated and decentralized, organizations must shift from responding after incidents to building proactive defense strategies,” he explained. 

He added that Israel has faced particularly high levels of cyberattacks over the past two years, making preparedness a national priority. The report estimates that global ransom payments reached nearly €700 million in 2024, with the average ransom demand standing at €172,000, which equals about 2 percent of a company’s annual revenue. 

In Europe, ransomware incidents increased by 34 percent in the first half of 2025 compared with the same period in 2024. Northwave and Marsh attribute this rapid growth to the rise of Ransomware-as-a-Service (RaaS) models, which allow criminal groups to rent out their hacking tools to others, turning ransomware into a profitable business. 

When authorities disrupt such groups, they often split and rebrand, continuing their activities under new identities. Recent attacks in Israel highlight the geopolitical aspects of ransomware. The Israel National Cyber Directorate (INCD) recently warned of a wave of intrusions against IT service providers, likely linked to Iran. 

One major incident targeted Shamir Medical Center in Tzrifin, where hackers leaked sensitive patient emails. Although an Eastern European ransomware group initially claimed responsibility, Israeli investigators later traced the attack to Iranian actors. 

Cyber experts say this collaboration between state-sponsored hackers and criminal groups shows how ransomware is now used as a tool of hybrid warfare to disrupt healthcare, energy, and transport systems for political purposes. 

The report also discusses divisions among hacker networks following Russia’s invasion of Ukraine. Some ransomware groups sided with Moscow and joined state-backed operations against NATO and EU countries. Others opposed this alignment, which led to the breakup of the infamous Conti Group. 

The exposure of more than 60,000 internal chat logs in what became known as ContiLeaks revealed the internal workings of the ransomware industry and forced several groups to reorganize under new names. Even with these internal divisions, ransomware operations have become more competitive and unpredictable. 

According to Marsh and Northwave, this has made it harder to anticipate their next moves. At the same time, cyber insurance prices fell globally by about 12 percent in the last quarter, making protection more accessible for many organizations. 

The report concludes that ransomware is no longer only a criminal enterprise but also an instrument of global power politics that can undermine economic stability and national security. As Teishev summarized, “The threat is growing, but so is the ability to prepare. The next phase of cybersecurity will focus not on recovery but on resilience.”
Read more »
VPN vulnerabilities
Akira Ransomware APAC Cybercrime cyber resilience Cybersecurity Threats Data Breach Network Security ransomware attacks SonicWall Exploit VPN vulnerabilities

Growing VPN Exploits Trigger Fresh Ransomware Crisis in APAC


 

Despite the growing cyber risk landscape in Asia-Pacific, ransomware operations continue to tighten their grip on India and the broader region, as threat actors more often seek to exploit network vulnerabilities and target critical sectors in order to get a foothold in the region. 

It is essential to note that Cyble's Monthly Threat Landscape Report for July 2025 highlights a concerning trend: cybercriminals are no longer merely encrypting systems for ransom; they are systematically extracting sensitive information, selling network access, and exposing victims to the public in underground marketplaces. 

In recent weeks, India has been a focal point of this escalation, with a string of damaging breaches taking place across a number of key industries. Recently, the Warlock ransomware group released sensitive information concerning a domestic manufacturing company. This information included employee records, financial reports, and internal HR files. Parallel to this, two Indian companies – a technology consulting firm and a SaaS provider – have been found posting stolen data on dark web forums that revealed information on customers, payment credentials, and server usage logs. 

Further compounding the threat, the report claims that credentials granting administrative control over an Indian telecommunications provider’s infrastructure were being sold for an estimated US$35,000 as a way of monetizing network intrusions, highlighting the increasing monetization of network hacking. 

Throughout the region, Thailand, Japan, and Singapore are the most targeted nations for ransomware, followed by India and the Philippines, with manufacturing, government, and critical infrastructure proving to be the most targeted sectors. As the region's digital volatility continues, the pro-India hacktivist group Team Pelican Hackers has been claiming responsibility for hacking multiple Pakistani institutions and leaking sensitive academic data and administrative data related to research projects, which demonstrates that cyber-crime is going beyond financial motives in order to serve as a form of geopolitical signaling in the region. 

Security experts across the region are warning about renewed exploitation of SonicWall devices by threat actors linked to the Akira ransomware group among a growing number of ransomware incidents that have swept across the region. Since the resurgence of Akira's activity occurred in late July 2025, there has been a noticeable increase in intrusions leveraging SonicWall appliances as entry points. Rapid7 researchers have documented this increase.

An attacker, according to the firm, is exploiting a critical vulnerability that dates back a year—identified as CVE-2024-40766 with a CVSS score of 9.3—that is linked to a vulnerability in the SSL VPN configuration on the device. It is clear that this issue, which led to local user passwords persisting rather than being reset after migration, has provided cybercriminals with a convenient way to compromise network defenses. 

It was SonicWall who acknowledged the targeted activity, and confirmed that malicious actors were attempting to gain unauthorized access to the network using brute force. According to the company, administrators should activate Botnet Filtering for the purpose of blocking known malicious IP addresses as well as enforce strict Account Lockout policies to take immediate measures. As ransomware campaigns that exploit VPN vulnerabilities continue to increase, proactive security hygiene is becoming increasingly important. 

The increasing cybercrime challenges in the Asia-Pacific region are being exacerbated by recent findings from Barracuda's SOC Threat Radar Report, which indicate a significant increase in attacks exploiting vulnerabilities in VPN infrastructures and Microsoft 365 accounts. Throughout the study, threat actors are becoming increasingly stealthy and adopting Python-based scripts to avoid detection and maintain persistence within targeted networks in order to evade detection. 

It has been determined that the Akira ransomware syndicate has increased its operations significantly, compromising outdated or unpatched systems rapidly, leading to significant losses for the syndicate. A number of intrusions have been traced back to exploitation of a known flaw in SonicWall VPN appliances — CVE-2024-40766 — that allows attackers to manipulate legacy credentials that haven’t been reset after migration as a result of this flaw. 

A month ago, there was a patch released which addressed the issue. However, many organizations across the APAC region have yet to implement corrective measures, leaving them vulnerable to renewed exploitation in the coming months. In multiple instances, Akira operators have been observed intercepting one-time passwords and generating valid session tokens using previously stolen credentials, effectively bypassing multi-factor authentication protocols, even on patched networks. 

In order to achieve such a level of sophistication, the group often deploys legitimate remote monitoring and management tools in order to disable security software, wipe backups, and obstruct remediation attempts, allowing the group to effectively infiltrate systems without being detected. There has been a sustained outbreak of such attacks in Australia and other Asian countries, which indicates how lapses in patch management, the use of legacy accounts, and the unrotation of high-privilege credentials continue to amplify risk exposure, according to security researchers. 

There is no doubt that a prompt application of patches, a rigorous password reset, and a strict credential management regime are crucial defenses against ransomware threats as they evolve. There is no doubt that manufacturing is one of the most frequently targeted industries in the Asia-Pacific region, as more than 40 percent of all reported cyber incidents have been related to manufacturing industries. 

Several researchers attribute this sustained attention to the sector's intricate supply chains, its dependence on outdated technologies, and the high value of proprietary data and intellectual property that resides within operational networks, which makes it a target for cybercriminals. It has been common for attackers to exploit weak server configurations, steal credentials, and deploy ransomware to disrupt production and gain financial gain by exploiting weak server configurations. 

Approximately 16 percent of observed attacks occurred in the financial sector and insurance industry, with adversaries infiltrating high-value systems through sophisticated phishing campaigns and malware. The purpose of these intrusions was not only to steal sensitive information, such as customer and payment information, but also to maintain persistent access for prolonged reconnaissance. 

Among the targeted entities, the transportation industry, which accounts for around 11 percent of all companies targeted, suffered from an increase in attacks intended to disrupt logistics and operational continuity as a consequence of its reliance on remote connectivity and third-party digital infrastructure as a consequence of its heavy reliance on remote connectivity. 

In the wider APAC context, cybercriminals are increasingly pursuing both operational and financial goals in these attacks, aiming to disrupt as well as monetize. It is still very common for threats actors to steal trade secrets, customer records, and confidential enterprise information, making data theft one of the most common outcomes of these attacks. 

Despite the fact that credential harvesting is often facilitated by malware that steals information from compromised systems, this method of extorting continues to enable subsequent breaches and lateral movements within compromised systems. Furthermore, the extortion-based operation has evolved, with many adversaries now turning to non-encrypting extortion schemes for coercing victims, rather than using ransomware encryption to coerce victims, emphasizing the change in cyber threats within the region. 

Several experts have stressed that there is no substitute for a multilayered and intelligence-driven approach to security in the Asia-Pacific region that goes beyond conventional security frameworks in order to defend against the increasing tide of ransomware. Static defenses are not sufficient in an era in which threat actors have evolved their tactics in a speed and precision that is unprecedented in history. 

A defence posture that is based on intelligence must be adopted by organizations, continuously monitoring the tactics, techniques, and procedures used by ransomware operators and initial access brokers in order to identify potential intrusions before they arise. As modern "sprinter" ransomware campaigns have been exploiting vulnerabilities within hours of public disclosure, agile patch management is a critical part of this approach.

There is no doubt that timely identification of vulnerable systems and remediation of those vulnerabilities, as well as close collaboration with third party vendors and suppliers to ensure consistency in patching, are critical components of an effective cyber hygiene program. It is equally important to take human factors into consideration. 

The most common attack vector that continues to be exploited is social engineering. Therefore, it is important to conduct continuous awareness training tailored to employees who are in sensitive or high-privilege roles, such as IT and helpdesk workers, to reduce the potential for compromise. Furthermore, security leaders advise organizations to adopt a breach-ready mindset, which means accepting the possibility of a breach of even the most advanced defenses.

If an attack occurs, containing damage and ensuring continuity of operations can be achieved through the use of network segmentation, immutable data backups, and a rigorously tested incident response plan to strengthen resilience. Using actionable intelligence combined with proactive risk management, as well as developing a culture of security awareness, APAC enterprises can be better prepared to cope with the relentless wave of ransomware threats that continue to shape the digital threat landscape and recover from them. 

A defining moment in the Asia-Pacific cybersecurity landscape is the current refinement of ransomware groups' tactics as they continue to exploit every weakness in enterprise defenses. Those recent incidents of cyber-attacks using VPNs and data exfiltration incidents should serve as a reminder that cyber resilience is no longer just an ambition; it is a business imperative as well. Organizations are being encouraged to shift away from reactive patching and adopt a culture that emphasizes visibility, adaptability, and intelligence sharing as the keys to continuous security maturity. 

Collaboration between government, the private sector, and the cybersecurity community can make a significant contribution to the development of early warning systems and collective response abilities. A number of measures can help organizations detect threats more efficiently, enforce zero-trust architectures, and conduct regular penetration tests, which will help them identify any vulnerabilities before adversaries take advantage of them. 

Increasingly, digital transformation is accelerating across industries, which makes the importance of integrating security by design—from supply chains to cloud environments—more pressing than ever before. Cybersecurity can be treated by APAC organizations as an enabler rather than as a compliance exercise, which is important since such enterprises are able to not only mitigate risks, but also build digital trust and operational resilience during an age in which ransomware threats are persistent and sophisticated.
Read more »
ransomware attacks
AI in cybersecurity Cyber Attacks Cyber Extortion Microsoft Digital Defense Report nation-state hackers ransomware attacks

Microsoft Warns: Over Half of Cyberattacks Driven by Extortion and Ransomware, Legacy Security Failing to Keep Up

 


More than 50% of cyberattacks are now motivated by extortion and ransomware, according to Microsoft’s latest Digital Defense Report. The tech giant revealed that outdated security systems are no longer capable of defending against today’s evolving cyber threats.

In its sixth annual report, Microsoft highlighted that around 80% of the cyber incidents its security teams investigated last year were financially motivated.

"That’s at least 52% of incidents fueled by financial gain, while attacks focused solely on espionage made up just 4%," said Amy Hogan-Burney, CVP for Customer Security and Trust at Microsoft.

She added, "Nation-state threats remain a serious and persistent threat, but most of the immediate attacks organizations face today come from opportunistic criminals looking to make a profit."

The report noted that critical public sectors, including hospitals and local governments, are prime targets. These institutions often handle highly sensitive information but operate with limited cybersecurity resources and response capabilities. In many cases, healthcare and other essential services are more likely to pay ransoms due to the critical nature of their operations.

Although nation-state-driven attacks account for a smaller share of total incidents, their volume is steadily increasing. Microsoft’s findings show that China continues its aggressive campaigns across industries to steal sensitive data, using covert systems and exploiting internet vulnerabilities to avoid detection.

Iran has widened its scope, targeting sectors from the Middle East to North America, including shipping and logistics companies in Europe and the Persian Gulf to gain access to valuable commercial data.

Meanwhile, Russia has extended its operations beyond Ukraine, focusing on small businesses in pro-Ukraine countries, perceiving them as softer targets compared to larger corporations.

Microsoft also identified North Korea as a major concern for both espionage and revenue-driven cyber operations. Thousands of North Korean IT workers are reportedly employed remotely by global companies, funneling their salaries back to the regime. When exposed, some of these operatives have shifted to extortion tactics.

"The cyber threats posed by nation-states are becoming more expansive and unpredictable," Hogan-Burney warned. "In addition, the shift by at least some nation-state actors to further leveraging the cybercriminal ecosystem will make attribution even more complicated."

She stressed the importance of collaboration: "This underscores the need for organizations to stay abreast of the threats to their industries and work with both industry peers and governments to confront the threats posed by nation-state actors."

Microsoft’s report also underscored how artificial intelligence and automation have empowered cybercriminals, even those with minimal expertise, to execute more complex attacks. AI tools are being used to develop malware faster, generate convincing fake content, and enhance phishing and ransomware campaigns.

More than 97% of identity attacks are now password-related, with a 32% surge in the first half of 2025 alone. Attackers commonly exploit leaked credentials and use large-scale password guessing.

"However, credential leaks aren’t the only place where attackers can obtain credentials," Hogan-Burney explained. "This year, we saw a surge in the use of infostealer malware by cyber criminals. Infostealers can secretly gather credentials and information about your online accounts, like browser session tokens, at scale."

She added, "Cyber criminals can then buy this stolen information on cyber crime forums, making it easy for anyone to access accounts for purposes such as the delivery of ransomware."

The report concludes by urging governments to establish stronger frameworks to ensure credible consequences for cyber activities that breach international laws and norms.


Read more »
ransomware attacks
Clinical Safety cyber resilience cybersecurity in healthcare Data Breach Digital Health Threats Health ISAC Medical Device Security patient data protection ransomware attacks

Cyber Risks Emerge as a Direct Threat to Clinical Care

 


Even though almost every aspect of modern medicine is supported by digital infrastructure, the healthcare sector finds itself at the epicentre of an escalating cybersecurity crisis at the same time. Cyberattacks have now evolved from being just a financial or corporate problem to a serious clinical concern, causing patients' safety to be directly put at risk as well as disrupting essential healthcare. 

With the increasing use of interconnected systems in hospitals and diagnostic equipment, as well as cloud-based patient records, the attack surface on medical institutions is expanding, making them increasingly susceptible to ransomware and data breaches posed by the increasing use of interconnected systems. 

The frequency and sophistication of such attacks have skyrocketed in recent years, and the number of attacks has almost doubled compared to 2023, when the number of ransomware attacks in the United States alone climbed by a staggering 128 per cent in the same year. As far as data loss and financial damage are concerned, the consequences of these breaches do not stop there. 

There are estimates of healthcare organisations losing up to $900,000 per day because of operational outages linked to ransomware, which excludes the millions—or billions—that are spent on ransom payments. In IBM's 2024 Cost of a Data Breach Report, healthcare was ranked as the highest cost per incident in the world, with an average cost of $9.8 million. This was significantly more than the $6.1 million average cost per incident within the financial sector. 

In spite of this fact, the most devastating toll of cyberattacks is not in currency, but rather in the lives of victims. Studies indicate that cyberattacks have resulted in delayed procedures, compromised care delivery, and, in some cases, increased mortality rates of patients. There has been a troubling increase from the previous year, since 71 per cent of healthcare organisations affected by cyber incidents reported negative patient outcomes due to service disruptions in 2023. 

With the rapid growth of digital transformation in healthcare, the line between data security and clinical safety is fast disappearing - making cybersecurity an urgent issue of patient survival rather than mere IT resilience as digital transformation continues to redefine healthcare. With cyber threats growing more sophisticated, healthcare is experiencing a troubling convergence of digital vulnerability and human consequences that is becoming more and more troubling. 

There was once a time in healthcare when cybersecurity was viewed solely as a matter of data protection; however, today, it has become an integral part of patient safety and wellbeing, which is why experts are predicting that the threat of cybersecurity attacks will escalate significantly by the year 2025, with hospitals and health systems facing increasing financial losses as well as the threat of escalating risks. 

Recent reports have highlighted hospitals being incapacitated by ransomware attacks, which have compromised critical care, eroded public trust, and left healthcare staff unable to provide care. "Patient safety is inseparable from cyber safety," emphasised Ryan Witt, Proofpoint's healthcare leader, emphasising that when digital systems fail, life-saving care can be compromised. Statistics behind these incidents reveal a frightening reality. 

A study found that nearly seventy-eight per cent of healthcare organisations experienced disruptions in patient care as a result of ransomware, email compromise, cloud infiltration, and supply chain attacks. More than half of these patients experienced extended stays in the hospital or medical complications, while almost a third saw a rise in death rates. 

Financial figures often overshadow the human toll of a major attack: although the average cost has fallen to $3.9 million from $4.7 million, ransom payments have risen to $1.2 million from $4.7 million. It is important to remember that there are no monetary figures that can fully capture the true impacts of systems that go dark-missing diagnoses, delays in surgery, and the lives put at risk of clinicians, nurses, and technicians. 

Considering that time and precision are synonymous with survival in the healthcare sector, it has become clear that the encroachment of cybercrime is more than merely a technology nuisance and has become a profound threat to the very concept of care itself. Health Information Sharing and Analysis Centre (Health-ISAC) continues to play an important role in strengthening the industry's defences amidst increasing global cyber threats targeting the healthcare sector. 

It serves as an important nexus for collaboration, intelligence sharing, and real-time threat mitigation across healthcare networks worldwide. Health-ISAC is a non-profit organisation run by its members. A vital resource for safeguarding both digital and physical health infrastructures, Health-ISAC has disseminated actionable intelligence and strengthened organizational resilience through the distribution of actionable intelligence and strengthening of organisational resilience. 

It has recently been reported that the organisation has identified several security threats, including critical vulnerabilities found within Citrix NetScaler ADC, NetScaler Gateway, and Cisco Adaptive Security Appliances (ASA) that could potentially be exploited. Immediately after the identification of these flaws, Health-ISAC issued over a hundred targeted alerts to member institutions in order to minimise the risk of exploitation. 

These vulnerabilities have been exploited by threat actors since then, highlighting how the healthcare sector needs to be monitored continuously and provide rapid response mechanisms. As well as detecting threats, Health-ISAC has also been involved in regulatory alignment, particularly addressing FDA guidance regarding cybersecurity for medical devices that was recently updated. 

Revisions to the quality system considerations and the content of premarket submissions, issued in June 2025, have replaced the earlier version, which was issued in 2023, and incorporate Section VII of the Federal Food, Drug, and Cosmetic Act (FD&C Act). In this section, manufacturers are outlined in detail about their specific compliance obligations, including the use of cybersecurity assurance procedures, Software Bills of Materials (SBOMs), and secure development methods. 

It has also been emphasised by Health-ISAC that there are related regulatory frameworks that will affect AI-enabled medical devices, such as the FDA Quality Management System Regulation, the EU Cyber Resilience Act, and emerging standards such as AI-enabled data providers. In the organisation's latest analysis, the organisation explored how the geopolitical climate has been shifting in the Asia Pacific region, where growing tensions between the Philippines and China, particularly over the Scarborough Shoal, which has now been designated by China as a maritime wildlife refuge, are reshaping regional security. 

The significant investment Australia has made in asymmetric warfare capabilities is a further indication of the interconnectedness between geopolitics and cybersecurity threats. Denise Anderson, President and CEO of Health-ISAC, commented on the organisation's 15-year milestone and stated that the accomplishments of the organisation demonstrate the importance of collective defence and shared responsibility. She added, "Our growth and success are a testament to the power of collaboration and to our members' passion to improve the welfare of patients," she expressed.

"With the emergence of sophisticated threats, a unified defence has never been more needed." In the near future, Health-ISAC plans to strengthen the intelligence sharing capabilities of the organisation, expand its partnerships throughout the world, and continue promoting cybersecurity awareness - all of which will strengthen the organisation's commitment to making healthcare safer and more resilient throughout the world. 

The healthcare landscape is becoming increasingly digitalised, and preserving it will require not only a proactive defence but a coordinated, unified approach as well. As technology and patient care have converged, cybersecurity has become a clinical imperative, one that will require the collaboration of policymakers, hospital administrators, medical device manufacturers, and cybersecurity specialists. 

Various experts highlight that through investment in secure infrastructure, workforce training, and continuous monitoring and assessment of risks, there is no longer an option but instead a necessity to maintain the trust of patients and ensure the continuity of operations. 

There is a significant reduction in vulnerabilities across complex healthcare ecosystems when zero-trust frameworks are implemented, timely software patches are made, and transparent data governance takes place. Moreover, fostering global intelligence-sharing alliances, such as the one promoted by Health-ISAC, can strengthen our collective resilience to emerging cyber threats.

With the sector facing a number of emerging challenges in the future - from ransomware to artificial intelligence-enabled attacks - it is imperative that cyber safety is treated as an integral part of patient safety in order to survive. In addition to protecting data, healthcare delivery is also preserving its most vital mission: saving lives in a world where the next medical emergency could be just as easily caused by malicious code as it would be caused by the hospital.
Read more »
Subscribe to: Comments (Atom)