State of ransomware 2025
Last Updated: February 4th, 2025 | 42 min read | Categories: Ransomware, Research

January

We kicked off 2025 with a record-breaking 92 disclosed ransomware attacks in January, a 21% increase over last year and the highest we’ve recorded since we began tracking ransomware back in 2020. We counted 32 different ransomware groups behind the attacks, with RansomHub leading the way. Some of the bigger news stories included the Codefinger ransomware attack on AWS, the disruption caused to the education sector following a hack on Power Schools, and RansomHub’s claims involving MetLife.

Discover who else made ransomware headlines in January:

  1. The threat actor Omid16B claimed responsibility for a breach at UK-based photo company DEphoto, alleging the theft of a large volume of confidential data. The attack, which occurred on Christmas Day, reportedly exfiltrated personal details of 555,952 customers, 429,597 orders with personal and credit card information, as well as customer photographs. A ransom demand of £50,000 was made, but the threat actor did not receive a response. DEphoto began notifying affected customers in late December.
  2. Lian Beng Group Ltd, a prominent investment holding company in Singapore, was targeted in a RansomHub attack at the beginning of the year. The notorious ransomware group claimed to have stolen 2TB of data from the company but did not release a ransom demand. The allegedly exfiltrated data included 1,500 employee NRICs, passports, insurance details, bank statements, corporate emails, contracts, and other sensitive business documents.
  3. The State Child Protection Society (SCPS) of Madhya Pradesh fell victim to the Funksec ransomware group, which emerged in December of the previous year. Funksec took responsibility for the attack, claiming to have exfiltrated 2GB of sensitive data from SCPS’s systems. While the exact details of the stolen data remain unclear, experts and stakeholders are particularly concerned about the potential exposure of sensitive child welfare information.
  4. Westend Dental in Indianapolis agreed to pay $350,000 to enhance its data protection and patient privacy measures following a state investigation into a ransomware attack that led to the unauthorized disclosure of patient information. The company failed to report the October 2020 breach within the HIPAA-mandated timeframe, waiting two years before officially notifying authorities. During the attack, health information was encrypted and then exfiltrated, affecting approximately 17,000 patients.
  5. RansomHub claimed responsibility for breaching the Latin American division of insurance giant MetLife on December 31st, though the company denies the incident. The ransomware group asserts it exfiltrated 1TB of data, adding documents written in Spanish as proof of claims to its leak site. A MetLife spokesperson stated that “there is no incident that we’re aware of,” and suggested the breach may be related to an incident involving Fondo Genesis, a MetLife subsidiary.
  6. Peikko Group Corporation, based in Finland, experienced a disruptive cyberattack at the end of December 2024. Several tools and systems became unavailable to employees, prompting the company to report the incident to police and other relevant authorities. While the company acknowledged the possibility that some customer-related data may have been accessed and stolen, an investigation is still underway. The Akira group claimed responsibility for the attack, alleging the theft of 30GB of data. On its dark web site, the group suggested the stolen information included internal finance documents, disclosure agreements, employee contact details, and HR records.
  7. Modern Automotive Network, a North Carolina car dealership chain, recently confirmed it notified individuals about a data breach that took place in July 2024. The company did not disclose what personal information was compromised in its breach notification. BlackByte ransomware gang claimed responsibility for the attack shortly after it occurred, sharing images of what they claimed were stolen files and directories as evidence.
  8. It has been confirmed that a ransomware attack, which the Richmond University Medical Center has been investigating since May 2023, resulted in a data breach affecting over 670,000 individuals. The attack led to major disruptions, with the organization taking several weeks to restore affected services. Investigators found that at least one of the exposed files contained personal information, including PII and PHI. The identity of those responsible for the attack remains unknown.
  9. In January, the Hunters International ransomware group added Nikki-Universal Co. Ltd, a major chemical manufacturer, to its list of victims. The organization confirmed the attack, stating that an investigation is ongoing. The ransomware group claimed to have exfiltrated 476,342 files during the incident, totalling 761.8GB. Although a ransom demand was not posted, the organization was given until January 10th to meet the hackers’ demands.
  10. The Fraunhofer Institute for Industrial Engineering (IAO) in Stuttgart confirmed that it was the target of a cyberattack on December 27th. The attack compromised certain systems and data, but the full extent of the damage is still unclear. The institute is collaborating with IT security experts and relevant authorities to investigate the incident. It is currently unknown whether personal data was exposed to the attackers.
  11. Hunter, Taubman Fischer & Li LLC has reportedly fallen victim to a ransomware attack orchestrated by Lynx. The group allegedly successfully infiltrated the firm’s systems and exfiltrated confidential data. Specific details about the nature and volume of stolen information have not yet been disclosed. The organization has not yet made a public statement addressing these claims.
  12. South Portland Public Schools took its network offline to safeguard student data and other sensitive information amid an ongoing cyberattack. While suspicious activity was detected and a firewall was breached, the school district believes that no student or staff data was compromised. It is not yet known who is responsible for the attack.
  13. Teton Orthopaedics, a Wyoming clinic, recently confirmed that it notified 13,409 individuals about a data breach that exposed names, addresses, dates of birth, health insurance details, and medical information. In March last year the hacking group DragonForce claimed responsibility for the breach, stating they had stolen 5.5GB of data from the healthcare provider. DragonForce reportedly gave Teton Orthopaedics one week to pay an undisclosed ransom, though it remains unclear whether the organization met these demands.
  14. Rhysida listed Canada’s Montréal-Nord borough on its dark web blog, posting several samples of documents it claims were stolen from the borough’s government network. The gang set a four-day deadline for a ransom of 10 BTC (around $1 million), warning that after the deadline they would sell the data to the highest bidder. The proof of claims included illegible files containing an email, administrative contract, and one Canadian passport.
  15. Austin’s Financial Solutions became a victim of Kairos ransomware gang, with the gang publishing 147GB of data stolen during the cyberattack. The initial post on the dark web, published in mid-December, included several files as proof of claims including scans of passports, payroll data, and an employee contract. The Australian wealth management firm has not yet publicly addressed these claims.
  16. Notorious ransomware gang Clop claimed to have breached US-based mobile and wireless software company Velocitor Solutions. The ransomware group published sensitive data stolen from the organization but at this time there is no further information available.
  17. Qilin ransomware group claimed to have exfiltrated 29,843 files, totalling 22GB of data, from Australian freight forwarding firm Globelink International. The dark web posting stated that all company data would be published on 03/01/2025, though no proof of claims was provided. However, the data was uploaded to Qilin’s FTP server as threatened. The data includes details of company’s debtors and creditors, bank statements, and other internal documents.
  18. The Indian division of global travel booking agency Thomas Cook experienced a serious cybersecurity incident that disrupted its IT systems. Upon detection, the company promptly launched an investigation to assess the nature and extent of the attack while taking impacted systems offline. At this time, no hacker group has claimed responsibility for the incident.
  19. PowerSchool, an education software provider, informed individuals in the U.S. and Canada that their personal information was exposed in a ransomware attack that occurred in late December 2024. During the breach, attackers gained unauthorized access to one of the company’s customer support portals and stole sensitive data from 6,505 school districts. The stolen information included a variety of data including full names, physical addresses, contact details, Social Security numbers (SSNs), medical records, and grades. A threat actor involved in the attack claimed in their extortion demand to have stolen data on 62,488,628 students and 9,506,624 teachers, suggesting the breach affected a significant number of individuals.
  20. New York clinic Excelsior Orthopaedics confirmed it notified 357,000 people about a June 2024 data breach that compromised employee and patient information. Initial results of a forensic investigation indicated that the incident had resulted in the compromise of data. Monti took credit for the attack, giving the healthcare provider until July 16th to pay an undisclosed ransom demand. Excelsior has not verified Monti’s claim.
  21. Over 3TB of data was reportedly stolen from Kansas-based healthcare provider Sunflower Medical Group. The Rhysida group posted the organization on its darknet leak site, claiming to have over 400,000 driver’s licenses, insurance cards, Social Security numbers, and an SQL database in its possession. A sample of the allegedly stolen data was shared alongside a ransom demand of 10 BTC, equivalent to just under $10 million.
  22. New ransomware group Morpheus claimed to have compromised PUS GmbH on December 20th. The group, which posts victims on its dedicated leak site, claimed that data including technical and personal documents, a customer database and backups of customer databases had been stolen during the attack. The organization has not responded to these claims.
  23. Termite launched an attack on U.S. hospitality management company The Huntington Group in January. The ransomware group alleges that it successfully infiltrated the company’s systems and extracted nearly 39GB of sensitive data. While specific details about the stolen data were not disclosed, various screenshots were added to the dark web post as proof of claims.
  24. In Slovakia, the Land Registry Office was crippled by a large-scale ransomware attack. The UGKK experienced disruption, with its services remaining unavailable for a number of days. The UGKK chairman stated that no alterations had been made to the database and that multi-layered backups gave the option of restoring data in order to bring critical systems back up. It is not yet known who is behind the incident, which is being reported as one of the worst cyberattacks in the country’s history.
  25. Addison Northwest School District in Vermont issued a clear public notice on its website addressing a recent cyberattack. The incident locked district officials, teachers, and other employees out of servers and shut down internet services. One of the compromised servers included old payroll information for employees spanning 2008 to 2022. The ThreeAM ransomware group claimed the attack.
  26. In Wyoming, the Laramie County Library System was targeted by a ransomware attack that shut down library servers and immobilized most digital services. The library’s IT team reverted the system to a previous state and was able to resume full services. Patrons’ records were not compromised or accessed by hackers.
  27. In October of last year, Australian health and wellness company DBG Health announced a cybersecurity incident on its website, revealing that data had been exfiltrated from its server. The server contained clinical consent forms collected through its clinical services. The Morpheus ransomware group recently claimed responsibility for the attack, naming Arrotex Pharmaceuticals – one of DBG Health’s business units – as a victim. The group stated that the stolen data, totalling 2.5TB, is either ready to be sold or published.
  28. A threat actor has claimed responsibility for breaching Gravy Analytics and leaking around 1.4GB of data. The claim was made on a Russian-language forum where screenshots of what is allegedly stolen data from the U.S.-based location tracking company were shared. While the claims have not been verified, the company’s website was offline for an extended period.
  29. Rent-2-Own was added to Medusa’s leak site this month, with claims that sensitive data was stolen from the organization. Although no specific details were published on the dark web listing, the group did set a ransom of $200,000 for either the deletion or download of exfiltrated information. A timer counting down a nine-day deadline was also added to the post.
  30. It was recently disclosed that 360,934 individuals were impacted by a December 2023 ransomware attack on Florida-based medical billing firm Medusind. Upon discovering suspicious activity in its internal server, the company launched an investigation, took all systems offline and notified relevant law enforcement authorities. The investigation concluded that certain files containing PII, PHI and financial information were compromised as a result of the incident.
  31. Ransomware group RansomHouse was behind a cyberattack on Cell C that compromised the data of some of its clients. Cell C provided little information about the attack, saying that initial findings suggest that data relating to a limited number of individuals may have been accessed by an unauthorized party. RansomHouse claims to have stolen 2TB of data belonging to the company.
  32. BayMark Health Services revealed that a significant data security incident late last year compromised the sensitive personal information of its patients and staff. When suspicious activity caused service disruptions, the healthcare provider immediately launched an investigation to determine the nature and scope of the incident. Compromised data is said to include names, SSNs, insurance documentation and treatment information. In October, RansomHub claimed responsibility for the attack, claiming to be in possession of 1.5TB of confidential data and giving BayMark a deadline of 36 days to fulfil its ransom demand.
  33. A new ransomware campaign targeting Amazon Web Services users by a threat actor known as Codefinger dominated the news this month. The attack leveraged AWS’s server-side encryption in order to encrypt data and then demand payment for decryption keys. The attack campaign relies upon obtaining an AWS customer’s account credentials. Amazon stated that it is aware of exposed keys and that customers would be notified.
  34. The government of Turks and Caicos reported progress in its recovery following a pre-Christmas ransomware attack. The impact of the incident caused widespread issues and outages on the islands, with the government confirming that several segments of its network had been compromised. Attackers gained access to the government’s revenue collection and payment systems, impacting numerous business operations. No ransomware group has taken credit for the attack.
  35. Funksec ransomware group preyed on Indian edtech platform Wissenhive, accessing and exfiltrating data from the company. The attackers claim to have leaked over 32,000 records containing sensitive data from 2021 to 2022. The leak involves data such as emails, contact names and other identifying information.
  36. According to claims made by the Everest ransomware group, 50GB of data was exfiltrated from applied behaviour science firm Evidn. The gang posted its claim on its darknet leak site on January 9th, adding that a company representative should follow the instructions before the two-week countdown runs out. A ransom was not disclosed on the post, nor was any evidence of the hack provided. Evidn is yet to publicly address these claims.
  37. Popular US-based cannabis company, Stiizy, suffered a third-party breach that exposed its customers’ ID information and transaction history. Personal information, passport numbers and signatures were also among the data types stolen. It was confirmed that Everest was behind the leak after the dispensary disregarded its ransom demands.
  38. It was confirmed that the City of West Haven in Connecticut experienced a cyberattack that forced the IT department to shut down all of its systems. Impacted systems were backed up and disruption was limited to a few days, but it was suggested that data might have been compromised. Qilin took credit for the attack and gave the city until January 19th to pay an undisclosed ransom amount. Officials from West Haven have not verified the gang’s claims.
  39. Bangladeshi private commercial bank, City Bank PLC, confirmed that sensitive client financial statements were exposed during a significant cybersecurity breach. The breach was traced back to a vulnerability in the bank’s session management system, allowing threat actors to gain access to client account statements. Funksec claimed the attack on January 21st but did not disclose the nature or volume of data stolen.
  40. RansomHub claims to have launched a cyberattack on Community Health Northwest Florida on Christmas Eve, exfiltrating information during the attack. The ransomware gang claimed to have stolen 68GB of data, giving CHNWF one week to pay an undisclosed ransom amount. The healthcare provider acknowledged that it had been hit by a cyberattack which disrupted phones, internet and servers, preventing patients from making appointments and filling prescriptions.
  41. Although Spectrum Medical Imaging was unaware that it had been targeted by a cyberattack, the INC ransomware gang claims to have infiltrated the radiology practice’s systems and exfiltrated data. The data reportedly includes financial and customer information, with the claims backed up by screenshots of documents containing names and medical information. The Australian company stated that it had not been contacted by threat actors and that in the event of a ransomware incident, its policy is not to pay.
  42. Following a summer cyberattack, students and parents at Natomas Unified School District were informed that they would temporarily lose access to their school accounts due to annual IT maintenance. Following the discovery of suspicious activity, the school district was forced to shut down its network system, WiFi network, VPN services and phone lines. These services stayed down for a number of weeks over the summer while the IT department attempted to resolve the issues. Investigations recently revealed that there was no evidence that data was accessed or taken during the incident.
  43. EuroCert released an official statement on its website addressing a cyberattack that took place overnight on the 12th. The confirmed ransomware attack resulted in a breach of personal data protection due to the malicious software encrypting files stored on the company’s servers. Upon discovery of the incident, necessary measures were taken, relevant authorities were notified, and an investigation was launched. The company also stated that there was a possibility that PII, government-issued ID information and photographs were exfiltrated, but that this could not be confirmed initially. RansomHub claimed the attack two days later, allegedly stealing 65GB of data from the Polish technology company.
  44. In Australia, construction company Novati was claimed by Lynx, with the ransomware gang adding the company to its leak site on January 15th. The group claimed to have exfiltrated data including contracts, financial information and incidents. The organization was given a four day deadline to pay an undisclosed ransom amount. Alongside the claims, the leak site posting contained several documents as evidence of the hack, including planning emails and correspondence, tender results and a death certificate.
  45. RansomHub claimed to have exfiltrated 1TB of data from the Musicians Institute, a prestigious music school in Hollywood, California. The group added the school to its leak site as a victim on 13th January, giving a four day deadline to meet an undisclosed ransom demand. A sample of the data shared by the group contained alleged documents and images, some of which are invoices which could include personal information.
  46. Gateshead Council in the UK confirmed that police were investigating a cybersecurity incident which took place on January 8th. This statement was made a few short hours after Medusa ransomware gang added stolen documents belonging to the council to the dark web. A spokesperson confirmed that personal data had been “infringed.” Medusa added a 31-page slide show of various documents to its dark web site, all of which included some form of PII. Job applications, department budgets and reports about individuals’ eligibility for public housing were among the data types on display. The council’s investigation is still ongoing.
  47. Major Spanish multinational telecommunications company Telefónica had its internal ticketing system compromised by Hellcat through information-stealing malware and social engineering tactics. The infiltration of the Jira platform was achieved through infostealer theft of credentials belonging to over a dozen of the firm’s employees, followed by the targeting of employees with admin privileges. This resulted in the eventual exfiltration of 24,000 employee names and emails, 5,000 internal files and half a million internal Jira issue summaries.
  48. Tennessee-based Mortgage Investors Group had customers’ data exposed following a network cyberattack claimed by Black Basta. A breach notice on the lender’s website stated that information such as full names and financial data was compromised during the incident. The breach notice did not specify the nature of the intrusion or the number of customers affected.
  49. Fog ransomware group allegedly hacked the University of Oklahoma, claiming to have exfiltrated 91GB of sensitive data belonging to employees and senators. The stolen data is said to include employee contact information, financial records (such as audits, payment details, and reports) and contact details of state senators. The university has not publicly disclosed a ransomware attack or verified claims made by the threat actors.
  50. Law firm Wolf Haldenstein confirmed that it notified 3,445,537 people of a December 2023 data breach. The attack compromised SSNs, employee ID numbers, medical diagnoses, and medical claim information. Black Basta claimed the attack shortly after it occurred, giving the law firm just over two weeks to pay an undisclosed ransom before the data was sold to a third party. Most of the individuals impacted have been notified, but in December a small subset of potentially affected people who could not be reached with direct notice was identified.
  51. On January 11th, American cycling clothing company Primal Wear discovered a ransomware attack which had been carried out by RansomHub in late December. The ransomware attack resulted in the unauthorized access to and exfiltration of 10,513 files, amounting to more than 17GB of data. This data allegedly included financial records, employee information, sales data and invoice documentation. The company claims that there is currently no indication that customer data was affected by the breach.
  52. Safepay added New Zealand law firm Bell & Graham to its victim list, claiming to have exfiltrated 15GB of data. The published dataset appeared to include legal correspondence and a large number of identification documents. Bell & Graham confirmed that it identified the issue and that its IT provider and a specialist cyber incident response team worked together to respond. Actions taken included restricting access to elements of its IT system while remediation and containment were completed.
  53. A threat actor named “Omid16B” reported to several news outlets that it had exfiltrated 561GB of databases from MedSave Health Insurance in India. Data including corporate records, accounts, employee information, sales and personal health data relating to 10,617,943 people is among the files stolen. A screenshot was attached to the claim as proof of the hack. The TPA has not yet commented on or responded to the claims made.
  54. Taylor Regional Hospital in Georgia became the victim of an INC ransomware attack in late December 2024. The incident forced hospital staff to resort to paper medical charts in order to maintain levels of patient care. The hospital stated that it had no indication that patient records were compromised but that investigations are still ongoing. INC posted screenshots of hospital documents on its leak site as proof of claims.
  55. Italian management solutions company Divimast was claimed as a victim of an Akira ransomware attack on January 17th. The group claimed to be in possession of 8GB of data including private corporate documents, confidential agreements, internal finances and HR documents. Personal information belonging to employees and customers is also at risk of being exposed. Divimast has not yet publicly acknowledged Akira’s claims.
  56. Blacon High School in the UK had to temporarily close following a ransomware attack in mid-January. The school informed parents and students that it would remain closed for at least two days while a cybersecurity firm investigates the data breach. No additional details about the attack have been released at this time.
  57. 3TB of sensitive information belonging to Zuk Group was stolen by Handala, as the group targeted the company’s owner Moshe Zuk, a senior officer in the Israeli Mossad. The group reported that the data included financial and intelligence data such as secret transactions and covert operations. The group also claimed to have wiped and destroyed over one thousand employee systems.
  58. Morrison Community Hospital recently agreed to a $675,000 settlement to resolve a lawsuit filed in response to a 2023 ransomware attack and data breach. In September 2023 BlackCat encrypted files on the healthcare provider’s network after exfiltrating sensitive data. It was reported that 122,488 current and former patients were impacted by the breach. A lawsuit was then brought forward by affected patients, with Morrison Community Hospital agreeing to pay claims of up to $5,000 for class members.
  59. Non-profit opioid treatment provider CODAC Behavioral Health began issuing data breach notifications following a cyberattack in July 2024. The notification states that suspicious activity was detected in the network environment and certain information was accessed and copied without authorization. The data compromised included personal information of patients along with some medical data. Qilin claimed the attack, suggesting it had stolen 9GB of data and adding documentation as proof of claims. CODAC has not confirmed the ransomware gang’s claims or how many people were impacted in total.
  60. The Levy Group of Companies announced that on November 1st, 2023, Levy was the target of a ransomware attack. In response, Levy reported the incident to law enforcement and launched an investigation through which it learned that certain files containing confidential information had been accessed. Compromised files have since been reviewed and this month personalized data breach letters were sent out to those affected by the data security incident.
  61. Some Pick n Pay clients have had their personal information leaked on the dark web following a cyberattack on one of its service providers. Claim Expert recently announced that an incident occurred in July when a document containing personally identifiable information was exposed online. The Bashe ransomware gang threatened Pick n Pay with releasing the data unless the company paid an undisclosed ransom. With the company failing to pay, personal information of 100,000 customers was published on the dark web.
  62. Marina Family Medical, located in Queensland, became the target of a successful Money Message ransomware attack. Although Money Message claimed responsibility for the hack, their dark web post offered minimal details, only showing the phrase “wait for data” and a brief company description. The healthcare provider has not yet publicly acknowledged the possibility of a ransomware attack.
  63. Australian auto parts manufacturer, Clutch Industries, confirmed it was the victim of a cyberattack days after Lynx listed the company on its darknet leak site. The organization released a statement acknowledging the claims made by Lynx, stating that it believes the potentially compromised data is limited to company and operational information. The ransomware group responsible has claimed to have stolen 350GB of data, which allegedly includes user and business data, employee details, and financial information. The group also leaked shared folders, purchasing and stock data, engineering files, and sales and marketing information.
  64. More than 60,000 individuals were impacted by a ransomware attack on Avery Products Corporation in December last year. The company stated that it became aware of an attack on its network on December 9th, which prompted it to launch an investigation to determine the nature and scope of the incident. The investigation determined that credit card information was stolen alongside customers’ personal information.
  65. Canadian foam manufacturer Jacobs & Thompson Inc became a victim of notorious Lynx ransomware group. The attack was confirmed via social media, highlighting that the company’s systems were compromised, potentially exposing sensitive corporate data. The full extent of the breach remains unknown.
  66. One of the first high-profile victims of 2025 was American Standard, one of North America’s leading kitchen and bathroom manufacturers. RansomHub added the organization to its leak site on January 22nd, with a countdown clock displaying just over five days left on it. The gang claims to have stolen 400GB of data from American Standard’s network services, but this has not yet been confirmed by the organization.
  67. US-based missile system and aerial weapons manufacturer Stark Aerospace was added to the INC ransomware group’s dark web leak blog. The threat actors claimed to have 4TB of data including source code, design plans, employee passports, and firmware for all the UAVs produced. INC also posted a proof pack containing close to 40 file samples allegedly exfiltrated from the aerospace company.
  68. Bashe ransomware gang added ICICI Bank, a major financial institution in India, to its victim site on the dark web. Bashe threatened to release customer data unless its demands were met before January 31st. A sample of data appears to include names, phone numbers, addresses, ages, genders, types of credit cards and timestamps from March 2024. ICICI Bank has not confirmed the attack.
  69. RansomHub claimed responsibility for a December 2024 data breach at Mission Bank in California. The bank notified an undisclosed number of people that information including PII, passport numbers and financial account numbers was compromised. The bank also confirmed that an unauthorized third party gained access to certain systems within its network. RansomHub claims to have stolen 2.7TB of data relating to both employees and customers from the bank.
  70. A ransomware attack on Topackt IT Solutions impacted 45 schools in various cities and districts in Germany. The external IT service provider appeared on LockBit’s darknet leak site, with claims that the gang exfiltrated 3TB of data. A deadline of January 30 was given to the organization to pay undisclosed ransom demands. At this time Topackt has not publicly acknowledged the claims made by LockBit.
  71. BWFG Business and Forensics GmbH, an Austrian association of forensic experts, was hit by a Cloak ransomware attack. In late November, Cloak initially hinted at the breach, posting about an unidentified victim using a partially masked domain name. This month, the group confirmed that BWFG was the victim, claiming to have exfiltrated 102GB of data. Leaked data reportedly contains highly sensitive information such as confidential forensic reports and client details.
  72. Healthcare facility management company HCF Management reportedly fell victim to a RansomHub ransomware attack, with the organization’s data now leaked on the dark web. In October, RansomHub added HCF Inc to its leak site, claiming to have exfiltrated 250GB of files. Since January 9th, 23 HCF facilities have filed breach reports with the HHS, indicating that at least 70,089 patients have been impacted by the breach.
  73. Argentina’s public healthcare system was dealt a severe blow when the Medusa ransomware gang announced Hospital El Cruce as a victim. The attack resulted in the compromise and loss of over 760GB of data. The ransom demanded by Medusa for the deletion of stolen files is $200,000 in BTC, with a deadline of February 6th. The ransomware gang provided a sample of very sensitive medical information but stated that, although it locked some files, it did not lock anything that would affect the hospital’s operations.
  74. Matagorda County’s Emergency Operation Center published a statement warning that a cybersecurity breach had been discovered involving a virus that had affected several systems. Several services throughout the Texas county remained offline for a number of days. The county is still investigating the cause of the disruption, and no hacking group has publicly taken credit for the attack.
  75. The Kill ransomware gang claimed to have gained unauthorized access to Let’s Secure Insurance Broker’s data. There is limited information available about this attack, and Let’s Secure has yet to acknowledge the incident.
  76. Leading Chinese data management company AISHU Technology Corp has reportedly fallen victim to a RansomHouse ransomware attack. The threat actors breached the company’s security defenses and gained access to and exfiltrated around 500GB of data. The sensitive data reportedly includes valuable proprietary information, customer data and confidential business documents.
  77. Weeks, Brucker & Coleman Ltd was added to the leak site of the notorious ransomware gang Everest this month. Everest claims to have infiltrated the firm’s systems, exfiltrating approximately 150GB of sensitive data. The group has threatened to publish the stolen information within the next ten days if undisclosed ransom demands are not met.
  78. Ransomware gang INC claimed responsibility for a December 2024 attack on the International AIDS Vaccine Initiative (IAVI). IAVI started issuing breach notices in January, though the organization is yet to disclose the total number of people impacted and what data was compromised. Initial findings suggest that certain HR resources may have been involved in the attack. INC provided a number of screenshots of confidential documents as proof of claims.
  79. Space Bears claims to have compromised NSW-based Christian Community Aid, threatening to release data if demands were not met before the 10-day deadline expired. Although the dark web post did not contain a lot of information about the attack, it did state that the group is in possession of “valuable information” in various file types including documents, images and PDFs.
  80. This month, Florida real estate developer Stock Development confirmed that a data breach in 2023 and 2024 had compromised names, SSNs and bank account information. Stock stated that it discovered the breach in 2024 but believes that attackers first infiltrated its systems in April 2023. LockBit claimed the attack in March 2024, reportedly stealing 1TB of data and demanding $155,000 in ransom. Images of what seemed to be files and directories were posted as proof of claims.
  81. Smiths Group, a global engineering firm, reported a cybersecurity incident involving unauthorized access to its systems. The London-listed company stated that it was managing the incident by isolating affected systems and activating its business continuity plans. The organization is working with cybersecurity experts to recover affected systems and determine any wider impact the incident may have on the business. No ransomware group has yet stepped forward to claim the attack.
  82. Frederick Health Hospital’s systems were taken offline and ambulances diverted to other emergency departments due to a ransomware attack. The healthcare provider is working closely with third-party cybersecurity experts to get its systems back online as quickly as possible. A hospital spokesperson would not comment on whether any data was compromised during the attack, and no ransomware group has yet claimed the incident.
  83. On January 26, New York Blood Center Enterprises identified suspicious activity impacting its IT systems. The organization immediately engaged third-party cybersecurity experts to investigate the activity, and it was confirmed that it was a result of a ransomware attack. Immediate steps were taken to contain the threat, and experts are working to restore systems as quickly and safely as possible.
  84. A ransomware attack was responsible for the data breach that crippled Starkville-Oktibbeha Consolidated School District’s network in late December. The incident left students, faculty and staff without internet access on district campuses. The school district did not comment on whether student and employee data was accessed during the breach. The attack has been credited to Safepay.
  85. Kansas law firm Berman & Rabin recently confirmed it notified 151,944 people about a July ransomware attack that compromised SSNs and financial account information. Although attackers first breached the firm in July, the breach was not discovered until October. No cybercriminal group has publicly claimed responsibility for the attack.
  86. In late January, Omid16B tweeted that a US healthcare provider had been hacked, that all the data within the server had been deleted, and that all data would be published in 48 hours. Although the post referred to Cardinal Health, the real victim of the attack was Apex Custom Software. The threat actor claims to have been in Apex’s network for four days, with the organization oblivious to its presence and the exfiltration of data. The amount of data stolen was not disclosed, but the group did post a number of documents as proof of the hack, including medication listings. According to Omid16B, the organization responded but only offered $1,000, which was deemed unacceptable by the hackers.
  87. RansomHub targeted the South African Weather Service’s IT systems in a recent attack. SAWS systems went down as a result of the attack, with the organization reporting that it was the second cyberattack it had been targeted with within a two-day period, after the first attempt failed. According to SAWS, RansomHub has not demanded a specific amount for a file decryptor and protection against a further leak. Critical services were not impacted by the attack.
  88. 20,997 people were notified of an August 2024 data breach involving Mississippi electric utility Yazoo Valley Electric Power Association. An investigation concluded that a limited amount of personal information was accessed by an unauthorized third party in connection with the incident. The process of obtaining information on those impacted ended in December 2024. Akira took credit for the attack, claiming to have stolen SSNs, internal corporate information, and financial records.
  89. A recent attack on Health Centre, a network of cardiology clinics in Australia, was claimed by DragonForce. The group claims to have breached the healthcare provider’s IT systems, successfully encrypting the data on the servers and exfiltrating approximately 5GB of documents. The documents allegedly included sensitive information such as patient data, diagnoses and other protected health data. The group specified that it had also stolen database backups, suggesting a significant compromise of the hospital’s IT infrastructure.
  90. Community Health Center, which runs dozens of facilities across the state of Connecticut, announced that 1,060,936 current and former patients had data stolen during a cyberattack in early January. The cybercriminals did not delete or lock any of the data, meaning that daily operations were not disrupted. The hacker accessed health records that included PII, treatment details, health insurance information and SSNs.
  91. ARDEX Australia was listed as a victim on Medusa’s dark web leak site in late January, with the group claiming to have stolen a trove of business documents. The group posted a comprehensive sample of exfiltrated data including spreadsheets, product lists, prices, remuneration documents, employment information, policy documents and other information, some of which was marked confidential. Medusa set a countdown for the release of data in roughly 22 days. The price to purchase or delete the information was set at $300,000.
  92. A ransomware attack affected some IT assets at Tata Technologies Limited. According to a company statement, the ransomware incident led to the temporary suspension of some IT services, but client delivery services were not affected. Suspended services have since been restored. A detailed investigation is underway in consultation with experts to assess the root cause of the attack. It is not yet known who is responsible for the attack.