< ciso brief />

All news with #ransomware incident tag

126 articles

MyPillow and Play gang dispute over alleged breach

🛏️ The Play ransomware group claims to have stolen confidential MyPillow data and has threatened a public dump; CEO Mike Lindell denies any breach and calls the allegations politically motivated. Lindell says MyPillow stores no sensitive data internally, has received no ransom demand, and relies on third parties for data handling. Play's leak portal has set a release deadline, so the claim cannot be verified until it passes. The article warns that outsourcing data handling to third parties does not remove the risk to the organisation or to the individuals whose data those parties hold.

Foxconn Confirms Cyberattack at North American Sites

🔒 Foxconn confirmed a cyberattack affected some of its North American factories and says impacted sites are resuming normal production. The company said its cybersecurity team activated response measures to maintain continuity of operations and deliveries. Nitrogen ransomware operators claimed 8 TB of data and over 11 million documents were stolen, allegedly including files from Apple, Nvidia, Intel and Google. Foxconn has faced prior ransomware incidents.

ShinyHunters Escalates Canvas Extortion Against Schools

🔒 A ShinyHunters “pay or leak” extortion campaign has targeted the education sector after the compromise of Instructure, operator of the Canvas LMS. The April 25 breach reportedly exposed around 275 million records and more than 3.65 TB of data via a vulnerability in the Free‑For‑Teacher Canvas version. After an initial ransom demand and a May 8 deadline, the group extended its timeline and began school‑by‑school extortion, defacing roughly 330 institutional login pages. Affected organizations are urged to change Canvas‑related passwords, enable multi‑factor authentication and heighten phishing awareness.

cPanel Auth Bypass CVE-2026-41940 Exploited Widely Now

🚨 An emergency update for cPanel and WHM addresses a critical authentication bypass (CVE-2026-41940) that has been actively exploited to access control panels. Security researchers report attackers have breached thousands of servers and deployed a Go-based Linux encryptor tied to the "Sorry" ransomware, which appends the .sorry extension. The encryptor uses ChaCha20 for file encryption with the symmetric key protected by an embedded RSA-2048 public key, and victims receive a README.md ransom note directing contact via a fixed Tox ID. Administrators should install the update and verify backups immediately.

Police dismantle €50M crypto investment fraud ring

🔍 Austrian and Albanian authorities, supported by Europol and Eurojust, dismantled a large-scale cryptocurrency investment fraud operation responsible for estimated losses of €50 million. The coordinated action, which began in June 2023 and culminated in raids on April 17, resulted in 10 arrests and seizures of cash, hundreds of computers and mobile devices for forensic analysis. The ring operated professional call centres with up to 450 employees, using fake trading platforms and "retention agents" who used remote-access tools and psychological pressure to extract funds and later re-scam victims with bogus recovery fees.

Former Ransomware Negotiator Pleads Guilty in ALPHV Attacks

🔒 41-year-old Angelo Martino, a former negotiator at DigitalMint, pleaded guilty to participating in BlackCat (ALPHV) ransomware operations that targeted U.S. companies in 2023. Prosecutors say Martino shared confidential victim negotiation positions and insurance limits with the operators, enabling larger extortion demands, and worked with accomplices Ryan Goldberg and Kevin Martin. The trio operated as affiliates, paying administrators a 20% cut, and targeted at least five U.S. organizations, including firms and nonprofits that paid multimillion-dollar ransoms. DigitalMint condemned the conduct and said the employees were fired when the activity was discovered.

Cookeville Medical Center: 337,917 Patients Exposed

🔒 Cookeville Regional Medical Center has notified 337,917 patients that personal and medical data were accessed during a July 11–14, 2025 intrusion tied to the ransomware group Rhysida. The hospital began mailing breach letters in April 2026, roughly nine months after detection, and said files may include Social Security numbers, driver’s license data, treatment and insurance information. Rhysida claimed the attack in August 2025 and posted sample files; it demanded 10 Bitcoin. CRMC is offering 12 months of identity protection through Experian and reports additional security measures are in place.

Dutch EHR Vendor ChipSoft Disrupts Services After Ransomware

🔒 Dutch healthcare software vendor ChipSoft has confirmed a ransomware incident that forced it to take its website and patient-facing digital services offline. The provider of the HiX EHR platform warned of "possible unauthorized access" and advised customers to disconnect affected systems while it investigates. The national healthcare CERT, Z-CERT, is coordinating response efforts with ChipSoft and impacted hospitals.

Die Linke Confirms Data Stolen by Qilin Ransomware

🔒 Die Linke, a German democratic socialist party, has confirmed that the Russian-speaking ransomware group Qilin stole data from its network and is threatening to leak it. The party stated its membership database was not impacted, but attackers sought sensitive internal documents and employee personal information. Die Linke notified German authorities, filed a criminal complaint, and retained independent IT experts to restore affected systems. Qilin added the party to its leak site on April 1 but had not published any data samples.

Qilin Ransomware Surge in Japan 2025: Detection Insights

🔍 In 2025 Japan reported 134 ransomware incidents—a 17.5% increase from 2024—with Qilin responsible for 22 cases (16.4%). Talos highlights Qilin’s growing automation, credential‑based access, and use of an EDR‑killer that targets 300+ drivers and employs locale-based geo‑fencing. The blog focuses on detecting activity during the pre‑ransomware phase (average six days to execution) and shares Sigma/YARA rules plus correlation guidance to reduce false positives.

Bearlyfy Uses GenieLocker to Hit 70+ Russian Firms

🔒 Bearlyfy, a pro-Ukrainian group also tracked as Labubu, has been linked to more than 70 attacks on Russian companies and began deploying a proprietary Windows ransomware called GenieLocker in March 2026. The group combines extortion and sabotage, often gaining initial access via vulnerable external services and deploying remote tools like MeshAgent. According to vendor F6, about one in five victims pay ransoms, and demand amounts have grown substantially.

Russian Operator Gets 2-Year Term for TA551 Botnet Role

⚖️ The U.S. Department of Justice sentenced Russian national Ilya Angelov to two years in prison and fined him $100,000 for operating a botnet that enabled ransomware attacks against American companies. Angelov, 40, of Tolyatti, used aliases "milan" and "okart" and co‑managed the Russia‑based cybercriminal group TA551, which distributed malware-laden spam and sold access to compromised machines. Prosecutors say TA551 sold bot access to groups behind BitPaymer and IcedID, contributing to millions in extortion payments.

AI-Generated Slopoly Backdoor Used in Interlock Attack

🔒 A PowerShell backdoor called Slopoly, likely generated with an LLM, was used in an Interlock ransomware intrusion that allowed attackers to persist on a compromised server for over a week and exfiltrate data. IBM X-Force observed developer-style comments, structured logging, clear variable names, and robust error handling that suggest AI-assisted creation. Deployed to C:\ProgramData\Microsoft\Windows\Runtime\, Slopoly beacons to a C2 endpoint, polls for commands, executes them via cmd.exe, and establishes persistence as a scheduled task.
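The persistence pattern described above (a PowerShell script dropped under C:\ProgramData\Microsoft\Windows\Runtime\ and launched by a scheduled task) is easy to hunt for on a host. The following PowerShell is an added example written for this page, not code from the IBM X-Force report; the directory path comes from the article, while the task name and script name are unknown, so the check keys on the interpreter and path rather than on any specific name:

```powershell
# Added hunting example (not from the IBM X-Force report): flag scheduled tasks
# whose action launches PowerShell with a reference to the staging directory the
# article names, then inventory and hash whatever that directory holds.
$StagingDir = 'C:\ProgramData\Microsoft\Windows\Runtime'

# 1. Scheduled tasks whose action runs powershell.exe/pwsh.exe and mentions the staging path.
$suspectTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        $cmd = "$($_.Execute) $($_.Arguments)"
        ($cmd -match '(?i)powershell|pwsh') -and ($cmd -match [regex]::Escape($StagingDir))
    }
}
foreach ($t in $suspectTasks) {
    $info = $t | Get-ScheduledTaskInfo
    [pscustomobject]@{
        TaskPath  = $t.TaskPath
        TaskName  = $t.TaskName
        Principal = $t.Principal.UserId
        LastRun   = $info.LastRunTime
        NextRun   = $info.NextRunTime
        Action    = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
}

# 2. Contents of the staging directory, with SHA-256 hashes for later correlation.
#    The article describes this path as the backdoor's drop location, so any
#    script found here deserves a look even if no task references it.
if (Test-Path $StagingDir) {
    Get-ChildItem -Path $StagingDir -Recurse -File -Force |
        Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc,
            @{ n = 'SHA256'; e = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } }
}

# 3. When task-creation auditing is enabled, Security event 4698 records who
#    registered a task and its XML; match on the staging path to find the
#    registration time and account.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($StagingDir) } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Run it in an elevated session on hosts in scope; step 3 only returns results where "Audit Other Object Access Events" is enabled, which is worth confirming on your baseline before relying on it in an investigation.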

Stryker Offline After Wiper Malware Hits Global Systems

🏥 Leading medical technology company Stryker is experiencing a severe, global outage after a wiper malware attack claimed by Handala, an Iran-linked hacktivist group. The attackers say they stole 50 TB of data and remotely wiped over 200,000 systems, servers, and mobile devices, forcing shutdowns across 79 countries. Employees report managed Windows and mobile devices were reset, internal services were disrupted, and some sites reverted to pen-and-paper workflows while Stryker works with Microsoft to restore systems.

Iran-linked Hackers Claim Wiper Attack on Medtech Firm

🛡️ A hacktivist group with reported ties to Iran's intelligence services has claimed responsibility for a large-scale data-wiping incident against Stryker, a global medical technology company. The group, known as Handala, said it erased data from more than 200,000 systems and forced shutdowns across 79 countries while Stryker sent thousands of staff in Ireland home and reported a building emergency at its U.S. headquarters. Reporting and internal sources indicate attackers may have used Microsoft Intune to issue remote wipe commands; some employee devices were reportedly wiped and defaced.
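If an attacker can issue wipe commands through the device-management plane, the first question for a defender is who in the tenant has issued wipes recently and from where. The following PowerShell is an added example for this page, not code from the Stryker reporting or from Microsoft; it assumes the Microsoft.Graph.Authentication module, a signed-in identity with read permission on Intune audit data, and the Graph auditEvent resource shape (activityType, activityResult, actor, resources), which should be verified against your tenant before the output is trusted:

```powershell
# Added audit example (not from the Stryker reporting): list Intune audit events
# from the last seven days that look like wipe/retire actions, with the actor
# and target devices. Endpoint and property names follow Graph's auditEvent
# resource and are an assumption to confirm in your own tenant.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('o')
$uri = "https://graph.microsoft.com/beta/deviceManagement/auditEvents?`$filter=activityDateTime ge $since&`$orderby=activityDateTime desc"

# Follow @odata.nextLink so a large burst of events is not truncated by paging.
$events = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $events += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Match broadly on the activity text; exact activityType strings vary by action.
$wipes = $events | Where-Object {
    ($_.activityType -match '(?i)wipe|retire') -or ($_.displayName -match '(?i)wipe|retire')
}

$wipes | ForEach-Object {
    [pscustomobject]@{
        When     = $_.activityDateTime
        Activity = $_.activityType
        Result   = $_.activityResult
        Actor    = if ($_.actor.userPrincipalName) { $_.actor.userPrincipalName } else { $_.actor.applicationDisplayName }
        ActorIP  = $_.actor.ipAddress
        Targets  = ($_.resources | ForEach-Object { $_.displayName }) -join ', '
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

A burst of wipes from a single actor, from an unfamiliar IP, or from an application identity rather than a named administrator is the signal to act on: revoke that principal's sessions and review which Intune role assignments grant the wipe action, since that permission is rarely needed outside a small device-management group.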

Mississippi Medical Center Reopens Clinics After Ransomware

🏥 The University of Mississippi Medical Center (UMMC) says it has resumed normal operations nine days after a ransomware attack that disrupted electronic medical records and multiple IT systems. Phone lines were restored and clinics reopened with extended hours to reschedule missed appointments. UMMC is investigating the intrusion with FBI and CISA, and confirmed attackers had communicated with staff; no group has claimed responsibility.

AkzoNobel Confirms Data Theft After U.S. Site Breach

🔓 AkzoNobel confirmed a security incident at a U.S. site after the Anubis ransomware group posted a partial data leak. The company says the intrusion was contained locally and the impact is limited, and it is notifying and supporting affected parties. Anubis claims about 170GB and nearly 170,000 files were stolen, including confidential agreements and passport scans.

University of Hawaii Cancer Center Data Breach Hits 1.2M

🔒 The University of Hawaii Cancer Center confirmed a ransomware breach that exposed data for nearly 1.2 million individuals after attackers accessed systems supporting its Epidemiology Division. Compromised files include names, Social Security numbers, driver's license numbers, and historical research health records collected in the 1990s and 2000s. UH says clinical operations, patient care, and student records were not affected and that it paid the actors for a decryption tool and to secure destruction of the stolen information.

Advantest hit by ransomware; investigation under way

🔒 Advantest Corporation, the Tokyo-based maker of semiconductor test equipment, disclosed on 19 February that it is responding to a cybersecurity incident involving ransomware after detecting unusual activity in its IT environment on 15 February. The company says it isolated affected systems and engaged third-party cybersecurity experts to investigate and contain the event; preliminary findings indicate unauthorized access and possible ransomware deployment. As of 23 February no data breach has been confirmed, and Advantest says it will notify impacted customers or employees if exposure is found.

UMMC Offline After Ransomware, Patient Services Disrupted

🔒 The University of Mississippi Medical Center (UMMC) has taken many IT systems offline following a ransomware attack that disrupted access to electronic medical records and forced clinics and elective procedures to be cancelled. UMMC activated its Emergency Operations Plan and is working with the FBI and the Department of Homeland Security while hospitals operate using downtime procedures. The organisation has taken network systems offline for risk assessments and has not confirmed whether patient or employee data was exfiltrated.