
All news with #ransomware incident tag

120 articles

Cookeville Medical Center: 337,917 Patients Exposed

🔒 Cookeville Regional Medical Center has notified 337,917 patients that personal and medical data were accessed during a July 11–14, 2025 intrusion tied to the ransomware group Rhysida. The hospital began mailing breach letters in April 2026, roughly nine months after detection, and said files may include Social Security numbers, driver’s license data, treatment and insurance information. Rhysida claimed the attack in August 2025 and posted sample files; it demanded 10 Bitcoin. CRMC is offering 12 months of identity protection through Experian and reports additional security measures are in place.

Dutch EHR Vendor ChipSoft Disrupts Services After Ransomware

🔒 Dutch healthcare software vendor ChipSoft has confirmed a ransomware incident that forced it to take its website and patient-facing digital services offline. The provider of the HiX EHR platform warned of "possible unauthorized access" and advised customers to disconnect affected systems while it investigates. The national healthcare CERT, Z-CERT, is coordinating response efforts with ChipSoft and impacted hospitals.

Die Linke Confirms Data Stolen by Qilin Ransomware

🔒 Die Linke, a German democratic socialist party, has confirmed that the Russian-speaking ransomware group Qilin stole data from its network and is threatening to leak it. The party stated its membership database was not impacted, but attackers sought sensitive internal documents and employee personal information. Die Linke notified German authorities, filed a criminal complaint, and retained independent IT experts to restore affected systems. Qilin added the party to its leak site on April 1 but had not published any data samples.

Qilin Ransomware Surge in Japan 2025: Detection Insights

🔍 In 2025 Japan reported 134 ransomware incidents—a 17.5% increase from 2024—with Qilin responsible for 22 cases (16.4%). Talos highlights Qilin’s growing automation, credential‑based access, and use of an EDR‑killer that targets 300+ drivers and employs locale-based geo‑fencing. The blog focuses on detecting activity during the pre‑ransomware phase (average six days to execution) and shares Sigma/YARA rules plus correlation guidance to reduce false positives.

Bearlyfy Uses GenieLocker to Hit 70+ Russian Firms

🔒 Bearlyfy, a pro-Ukrainian group also tracked as Labubu, has been linked to more than 70 attacks on Russian companies and began deploying a proprietary Windows ransomware called GenieLocker in March 2026. The group combines extortion and sabotage, often gaining initial access via vulnerable external services and deploying remote tools like MeshAgent. According to vendor F6, about one in five victims pay ransoms, and demand amounts have grown substantially.

Russian Operator Gets 2-Year Term for TA551 Botnet Role

⚖️ The U.S. Department of Justice sentenced Russian national Ilya Angelov to two years in prison and fined him $100,000 for operating a botnet that enabled ransomware attacks against American companies. Angelov, 40, of Tolyatti, used aliases "milan" and "okart" and co‑managed the Russia‑based cybercriminal group TA551, which distributed malware-laden spam and sold access to compromised machines. Prosecutors say TA551 sold bot access to groups behind BitPaymer and IcedID, contributing to millions in extortion payments.

AI-Generated Slopoly Backdoor Used in Interlock Attack

🔒 A PowerShell backdoor called Slopoly, likely generated with an LLM, was used in an Interlock ransomware intrusion that allowed attackers to persist on a compromised server for over a week and exfiltrate data. IBM X-Force observed developer-style comments, structured logging, clear variable names, and robust error handling that suggest AI-assisted creation. Deployed to C:\ProgramData\Microsoft\Windows\Runtime\, Slopoly beacons to a C2 endpoint, polls for commands, executes them via cmd.exe, and establishes persistence as a scheduled task.

Stryker Offline After Wiper Malware Hits Global Systems

🏥 Leading medical technology company Stryker is experiencing a severe, global outage after a wiper malware attack claimed by Handala, an Iran-linked hacktivist group. The attackers say they stole 50 TB of data and remotely wiped over 200,000 systems, servers, and mobile devices, forcing shutdowns across 79 countries. Employees report managed Windows and mobile devices were reset, internal services were disrupted, and some sites reverted to pen-and-paper workflows while Stryker works with Microsoft to restore systems.

Iran-linked Hackers Claim Wiper Attack on Medtech Firm

🛡️ A hacktivist group with reported ties to Iran's intelligence services has claimed responsibility for a large-scale data-wiping incident against Stryker, a global medical technology company. The group, known as Handala, said it erased data from more than 200,000 systems and forced shutdowns across 79 countries while Stryker sent thousands of staff in Ireland home and reported a building emergency at its U.S. headquarters. Reporting and internal sources indicate attackers may have used Microsoft Intune to issue remote wipe commands; some employee devices were reportedly wiped and defaced.

Mississippi Medical Center Reopens Clinics After Ransomware

🏥 The University of Mississippi Medical Center (UMMC) says it has resumed normal operations nine days after a ransomware attack that disrupted electronic medical records and multiple IT systems. Phone lines were restored and clinics reopened with extended hours to reschedule missed appointments. UMMC is investigating the intrusion with the FBI and CISA, and confirmed attackers had communicated with staff; no group has claimed responsibility.

AkzoNobel Confirms Data Theft After U.S. Site Breach

🔓 AkzoNobel confirmed a security incident at a U.S. site after the Anubis ransomware group posted a partial data leak. The company says the intrusion was contained locally and the impact is limited, and it is notifying and supporting affected parties. Anubis claims about 170GB and nearly 170,000 files were stolen, including confidential agreements and passport scans.

University of Hawaii Cancer Center Data Breach Hits 1.2M

🔒 The University of Hawaii Cancer Center confirmed a ransomware breach that exposed data for nearly 1.2 million individuals after attackers accessed systems supporting its Epidemiology Division. Compromised files include names, Social Security numbers, driver's license numbers, and historical research health records collected in the 1990s and 2000s. UH says clinical operations, patient care, and student records were not affected and that it paid the actors for a decryption tool and to secure destruction of the stolen information.

Advantest Hit by Ransomware; Investigation Under Way

🔒 Advantest Corporation, the Tokyo-based maker of semiconductor test equipment, disclosed on 19 February that it is responding to a cybersecurity incident involving ransomware after detecting unusual activity in its IT environment on 15 February. The company says it isolated affected systems and engaged third-party cybersecurity experts to investigate and contain the event; preliminary findings indicate unauthorized access and possible ransomware deployment. As of 23 February no data breach has been confirmed, and Advantest says it will notify impacted customers or employees if exposure is found.

UMMC Offline After Ransomware, Patient Services Disrupted

🔒 The University of Mississippi Medical Center (UMMC) has taken many IT systems offline following a ransomware attack that disrupted access to electronic medical records and forced clinics and elective procedures to be cancelled. UMMC activated its Emergency Operations Plan and is working with the FBI and the Department of Homeland Security while hospitals operate using downtime procedures. The organisation has taken network systems offline for risk assessments and has not confirmed whether patient or employee data was exfiltrated.

Advantest Hit by Ransomware, Potential Data Exposure

🔒 Advantest Corporation reported that its corporate network experienced a ransomware intrusion detected on February 15, prompting immediate isolation of affected systems and the engagement of third-party cybersecurity specialists. Preliminary findings indicate an unauthorized party may have deployed ransomware in portions of the network, though no data theft has been confirmed. The company says it will notify and advise any customers or employees if their information is determined to be impacted. The investigation is ongoing and, to date, no ransomware group has claimed responsibility.

University of Mississippi Medical Center Closes Clinics

🔒 The University of Mississippi Medical Center (UMMC) closed all clinic locations statewide after a ransomware attack disrupted multiple IT systems and blocked access to the Epic electronic medical record. Outpatient and ambulatory surgeries, procedures, and imaging appointments were canceled while inpatient and emergency care continue using established downtime procedures. UMMC said it has taken network systems offline, is working with the FBI and CISA, and that attackers have communicated and may be negotiating an extortion demand.

Poland Arrests Suspect Linked to Phobos Ransomware

🛡️ Polish police have detained a 47-year-old suspect alleged to have ties to the Phobos ransomware group and seized computers and mobile phones containing credentials, credit card numbers, and server access data. The arrest in Małopolska was carried out by the Central Bureau of Cybercrime Control as part of Operation Aether, an international Europol-coordinated disruption. Authorities say the suspect used encrypted messaging to communicate with Phobos and now faces charges under Article 269b of Poland’s Criminal Code.

Washington Hotel in Japan Discloses Ransomware Breach

🔒 Washington Hotel, a business brand of Fujita Kanko Inc., disclosed a ransomware infection after an intrusion on Friday, February 13, 2026 at 22:00 local time. The company says it immediately disconnected affected servers, formed an internal task force, and engaged external cybersecurity experts to assess impact and coordinate recovery; preliminary findings indicate attackers accessed various business data. Customer records are unlikely to have been exposed because those are held by a separate vendor, but some properties experienced operational effects such as temporarily unavailable credit-card terminals.

Romania's Conpet Confirms Data Theft After Qilin Attack

🔒 Conpet S.A., Romania's national oil pipeline operator, confirmed that the Qilin ransomware gang exfiltrated company data following a breach of its corporate IT environment. The company said operational systems remained unaffected and it is cooperating with the Romanian National Cyber Security Directorate (DNSC) as investigators assess the incident. Qilin claims nearly 1TB of documents and published a proof sample of 16 images containing internal financial records and passport scans; some files are marked confidential and dated as recently as November 2025. Conpet warned that compromised data may be used for fraud and advised potentially impacted individuals to verify any urgent contact using official channels.

BridgePay Confirms Ransomware Caused System-wide Outage

🔒 BridgePay Network Solutions has confirmed a ransomware attack triggered a system-wide IT outage, according to security alerts published on February 6. Initial forensic work indicates no payment card data appears to have been compromised and that any accessed files were encrypted. The company said it is working with cybersecurity specialists, the FBI and the US Secret Service and that recovery may be lengthy; it will provide regular updates to affected customers and partners.