All news with #ransomware incident tag

🔒 Oltenia Energy Complex, Romania's largest coal-based energy producer, suffered a ransomware attack on the second day of Christmas that disrupted its IT infrastructure. Some documents were encrypted and key applications — including ERP, document management, email, and the corporate website — became temporarily unavailable. The company said operations were only partially affected and the National Energy System was not jeopardized while teams rebuild systems from backups and cooperate with authorities.

🛡️ INTERPOL coordinated Operation Sentinel between Oct. 27 and Nov. 27, 2025, recovering $3 million and prompting the arrest of 574 suspects across 19 African countries. The campaign targeted business email compromise, digital extortion and ransomware, taking down over 6,000 malicious links and decrypting six ransomware variants. Authorities disrupted fraud rings that stole more than $400,000 and seized devices and servers. Separately, a Ukrainian national pleaded guilty for his role as a Nefilim ransomware affiliate.

🔍 Operation Sentinel, coordinated by Interpol, resulted in 574 arrests across Africa during the month-long campaign from 27 October to 27 November. Authorities recovered $3m in alleged cybercrime proceeds, decrypted six ransomware variants and removed around 6,000 malicious links and domains. Key interventions included halting a $7.9m fraudulent wire transfer in Senegal and recovering 30TB of data encrypted in an attack on a Ghanaian financial institution. The operation involved national forces and industry partners such as Team Cymru and Trend Micro.

🔒 Romanian Waters (Administrația Națională Apele Române) reported a ransomware incident over the weekend that affected roughly 1,000 computer systems across the national authority and 10 of its 11 regional offices. Investigators said servers running GIS, databases, email, web services, Windows workstations and DNS were impacted, while operational technology and water infrastructure controls remained operational. Authorities reported attackers used the built-in Windows BitLocker feature to lock files and left a ransom note demanding contact within seven days; the investigation is ongoing.

🔒A Ukrainian national has pleaded guilty to participating as an affiliate in the Nefilim ransomware operation after being extradited from Barcelona following his June 2024 arrest. He joined the group in June 2021, received an account for a 20% cut and used databases such as ZoomInfo to identify large corporate victims in the US, Canada and Australia. Operators exfiltrated data, encrypted networks and threatened publication on a 'corporate leaks' site; the defendant faces up to 10 years and will be sentenced in May 2026. A known co-conspirator, Volodymyr Tymoshchuk, remains at large and is subject to an up-to-$11m reward.

🛡️Ukrainian national Artem Aleksandrovych Stryzhak, 35, pleaded guilty to participating as an affiliate in the Nefilim ransomware operation, admitting he obtained access to the ransomware code in June 2021 in exchange for a 20% share of ransom proceeds. He targeted high-revenue corporations across the United States, Canada, Australia and several European countries using custom-tailored malware and coordinating data-exfiltration and leak threats to coerce payment. Arrested in Spain in June 2024 and extradited to the U.S. in April 2025, Stryzhak faces up to 10 years in prison; sentencing is scheduled for May 6, 2026.

🔒 Askul Corporation confirmed that the RansomHouse extortion group stole approximately 740,000 customer and partner records during an October ransomware incident. Compromised data types include business and individual customer service records, partner data, and employee information. Askul says attackers likely used compromised administrator credentials for an outsourced partner that lacked MFA, disabled EDR, moved laterally, deployed multiple ransomware variants, and wiped backups. The company has isolated affected networks, enforced MFA, reset admin passwords, begun individual notifications and established long-term monitoring.

🔒 Ideal Group has reported a cyberattack that forced several systems offline as a precaution, leaving business operations running in a limited capacity. The group's affiliate Ahorn AG is affected while subsidiary myLife Lebensversicherung reportedly remains unaffected. The ransomware group Akira is blamed; investigators and external specialists, together with law enforcement, are analysing the incident and currently report no indications of customer data misuse.

🔒 In mid-October the Untereisesheim town hall was hit by a cyberattack that encrypted IT systems and led to data theft from servers. Investigations indicate portions of the stolen material, including older personnel files and employee image drives, have appeared on the darknet, while the municipality stresses that sensitive citizen data and central document systems were not affected. No ransom was paid; the town is working with Cybersecurity Agency Baden-Württemberg (CSBW) and the State Criminal Police Office, has rebuilt and secured systems, and informed supervisory and data protection authorities.

🔒 The Health Service Executive (HSE) has offered €750 to individuals whose personal data was exposed in the May 2021 Conti ransomware attack, plus an additional €650 toward legal costs. The intrusion began with a malicious Microsoft Excel file that bypassed outdated anti‑malware defenses, forcing a full IT shutdown and widespread disruption to hospital services. A later PwC review criticised the HSE's unpatched systems and frail infrastructure, while the organisation says it has found no evidence of fraud stemming from the breach after more than four years.

📊 A FinCEN analysis of 4,194 Bank Secrecy Act filings found organizations paid more than $2.1 billion in ransom between January 2022 and December 2024. Ransomware incidents peaked in 2023 before falling in 2024 after law enforcement actions disrupted ALPHV/BlackCat and LockBit. Most ransom payments were under $250,000 and roughly 97% were made in Bitcoin. Manufacturing, financial services, and healthcare were the most targeted industries.

🔒 Inotiv, an Indiana-based contract research organization, disclosed an August ransomware attack that disrupted operations after networks, databases, and internal applications were taken offline. The company says it has 'restored availability and access' to impacted systems and is notifying 9,542 individuals whose information was stolen. The incident, dated to approximately August 5–8, 2025, was claimed by the Qilin ransomware group, which published alleged samples and asserted it exfiltrated roughly 162,000 files totaling about 176 GB, though Inotiv has not confirmed the specific data types or publicly attributed the attack.

🔒 Asahi Group Holdings confirmed that a ransomware attack on 29 September, attributed to the Qilin group, resulted in a major data breach affecting over 1.5 million customers and roughly 275,000 employees and family members. The incident disrupted ordering, shipping and production systems across Japan and caused widespread product shortages. Asahi says it did not pay a ransom, has found no evidence the data has been posted publicly, and is strengthening its cybersecurity while notifying those impacted.

🔒 Asahi Group Holdings has confirmed that personal data for approximately 1.914 million people, including 1.525 million customers, may have been exposed after a September ransomware incident that forced temporary suspension of operations. The company spent two months on containment, integrity checks and system restoration, and says credit card details were not affected. Qilin has claimed responsibility; Asahi warns customers to monitor for unsolicited communications and anticipates ongoing operational impacts.

🛡️ A Reliaquest analysis of June–October incidents links multiple Akira ransomware intrusions to compromised SonicWall SSL VPNs that were inherited through acquisitions. In nearly every case, acquiring organizations did not know the devices remained on their networks and attackers leveraged legacy administrative credentials. The report warns that routine financial due diligence misses such cyber risks, and urges early security-led inventory, segmentation, and credential rotation during M&A onboarding.

🔒 The Royal Borough of Kensington and Chelsea and Westminster City Council are experiencing widespread service disruptions after a cybersecurity incident that also affected the London Borough of Hammersmith and Fulham. Several systems including phone lines were taken offline and councils activated emergency plans to preserve critical services. Officials say they shut down affected systems as a precaution while working with specialist incident responders and the National Cyber Security Centre. Security researchers indicate the outage stems from a ransomware attack on a shared services provider; investigations and efforts to restore services are ongoing.

⚠️ A cyber-attack on the OnSolve CodeRED platform disrupted emergency alerts used by state and local agencies across the US and exposed user data. Crisis24 shut down the legacy environment and is rebuilding the system in a new, isolated infrastructure. Investigators confirmed data theft — including names, addresses, emails, phone numbers and passwords — though there is no evidence the data has been posted online. The threat actor INC Ransom claims responsibility and has published screenshots and is selling samples of the files.

🔒 Mainz University of Applied Sciences reported a cyberattack on Monday, 24 November, and has shut down all IT systems. The university says most services are unavailable while IT teams and investigative authorities analyse the threat and potential damage. A crisis team was mobilised to maintain essential operations, but restoration timelines remain uncertain. No further details have been released and it is unclear how the attackers gained access.

🔒 An employee clicking a fake CAPTCHA (a ClickFix social-engineering lure) on a compromised car dealership site began a 42-day intrusion by Howling Scorpius that delivered the .NET remote access Trojan SectopRAT and ultimately Akira ransomware. Two enterprise EDRs recorded activity but produced few alerts, enabling lateral movement, privilege escalation and the exfiltration of roughly 1 TB. Unit 42 deployed Cortex XSIAM, rebuilt hardened infrastructure, tightened IAM controls and negotiated about a 68% reduction in the ransom demand.

🔒 Stadtwerke Detmold has reported a widespread IT outage following an apparent hacker attack that prompted the operator to take all systems offline. Online services are unavailable and the company cannot be reached by phone or email. The utility says the supply of drinking water, electricity, gas and district heating remains assured, and customers can report technical problems via a hotline. Authorities are investigating the incident and, so far, no ransom demand has been reported.