ransomware

Canada’s Cyber Centre flags rising ransomware risks for 2025 to 2027

The national cyber authority of Canada has warned that ransomware will remain one of the country’s most serious cyber threats through 2027, as attacks become faster, cheaper and harder to detect.

The Canadian Centre for Cyber Security, part of Communications Security Establishment Canada, says ransomware now operates as a highly interconnected criminal ecosystem driven by financial motives and opportunistic targeting.

According to the outlook, threat actors are increasingly using AI and cryptocurrency while expanding extortion techniques beyond simple data encryption.

Businesses, public institutions and critical infrastructure in Canada remain at risk, with attackers continuously adapting their tactics, techniques and procedures to maximise financial returns.

The Cyber Centre stresses that basic cyber hygiene still provides strong protection. Regular software updates, multi-factor authentication and vigilance against phishing attempts significantly reduce exposure, even as attack methods evolve.

A report that also highlights the importance of cooperation between government bodies, law enforcement, private organisations and the public.

Officials conclude that while ransomware threats will intensify over the next two years, early warnings, shared intelligence and preventive measures can limit damage.

Canada’s cyber authorities say continued investment in partnerships and guidance remains central to building national digital resilience.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

Nova ransomware claims breach of KPMG Netherlands

KPMG Netherlands has allegedly become the latest target of the Nova ransomware group, following claims that sensitive data was accessed and exfiltrated.

The incident was reported by ransomware monitoring services on 23 January 2026, with attackers claiming the breach occurred on the same day.

Nova has reportedly issued a ten-day deadline for contact and ransom negotiations, a tactic commonly used by ransomware groups to pressure large organisations.

The group has established a reputation for targeting professional services firms and financial sector entities that manage high-value and confidential client information.

Threat intelligence sources indicate that Nova operates a distributed command and control infrastructure across the Tor network, alongside multiple leak platforms used to publish stolen data. Analysis suggests a standardised backend deployment, pointing to a mature and organised ransomware operation.

KPMG has not publicly confirmed the alleged breach at the time of writing. Clients and stakeholders are advised to follow official communications for clarity on potential exposure, response measures and remediation steps as investigations continue.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

WorldLeaks claims massive Nike data leak

Nike has launched an internal investigation following claims by the WorldLeaks cybercrime group that company data was stolen from its systems.

The sportswear giant said it is assessing a potential cybersecurity incident after the group listed Nike on its Tor leak site and published a large volume of files allegedly taken during the intrusion.

WorldLeaks claims to have released approximately 1.4 terabytes of data, comprising more than 188,000 files. The group is known for data theft and extortion tactics, pressuring organisations to pay by threatening public disclosure instead of encrypting systems with ransomware.

The cybercrime operation emerged in 2025 after rebranding from Hunters International, a ransomware gang active since 2023. Increased law enforcement pressure reportedly led the group to abandon encryption-based attacks and focus exclusively on stealing sensitive corporate data.

An incident that adds to growing concerns across the retail and apparel sector, following a recent breach affecting Under Armour that exposed tens of millions of customer records.

Nike has stated that consumer privacy and data protection remain priorities while the investigation continues.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ransomware attack on Under Armour leads to massive customer data exposure

Under Armour is facing growing scrutiny following the publication of customer data linked to a ransomware attack disclosed in late 2025.

According to breach verification platform Have I Been Pwned, a dataset associated with the incident appeared on a hacking forum in January, exposing information tied to tens of millions of customers.

The leaked material reportedly includes 72 million email addresses alongside names, dates of birth, location details and purchase histories. Security analysts warn that such datasets pose risks that extend far beyond immediate exposure, particularly when personal identifiers and behavioural data are combined.

Experts note that verified customer information linked to a recognised brand can enable compelling phishing and fraud campaigns powered by AI tools.

Messages referencing real transactions or purchase behaviour can blur the boundary between legitimate communication and malicious activity, increasing the likelihood of delayed victimisation.

The incident has also led to legal action against Under Armour, with plaintiffs alleging failures in safeguarding sensitive customer information. The case highlights how modern data breaches increasingly generate long-term consequences rather than immediate technical disruption.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Generative AI fuels surge in online fraud risks in 2026

Online scams are expected to surge in 2026, overtaking ransomware as the top cyber-risk, the World Economic Forum warned, driven by the growing use of generative AI.

Executives are increasingly concerned about AI-driven scams that are easier to launch and harder to detect than traditional cybercrime. WEF managing director Jeremy Jurgens said leaders now face the challenge of acting collectively to protect trust and stability in an AI-driven digital environment.

Consumers are also feeling the impact. An Experian report found 68% of people now see identity theft as their main concern, while US Federal Trade Commission data shows consumer fraud losses reached $12.5 billion in 2024, up 25% year on year.

Generative AI is enabling more convincing phishing, voice cloning, and impersonation attempts. The WEF reported that 62% of executives experienced phishing attacks, 37% encountered invoice fraud, and 32% reported identity theft, with vulnerable groups increasingly targeted through synthetic content abuse.

Experts warn that many organisations still lack the skills and resources to defend against evolving threats. Consumer groups advise slowing down, questioning urgent messages, avoiding unsolicited requests for information, and verifying contacts independently to reduce the risk of generative AI-powered scams.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Researchers report increased ransomware and hacktivist activities targeting industrial systems in 2025

Industrial technology environments experienced a higher volume of cyber incidents in 2025, alongside a reported doubling in the exploitation of industrial control system (ICS) vulnerabilities.

According to the Cyble Research & Intelligence Labs Annual Threat Landscape Report 2025, manufacturing and healthcare (both highly dependent on ICS) were the sectors most affected by ransomware. The report recorded a 37% increase in total ransomware incidents between 2024 and 2025.

The analysis shows that the increase in reported ICS vulnerabilities is partly linked to greater exploitation by threat actors targeting human–machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) systems. Over the reporting period, 600 manufacturing entities and 477 healthcare organizations were affected by ransomware incidents.

In parallel, hacktivist activity targeting ICT- and OT-reliant sectors, including energy, utilities, and transportation, increased in 2025. Several groups focused on ICS environments, primarily by exposing internet-accessible HMIs and other operational interfaces. Cyble further noted that 27 of the disclosed ICT vulnerabilities involved internet-exposed assets across multiple critical infrastructure sectors.

The report assessed hacktivism as increasingly coordinated across borders, with activity patterns aligning with geopolitical developments. Cyber operations linked to tensions between Israel and Iran involved 74 hacktivist groups, while India–Pakistan tensions were associated with approximately 1.5 million intrusion attempts.

Based on these observations, Cyble researchers assess that in 2026, threat actors are likely to continue focusing on exposed HMI and SCADA systems, including through virtual network computing (VNC) access, where such systems remain reachable from the internet.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Healthcare systems face mounting risk from CrazyHunter ransomware

CrazyHunter ransomware has emerged as a growing threat to healthcare organisations, with repeated attacks targeting hospitals and medical service providers. The campaign focuses on critical healthcare infrastructure, raising concerns about service disruption and the exposure of sensitive patient data.

The malware is developed in Go and demonstrates a high level of technical maturity. Attackers gain initial access by exploiting weak Active Directory credentials, then use Group Policy Objects to distribute the ransomware rapidly across compromised networks.

Healthcare institutions in Taiwan have been among the most affected, with multiple confirmed incidents reported by security researchers. The pattern suggests a targeted campaign rather than opportunistic attacks, increasing pressure on regional healthcare providers to strengthen defences.

Once deployed, CrazyHunter turns off security tools and encrypts files to conceal its activity. Analysts note the use of extensive evasion techniques, including memory-based execution and redundant encryption methods, to ensure the delivery of the payload.

CrazyHunter employs a hybrid encryption scheme that combines ChaCha20 and elliptic curve cryptography, utilising partial file encryption to expedite the impact. Encrypted files receive a ‘.Hunter’ extension, with recovery dependent on the attackers’ private keys, reinforcing the pressure to pay ransoms.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

AI malware emerges as major cybersecurity threat

Cybersecurity experts are raising alarms as AI transitions from a theoretical concern to an operational threat. The H2 2025 ESET Threat Report shows AI-powered malware is now targeting systems globally, raising attack sophistication.

PromptLock, the first AI-driven ransomware, uses a dual-component system to generate unique scripts for each target. The malware autonomously decides to exfiltrate, encrypt, or destroy data, using a feedback loop to ensure reliable execution.

Other AI threats include PromptFlux, which rewrites malware for persistence, and PromptSteal, which harvests sensitive files. These developments highlight the growing capabilities of attackers using machine learning models to evade traditional defences.

The ransomware-as-a-service market is growing, with Qilin, Akira, and Warlock using advanced evasion techniques. The convergence of AI-driven malware and thriving ransomware economies presents an urgent challenge for organisations globally.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Romania’s Oltenia Energy Complex reports a serious ransomware breach

A ransomware attack has disrupted the Oltenia Energy Complex, Romania’s largest coal-based power producer, after hackers encrypted key IT systems in the early hours of 26 December.

The state-controlled company confirmed that the Gentlemen ransomware strain locked corporate files and disabled core services, including ERP platforms, document management tools, email and the official website.

The organisation isolated affected infrastructure and began restoring services from backups on new systems instead of paying a ransom. Operations were only partially impacted and officials stressed that the national energy system remained secure, despite the disruption across business networks.

A criminal complaint has been filed. Additionally, both the National Directorate of Cyber Security of Romania and the Ministry of Energy have been notified.

Investigators are still assessing the scale of the breach and whether sensitive data was exfiltrated before encryption. The Gentlemen ransomware group has not yet listed the energy firm on its dark-web leak site, a sign that negotiations may still be underway.

An attack that follows a separate ransomware incident that recently hit Romania’s national water authority, underlining the rising pressure on critical infrastructure organisations.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Romania investigates large scale cyber attack on national water body

Authorities in Romania have confirmed a severe ransomware attack on the national water administration ‘Apele Române’, which encrypted around 1,000 IT systems across most regional water basin offices.

Attackers used Microsoft’s BitLocker tool to lock files and then issued a ransom note demanding contact within seven days, although cybersecurity officials continue to reject any negotiation with criminals.

The disruption affected email systems, databases, servers and workstations instead of operational technology, meaning hydrotechnical structures and critical water management systems continued to function safely.

Staff coordinated activity by radio and telephone, and flood defence operations remained in normal working order while investigations and recovery progressed.

National cyber agencies, including the National Directorate of Cyber Security and the Romanian Intelligence Service’s cyber centre, are now restoring systems and moving to include water infrastructure within the state cyber protection framework.

The case underlines how ransomware groups increasingly target essential utilities rather than only private companies, making resilience and identity controls a strategic priority.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!