ransomware

Ransomware disrupts Ingram Micro’s systems and operations

Ingram Micro has confirmed a ransomware attack that affected internal systems and forced some services offline. The global IT distributor says it acted quickly to contain the incident, implemented mitigation steps, and involved cybersecurity experts.

The company is working with a third-party firm to investigate the breach and has informed law enforcement. Order processing and shipping operations have been disrupted while systems are being restored.

While details remain limited, the attack is reportedly linked to the SafePay ransomware group.

According to BleepingComputer, the gang exploited Ingram’s GlobalProtect VPN to gain access last Thursday.

In response, Ingram Micro shut down multiple platforms, including GlobalProtect VPN and its Xvantage AI platform. Employees were instructed to work remotely as a precaution during the response effort.

SafePay first appeared in late 2024 and has targeted over 220 companies. It often breaches networks using password spraying and compromised credentials, primarily through VPNs.

Ingram Micro has not disclosed what data was accessed or the size of the ransom demand.

The company apologised for the disruption and said it is working to restore systems as quickly as possible.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

BT launches cyber training as small businesses struggle with threats

Cyber attacks aren’t just a problem for big-name brands. Small and medium businesses are increasingly in the crosshairs, according to new research from BT and Be the Business.

Two in five SMEs have never provided cyber security training to their staff, despite a sharp increase in attacks. In the past year alone, 42% of small firms and 67% of medium-sized companies reported breaches.

Phishing remains the most common threat, affecting 85% of businesses. But more advanced tactics are spreading fast, including ransomware and ‘quishing’ scams — where fake QR codes are used to steal data.

Recovering from a breach is costly. Micro and small businesses spend nearly £8,000 on average to recover from their most serious incident. The figure excludes reputational damage and long-term disruption.

To help tackle the issue, BT has launched a new training programme with Be the Business. The course offers practical, low-cost cyber advice designed for companies without dedicated IT support.

The programme focuses on real-world threats, including AI-driven scams, and offers guidance on steps like password hygiene, two-factor authentication, and safe software practices.

Although 69% of SME leaders are now exploring AI tools to help defend their systems, 18% also list AI as one of their top cyber threats — a sign of both potential and risk.

Experts warn that basic precautions still matter most. With free and affordable training options now widely available, small firms have more tools than ever to improve their cyber defences.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Billing software firm hit by ransomware attack

Healthcare billing platform Horizon Healthcare RCM has confirmed it suffered a ransomware attack, where threat actors stole sensitive data before encrypting its systems. The cybercriminal group, suspected to be affiliated with LockBit, reportedly demanded a ransom, which the company is believed to have paid to prevent public exposure of the stolen data.

The breach occurred in June 2024 and affected Horizon’s cloud-based revenue-cycle management platform. Although the company has not disclosed how many clients were impacted, it has notified healthcare providers using its services and is working with cybersecurity experts to assess the full scope of the incident.

Security analysts believe the attackers exfiltrated significant data, including protected health information, before deploying ransomware. While systems were eventually restored, concerns remain over long-term privacy risks and potential regulatory consequences for affected healthcare organisations.

Ransomware attacks on third-party vendors pose significant risks to the healthcare sector. Experts stress the importance of vendor risk assessments, data encryption, and secure system configurations to limit exposure.

As ransomware actors increasingly target supply-chain providers, proactive monitoring and resilience strategies are becoming essential for safeguarding critical data infrastructure.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Researchers track financial cyberattacks in Africa and spot new ransomware group

Cybersecurity researchers have identified a series of cyberattacks targeting African financial institutions since at least July 2023. The campaign, attributed to a threat cluster named CL-CRI-1014 by Palo Alto Networks Unit 42, involves using open-source and publicly available tools to maintain unauthorised access to compromised systems.

According to Unit 42, ‘CL’ stands for ‘cluster’ and ‘CRI’ refers to ‘criminal motivation.’ The threat actor is believed to be operating as an initial access broker (IAB), seeking to obtain entry into networks and sell access to other cybercriminals on underground forums.

Researchers noted that the group employs methods to evade detection by spoofing legitimate software, including copying digital signatures and using application icons from Microsoft Teams, Palo Alto Networks Cortex, and VMware Tools to disguise malicious payloads. Tools deployed include PoshC2 for command-and-control, Chisel for network tunnelling, and Classroom Spy for remote access.

While the initial intrusion vector remains unclear, once access is achieved, the attackers reportedly use MeshCentral Agent and Classroom Spy to control machines, with Chisel deployed to bypass firewalls. PoshC2 is propagated across Windows hosts and persisted through various techniques, including services, scheduled tasks, and startup shortcuts. In some cases, stolen user credentials were used to set up proxies via PoshC2.

Trustwave SpiderLabs has reported the emergence of a new ransomware group named Dire Wolf, which has claimed 16 victims across multiple countries, including the United States, India, and Italy, with primary targets in the technology, manufacturing, and financial sectors.

Dire Wolf ransomware was developed in Golang. It includes disabling system logging, terminating a predefined list of services and applications, and deleting shadow copies to hinder recovery. Although details about the group’s initial access or lateral movement techniques are unknown, Trustwave advises organisations to maintain standard cybersecurity practices and monitor for the techniques observed during the analysis.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ransomware victims still paying, Sophos finds

Nearly half of ransomware victims paid the attackers last year, according to Sophos. In its 2025 survey of 3,400 IT pros, 49% admitted to making payments—just below last year’s record.

Ransom amounts dropped significantly, with median payments falling 50% and demand amounts down a third. Yet backup usage also hit a six-year low, used by just 54% of firms for recovery.

Attackers often exploited known vulnerabilities (32%) or unknown security gaps (40%), highlighting persistent weaknesses. Sophos noted many companies now accept ransomware as a business risk.

CISA warned that CVE-2024-54085 in AMI MegaRAC firmware is under active exploitation elsewhere. The bug allows attackers to bypass authenticating remotely.

Varonis flagged abuse of Microsoft’s Direct Send email feature in a phishing campaign affecting over 70 organisations. Disabling it is advised if not essential.

Rapid7 also found critical vulnerabilities in Brother printers. One flaw rated CVSS 9.8, allows password theft and cannot be patched—users must change defaults.

Finally, Google will roll out new Gemini AI features to Android users starting on July 7, even for those with app activity disabled.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

McLaren Health Care confirms major ransomware attack and data breach

McLaren Health Care in Michigan has begun notifying over 743,000 individuals that their personal and health data may have been compromised in a ransomware attack in August 2024.

The health system confirmed that unauthorised access to its systems began on 17 July and continued until 3 August 2024, affecting McLaren Health Care and its Karmanos Cancer Centers.

A forensic investigation concluded on 5 May 2025 revealed that files containing names, Social Security numbers, driver’s licence details, medical information, and insurance data were accessed.

Notification letters began going out on 20 June 2025, and recipients are being offered 12 months of complimentary credit monitoring and identity theft protection.

Although the incident has not been officially attributed to a specific ransomware group, industry reports have previously linked the attack to the Inc. Ransom group. However, McLaren Health Care has not confirmed this, and the group has not publicly listed McLaren on its leak site.

However, this is McLaren’s second ransomware incident within a year. A previous attack by the ALPHV/BlackCat group compromised the data of more than 2.1 million individuals.

Following the August 2024 attack, McLaren Health Care restored its IT systems ahead of schedule and resumed normal operations, including reopening emergency departments and rescheduling postponed appointments and surgeries.

However, data collected manually during the outage is still being integrated into the electronic health record (EHR) system, a process expected to take several weeks.

McLaren Health Care has stated that it continues to investigate the full scope of the breach and will issue further notifications if additional data exposures are identified. The organisation works with external cybersecurity experts to strengthen its systems and prevent future incidents.

The attack caused disruptions across all 13 hospitals in the McLaren system and affiliated cancer centres, surgery centres, and clinics. While systems have been restored, McLaren has encouraged patients to remain prepared by bringing essential documents and information to appointments.

The health system expressed appreciation for its staff’s efforts and patients’ patience during the response and recovery efforts.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Episource data breach impacts patients at Sharp Healthcare

Episource, a UnitedHealth Group-owned health analytics firm, has confirmed that patient data was compromised during a ransomware attack earlier this year.

The breach affected customers, including Sharp Healthcare and Sharp Community Medical Group, who have started notifying impacted patients. Although electronic health records and patient portals remained untouched, sensitive data such as health plan details, diagnoses and test results were exposed.

The cyberattack, which occurred between 27 January and 6 February, involved unauthorised access to Episource’s internal systems.

A forensic investigation verified that cybercriminals viewed and copied files containing personal information, including insurance plan data, treatment plans, and medical imaging. Financial details and payment card data, however, were mostly unaffected.

Sharp Healthcare confirmed that it was informed of the breach on 24 April and has since worked closely with Episource to identify which patients were impacted.

Compromised information may include names, addresses, insurance ID numbers, doctors’ names, prescribed medications, and other protected health data.

The breach follows a troubling trend of ransomware attacks targeting healthcare-related businesses, including Change Healthcare in 2024, which disrupted services for months. Comparitech reports at least three confirmed ransomware attacks on healthcare firms already in 2025, with 24 more suspected.

Given the scale of patient data involved, experts warn of growing risks tied to third-party healthcare service providers.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

UBS employee data leaked after Chain IQ ransomware attack

UBS Group AG has confirmed a serious data breach affecting around 130,000 of its employees, following a cyberattack on its third-party supplier, Chain IQ Group AG.

The exposed information included employee names, emails, phone numbers, roles, office locations, and preferred languages. No client data has been impacted, according to UBS.

Chain IQ, a procurement services firm spun off from UBS in 2013, was reportedly targeted by the cybercrime group World Leaks, previously known as Hunters International.

Unlike traditional ransomware operators, World Leaks avoids encryption and instead steals data, threatening public release if ransoms are not paid.

While Chain IQ has acknowledged the breach, it has not disclosed the extent of the stolen data or named all affected clients. Notably, companies such as Swiss Life, AXA, FedEx, IBM, KPMG, Swisscom, and Pictet are among its clients—only Pictet has confirmed it was impacted.

Cybersecurity experts warn that the breach may have long-term implications for the Swiss banking sector. Leaked employee data could be exploited for impersonation, fraud, phishing scams, or even blackmail.

The increasing availability of generative AI may further amplify the risks through voice and video impersonation, potentially aiding in money laundering and social engineering attacks.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ryuk ransomware hacker extradited to US after arrest in Ukraine

A key member of the infamous Ryuk ransomware gang has been extradited to the US after his arrest in Kyiv, Ukraine.

The 33-year-old man was detained in April 2025 at the request of the FBI and arrived in the US on 18 June to face multiple charges.

The suspect played a critical role within Ryuk by gaining initial access to corporate networks, which he then passed on to accomplices who stole data and launched ransomware attacks.

Ukrainian authorities identified him during a larger investigation into ransomware groups like LockerGoga, Dharma, Hive, and MegaCortex that targeted companies across Europe and North America.

According to Ukraine’s National Police, forensic analysis revealed the man’s responsibility for locating security flaws in enterprise networks.

Information gathered by the hacker allowed others in the gang to infiltrate systems, steal data, and deploy ransomware payloads that disrupted various industries, including healthcare, during the COVID pandemic.

Ryuk operated from 2018 until mid-2020 before rebranding as the notorious Conti gang, which later fractured into several smaller but still active groups. Researchers estimate that Ryuk alone collected over $150 million in ransom payments before shutting down.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Anubis ransomware threatens permanent data loss

A new ransomware threat known as Anubis is making waves in the cybersecurity world, combining file encryption with aggressive monetisation tactics and a rare file-wiping feature that prevents data recovery.

Victims discover their files renamed with the .anubis extension and are presented with a ransom note warning that stolen data will be leaked unless payment is made.

What sets Anubis apart is its ability to permanently erase file contents using a command that overwrites them with zero-byte shells. Although the filenames remain, the data inside is lost forever, rendering recovery impossible.

Researchers have flagged the destructive feature as highly unusual for ransomware, typically seen in cyberespionage rather than financially motivated attacks.

The malware also attempts to change the victim’s desktop wallpaper to reinforce the impact, although in current samples, the image file was missing. Anubis spreads through phishing emails and uses tactics like command-line scripting and stolen tokens to escalate privileges and evade defences.

It operates as a ransomware-as-a-service model, meaning less-skilled cybercriminals can rent and use it easily.

Security experts urge organisations to treat Anubis as more than a typical ransomware threat. Besides strong backup practices, firms are advised to improve email security, limit user privileges, and train staff to spot phishing attempts.

As attackers look to profit from stolen access and unrecoverable destruction, prevention becomes the only true line of defence.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!