Tata Technologies, a multinational engineering firm and subsidiary of Tata Motors, recently experienced a ransomware attack that led to the temporary suspension of certain IT services. The company promptly launched an investigation into the incident and assured stakeholders that its operations remained unaffected. In a statement to Recorded Future News, Tata Technologies confirmed the cyberattack but refrained from sharing specifics, including the identity of the ransomware gang responsible, the divisions impacted, or whether any sensitive data was compromised.
On Friday, Tata Technologies filed an official report with the National Stock Exchange of India (NSE), confirming that only a few IT assets were affected. The company stated that it had taken precautionary measures by temporarily suspending some IT services, which have since been restored. Despite the attack, Tata Technologies emphasized that its client delivery services continued without interruption. As of now, no ransomware group has publicly claimed responsibility for the attack.
Ransomware attacks often involve data exfiltration, raising concerns about the potential exposure of sensitive corporate or customer information. Cybercriminal gangs typically take credit for breaches to pressure organizations into paying ransoms, but in this case, there has been no such acknowledgment. Tata Technologies specializes in providing engineering services to industries such as automotive, aerospace, and industrial manufacturing. Operating in 27 countries, the company plays a critical role in supporting the global automotive sector with advanced digital solutions.
In its latest financial report, Tata Technologies reported a revenue of $156.6 million in the last quarter, underscoring its significant market presence. This incident is not the first time a Tata Group company has faced cybersecurity challenges. In 2022, Tata Power, a major energy subsidiary, reported a cyberattack that affected parts of its IT infrastructure. That breach raised concerns about the cybersecurity preparedness of Tata Group companies, given their extensive global operations and reliance on digital technologies.
The attack on Tata Technologies highlights the increasing cybersecurity risks faced by multinational corporations. Ransomware groups continue to target high-value organizations, exploiting vulnerabilities in IT systems to disrupt operations and steal sensitive data. While Tata Technologies has managed to maintain business continuity, the incident serves as a reminder of the importance of robust cybersecurity measures.
Organizations facing ransomware threats typically invest in enhanced security protocols, such as:
Additionally, cybersecurity experts recommend that companies establish comprehensive incident response plans to mitigate the impact of potential cyberattacks. These plans should include steps for identifying, containing, and recovering from breaches, as well as communication strategies to keep stakeholders informed.
The ransomware attack on Tata Technologies underscores the growing threat of cyberattacks targeting multinational corporations. While the company has managed to restore its IT services and maintain business continuity, the incident highlights the need for proactive cybersecurity measures. As Tata Technologies continues its investigation, further details may emerge regarding the extent of the attack and any measures being taken to prevent future incidents. In an era of escalating cyber threats, organizations must remain vigilant and invest in robust security frameworks to protect their operations and sensitive data.
ENGlobal Corporation, a prominent contractor in the energy sector, has disclosed that a ransomware attack in November 2024 led to the exposure of sensitive personal data. The incident, which occurred on November 25, forced the company to take certain systems offline as a containment measure, limiting access to only critical business processes.
In early December, ENGlobal reported the incident to the U.S. Securities and Exchange Commission (SEC), stating that some data on its systems had been encrypted during the attack. However, at the time, the company did not confirm whether any data had been stolen. In a subsequent regulatory filing, ENGlobal revealed that the attackers had indeed accessed sensitive personal information stored on its systems, though it did not provide specific details about the nature or scope of the breach.
“The cybersecurity incident involved the threat actor’s access to a portion of the company’s IT system that contained sensitive personal information. The company intends to provide notifications to affected and potentially affected parties and applicable regulatory agencies as required by federal and state law,” ENGlobal stated.
ENGlobal assured stakeholders that the threat actor had been removed from its network and that all systems had been fully restored. The company also confirmed that its business operations and functions have resumed as usual. However, the attack significantly disrupted the company’s operations for approximately six weeks, limiting access to critical business applications, including financial and operating reporting systems.
Despite the disruption, ENGlobal stated that the incident is not expected to have a material impact on its financial position or operational results. The company emphasized its commitment to notifying affected individuals and regulatory agencies in compliance with federal and state laws.
The ENGlobal incident highlights the escalating threat of ransomware attacks, particularly against critical infrastructure and energy sector companies. Ransomware attacks not only disrupt operations but also expose sensitive data, putting individuals and organizations at risk of identity theft, financial fraud, and other cybercrimes.
To mitigate such risks, cybersecurity experts recommend the following measures:
As of now, no known ransomware group has claimed responsibility for the attack, and ENGlobal has not disclosed any information about the threat actor behind the incident. This lack of attribution is not uncommon in ransomware cases, as attackers often operate anonymously to avoid legal repercussions.
The ransomware attack on ENGlobal Corporation serves as a stark reminder of the vulnerabilities faced by organizations in the energy sector and beyond. While the company has managed to restore its systems and resume operations, the incident underscores the importance of robust cybersecurity measures and proactive threat mitigation strategies. As ransomware attacks continue to evolve, organizations must remain vigilant and prepared to defend against increasingly sophisticated threats.
French technology giant Atos has refuted claims by the ransomware group Space Bears that its systems were compromised, asserting that no evidence of a breach or ransom demand has been found. In a statement released on December 28, Atos clarified the results of its investigation, addressing concerns raised by the allegations.
“At this stage, the initial analysis shows no evidence of any compromise or ransomware affecting any Atos/Eviden systems in any country, and no ransom demand has been received to date,” the company stated.
Investigation and Clarifications
Although no compromise has been confirmed, Atos has deployed a dedicated cybersecurity team to thoroughly investigate the matter. The claims originated from Space Bears, a ransomware group with ties to Phobos Ransomware as a Service (RaaS). The group alleged that it had breached Atos' internal database and accessed sensitive data.
Atos clarified that the breach targeted “external third-party infrastructure, unconnected to Atos,” which “contained data mentioning the Atos company name but is not managed nor secured by Atos.”
The company emphasized its robust security operations, highlighting its global network of over 6,500 specialized cybersecurity experts and 17 next-generation security operations centers (SOCs) that operate around the clock to protect Atos and its customers.
“Atos has a global network of more than 6,500 specialized experts and 17 new-generation security operations centers (SOCs) operating 24/7 to ensure the security of the Group and its customers,” the statement emphasized.
Space Bears: A Rising Ransomware Threat
Space Bears, which emerged in April 2024, has gained notoriety for its sophisticated and aggressive extortion tactics. The group employs double extortion methods, encrypting victims’ data while threatening to release it publicly unless demands are met. Space Bears operates data leak sites on both the dark web and clearnet, leveraging tactics such as corporate imagery and “walls of shame” to maximize reputational damage.
The ransomware group has previously targeted organizations like Canadian software firm Haylem, orthophonics clinic Un Museau Vaut Mille Mots, and Lexibar, a language disorder provider. More recently, Space Bears claimed responsibility for attacks on Canada’s JRT Automatisation and India’s Aptus in December 2024.
While Atos maintains that no proprietary data, source code, or intellectual property was accessed, the company acknowledged the gravity of the situation. “We take such threats very seriously,” Atos affirmed.
This incident underscores the ever-evolving cyber threat landscape faced by multinational corporations and the growing sophistication of ransomware groups like Space Bears, highlighting the need for constant vigilance and robust cybersecurity measures.
The evolving threat landscape continues to present new challenges, with NCC Group’s latest Threat Pulse report uncovering the emergence of Ymir ransomware. This new ransomware strain showcases the growing collaboration among cybercriminals to execute highly sophisticated attacks.
First documented during the summer of 2024, Ymir initiates its attack cycle by deploying RustyStealer, an infostealer designed to extract credentials and serve as a spyware dropper. Ymir then enters its locker phase, executing swiftly to avoid detection. According to an analysis by Kaspersky, based on an attack in Colombia, Ymir’s ransomware locker employs a configurable, victim-tailored approach, focusing on a single-extortion model, where data is encrypted but not stolen.
Unlike many modern ransomware groups, Ymir’s operators lack a dedicated leak site for stolen data, further distinguishing them. Linguistic analysis of the code revealed Lingala language strings, suggesting a possible connection to Central Africa. However, experts remain divided on whether Ymir operates independently or collaborates with other threat actors.
Matt Hull, NCC Group’s Head of Threat Intelligence, emphasized the challenges of attribution in modern cybercrime, noting that blurred lines between criminal groups and state-sponsored actors often complicate motivations. Geopolitical tensions are a driving factor behind these dynamic threat patterns, as highlighted by the UK’s National Cyber Security Centre (NCSC).
Recent incidents exemplify this evolving threat landscape:
NCC Group’s report indicates a 16% rise in ransomware incidents in November 2024, with 565 attacks recorded. The industrial sector remains the most targeted, followed by consumer discretionary and IT. Geographically, Europe and North America experienced the highest number of incidents. Akira ransomware overtook RansomHub as the most active group during this period.
State-backed cyber groups continue to escalate their operations:
Ransomware is evolving into a multipurpose tool, used by hacktivists to fund operations or to obfuscate advanced persistent threats (APTs). With its trajectory pointing to continued growth and sophistication in 2025, heightened vigilance and proactive measures will be essential to mitigate these risks.
Ransomware hackers have disrupted emergency services, compromised several hospitals, and exposed private patient data in an ongoing cyberattack targeting National Health Service (NHS) trusts across the United Kingdom. The attacks, which have raised serious concerns about cybersecurity in critical infrastructure, highlight vulnerabilities in the healthcare sector.
After claiming responsibility for an earlier attack on NHS Scotland, the ransomware gang Inc Ransom, known for its alleged ties to Russia, now claims to have infiltrated the Alder Hey Children's Hospital Trust, one of Europe’s largest children’s hospitals. In a post on its dark web leak site, the gang claimed to have stolen donor reports, procurement data, and patient records spanning from 2018 to 2024.
The stolen records reportedly include sensitive health information and personally identifiable data such as patient addresses and dates of birth. Samples of the data have allegedly been shared to substantiate the breach, increasing concerns over the privacy of vulnerable patients.
Alder Hey acknowledged the cybersecurity incident on November 28, confirming that hackers had infiltrated a "digital gateway service" used by multiple hospitals. This breach affected Alder Hey Children’s Hospital, Liverpool Heart and Chest Hospital, and Royal Liverpool University Hospital. The hospital issued a statement, noting:
"The attacker has claimed to have extracted data from impacted systems. We are continuing to take this issue very seriously while investigations continue into whether the attacker has obtained confidential data."
While Alder Hey assured that hospital services remain operational, it cautioned that the perpetrators might publish the stolen data before the investigation concludes. This underscores the need for immediate cybersecurity measures to prevent further fallout.
Just miles from Alder Hey, the Wirral University Teaching Hospital faced a separate ransomware attack, prompting it to declare a "major incident" after shutting down its systems. The network, which oversees Arrowe Park Hospital, Clatterbridge Hospital, and Wirral Women and Children’s Hospital, is working to restore clinical systems while acknowledging that some services remain disrupted.
In a statement issued on Wednesday, the Wirral Hospital Trust said:
"Emergency treatment is being prioritized but there are still likely to be longer than usual waiting times in our Emergency Department and assessment areas. We urge all members of the public to attend the Emergency Department only for genuine emergencies."
The incidents affecting Alder Hey and Wirral University Teaching Hospital highlight the broader risks of ransomware attacks in healthcare. The potential exposure of private patient data and operational disruptions can have life-threatening consequences, particularly in emergency care settings.
While Alder Hey continues to investigate, it remains unclear whether data extracted from affected systems has been leaked or sold. The situation underscores the urgency for robust cybersecurity frameworks to safeguard critical healthcare infrastructure. Hospitals must adopt advanced threat detection and mitigation strategies to protect sensitive patient data and maintain operational integrity.
In response to the attacks, hospitals are advised to:
As ransomware attacks on healthcare organizations increase in frequency and sophistication, it is imperative for hospitals to invest in robust cybersecurity measures. Governments and regulatory bodies must also introduce stricter policies and provide support to enhance the resilience of healthcare systems.
The attacks on Alder Hey and Wirral Teaching Hospital serve as a stark reminder of the devastating impact cyber threats can have on healthcare services. Proactive measures and collaborative efforts are essential to prevent similar incidents and protect patient trust in the digital age.