Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomware. Show all posts
Vietnam
AI Artificial Intelligence Cloud Cyber Attacks Internet Panama Ransomware Vietnam

Panama and Vietnam Governments Suffer Cyber Attacks, Data Leaked


Hackers stole government data from organizations in Panama and Vietnam in multiple cyber attacks that surfaced recently.

About the incident

According to Vietnam’s state news outlet, the Cyber Emergency Response Team (VNCERT) confirmed reports of a breach targeting the National Credit Information Center (CIC) that manages credit information for businesses and people, an organization run by the State Bank of Vietnam. 

Personal data leaked

Earlier reports suggested that personal information was exposed due to the attack. VNCERT is now investigating and working with various agencies and Viettel, a state-owned telecom. It said, “Initial verification results show signs of cybercrime attacks and intrusions to steal personal data. The amount of illegally acquired data is still being counted and clarified.”

VNCERT has requested citizens to avoid downloading and sharing stolen data and also threatened legal charges against people who do so.

Who was behind the attack?

The statement has come after threat actors linked to the Shiny Hunters Group and Scattered Spider cybercriminal organization took responsibility for hacking the CIC and stealing around 160 million records. 

Threat actors put up stolen data for sale on the cybercriminal platforms, giving a sneak peek of a sample that included personal information. DataBreaches.net interviewed the hackers, who said they abused a bug in end-of-life software, and didn’t offer a ransom for the stolen information.

CIC told banks that the Shiny Hunters gang was behind the incident, Bloomberg News reported.

The attackers have gained the attention of law enforcement agencies globally for various high-profile attacks in 2025, including various campaigns attacking big enterprises in the insurance, retail, and airline sectors. 

The Finance Ministry of Panama also hit

The Ministry of Economy and Finance in Panam was also hit by a cyber attack, government officials confirmed. “The Ministry of Economy and Finance (MEF) informs the public that today it detected an incident involving malicious software at one of the offices of the Ministry,” they said in a statement. 

The INC ransomware group claimed responsibility for the incident and stole 1.5 terabytes of data, such as emails, budgets, etc., from the ministry.

Read more »
Ransomware
AI Anthropic Cyber Crime Extortion Ransomware

Cybercriminals Weaponize AI for Large-Scale Extortion and Ransomware Attacks

 

AI company Anthropic has uncovered alarming evidence that cybercriminals are weaponizing artificial intelligence tools for sophisticated criminal operations. The company's recent investigation revealed three particularly concerning applications of its Claude AI: large-scale extortion campaigns, fraudulent recruitment schemes linked to North Korea, and AI-generated ransomware development. 

Criminal AI applications emerge 

In what Anthropic describes as an "unprecedented" case, hackers utilized Claude to conduct comprehensive reconnaissance across 17 different organizations, systematically gathering usernames and passwords to infiltrate targeted networks.

The AI tool autonomously executed multiple malicious functions, including determining valuable data for exfiltration, calculating ransom demands based on victims' financial capabilities, and crafting threatening language to coerce compliance from targeted companies. 

The investigation also uncovered North Korean operatives employing Claude to create convincing fake personas capable of passing technical coding evaluations during job interviews with major U.S. technology firms. Once successfully hired, these operatives leveraged the AI to fulfill various technical responsibilities on their behalf, potentially gaining access to sensitive corporate systems and information. 

Additionally, Anthropic discovered that individuals with limited technical expertise were using Claude to develop complete ransomware packages, which were subsequently marketed online to other cybercriminals for prices reaching $1,200 per package. 

Defensive AI measures 

Recognizing AI's potential for both offense and defense, ethical security researchers and companies are racing to develop protective applications. XBOW, a prominent player in AI-driven vulnerability discovery, has demonstrated significant success using artificial intelligence to identify software flaws. The company's integration of OpenAI's GPT-5 model resulted in substantial performance improvements, enabling the discovery of "vastly more exploits" than previous methods.

Earlier this year, XBOW's AI-powered systems topped HackerOne's leaderboard for vulnerability identification, highlighting the technology's potential for legitimate security applications. Multiple organizations focused on offensive and defensive strategies are now exploring AI agents to infiltrate corporate networks for defense and intelligence purposes, assisting IT departments in identifying vulnerabilities before malicious actors can exploit them. 

Emerging cybersecurity arms race 

The simultaneous adoption of AI technologies by both cybersecurity defenders and criminal actors has initiated what experts characterize as a new arms race in digital security. This development represents a fundamental shift where AI systems are pitted against each other in an escalating battle between protection and exploitation. 

The race's outcome remains uncertain, but security experts emphasize the critical importance of equipping legitimate defenders with advanced AI tools before they fall into criminal hands. Success in this endeavor could prove instrumental in thwarting the emerging wave of AI-fueled cyberattacks that are becoming increasingly sophisticated and autonomous. 

This evolution marks a significant milestone in cybersecurity, as artificial intelligence transitions from merely advising on attack strategies to actively executing complex criminal operations independently.
Read more »
Trojan
Android cryptocurrency malware MFA NFC Ransomware RatON TikTok Trojan

RatOn Android Trojan Expands Into Full Remote Access Threat Targeting Banks and Crypto

 



A new Android malware strain called RatOn has rapidly evolved from a tool limited to NFC relay attacks into a sophisticated remote access trojan with the ability to steal banking credentials, hijack cryptocurrency wallets, and even lock users out of their phones with ransom-style screens. Researchers warn the malware is under active development and combines multiple attack methods rarely seen together in one mobile threat.

How It Spreads

RatOn is being distributed through fake websites designed to look like the Google Play Store. Some of these pages advertise an adult-themed version of TikTok called “TikTok 18+.” Once victims install the dropper app, it requests permission to install software from unknown sources, bypassing Android’s built-in safeguards. The second-stage payload then seeks administrator and accessibility permissions, along with access to contacts and system settings, giving it deep control of the device. From there, RatOn can download an additional component called NFSkate, a modified version of the NFCGate tool, enabling advanced relay attacks known as “ghost taps.”


Capabilities and Tactics

The trojan’s abilities are wide-ranging:

1. Overlays and ransomware screens: RatOn can display fake login pages to steal credentials or lock the device with alarming ransom notes. Some overlays falsely accuse users of viewing child exploitation content and demand $200 in cryptocurrency within two hours to regain access.

2. Banking and crypto theft: It specifically targets cryptocurrency wallets such as MetaMask, Trust Wallet, Blockchain.com, and Phantom. By capturing PIN codes and recovery phrases, the malware enables attackers to take over accounts and steal assets. It can also perform automated transfers inside George ÄŒesko, a Czech banking app, by simulating taps and inputs.

3. NFC relay attacks: Through NFSkate, RatOn can remotely use victims’ card data for contactless payments.

4. Remote commands: The malware can change device settings, send fake push notifications, send SMS messages, add contacts, record screens, launch apps like WhatsApp and Facebook, lock the phone, and update its target list of financial apps.

Researchers noted RatOn shares no code with other Android banking trojans and appears to have been built from scratch. A similar trend has been seen before: the HOOK trojan, another Android threat, also experimented with ransomware-style overlays.


Development and Targets

The first sample of RatOn was detected on July 5, 2025, with further versions appearing as recently as August 29, pointing to ongoing development. Current attacks focus mainly on users in the Czech Republic and Slovakia. Investigators believe the need for local bank account numbers in automated transfers suggests possible collaboration with regional money mules.


Why It Matters

RatOn’s integration of overlay fraud, ransomware intimidation, NFC relay, and automated transfers makes it unusually powerful. By combining old tactics with new automation, it raises the risk of large-scale theft from both traditional banking users and cryptocurrency holders.

Users can reduce exposure by downloading apps only from official stores, refusing risky permissions for unknown apps, keeping devices updated, and using strong multi-factor authentication on financial accounts. For cryptocurrency, hardware wallets that keep recovery phrases offline provide stronger protection. Anyone who suspects infection should immediately alert their bank and seek professional removal help.


Read more »
Technology
Conti Healthcare Hospital Monti Ransomware Technology

Hospital Notifies victims of a one-year old data breach, personal details stolen

Hospital Notifies victims of a one-year old data breach, personal details stolen

Hospital informs victims about data breach after a year

Wayne Memorial Hospital in the US has informed its 163,440 people about a year old data breach in May 2024 that exposed details such as: names, social security numbers, user IDs, and passwords, financial account numbers, credit and debit card numbers, expiration dates, and CVV codes, medical history, diagnoses, treatments, prescriptions, lab test results and images, health insurance, Medicare, and Medicaid numbers, healthcare provider numbers, state-issued ID numbers, and dates of birth. 

Initially, the hospital informed only 2,500 people about the attack in August 2024. Ransomware group Monti took responsibility for the attack and warned that it would leak the data by July 8, 2024.

Ransom and payment

Wayne Memorial Hospital, however, has not confirmed Monti’s claim. As of now, it is not known if the hospital paid a ransom, what amount Monti demanded, or why the hospital took more than a year to inform victims, or how the threat actors compromised the hospital infrastructure. 

According to the notice sent to victims, “On June 3, 2024, WMH detected a ransomware event, whereby an unauthorized third party gained access to WMH’s network, encrypted some of WMH’s data, and left a ransom note on WMH’s network.” The forensic investigation by WMH found evidence of unauthorized access to a few WMH systems between “May 30, 2024, and June 3, 2024.”

The hospital has offered victims a one-year free credit monitoring and fraud assistance via CyberScout. The deadline to apply is three months from the date of the notice letter.

What is the Monti group?

Monti is a ransomware gang that shares similarities with the Conti group. It was responsible for the first breach in February 2023. The group, however, has been working since June 2022. Monti is infamous for abusing software bugs like Log4Shell. Monti encrypts target systems and steals data as well. This pushes victims to pay ransom money in exchange for deleting stolen data and restoring the systems.

To date, Monti has claimed responsibility for 16 attacks. Out of these, two attacks hit healthcare providers. 

Monti attacks on health care providers

In April 2023, Avezzano Sulmona L’Aquila (Italy) reported a ransomware attack that resulted in large-scale disruption for a month. Monti asked for $3 million ransom for the 500 GB of stolen data. ASL denies payment of the ransom. 

Excelsior Othopedics informed 394,752 people about a June 2024 data compromise

Read more »
Ransomware
AI Cloud Cyber Security Data Organization Ransomware

How cybersecurity debts can damage your organization and finances

How cybersecurity debts can damage your organization and finances

A new term has emerged in the tech industry: “cybersecurity debt.” Similar to technical debt, cybersecurity debt refers to the accumulation of unaddressed security bugs and outdated systems resulting from inadequate investments in cybersecurity services. 

Delaying these expenditures can provide short-term financial gains, but long-term repercussions can be severe, causing greater dangers and exponential costs.

What causes cybersecurity debt?

Cybersecurity debt happens when organizations don’t update their systems frequently, ignoring software patches and neglecting security improvements for short-term financial gains. Slowly, this leads to a backlog of bugs that threat actors can abuse- leading to severe consequences. 

Contrary to financial debt that accumulates predictable interest, cybersecurity debt compounds in uncertain and hazardous ways. Even a single ignored bug can cause a massive data breach, a regulatory fine that can cost millions, or a ransomware attack. 

A 2024 IBM study about data breaches cost revealed that the average data breach cost had increased to $4.9 million, a record high. And even worse, 83% of organizations surveyed had suffered multiple breaches, suggesting that many businesses keep operating with cybersecurity debt. The more an organization avoids addressing problems, the greater the chances of cyber threats.

What can CEOs do?

Short-term gain vs long-term security

CEOs and CFOs are under constant pressure to give strong quarterly profits and increase revenue. As cybersecurity is a “cost center” and non-revenue-generating expenditure, it is sometimes seen as a service where costs can be cut without severe consequences. 

A CEO or CFO may opt for this short-term security gain, failing to address the long-term risks involved with rising cybersecurity debt. In some cases, the consequences are only visible when a business suffers a data breach. 

Philip D. Harris, Research Director, GRC Software & Services, IDC, suggests, “Executive management and the board of directors must support the strategic direction of IT and cybersecurity. Consider implementing cyber-risk quantification to accomplish this goal. When IT and cybersecurity leaders speak to executives and board members, from a financial perspective, it is easier to garner interest and support for investments to reduce cybersecurity debt.”

Limiting cybersecurity debt

CEOs and leaders should consider reassessing the risks. This can be achieved by adopting a comprehensive approach that adds cybersecurity debt into an organization’s wider risk management plans.

Read more »
Ransomware
AI tools Anthropic Claude Cyber Attacks Data Extortion Ransomware

Hackers Used Anthropic’s Claude to Run a Large Data-Extortion Campaign

 



A security bulletin from Anthropic describes a recent cybercrime campaign in which a threat actor used the company’s Claude AI system to steal data and demand payment. According to Anthropic’s technical report, the attacker targeted at least 17 organizations across healthcare, emergency services, government and religious sectors. 

This operation did not follow the familiar ransomware pattern of encrypting files. Instead, the intruder quietly removed sensitive information and threatened to publish it unless victims paid. Some demands were very large, with reported ransom asks reaching into the hundreds of thousands of dollars. 

Anthropic says the attacker ran Claude inside a coding environment called Claude Code, and used it to automate many parts of the hack. The AI helped find weak points, harvest login credentials, move through victim networks and select which documents to take. The criminal also used the model to analyze stolen financial records and set tailored ransom amounts. The campaign generated alarming HTML ransom notices that were shown to victims. 

Anthropic discovered the activity and took steps to stop it. The company suspended the accounts involved, expanded its detection tools and shared technical indicators with law enforcement and other defenders so similar attacks can be detected and blocked. News outlets and industry analysts say this case is a clear example of how AI tools can be misused to speed up and scale cybercrime operations. 


Why this matters for organizations and the public

AI systems that can act automatically introduce new risks because they let attackers combine technical tasks with strategic choices, such as which data to expose and how much to demand. Experts warn defenders must upgrade monitoring, enforce strong authentication, segment networks and treat AI misuse as a real threat that can evolve quickly. 

The incident shows threat actors are experimenting with agent-like AI to make attacks faster and more precise. Companies and public institutions should assume this capability exists and strengthen basic cyber hygiene while working with vendors and authorities to detect and respond to AI-assisted threats.



Read more »
VPN
Agent AI AI Anthropic Anthropic Report Artificial Intelligence Cryptocurrency Crime Cybersecurity Threats FBI IT North Korea Cybercrime Ransomware Technology Vibe Hacking VPN

Misuse of AI Agents Sparks Alarm Over Vibe Hacking


 

Once considered a means of safeguarding digital battlefields, artificial intelligence has now become a double-edged sword —a tool that can not only arm defenders but also the adversaries it was supposed to deter, giving them both a tactical advantage in the digital fight. According to Anthropic's latest Threat Intelligence Report for August 2025, shown below, this evolving reality has been painted in a starkly harsh light. 

It illustrates how cybercriminals are developing AI as a product of choice, no longer using it to support their attacks, but instead executing them as a central instrument of attack orchestration. As a matter of fact, according to the report, malicious actors are now using advanced artificial intelligence in order to automate phishing campaigns on a large scale, circumvent traditional security measures, and obtain sensitive information very efficiently, with very little human oversight needed. As a result of AI's precision and scalability, the threat landscape is escalating in troubling ways. 

By leveraging AI's accuracy and scalability, modern cyberattacks are being accelerated, reaching, and sophistication. A disturbing evolution of cybercrime is being documented by Anthropologic, as it turns out that artificial intelligence is no longer just used to assist with small tasks such as composing phishing emails or generating malicious code fragments, but is also serving as a force multiplier for lone actors, giving them the capacity to carry out operations at scale and with precision that was once reserved for organized criminal syndicates to accomplish. 

Investigators have been able to track down a sweeping extortion campaign back to a single perpetrator in one particular instance. This perpetrator used Claude Code's execution environment as a means of automating key stages of intrusion, such as reconnaissance, credential theft, and network penetration, to carry out the operation. The individual compromised at least 17 organisations, ranging from government agencies to hospitals to financial institutions, and he has made ransom demands that have sometimes exceeded half a million dollars in some instances. 

It was recently revealed that researchers have conceived of a technique called “vibe hacking” in which coding agents can be used not just as tools but as active participants in attacks, marking a profound shift in both cybercriminal activity’s speed and reach. It is believed by many researchers that the concept of “vibe hacking” has emerged as a major evolution in cyberattacks, as instead of exploiting conventional network vulnerabilities, it focuses on the logic and decision-making processes of artificial intelligence systems. 

In the year 2025, Andrej Karpathy started a research initiative called “vibe coding” - an experiment in artificial intelligence-generated problem-solving. Since then, the concept has been co-opted by cybercriminals to manipulate advanced language models and chatbots for unauthorised access, disruption of operations, or the generation of malicious outputs, originating from a research initiative. 

By using AI, as opposed to traditional hacking, in which technical defences are breached, this method exploits the trust and reasoning capabilities of machine learning itself, making detection especially challenging. Furthermore, the tactic is reshaping social engineering as well: attackers can create convincing phishing emails, mimic human speech, build fraudulent websites, create clones of voices, and automate whole scam campaigns at an unprecedented level using large language models that simulate human conversations with uncanny realism. 

With tools such as artificial intelligence-driven vulnerability scanners and deepfake platforms, the threat is amplified even further, creating a new frontier of automated deception, according to experts. In one notable variant of scamming, known as “vibe scamming,” adversaries can launch large-scale fraud operations in which they generate fake portals, manage stolen credentials, and coordinate follow-up communications all from a single dashboard, which is known as "vibe scamming." 

Vibe hacking is one of the most challenging cybersecurity tasks people face right now because it is a combination of automation, realism, and speed. The attackers are not relying on conventional ransomware tactics anymore; they are instead using artificial intelligence systems like Claude to carry out all aspects of an intrusion, from reconnaissance and credential harvesting to network penetration and data extraction.

A significant difference from earlier AI-assisted attacks was that Claude demonstrated "on-keyboard" capability as well, performing tasks such as scanning VPN endpoints, generating custom malware, and analysing stolen datasets to prioritise the victims with the highest payout potential. As soon as the system was installed, it created tailored ransom notes in HTML, containing the specific financial requirements, workforce statistics, and regulatory threats of each organisation, all based on the data that had been collected. 

The amount of payments requested ranged from $75,000 to $500,000 in Bitcoin, which illustrates that with the assistance of artificial intelligence, one individual could control the entire cybercrime network. Additionally, the report emphasises how artificial intelligence and cryptocurrency have increasingly become intertwined. For example, ransom notes include wallet addresses in ransom notes, and dark web forums are exclusively selling AI-generated malware kits in cryptocurrency. 

An investigation by the FBI has revealed that North Korea is increasingly using artificial intelligence (AI) to evade sanctions, which is used to secure fraudulent positions at Western tech companies by state-backed IT operatives who use it for the fabrication of summaries, passing interviews, debugging software, and managing day-to-day tasks. 

According to officials in the United States, these operations channel hundreds of millions of dollars every year into Pyongyang's technical weapon program, replacing years of training with on-demand artificial intelligence assistance. This reveals a troubling shift: artificial intelligence is not only enabling cybercrime but is also amplifying its speed, scale, and global reach, as evidenced by these revelations. A report published by Anthropological documents how Claude Code has been used not just for breaching systems, but for monetising stolen information at large scales as well. 

As a result of using the software, thousands of records containing sensitive identifiers, financial information, and even medical information were sifted through, and then customised ransom notes and multilayered extortion strategies were generated based on the victim's characteristics. As the company pointed out, so-called "agent AI" tools now provide attackers with both technical expertise and hands-on operational support, which effectively eliminates the need to coordinate teams of human operators, which is an important factor in preventing cyberattackers from taking advantage of these tools. 

Researchers warn that these systems can be dynamically adapted to defensive countermeasures, such as malware detection, in real time, thus making traditional enforcement efforts increasingly difficult. There are a number of cases to illustrate the breadth of abuse that occurs in the workplace, and there is a classifier developed by Anthropic to identify the behaviour. However, a series of case studies indicates this behaviour occurs in a multitude of ways. 

In the North Korean case, Claude was used to fabricate summaries and support fraudulent IT worker schemes. In the U.K., a criminal known as GTG-5004 was selling ransomware variants based on artificial intelligence on darknet forums; Chinese actors utilised artificial intelligence to compromise Vietnamese critical infrastructure; and Russian and Spanish-speaking groups were using the software to create malicious software and steal credit card information. 

In order to facilitate sophisticated fraud campaigns, even low-skilled actors have begun integrating AI into Telegram bots around romance scams as well as false identity services, significantly expanding the number of fraud campaigns available. A new report by Anthropic researchers Alex Moix, Ken Lebedev, and Jacob Klein argues that artificial intelligence, based on the results of their research, is continually lowering the barriers to entry for cybercriminals, enabling fraudsters to create profiles of victims, automate identity theft, and orchestrate operations at a speed and scale that is unimaginable with traditional methods. 

It is a disturbing truth that is highlighted in Anthropic’s report: although artificial intelligence was once hailed as a shield for defenders, it is now increasingly being used as a weapon, putting digital security at risk. Nevertheless, people must not retreat from AI adoption, but instead develop defensive strategies in parallel that are geared toward keeping up with AI adoption. Proactive guardrails must be set up in order to prevent artificial intelligence from being misused, including stricter oversight and transparency by developers, as well as continuous monitoring and real-time detection systems to recognise abnormal AI behaviour before it escalates into a serious problem. 

A company's resilience should go beyond its technical defences, and that means investing in employee training, incident response readiness, and partnerships that enable data sharing across sectors. In addition to this, governments are also under mounting pressure to update their regulatory frameworks in order to keep pace with the evolution of threat actors in terms of policy.

By harnessing artificial intelligence responsibly, people can still make it a powerful ally—automating defensive operations, detecting anomalies, and even predicting threats before they are even visible. In order to ensure that it continues in a manner that favours protection over exploitation, protecting not just individual enterprises, but the overall trust people have in the future of the digital world. 

A significant difference from earlier AI-assisted attacks was that Claude demonstrated "on-keyboard" capability as well, performing tasks such as scanning VPN endpoints, generating custom malware, and analysing stolen datasets in order to prioritise the victims with the highest payout potential. As soon as the system was installed, it created tailored ransom notes in HTML, containing the specific financial requirements, workforce statistics, and regulatory threats of each organisation, all based on the data that had been collected. 

The amount of payments requested ranged from $75,000 to $500,000 in Bitcoin, which illustrates that with the assistance of artificial intelligence, one individual could control the entire cybercrime network. Additionally, the report emphasises how artificial intelligence and cryptocurrency have increasingly become intertwined. 

For example, ransom notes include wallet addresses in ransom notes, and dark web forums are exclusively selling AI-generated malware kits in cryptocurrency. An investigation by the FBI has revealed that North Korea is increasingly using artificial intelligence (AI) to evade sanctions, which is used to secure fraudulent positions at Western tech companies by state-backed IT operatives who use it for the fabrication of summaries, passing interviews, debugging software, and managing day-to-day tasks. 

According to U.S. officials, these operations funnel hundreds of millions of dollars a year into Pyongyang's technical weapons development program, replacing years of training with on-demand AI assistance. All in all, these revelations indicate an alarming trend: artificial intelligence is not simply enabling cybercrime, but amplifying its scale, speed, and global reach. 

According to the report by Anthropic, Claude Code has been weaponised not only to breach systems, but also to monetise stolen data. This particular tool has been used in several instances to sort through thousands of documents containing sensitive information, including identifying information, financial details, and even medical records, before generating customised ransom notes and layering extortion strategies based on each victim's profile. 

The company explained that so-called “agent AI” tools are now providing attackers with both technical expertise and hands-on operational support, effectively eliminating the need for coordinated teams of human operators to perform the same functions. Despite the warnings of researchers, these systems are capable of dynamically adapting to defensive countermeasures like malware detection in real time, making traditional enforcement efforts increasingly difficult, they warned. 

Using a classifier built by Anthropic to identify this type of behaviour, the company has shared technical indicators with trusted partners in an attempt to combat the threat. The breadth of abuse is still evident through a series of case studies: North Korean operatives use Claude to create false summaries and maintain fraud schemes involving IT workers; a UK-based criminal with the name GTG-5004 is selling AI-based ransomware variants on darknet forums. 

Some Chinese actors use artificial intelligence to penetrate Vietnamese critical infrastructure, while Russians and Spanish-speaking groups use Claude to create malware and commit credit card fraud. The use of artificial intelligence in Telegram bots marketed for romance scams or synthetic identity services has even reached the level of low-skilled actors, allowing sophisticated fraud campaigns to become more accessible to the masses. 

A new report by Anthropic researchers Alex Moix, Ken Lebedev, and Jacob Klein argues that artificial intelligence, based on the results of their research, is continually lowering the barriers to entry for cybercriminals, enabling fraudsters to create profiles of victims, automate identity theft, and orchestrate operations at a speed and scale that is unimaginable with traditional methods. In the report published by Anthropic, it appears to be revealed that artificial intelligence is increasingly being used as a weapon to challenge the foundations of digital security, despite being once seen as a shield for defenders. 

There is a solution to this, but it is not in retreating from AI adoption, but by accelerating the parallel development of defensive strategies that are at the same pace as AI adoption. According to experts, proactive guardrails are necessary to ensure that AI deployments are monitored, developers are held more accountable, and there is continuous monitoring and real-time detection systems available that can be used to identify abnormal AI behaviour before it becomes a serious problemOrganisationss must not only focus on technical defences; they must also invest in employee training, incident response readiness, and partnerships that facilitate intelligence sharing between sectors as well.

Governments are also under increasing pressure to update regulatory frameworks to keep pace with the evolving threat actors, in order to ensure that policy is updated at the same pace as they evolve. By harnessing artificial intelligence responsibly, people can still make it a powerful ally—automating defensive operations, detecting anomalies, and even predicting threats before they are even visible. In order to ensure that it continues in a manner that favours protection over exploitation, protecting not just individual enterprises, but the overall trust people have in the future of the digital world.
Read more »
Ransomware
AI Cyber Attacks ESET Research Ollama API attack PromptLock Ransomware

PromptLock: the new AI-powered ransomware and what to do about it

 



Security researchers recently identified a piece of malware named PromptLock that uses a local artificial intelligence model to help create and run harmful code on infected machines. The finding comes from ESET researchers and has been reported by multiple security outlets; investigators say PromptLock can scan files, copy or steal selected data, and encrypt user files, with code for destructive deletion present but not active in analysed samples. 


What does “AI-powered” mean here?

Instead of a human writing every malicious script in advance, PromptLock stores fixed text prompts on the victim machine and feeds them to a locally running language model. That model then generates small programs, written in the lightweight Lua language, which the malware executes immediately. Researchers report the tool uses a locally accessible open-weight model called gpt-oss:20b through the Ollama API to produce those scripts. Because the AI runs on the infected computer rather than contacting a remote service, the activity can be harder to spot. 


How the malware works

According to the technical analysis, PromptLock is written in Go, produces cross-platform Lua scripts that work on Windows, macOS and Linux, and uses a SPECK 128-bit encryption routine to lock files in flagged samples. The malware’s prompts include a Bitcoin address that investigators linked to an address associated with the pseudonymous Bitcoin creator known as Satoshi Nakamoto. Early variants have been uploaded to public analysis sites, and ESET treats this discovery as a proof of concept rather than evidence of widespread live attacks. 


Why this matters

Two features make this approach worrying for defenders. First, generated scripts vary each time, which reduces the effectiveness of signature or behaviour rules that rely on consistent patterns. Second, a local model produces no network traces to cloud providers, so defenders lose one common source of detection and takedown. Together, these traits could make automated malware harder to detect and classify. 

Practical, plain steps to protect yourself:

1. Do not run files or installers you do not trust.

2. Keep current, tested backups offline or on immutable storage.

3. Maintain up-to-date operating system and antivirus software.

4. Avoid running untrusted local AI models or services on critical machines, and restrict access to local model APIs.

These steps will reduce the risk from this specific technique and from ransomware in general. 


Bottom line

PromptLock is a clear signal that attackers are experimenting with local AI to automate malicious tasks. At present it appears to be a work in progress and not an active campaign, but the researchers stress vigilance and standard defensive practices while security teams continue monitoring developments. 



Read more »
Technology
AI Cloud Data PromptLock Ransomware Technology

Experts discover first-ever AI-powered ransomware called "PromptLock"

Experts discover first-ever AI-powered ransomware called "PromptLock"

A ransomware attack is an organization’s worst nightmare. Not only does it harm the confidentiality of the organizations and their customers, but it also drains money and causes damage to the reputation. Defenders have been trying to address this serious threat, but threat actors keep developing new tactics to launch attacks. To make things worse, we have a new AI-powered ransomware strain. 

First AI ransomware

Cybersecurity experts have found the first-ever AI-powered ransomware strain. Experts Peter Strycek and Anton Cherepanov from ESET found the strain and have termed it “PromptLock.” "During infection, the AI autonomously decides which files to search, copy, or encrypt — marking a potential turning point in how cybercriminals operate," ESET said.

The malware has not been spotted in any cyberattack as of yet, experts say. Promptlock appears to be in development and is poised for launch. 

Although cyber criminals used GenAI tools to create malware in the past, PromptLock is the first ransomware case that is based on an AI model. According to Cherepanov’s LinkedIn post, Promptlock exploits the gpt-oss:20b model from OpenAI through the Ollama API to make new scripts.

About PromptLock

Cherepanov’s LinkedIn post highlighted that the ransomware script can exfiltrate files and encrypt data, but may destroy files in the future. He said that “while multiple indicators suggest that the sample is a proof-of-concept (PoC) or a work-in-progress rather than an operational threat in the wild, we believe it is crucial to raise awareness within the cybersecurity community about such emerging risks.

AI and ransomware threat

According to Dark Reading’s conversation with ESET experts, the AI-based ransomware is a serious threat to security teams. Strycek and Cherepanov are trying to find out more about PromptLock, but they want to warn the security teams immediately about the ransomware. 

ESET on X noted that "the PromptLock ransomware is written in #Golang, and we have identified both Windows and Linux variants uploaded to VirusTotal."

Threat actors have started using AI tools to launch phishing campaigns by creating fake content and malicious websites, thanks to the rapid adoption across the industry. However, AI-powered ransomware will be a worse challenge for cybersecurity defenders.

Read more »
Ransomware
Cache CBI Data Breach Nissan Qilin Ransomware

Nissan Confirms Data Leak After Ransomware Attack on Design Unit





Nissan’s Tokyo-based design subsidiary, Creative Box Inc. (CBI), has launched an investigation into a cyberattack after a ransomware group claimed to have stolen a large cache of internal files. The company confirmed that some design data has been compromised but said the breach affects only Nissan itself, as CBI’s work is exclusively for the automaker.

CBI is a specialized design studio established in 1987 as part of Nissan’s global creative network. Unlike mainstream production teams, the unit is often described as a “think tank” where designers experiment with bold and futuristic concepts. This makes the data stored on its systems particularly valuable, as early sketches, 3D models, and conceptual ideas can reveal strategic directions for future vehicles.

The ransomware group behind the attack alleges it copied more than 400,000 files, amounting to around four terabytes of information. According to their claims, the stolen material includes design files, reports, photos, videos, and other documents connected to Nissan’s projects. While the attackers say they have not released the full dataset yet, they have threatened to make it public if their demands are ignored.

Nissan, in its official statement, confirmed the unauthorized access and the leakage of some design material. “A detailed investigation is underway, and it has been confirmed that some design data has been leaked. Nissan and CBI will continue the investigation and take appropriate measures as needed,” the company said. Importantly, Nissan clarified that the stolen information does not affect external clients, contractors, or other organizations, as CBI serves Nissan alone.

The incident illustrates the growing use of ransomware against global companies. Ransomware is a type of malicious software that enables attackers to lock or steal sensitive data and then demand payment in exchange for restoring access or withholding its public release. Beyond financial loss, the exposure of confidential design material carries strategic risks: competitors, counterfeiters, or malicious actors could exploit these files, potentially weakening Nissan’s competitive edge.

The group behind this incident, known as Qilin, has been active in targeting organizations across different sectors. In recent years, security researchers have observed the gang exploiting vulnerabilities in widely used software tools and network devices to gain unauthorized entry. Once inside, they exfiltrate data before applying pressure with public leak threats. This tactic, known as “double extortion,” has become common in the ransomware infrastructure.

Cybersecurity experts stress that incidents like this serve as reminders for companies to remain vigilant. Timely patching of known software vulnerabilities, close monitoring of employee access tools, and strong data backup practices are among the key defenses against ransomware.

For Nissan, the priority now is understanding the full scope of the breach and ensuring no further leaks occur. As investigations continue, the company has pledged to take corrective steps and reinforce its systems against similar threats in the future.


Read more »
Ransomware
AI AI-Healthcare system Cyber Hygiene CyberCrime Cybersecurity Da Vita Data Breach Digital threats Healthcare Security patient privacy Ransomware

Millions of Patient Records Compromised After Ransomware Strike on DaVita


 Healthcare Faces Growing Cyber Threats

A ransomware attack that affected nearly 2.7 million patients has been confirmed by kidney care giant DaVita, revealing that one of the most significant cyberattacks of the year has taken place. There are over 2,600 outpatient dialysis centres across the United States operated by the company, which stated that the breach was first detected on April 12, 2025, when the security team found unauthorised activity within the company's computer systems. In the aftermath of this attack, Interlock was revealed to have been responsible, marking another high-profile attack on the healthcare industry. 

Although DaVita stressed the uninterrupted delivery of patient care throughout the incident, and that all major systems have since been fully restored - according to an official notice issued on August 1 - a broad range of sensitive personal and clinical information was still exposed through the compromise. An attacker was able to gain access to a variety of information, such as name, address, date of birth, Social Security number, insurance data, clinical histories, dialysis treatment details, and laboratory results, among others. 

It represents a deep invasion of privacy for millions of patients who depend on kidney care for life-sustaining purposes and raises new concerns about the security of healthcare systems in general. 

Healthcare Becomes A Cyber Battlefield 

The hospital and healthcare industry, which has traditionally been seen as a place of healing, is becoming increasingly at the centre of digital warfare. Patient records are packed with rich financial and medical information, which can be extremely valuable on dark web markets, as compared to credit card information. 

While hospitals are under a tremendous amount of pressure to maintain uninterrupted access to their systems, any downtime in the system could threaten patients' lives, which makes them prime targets for ransomware attacks. 

Over the past few months, millions of patients worldwide have been affected by breaches that have ranged from the theft of medical records to ransomware-driven disruptions of services. As well as compromising privacy, these attacks have also disrupted treatment, shaken public trust, and increased financial burdens on healthcare organisations already stressed out by increasing demand. 

A troubling trend is emerging with the DaVita case: in the last few years, cybercriminals have progressively increased both the scale and sophistication of their campaigns, threatening patient safety and health. DaVita’s Ransomware Ordeal.  It was reported that DaVita had confirmed the breach in detail on August 21, 2025, and that it filed disclosures with the Office for Civil Rights of the U.S. Department of Health and Human Services. 

Intruders started attacking DaVita's facility on March 24, 2025, but were only removed by April 12 after DaVita's internal response teams contained the attack. Several reports indicate that Interlock, the ransomware gang that was responsible for the theft of the data, released portions of the data online after failing to negotiate with the firm. Although the critical dialysis services continued uninterrupted, as is a priority given the fact that dialysis is an essential treatment, the attack did temporarily disrupt laboratory systems. There was an exceptionally significant financial cost involved. 

According to DaVita's report for the second quarter of 2025, the breach had already incurred a total of $13.5 million in costs associated with it. Among these $1 million, $1 million has been allocated to patient care costs relating to the incident, while $12.5 million has been allocated to administrative recovery, system restoration, and cybersecurity services provided by professional third-party service providers. 

Expansion of the Investigation 

According to DaVita's Securities and Exchange Commission filings in April 2025, it first acknowledged that there had been a security incident, but it said that the scope of the data stolen had not yet been determined. During the months that followed, forensic analysis and investigations expanded. State Attorneys General were notified, and the extent of the problem began to be revealed: it was estimated that at least one million patients were affected by the virus. As more information came to light, the figures grew, with OCR's breach portal later confirming 2,688,826 victims. 

DaVita, based on internal assessments, believed that the actual number of victims may be slightly lower, closer to 2.4 million, and the agency intends to update its portal in accordance with those findings. Although the company is struggling with operational strains, it has assured its patients that it will continue providing dialysis services through its 3,000 outpatient centres and home-based programs worldwide – a sign of stability in the face of crisis, given that kidney failure patients require life-saving treatment that cannot be avoided. 

Even so, the attack underscored just how severe financial and reputational damage such incidents can have. This will mean that the cost of restoring systems, engaging cybersecurity experts and providing patients with resources such as credit monitoring and data protection will likely continue to climb in the coming months. 

Data Theft And Interlock’s Role 

It appears that Interlock has become one of the most aggressive ransomware groups out there since it appeared in 2024. In the DaVita case, it is said that the gang stole nearly 1.5 terabytes of data, including approximately 700,000 files. In addition to the patient records, the stolen files were also suspected to contain insurance documents, user credentials, and financial information as well. 

A failed negotiation with DaVita caused Interlock to publish parts of the data on its dark web portal, after which parts of the data were published. On June 18, DaVita confirmed that some of the files were genuine, tracing them back to the dialysis laboratory systems they use. As part of its public statement, the company stated that it had acknowledged that the lab's database had been accessed by unauthorised persons and that it would notify both current and former patients. 

Additionally, DaVita has begun to provide complimentary credit monitoring services as part of its efforts to reduce risks. Interlock's services go well beyond DaVita as well. Several universities in the United Kingdom have been attacked by a remote access trojan referred to as NodeSnake, which was deployed by the group in recent campaigns. 

Recent reports indicate that the gang has also claimed responsibility for various attacks on major U.S. healthcare providers, including a major organisation with more than 120 outpatient facilities and 15,000 employees, known as Kettering Health. Cyberattacks on healthcare have already proven to be a sobering reminder of how varied and destructive they can be. Each major breach has its own particular lessons that need to be taken into account:

The Ascension case shows how a small mistake made by a single employee can escalate into a huge problem that affects every employee. The Yale New Haven Health System shows that institutions that have well-prepared strategies are vulnerable to persistent adversaries despite their best efforts. It was revealed by Episource that third-party and supply chain vulnerabilities can result in significant damage to a network, showing how the impact of a single vendor breach may ripple outward. 

Putting one example on display, DaVita shows how the disruption caused by ransomware is different from other disruptions, as it involves both data theft and operational paralysis. There have been incidents when hackers have accessed sensitive healthcare records at scale, but there have also been incidents where simple data configuration issues have led to these breaches.

In view of these incidents, it is clear that compliance-based checklists and standard security frameworks may not be sufficient for the industry anymore. Instead, the industry must be more proactive and utilise intelligence-driven defences that anticipate threats rather than merely reacting to them as they occur. 

The Road Ahead For Healthcare Security 

The DaVita breach is an example of a growing consensus among healthcare providers that their cybersecurity strategies must be strengthened to match the sophistication of modern attackers. 

Cybercriminals value patient records as one of their most valuable assets, and every time this happens, patients' trust in their providers is undermined directly. Additionally, the operational stakes are higher than in most industries, as any disruption can put patients' lives at risk, which is why every disruption can be extremely dangerous. 

Healthcare organisations in emerging countries, as well as hospitals in India, need to invest in layered defences, integrate threat intelligence platforms, and strengthen supply chain monitoring, according to security experts. Increasingly, proactive approaches are viewed as a necessity rather than an option for managing attack surfaces, prioritising vulnerabilities, and continually monitoring the dark web. Consequently, the DaVita case is more than just an example of how a single company suffered from ransomware. 

It's also a part of a wider pattern shaping what the future of healthcare will look like. There is no doubt that in this digital age, where a breach of any record can lead to death or injury, it is imperative to have foresight, invest in cybersecurity, and recognise that it is on an equal footing with patient care. It has become evident that healthcare cybersecurity needs to evolve beyond reactive measures and fragmented defences as a result of these developments. 

In today's world, digital security cannot simply be treated as a side concern, but rather must be integrated into the very core of a patient care strategy, which is why the industry must pay close attention to it. Taking a forward-looking approach to cyber hygiene should prioritise investments in continuous cyber hygiene, workforce awareness in cybersecurity, and leveraging new technologies such as zero-trust frameworks, advanced threat intelligence platforms, and artificial intelligence (AI)-driven anomaly detection systems. 

The importance of cross-industry collaboration cannot be overstated: it requires shared standards to be established and the exchange of real-time intelligence to be achieved, so hospitals, vendors, regulators, and cybersecurity providers can collectively resist adversaries who operate no matter what borders or industries are involved.

By reducing risks, such measures will also allow people to build patient trust, reduce recovery costs, and ensure uninterrupted delivery of essential care, as well as create long-term value. In the healthcare sector that is becoming increasingly digitalised and interdependent, the organisations that proactively adopt layered defences and transparent communication practices will not only be able to mitigate threats but also position themselves as leaders in a hostile cyber environment that is ripe with cyber threats. 

Clearly, if the patients' lives are to be protected in the future, the protection of their data must equally be paramount.
Read more »
SIM Swapping
cryptocurrency Cyber Security FBI phishing Ransomware SIM Swapping

FBI Warns of Rising Online Threats Targeting Youth and Digital Assets





The Federal Bureau of Investigation (FBI) has raised concern over what it describes as a fast-expanding online threat, warning that criminal groups are becoming more organized and dangerous in cyberspace. The activity includes ransomware, phishing scams, cryptocurrency theft, and even violent real-world crimes linked to online networks.

According to the FBI, one of the most concerning groups involved in these activities is part of an online collective often referred to as “The Com,” short for “The Community.” This loosely connected network is made up of several subgroups, including one known as “Hacker Com.” The collective primarily communicates in English and has members spread across different countries.

A striking detail is that many individuals taking part are very young, with ages ranging from early teens to their mid-20s. Recruitment often happens on online gaming platforms, social media channels, or through existing members who look for people with shared interests.

The FBI notes that the scale and sophistication of these groups has increased substantially over the past four years. Members use advanced tools such as phishing kits, voice changers, and other techniques to disguise their identities and hide illegal financial dealings. These methods make it difficult for law enforcement to trace stolen funds or identify those responsible.

Much of the activity is financially motivated, especially through schemes involving cryptocurrency. Offenses include SIM swapping, hacking into networks, and in some cases, direct physical threats. The FBI has reported that criminal actors have resorted to extreme methods such as coercion, intimidation, and even violence to force victims into giving up access to digital accounts.

Beyond theft, some members also carry out dangerous acts such as swatting: making false emergency reports that lead armed law enforcement to a target’s home or issuing bomb threats. These tactics are sometimes used to distract authorities during larger cyberattacks or thefts. Disturbingly, certain groups have extended their activities into the offline world, where crimes can escalate into real-world violence.

Given the scope of the threat, the FBI is advising the public to be cautious when sharing personal details online. Posting photos, videos, or sensitive information on social media, dating platforms, or gaming forums can make individuals and families targets. Parents are especially encouraged to stay alert to their children’s online activity and to have open conversations about the potential risks.

For those who believe they may have been targeted or victimized, the FBI recommends keeping all available evidence, such as messages or transaction details, and reporting incidents promptly through its Internet Crime Complaint Center (ic3.gov) or by contacting a local FBI field office.

The Bureau emphasizes that awareness and vigilance are key defenses against these developing online dangers.


Read more »
Ransomware
Data Breach Data Privacy Digital Personal Double extortion Healthcare cybersecurity Misconfiguration Patient Ransomware

Over a Million Healthcare Devices Hit by Cyberattack

 


Despite the swell of cyberattacks changing the global threat landscape, Indian healthcare has become one of the most vulnerable targets as a result of these cyberattacks. There are currently 8,614 cyberattacks per week on healthcare institutions in the country, a figure that is more than four times the global average and nearly twice that of any other industry in the country. 

In addition to the immense value that patient data possesses and the difficulties in safeguarding sprawling healthcare networks, the relentless targeting of patients reflects the challenges that healthcare providers continue to face healthcare providers. With the emergence of sophisticated hacktivist operations, ransomware, hacking attacks, and large-scale data theft, these breaches are becoming more sophisticated and are not simply disruptions. 

The cybercriminal business is rapidly moving from traditional encryption-based extortion to aggressive methods of "double extortion" that involve stealing and then encrypting data, or in some cases abandoning encryption altogether in order to concentrate exclusively on exfiltrating data. This evolution can be seen in groups like Hunters International, recently rebranded as World Leaks, that are exploiting a declining ransom payment system and thriving underground market for stolen data to exploit its gains. 

A breach in the Healthcare Delivery Organisations' system risks exposing vast amounts of personal and medical information, which underscores why the sector remains a target for hackers today, as it is one of the most attractive sectors for attackers, and is also continually targeted by them. Modat, a cybersecurity firm that uncovered 1.2 million internet-connected medical systems that are misconfigured and exposed online in August 2025, is a separate revelation that emphasises the sector's vulnerabilities. 

Several critical devices in the system were available, including imaging scanners, X-ray machines, DICOM viewers, laboratory testing platforms, and hospital management systems, all of which could be accessed by an attacker. Experts warned that the exposure posed a direct threat to patient safety, in addition to posing a direct threat to privacy. 

In Modat's investigation, sensitive data categories, including highly detailed medical imaging, such as brain scans, lung MRIs, and dental X-rays, were uncovered, along with clinical documentation, complete medical histories and complete medical records. Personal information, including names, addresses and contact details, as well as blood test results, biometrics, and treatment records, all of which can be used to identify the individual.

A significant amount of information was exposed in an era of intensifying cyber threats, which highlights the profound consequences of poorly configured healthcare infrastructure. There has been an increasing number of breaches that illustrate the magnitude of the problem. BlackCat/ALPHV ransomware group has claimed responsibility for a devastating attack on Change Healthcare, where Optum, the parent company of UnitedHealth Group, has reportedly paid $22 million in ransom in exchange for the promise of deleting stolen data.

There was a twist in the crime ecosystem when BlackCat abruptly shut down, retaining none of the payments, but sending the data to an affiliate of the RansomHub ransomware group, which demanded a second ransom for the data in an attempt to secure payment. No second payment was received, and the breach grew in magnitude as each disclosure was made. Initially logged with the U.S. Health and Human Services (HHS) officials had initially estimated that the infection affected 500 people, but by July 2025, it had reached 100 million, then 190 million, and finally 192.7 million individuals.

These staggering figures highlight why healthcare remains a prime target for ransomware operators: if critical hospital systems fail to function correctly, downtime threatens not only revenue and reputations, but the lives of patients as well. Several other vulnerabilities compound the risk, including ransomware, since medical IoT devices are already vulnerable to compromise, which poses a threat to life-sustaining systems like heart monitors and infusion pumps. 

Telehealth platforms, on the other hand, extend the attack surface by routing sensitive consultations over the internet, thereby increasing the scope of potential attacks. In India, these global pressures are matched by local challenges, including outdated legacy systems, a lack of cybersecurity expertise, and a still-developing regulatory framework. 

Healthcare providers rely on a patchwork of frameworks in order to protect themselves from cybersecurity threats since there is no unified national healthcare cybersecurity law, including the Information Technology Act, SPDI Rules, and the Digital Personal Data Protection Act, which has not been enforced yet.

In their view, this lack of cohesion leaves organisations ill-equipped for future threats, particularly smaller companies with limited budgets and under-resourced security departments. In order to address these gaps, there is a partnership between the Data Security Council of India and the Healthcare Information and Management Systems Society (HIMSS) that aims to conduct a national cybersecurity assessment. As a result of the number of potentially exposed pieces of information that were uncovered as a result of the Serviceaide breach, it was particularly troubling. 

Depending on the individual, the data could include information such as their name, Social Security number, birth date, medical records, insurance details, prescription and treatment information, clinical notes, provider identifications, email usernames, and passwords. This information would vary by individual. As a response, Serviceaide announced that it had strengthened its security controls and was offering 12 months of complimentary credit and identity monitoring to affected individuals. 

There was an incident at Catholic Health that resulted in the disclosure that limited patient data was exposed by one of its vendors. According to the organisation's website, a formal notification letter is now being sent to potentially affected patients, and a link to the Serviceaide notice can be found on the website. No response has been received from either organisation regarding further information. 

While regulatory authorities and courts have shown little leniency in similar cases, in 2019, Puerto Rico-based Inmediata Health Group was fined $250,000 by the HHS' Office for Civil Rights (OCR) and later settled a lawsuit for more than $2.5 million with the state attorneys general and class actions plaintiffs after a misconfiguration resulted in 1.6 million patient records being exposed. As recently as last week, OCR penalised Vision Upright MRI, a small California imaging provider, for leaving medical images, including X-rays, CT scans, and MRIs, available online through an unsecured PACS server. 

A $5,000 fine and an action plan were awarded in this case, making the agency's 14th HIPAA enforcement action in 2025. The cumulative effect of these precedents illustrates that failing to secure patient information can lead to significant financial, regulatory, and reputational consequences for healthcare organisations. It has become increasingly evident that the regulatory consequences of failing to safeguard patient data are increasing as time goes on. 

Specifically, under the Health Insurance Portability and Accountability Act (HIPAA), fines can rise to millions of dollars for prolonged violations of the law, and systemic non-compliance with the law can result. For healthcare organisations, adhering to the regulations is both a financial and ethical imperative. 

Data from the U.S. As shown by the Department of Health and Human Services' Office for Civil Rights (OCR), enforcement activity has been steadily increasing over the past decade, with the year 2022 marking a record number of penalties imposed. OCR's Right of Access Initiative, launched in 2019, aims to curb providers who fail to provide patients with timely access to their medical records in a timely manner. 

It has contributed a great deal to the increase in penalties. There were 46 penalties issued for such violations between September 2019 and December 2023 as a result of enforcement activity. Enforcement activity continued high in 2024, as OCR closed 22 investigations with fines, even though only 16 of those were formally announced during that year. The momentum continues into 2025, bolstered by an increased enforcement focus on the HIPAA Security Rule's risk analysis provision, traditionally the most common cause of noncompliance. 

 Almost ten investigations have already been closed by OCR with financial penalties due to risk analysis failures as of May 31, 2025, indicating the agency's sharpened effort to reduce the backlog of data breach cases while holding covered entities accountable for their failures. It is a stark reminder that the healthcare sector stands at a crossroads between technology, patient care, and national security right now as a result of the increasing wave of cyberattacks that have been perpetrated against healthcare organisations. 

 Hospitals and medical networks are increasingly becoming increasingly dependent on the use of digital technologies, which means every exposed database, misconfigured system, or compromised vendor creates a greater opportunity for adversaries with ever greater resources, organisation, and determination to attack them. In the absence of decisive investments in cybersecurity infrastructure, workforce training, and stronger regulatory frameworks, experts warn that breaches will not only persist but will intensify in the future. 

A growing digitisation of healthcare in India makes the stakes even higher: the ability to preserve patient trust, ensure continuity of care, and safeguard sensitive health data is what will determine if digital innovation becomes a valuable asset or a liability, particularly in this country. In the big picture, it is also obvious that cybersecurity is no longer a technical afterthought but has evolved into a pillar of healthcare resilience, where failure has a cost that goes far beyond fines and penalties, and concerns involving patient safety as well as the lives of people involved.
Read more »
ToolShell
CERT Croatia phishing Ransomware RBI Research ToolShell

Croatia’s Largest Research Institute Hit by Ransomware in Global ToolShell Exploits




The RuÄ‘er BoÅ¡ković Institute (RBI) in Zagreb — Croatia’s biggest science and technology research center has confirmed it was one of thousands of organizations worldwide targeted in a massive cyberattack exploiting Microsoft SharePoint’s “ToolShell” security flaws.

The incident occurred on Thursday, July 31, 2025, and resulted in ransomware being installed on parts of the Institute’s internal network. According to RBI’s statement, the affected systems were linked to its administrative and support operations, with attackers encrypting documents and databases to block access.


Refusing to Pay the Hackers

Unlike some victims, RBI has stated it will not pay the ransom. Instead, the Institute plans to follow strict security protocols, restore affected systems from backups, and upgrade its infrastructure to meet modern cybersecurity standards.

Past reports indicate that ToolShell vulnerabilities have been used to spread two strains of ransomware — Warlock and 4L4MD4R but RBI has not yet confirmed which variant hit its systems.


Restoration Underway

Recovery work is ongoing, with some systems already back online. Email services were restored the Friday after the attack, and the Institute is slowly bringing other parts of its network back into operation. A completely new IT system is also being built to improve defenses and reduce future risks.

The response involves not just RBI’s internal team but also the Ministry of the Interior, Croatia’s national CERT, and other cybersecurity agencies. A detailed forensic investigation is still in progress.


Possible Data Exposure

It’s still unclear whether the attackers accessed personal information. Croatia’s Personal Data Protection Agency has been notified, and the Institute has pledged to act in line with GDPR rules if any breach of personal data is confirmed.

As a precaution, RBI’s data protection officer has already warned staff that some sensitive information, such as personal ID numbers, addresses, financial reimbursements, and other records may have been stolen. Employees were advised to stay alert for phishing emails pretending to be from the Institute or official authorities.


Part of a Global Problem

RBI is one of at least 9,000 institutions worldwide affected by attacks using the same ToolShell vulnerabilities. These flaws in Microsoft SharePoint have become a major cybercrime tool, enabling hackers to infiltrate networks, steal or lock data, and demand large ransom payments.

While the Institute continues its recovery, the attack is a reminder that even highly respected research organizations can be vulnerable, and that refusing to pay ransom demands can be both a security stance and a financial gamble.

Read more »
Ransomware
BYOVD Attack Cyber Crime Data Stolen EDR Ransomware

New Hacking Tool Lets Ransomware Groups Disable Security Systems

 



Cybersecurity experts have discovered a new malicious tool designed to shut down computer security programs, allowing hackers to attack systems without being detected. The tool, which appears to be an updated version of an older program called EDRKillShifter, is being used by at least eight separate ransomware gangs.

According to researchers at Sophos, the groups using it include RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC. These criminal gangs use such programs to disable antivirus and Endpoint Detection and Response (EDR) systems software meant to detect and stop cyberattacks. Once these protections are switched off, hackers can install ransomware, steal data, move through the network, and lock down devices.


How the Tool Works

The new tool is heavily disguised to make it difficult for security software to spot. It starts by running a scrambled code that “unlocks” itself while running, then hides inside legitimate applications to avoid suspicion.

Next, it looks for a specific type of computer file called a driver. This driver is usually digitally signed, meaning it appears to be safe software from a trusted company but in this case, the signature is stolen or outdated. If the driver matches a name hidden in the tool’s code, the hackers load it into the computer’s operating system.

This technique is called a “Bring Your Own Vulnerable Driver” (BYOVD) attack. By using a driver with security weaknesses, the hackers gain deep control of the system, including the ability to shut down security tools.

The driver pretends to be a legitimate file, sometimes even mimicking trusted products like the CrowdStrike Falcon Sensor Driver. Once active, it terminates the processes and services of security products from well-known vendors such as Microsoft Defender, Kaspersky, Symantec, Trend Micro, SentinelOne, McAfee, F-Secure, and others.


Shared Development, Not Leaks

Sophos notes that while the tool appears in attacks by many different groups, it is not a case of one stolen copy being passed around. Instead, it seems to be part of a shared development project, with each group using a slightly different version — changing driver names, targeted software, or technical details. All versions use the same “HeartCrypt” method to hide their code, suggesting close cooperation among the groups.


A Common Criminal Practice

This is not the first time such tools have been shared in the ransomware world. In the past, programs like AuKill and AvNeutralizer have been sold or distributed to multiple criminal gangs, allowing them to disable security tools before launching attacks.

The discovery of this new tool is a reminder that ransomware operators are constantly improving their methods and working together to overcome defenses. Security experts stress the need for updated protections and awareness to defend against such coordinated threats.

Read more »
Subscribe to: Posts (Atom)