Operation Cronos: How Law Enforcement Dismantled LockBit, the World's Largest Ransomware Operation
On February 20, 2024, a 10-country task force seized LockBit's infrastructure, identified 194 affiliates, and froze $112 million in cryptocurrency in the most significant ransomware takedown in history.
Clop Exploits Oracle E-Business Suite Zero-Days in Massive Extortion Campaign
The Clop ransomware group weaponized CVE-2025-61882 and CVE-2025-61884 to breach nearly 100 organizations including Allianz UK, GlobalLogic, Envoy Air, Harvard, and Washington Post, with ransom demands reaching $50 million.
ShinyHunters Publishes Harvard and UPenn Data: 2 Million Records Exposed
The ShinyHunters cybercriminal group published stolen data from Harvard University and the University of Pennsylvania after ransom demands went unpaid, exposing over 2 million alumni, donor, and student records.
Ascension Health — Black Basta Ransomware Disrupts 100+ Hospitals
A Black Basta ransomware attack on Ascension Health, one of the largest US Catholic healthcare systems, forced hospitals to divert emergency patients, delay surgeries, and revert to paper records, affecting 5.6 million patients.
Evolve Bank & Trust — LockBit Ransomware Exposes 7.6 Million via Fintech Partners
A LockBit ransomware attack on Evolve Bank & Trust, a banking-as-a-service provider for major fintechs, exposed data of 7.6 million individuals and rippled through partners including Affirm, Mercury, Wise, and others.
CIRCIA: Federal Cyber Incident Reporting Requirements for Critical Infrastructure
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will require critical infrastructure entities to report cyber incidents to CISA within 72 hours and ransomware payments within 24 hours, with the final rule now expected May 2026.
Automated Extortion Campaign Wipes 1,400 MongoDB Servers, Demands Bitcoin Ransom
A single threat actor is conducting automated attacks against exposed MongoDB instances, wiping databases and demanding 0.005 BTC per server, with 208,500 instances publicly exposed worldwide.
Qilin Ransomware Gang Claims Tulsa International Airport Breach
The Russian-speaking Qilin ransomware group listed Tulsa International Airport as a victim, leaking financial documents, employee IDs, and executive communications in the aviation sector's first reported attack of 2026.
Backup and Disaster Recovery for Cyber Resilience
A comprehensive guide to designing backup strategies, implementing immutable backups, and building disaster recovery capabilities that withstand ransomware and destructive attacks.
GootLoader Uses 500-1,000 Concatenated ZIP Archives to Evade Detection
The GootLoader malware loader now creates malformed ZIP files containing hundreds of concatenated archives, causing security tools to extract harmless files while Windows extracts malicious JavaScript.
FBI Seizes RAMP Cybercrime Forum Used by Ransomware Gangs
The FBI has seized the notorious RAMP dark web forum in coordination with DOJ. The forum had 14,000+ users and facilitated hundreds of millions in ransomware damages. Leaked database may expose LockBit operator.
Ransomware Attacks Surge 45% in 2025 with Over 9,200 Cases Recorded
NordStellar research reveals 9,251 ransomware incidents in 2025, with Qilin leading at 1,066 attacks (a 408% increase). December set a two-year record with 1,004 incidents. 2026 is projected to exceed 12,000 attacks.
Ransomware Defense Strategy: Prevention, Detection, and Recovery
A practical guide to defending against ransomware attacks, covering prevention controls, detection techniques, backup strategies, and incident response procedures.
LockBit 5.0 Analysis: Upgraded Encryption, Stealbit Integration, and Enhanced Evasion
Security researchers detail LockBit 5.0's capabilities including ChaCha20-Poly1305 encryption, X25519 key exchange, modular two-stage deployment, and advanced anti-analysis techniques.
Under Armour Ransomware Breach Exposes 72 Million Customer Records
The Everest ransomware group leaked 72.7 million Under Armour customer records including emails, names, dates of birth, purchase history, and loyalty program details after the company didn't pay.
Healthcare Ransomware Crisis: Lessons from Ascension and the 2024-2025 Attack Wave
Healthcare ransomware attacks affected 93% of organizations in 2024-2025, with Ascension's $1.8B loss and 5.6M affected patients illustrating the sector's vulnerability. A HIPAA Security Rule update is pending.
AZ Monica Hospital — Ransomware Attack Disrupts Patient Care Across Belgian Healthcare
A ransomware attack on AZ Monica hospital in Antwerp forced the cancellation of 70+ surgeries and the transfer of patients, and revealed a broader breach affecting five Belgian hospitals through a shared software supplier.
Belgian Hospital Shuts Down Systems After Cyberattack, Transfers Critical Patients
AZ Monica hospital in Antwerp shut down all servers at 6:32 AM after detecting ransomware, canceling 70+ operations and transferring 7 critical patients. Belgium pledged €10M for hospital cybersecurity.
CDK Global Ransomware Attack: How One Vendor Crippled 15,000 Auto Dealerships
A BlackSuit ransomware attack on CDK Global, the dominant dealer management system provider, shut down operations at 15,000 auto dealerships for nearly two weeks in June 2024, causing over $1 billion in losses and exposing critical supply chain risks.
Claims Management Giant Sedgwick Hit by TridentLocker Ransomware
TridentLocker claims to have stolen 3.4GB from Sedgwick Government Solutions, which provides claims services to DHS, ICE, CBP, DOL, and CISA. The attack targeted an isolated file transfer system.
Sedgwick Government Solutions — TridentLocker Ransomware Breach
The TridentLocker ransomware group breached Sedgwick Government Solutions, a federal contractor subsidiary providing claims management to DHS, ICE, and CISA, exfiltrating 3.39 GB of data.
Two US Cybersecurity Professionals Plead Guilty to BlackCat Ransomware Charges
Ryan Goldberg (Sygnia) and Kevin Martin (DigitalMint) admitted to operating as ALPHV/BlackCat affiliates, targeting healthcare organizations and causing $9.5M in losses. They face up to 20 years in prison.
Change Healthcare — ALPHV/BlackCat Ransomware Disrupts US Healthcare System
The ALPHV/BlackCat ransomware attack on Change Healthcare caused the most significant disruption to the US healthcare system from a cyberattack, affecting claims processing for months and exposing data of approximately 100 million individuals.
Synnovis/NHS — Qilin Ransomware Disrupts London Hospital Blood Services
A Qilin ransomware attack on pathology provider Synnovis disrupted blood testing and transfusion services across major London NHS hospitals for months, forcing cancellation of thousands of operations and appointments.
Marks & Spencer Ransomware Attack
Scattered Spider social-engineered a service desk password reset to breach M&S, deploying DragonForce ransomware that encrypted VMware infrastructure, halted online sales for 46 days, and caused £300 million in lost profit.