Matanbuchus 3.0 Loader Delivers AstarionRAT in Hands-On Intrusion
Huntress responds to ClickFix intrusion deploying Matanbuchus 3.0 and custom AstarionRAT. Attackers achieved lateral movement within 40 minutes.
46 articles tagged with "Ransomware"
Japanese semiconductor test equipment maker Advantest hit by ransomware on Feb 15. Investigation ongoing as company assesses potential data exposure.
ShinyHunters claims 800,000+ Wynn Resorts employee records including SSNs, salaries, and personal details. Group demands 22 Bitcoin by February 23, exploited Oracle PeopleSoft.
University of Mississippi Medical Center shuts 35 clinics statewide after ransomware attack disables Epic EHR access. FBI investigating as doctors resort to pen and paper for patient care.
New ransomware family Reynolds embeds a vulnerable NsecSoft driver directly into its payload to disable CrowdStrike, Sophos, and other EDR tools before encryption begins.
BridgePay confirms ransomware attack crippled its payment processing platform, forcing merchants nationwide to cash-only. FBI and Secret Service are investigating.
Conpet, operator of 3,800km of Romanian oil pipelines, confirms cyberattack. Qilin claims 1TB of stolen data including financial records and passports.
Sophos finds 7,000+ servers with identical hostnames from ISPsystem VMmanager templates. LockBit, Qilin, and Conti all used the same bulletproof hosting VMs.
CVE-2025-22225 sandbox escape now confirmed as a ransomware attack vector. Exploitation toolkit predates Broadcom's patch by a full year.
CVE-2026-24423 lets unauthenticated attackers execute OS commands on SmarterMail servers. CISA confirms active ransomware exploitation and sets a February 26 patch deadline.
GreyNoise reveals CISA silently updated ransomware indicators on 59 vulnerabilities without alerts. New RSS feed tool catches changes within an hour.
Russian-linked gang dumps executive emails, employee IDs, and banking communications in first airline sector attack of 2026.
Flare researchers find a single threat actor wiping misconfigured MongoDB databases and demanding $500 Bitcoin ransoms. Nearly half of unauthenticated instances already compromised.
Learn what ransomware is, how attacks work, the main types including double extortion, and practical steps to defend against this growing threat.
Modern ransomware gangs have weaponized fear, legal liability, and deadline pressure. Here's how extortion tactics have fundamentally changed.
New ransomware family employs BYOVD technique with POORTRY driver to disable endpoint protection. Evidence links operators to Inc ransomware campaigns.
DragonForce and other actors exploiting CVE-2024-57727 to compromise utility billing providers and their downstream customers.
Resecurity uncovers stealthy DLL-sideloading malware with APT-grade anti-VM tricks. Multiple ransomware groups now deploying it.
SafePay ransomware group allegedly stole 3.5TB from the $48B IT distributor. Employee SSNs, passports, and performance reviews exposed.
German and Ukrainian authorities identify 35-year-old Russian national as Black Basta boss, raid homes of two affiliates in Ukraine.
The initial access malware now delivers payloads through deliberately malformed archives that crash security tools while executing normally on Windows.
Russia-linked ransomware group posts samples allegedly from Nissan's internal systems including dealership records and financial documents.
Qilin has hit 1,000+ victims. Everest targets critical infrastructure. Here's what security teams need to know about today's most active ransomware operations.
Ransomware attacks on healthcare surged 30% in 2025. Here's why medical organizations remain prime targets and what defenders can do about it.
A ransomware operation has compromised multiple US educational institutions using stolen VPN credentials. The education sector represents 80% of known victims.
A new ransomware group has compromised at least six healthcare organizations in Taiwan using BYOVD attacks to disable security software before encryption.
Russian ransomware group Clop claims responsibility for breach at Dartmouth College, posting stolen data on dark web and affecting more than 40,000 individuals including students, staff, and alumni.
Russian ransomware gang exploited CVE-2025-61882 to steal SSNs and financial data from the college. The same vulnerability hit Harvard, UPenn, and 100+ organizations.
The Russian-linked gang led all ransomware groups on January 6 with attacks spanning wine distributors, art logistics, and medical practices across three countries.
Aurora College in Canada's Northwest Territories cancels all classes January 5-9 after cyber attack over Christmas break takes down servers, email, and e-learning systems.
New Year's Eve attack on Sedgwick Government Solutions compromises file transfer system serving DHS, CISA, and ICE. TridentLocker claims 3.4GB of stolen data.
After ASUS missed ransom deadline, Everest releases complete data trove including ROG source code, Qualcomm SDKs, and ArcSoft files on cybercrime forums.
ManageMyHealth confirms Kazu ransomware gang compromised Health Documents module, threatening to leak 108GB of medical records unless $60,000 ransom is paid.
Beyond CVSS scores, these vulnerabilities caused the most damage in 2025—from nation-state exploitation to mass ransomware campaigns and breaches affecting millions.
Oltenia Energy Complex shut down IT systems on December 26 after a ransomware attack encrypted critical documents and disrupted ERP, email, and web operations.
Ransomware group says it exfiltrated over a terabyte of Chrysler customer data including Salesforce records and recall case narratives. Threatening to publish in days.
Ransomware tracking data shows 63 total claims from 6 groups on December 26. LockBit's revival dominates holiday attack wave targeting reduced security staff.
David Stern, the sole employee running CISA's ransomware early warning initiative, resigned December 19 after being ordered to relocate. The program had sent 2,100+ alerts in 2024.
Month-long operation across 19 African nations recovers $3 million, takes down 6,000 malicious links, and decrypts six ransomware variants.
Akira ransomware gang exploited known SonicWall vulnerability to hit fintech vendor serving 700+ banks and credit unions. SSNs and card numbers stolen.
Oracle E-Business Suite zero-day exploitation adds another victim to Clop's CVE-2025-61882 campaign. SSNs and bank account numbers among exposed data.
Artem Stryzhak admits role in double-extortion ransomware attacks targeting large US and European companies from 2018 to 2021.
A Sygnia IR manager and DigitalMint negotiator admitted to deploying BlackCat ransomware while employed to help victims respond to such attacks.
Attackers weaponized Windows BitLocker to encrypt systems across Romanian Waters, impacting 10 of 11 river basin management organizations.
From the largest cryptocurrency heist in history to nation-state espionage campaigns targeting critical infrastructure, 2025 redefined the cyber threat landscape.
CVE-2025-55182 exploitation escalates as Weaxor ransomware operators use critical React Server Components flaw for initial access across 60+ organizations.