Critical infrastructure operators at the water treatment plant in Minot, North Dakota, were forced to resort to manual processes when the plant's Supervisory Control and Data Acquisition (SCADA) system became inoperable as a result of a March 14, 2026, ransomware attack. The attackers are unidentified, but the attack comes in the wake of the war in Iran, and both Iran and China are known to lead cyber-attacks against water utilities, which often have vulnerabilities that make them easy targets. Last month, the Water Information Sharing and Analysis Center, along with information sharing organizations for the auto, aviation, food, health, IT, national defense, oil and natural energy, and retail and hospitality industries, issued a Joint Advisory to their members, including water facilities, warning them of increased cyberattacks from Iranian hackers, as well as physical attacks against critical infrastructure entities. The warning concluded by stating that “the threat environment is likely to remain highly volatile.”

Minot’s water system provides water to approximately 80,000 users. Although the water supply and quality were not affected by the attack, operators were required to manually read gauges for 16 hours while they uninstalled the compromised SCADA system. It has taken Minot over two weeks to spin up a new server.

Since water facilities are a target for nation-state cyber actors, the state of New York recently introduced cybersecurity standards for both drinking and wastewater treatment facilities. Other states will hopefully follow suit so that the water supply and quality will be less vulnerable to attack.

Critical infrastructure operators should be aware of the heightened risk, prepare for an attack, and test their incident response processes through a cybersecurity tabletop exercise designed around a shutdown, so that processes can be improved and services restored as efficiently as possible. We all depend on the basic necessities of food, water, electricity, and access to financial services, all of which could be downed by an attack and dramatically impact our lives. We depend on critical infrastructure operators to have measures in place to prevent and mitigate the effects of an attack.

The Symantec and Carbon Black Threat Hunter Team recently released its Ransomware 2026 report that contains helpful intelligence into the state of ransomware attacks and insight into how they are evolving, despite law enforcement’s success in taking down some of the largest ransomware gangs in 2025.

The very first statement is a sobering reality: “Ransomware activity reached record-high levels in 2025 as criminal actors continued to view extortion as one of the most lucrative forms of attack.”

The report notes that even though RansomHub (the number one ransomware operation) collapsed, there was “only a brief drop in ransomware attacks.” The statistics show that there were 6,182 extortion attacks in 2025, a 23% increase from 2024.

The report outlines the ambitious activities of the various ransomware groups in 2025. It highlights that, although new ransomware groups emerged, they all use similar tactics to achieve a solitary objective: “accessing the victim’s network, obtaining privileges to move laterally across the entire network before exfiltrating data, and delivering an encrypting payload to the maximum number of machines.” The threat actors are able to do this by using legitimate software to evade security measures put in place. “An awareness of the TTPs used by attackers will help organizations prepare their defenses and identify malicious behaviors on their networks.”

The report provides a detailed analysis of the TTPs that should be reviewed by security professionals, and the legitimate software used by threat actors to attack victims.

Finally, the report provides mitigation techniques, well worth the read, that organizations can deploy to protect against targeted attacks.

The statistics listed in the Quarterly Threat Report: Third Quarter, 2025, issued by Beazley Security are eye-popping. They include:

  • August and September showed a sharp increase in ransomware activity, with those months accounting for 26% and 18% of reported ransomware incidents in the last half year, respectively.
  • Akira, Qilin, and INC Ransomware represented 65% of all ransomware cases, demonstrating a significant increase in attack activity by the largest ransomware operators.
  • Known Exploited Vulnerabilities tracked by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) fell by 26%, yet attackers executed several high-impact exploitation campaigns.
  • Critical vulnerabilities in Cisco and NetScaler remote-access devices increasingly drew attention from attackers.
  • Attacks on SonicWall devices by the Akira ransomware group accelerated in Q3, followed by a prominent MySonicWall data breach impacting all organizations leveraging the backup cloud service.

According to the report, business services were hit the most, followed by professional services and associations, manufacturing & distribution, healthcare, other, education, government, financial institutions, retail, and construction.

Significantly, the report notes that “the most common entry point was the use of valid, compromised credentials to access VPN infrastructure, which continued to grow in distribution this quarter. This trend underscores the importance of ensuring that multifactor authentication (MFA) is configured and protecting remote access solutions and that security teams maintain awareness and compensating controls for any accounts where MFA exceptions have been put in place.” The next category was the exploitation of internet-facing systems and services. A smaller subset included “search engine optimization (SEO) poisoning attacks and malicious advertisements, observed as a method used for initial access in some Rhysida ransomware investigations. This technique places threat actor-controlled websites at the top of otherwise trusted search results, tricking users into downloading fake productivity and administrative tools such as PDF editors.”

The report notes how effective the SonicWall vulnerability has been for threat actors. It concludes that there is an “overlapping threat to customers using SonicWall’s network appliance product line. Going forward, Beazley Security expects threat actors in possession of the stolen configurations will leverage the compromised backup files to launch future, targeted attacks.”

A November 13, 2025, Cybersecurity Advisory warned that new activity by the Akira ransomware variant “presents an imminent threat to critical infrastructure.” The Advisory was jointly issued by four U.S. agencies, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency, the Department of Defense Cyber Crime Center, and the Department of Health and Human Services, and five international agencies, Europol’s European Cybercrime Centre, France’s Office Anti-Cybercriminalite – French Cybercrime Central Office, Germany’s Generalstaatsanwaltschaft Karlsruhe – Cybercrime-Zentrum Baden-Württemberg and Landeskriminalamt Baden-Württemberg, and the Netherlands’s National Cyber Security Centre.

Akira has been attacking organizations since March 2023, and the most recent Advisory updates an initial alert published in April 2024 warning organizations about Akira; it provides information about observed tactics, techniques, and procedures (TTPs) that organizations can use to protect themselves against an attack.

Since its inception in approximately March 2023, it is reported that Akira has “pocketed $244 million as of late September.” The FBI calls Akira one of the top five ransomware variants currently attacking companies.

According to the Advisory, Akira is primarily targeting “small- and medium-sized businesses, but have also impacted larger organizations across various sectors, with a notable preference for organizations in the manufacturing, educational institutions, information technology, healthcare and public health, financial services, and food and agriculture sectors.”

The Joint Advisory recommends that organizations:

  1. Prioritize remediating known exploited vulnerabilities;
  2. Enable and enforce phishing-resistant multifactor authentication (MFA); and
  3. Maintain regular backups of critical data, ensure backups are stored offline, and regularly test the restoration process.

The Advisory provides useful information worthy of your consideration about measures to take to harden defenses against an attack.

The SafePay ransomware group has been active since fall 2024 and has increased its activity this spring and summer. According to NCC Group, SafePay hit the most victims of any threat actor in May 2025—it is linked to 248 victims to date, according to Ransomware.live and RansomFeed.

The group uses common tactics, including social engineering with telephone calls and spam. One of SafePay’s particular techniques worth informing employees about is sending “a ton of spam, and at the same time, when they are panicking and raising concerns, a call comes from ‘the company’s IT department’ via Microsoft Teams.” Posing as a third-party IT department, the threat actors request remote access, then “drop a PowerShell script and often live on the network for up to a week to investigate and another week to slowly move towards exploitation.”

SafePay employs a double extortion model—exfiltrating files that they threaten to leak, and then deploying the ransomware to affect operations and pressure victims to pay. They are targeting private companies in the financial, legal, insurance, health care, and critical services, as well as pivoting to the public sector.

On March 12, 2025, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the Multi-State Information Sharing and Analysis Center to advise companies about the tactics, techniques and procedures (TTPs), and indicators of compromise (IOCs) to protect themselves against Medusa ransomware.

According to the advisory:

Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing. The Medusa ransomware variant is unrelated to the MedusaLocker variant and the Medusa mobile malware variant per the FBI’s investigation.

The advisory provides technical details on how Medusa gains access to systems, including phishing campaigns as the primary method for stealing credentials. The group also exploits unpatched software vulnerabilities, which reinforces the importance of timely patching.

The threat actors exfiltrate the victim’s data and then deploy the encryptor, gaze.exe, on files while disabling Windows Defender and other antivirus tools. The encrypted files use the .medusa file extension. They then contact the victim within 48 hours and use the .onion data leak site for communication.
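As an added illustration of how those three indicators translate into detection logic (this code is not from the advisory or from this post), the routine below rates each host in a batch of endpoint telemetry by whether the advisory's sequence is visible: the gaze.exe encryptor running, Windows Defender being disabled, and files gaining the .medusa extension. The event format, host names and file paths are constructed assumptions for the example.

```python
"""Triage of constructed endpoint telemetry for the Medusa indicators the
advisory names: the gaze.exe encryptor, files renamed to the .medusa
extension, and Windows Defender being disabled. Event format and sample
records are constructed for this example and do not come from any product."""
from collections import Counter

# Constructed sample telemetry (not real logs): (host, event type, detail).
SAMPLE_EVENTS = [
    ("ws-17", "process_create", r"C:\Users\jdoe\AppData\Local\Temp\gaze.exe"),
    ("ws-17", "defender_state", "real-time protection disabled"),
    ("ws-17", "file_rename", r"C:\Shares\Finance\q3.xlsx -> C:\Shares\Finance\q3.xlsx.medusa"),
    ("ws-17", "file_rename", r"C:\Shares\Finance\plan.docx -> C:\Shares\Finance\plan.docx.medusa"),
    ("ws-17", "file_rename", r"C:\Shares\Finance\notes.txt -> C:\Shares\Finance\notes.txt.medusa"),
    ("ws-22", "process_create", r"C:\Users\asmith\Downloads\gaze.exe"),
    ("ws-22", "file_rename", r"C:\Users\asmith\draft.docx -> C:\Users\asmith\draft_v2.docx"),
    ("ws-22", "defender_state", "real-time protection enabled"),
    ("ws-05", "process_create", r"C:\Windows\System32\notepad.exe"),
]

# One matcher per indicator from the advisory, applied to (event type, detail).
INDICATORS = {
    "gaze_exe": lambda t, d: t == "process_create" and d.lower().rsplit("\\", 1)[-1] == "gaze.exe",
    "medusa_ext": lambda t, d: t == "file_rename" and d.lower().endswith(".medusa"),
    "defender_off": lambda t, d: t == "defender_state" and "disabled" in d.lower(),
}


def triage(events):
    """Return {host: (severity, {indicator: count})} for every host with a hit."""
    hits = {}
    for host, etype, detail in events:
        for name, match in INDICATORS.items():
            if match(etype, detail):
                hits.setdefault(host, Counter())[name] += 1
    result = {}
    for host, counts in hits.items():
        # The advisory's sequence is: disable AV, run gaze.exe, files gain .medusa.
        # Encrypted output seen alongside either precursor is rated a confirmed chain.
        chain = "medusa_ext" in counts and bool({"gaze_exe", "defender_off"} & set(counts))
        result[host] = ("high" if chain else "medium", dict(counts))
    return result


if __name__ == "__main__":
    for host, (severity, counts) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {severity} {counts}")
```

A lone gaze.exe execution with no encrypted output is rated medium so it is still reviewed, while a host showing the full chain is rated high.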

The advisory lists the IOCs and TTPs used in the attacks. IT professionals may wish to review them and apply mitigation tactics. The mitigations listed in the advisory are lengthy and worth consulting.

The Cybersecurity & Infrastructure Security Agency, the Federal Bureau of Investigation, and the Multi-State Information Sharing and Analysis Center released an advisory on February 19, 2025, providing information on Ghost ransomware activity.

According to the advisory, “Ghost actors conduct these widespread attacks targeting and compromising organizations with outdated versions of software and firmware on their internet facing services.” They use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) that have not been patched. The CVEs used by Ghost include CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

The advisory urges organizations to:

  1. Maintain regular system backups stored separately from the source systems, which cannot be altered or encrypted by potentially compromised network devices [CPG 2.R].
  2. Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 2.F].
  3. Segment networks to restrict lateral movement from initially infected devices to other devices in the same organization [CPG 2.F].
  4. Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.

The advisory details how Ghost (Cring) is gaining initial access, executing applications, escalating privileges, obtaining credentials, evading defenses, moving laterally, and exfiltrating data. It also provides indicators of compromise and email addresses used by the threat actors.

Patching continues to be a crucial block-and-tackle technique, and timely patching is critical for mitigating exploitation. Blocking known malicious emails is a proven tactic to mitigate access. Review the advisory to ensure the applicable patches have been applied and the malicious emails associated with Ghost have been blocked.

Unfortunately, I’ve had unpleasant dealings with the Phobos ransomware group. My interactions with Phobos have been fodder for a good story when I educate client employees on recent cyber-attacks to prevent them from becoming victims. The story highlights how these ransomware groups, including Phobos, are sophisticated criminal organizations with a managerial hierarchy. They use common slang in their communications and have to get “authority” to negotiate a ransom. It’s a strange world.

Because of my unpleasant dealings with Phobos, I was particularly pleased to see that the Department of Justice (DOJ) recently announced the arrest and extradition of Russian national Evgenii Ptitsyn on charges that he administered the Phobos ransomware variant.

This week, the DOJ unsealed charges against two more Russian nationals, Roman Berezhnoy and Egor Nikolaevich Glebov, who “operated a cybercrime group using the Phobos ransomware that victimized more than 1,000 public and private entities in the United States and around the world and received over $16 million in ransom payments.” They were arrested “as part of a coordinated international disruption of their organization, which includes additional arrests and the technical disruption of the group’s computer infrastructure.” I’m thrilled about this win. People always ask me whether these cyber criminals get caught. Yes, they do. This is proof of how important the Federal Bureau of Investigation (FBI) is in assisting with international cybercrime, and how effective its partnership with international law enforcement is in catching these pernicious criminals. This is why I firmly believe that we must continue to share information with the FBI to assist with investigations, and why the FBI must be allowed to continue its important work to protect U.S. businesses from cybercrime.

The city of Columbus, Ohio, announced on May 29, 2024, that a ransomware attack forced its systems offline. According to its notice, the attack was perpetrated by “an established, sophisticated threat actor operating overseas,” and that it was working with law enforcement to investigate the incident. The culprit behind the ransomware attack is reported to be Rhysida.

According to Security Week, the ransomware group posted the city’s data on the dark web, including individuals’ names, addresses, dates of birth, bank account information, driver’s license information, Social Security numbers, and other identifying information. Columbus reported to the Maine Attorney General that it is notifying 500,000 individuals that their personal information was affected by the incident, and is offering those who are affected 24 months of credit monitoring and dark web monitoring.

Unit 42 recently reported that it has identified “Jumpy Pisces, a North Korean state-sponsored threat group associated with the Reconnaissance General Bureau of the Korean People’s Army, as a key player in a recent ransomware incident.” Its investigation indicates “with moderate confidence that Jumpy Pisces, or a faction of the group, is now collaborating with the Play ransomware group (Fiddling Scorpius).” Jumpy Pisces has previously engaged in cyberespionage, financial crime, and ransomware attacks and was behind the ransomware known as Maui.

Unit 42 states that this is the “first observed instance” of Jumpy Pisces using an existing ransomware infrastructure that “signals deeper involvement in the broader ransomware threat landscape.”

According to Unit 42, “We expect their attacks will increasingly target a wide range of victims globally. Network defenders should view Jumpy Pisces activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance.”

Unit 42 provides the attack methods, timeline of events, threat actor tooling, collaborations with Play ransomware, indicators of compromise, and resources for organizations to use to protect against these threats.