Ransomware incidents and attacks
On April 7, 2026, ChipSoft — a Dutch healthcare IT company providing Electronic Patient Dossier (EPD/HiX) software to approximately 80% of all Dutch hospitals — was hit by a ransomware attack that …
On approximately 7 April 2026, a Massachusetts healthcare system disclosed it was experiencing a cyberattack that forced the organisation to divert ambulance patients to other facilities and operate …
On March 26, 2026, the Qilin ransomware group (described as Russian-speaking and both financially and politically motivated) attacked Die Linke, a left-wing democratic socialist party in the German …
The Interlock ransomware group exploited a maximum-severity vulnerability in Cisco adaptive security appliances (ASA) or Firepower Threat Defense (FTD) firewalls, gaining persistent network access …
In the weeks following Stryker's March 2026 Handala wiper attack (documented separately), multiple lawsuits were filed against Stryker as the Iranian-linked Handala group continued to boast about the …
An August 2025 ransomware attack on the University of Hawaii Cancer Center's research study data systems was disclosed in early 2026 as affecting approximately 1.2 million individuals who had …
On February 26–27, 2026, the Qilin ransomware gang listed Malaysia Airlines on its dark web leak site. Unlike its typical practice, the group published no file samples, data cache size estimates, or …
On February 19, 2026, the University of Mississippi Medical Center (UMMC) detected a ransomware attack that forced the closure of all 35 of its clinic locations statewide. Hospital emergency …
On February 6, 2026 (starting at ~03:29 AM EST), a ransomware attack hit BridgePay Network Solutions, a payment gateway serving merchants, municipalities, and integrators. The attack knocked offline …
Capital Health — which operates capital health hospital and clinical facilities in New Jersey and Pennsylvania — agreed to pay $4.5 million to settle claims arising from a LockBit ransomware attack. …
Law enforcement agencies raided two suspected members of the Black Basta ransomware group and announced they are actively seeking the group's leader(s). Black Basta has been one of the most prolific …
On New Year's Eve 2025/2026, the TridentLocker ransomware-as-a-service (RaaS) group claimed an attack on Sedgwick Government Solutions, a subsidiary of Sedgwick that provides claims and risk …
In November 2025, the Everest ransomware group claimed Under Armour as a victim and attempted extortion, alleging theft of 343 GB of data. In January 2026, data for approximately 72 million accounts …
Between September 17 and September 23, 2025, an unauthorized actor exploited an unknown vulnerability in Insightin Health's GoAnywhere managed file transfer tool, gaining access to a subset of …
On August 31, 2025, an unknown ransomware group attacked the University of Hawaii Cancer Center's Epidemiology Division, compromising research servers (clinical operations were not affected). …
Beginning August 31, 2025, the 'Scattered Lapsus$ Hunters' alliance — a cybercrime consortium of Scattered Spider (initial access/social engineering), LAPSUS$ (extortion/amplification), and …
Unauthorized access to Insight Hospital and Medical Center's (Chicago) network occurred between August 22 and September 11, 2025. The hospital issued a substitute notice on January 26, 2026. LockBit …
Marquis Software Solutions, a marketing and compliance services vendor to 700+ US financial institutions, was hit by Akira ransomware on August 14, 2025. Threat actors exploited a critical SonicWall …
On August 9, 2025, the INC Ransom ransomware group attacked the Pennsylvania Office of the Attorney General, knocking its website, email, and phone lines offline for approximately three weeks. INC …
The City of St. Paul, Minnesota (state capital) suffered a ransomware attack beginning July 25, 2025. The city shut down all networks on August 11 after confirming it was ransomware and declining to …
On July 2–3, 2025, the SafePay ransomware group exfiltrated files from Ingram Micro's internal repositories. Ingram Micro (a leading global IT distributor processing ~$15B in transactions annually) …
Kettering Health, an Ohio health system running 14 medical centers and dozens of clinics primarily in the Dayton area, was hit by Interlock ransomware on May 20, 2025. Approximately 600 digital …
Covenant Health (Catholic healthcare network serving Massachusetts, Maine, New Hampshire, Pennsylvania, Rhode Island, and Vermont) detected unauthorized activity on May 26, 2025, with the breach …
Scattered Spider (UNC3944) affiliates acting as DragonForce ransomware-as-a-service operators conducted a wave of attacks against UK retailers in April–May 2025. Co-op confirmed system disruptions and …
DaVita Inc., one of the largest kidney dialysis providers in the US, disclosed a ransomware attack on April 12, 2025. Intrusion began March 24, 2025 and was eradicated April 12. Interlock ransomware …
Yale New Haven Health System, a Connecticut-based health system affiliated with Yale School of Medicine, detected unauthorized network access on March 8, 2025. The health system engaged Mandiant for …
Berkeley Research Group (BRG), a major consulting and financial advisory firm, suffered a ransomware attack discovered March 2, 2025. Unauthorized activity occurred February 28 – March 2, 2025. The …
Scattered Spider (UNC3944) gained initial access to M&S systems as early as February 2025 via social engineering of the third-party IT service desk (vishing/impersonation). Attackers exfiltrated the …
On January 27, 2025, Frederick Health Medical Group (a Maryland-based healthcare network with 25+ locations) announced a ransomware attack that compromised the protected health information of 934,326 …
Episource LLC, a medical coding and risk adjustment company and Optum/UnitedHealth Group subsidiary, detected a ransomware intrusion on February 6, 2025, after unauthorized access between January 27 …
Between January 21 and February 5, 2025, the Medusa ransomware group exfiltrated data from SimonMed Imaging (a large US radiology/medical imaging provider). Medusa claimed more than 212 GB of data …
Tata Technologies, a Tata Group subsidiary providing engineering and technology services in automotive, aerospace, and industrial sectors (12,500+ employees, operating in 27 countries), suffered a …
Krispy Kreme detected unauthorized IT activity 29 November 2024; disclosed via SEC 8-K 11 December 2024. Online ordering disrupted. Play ransomware gang claimed attack in December; after failed ransom …
INC Ransom breached Ahold Delhaize USA (parent of Stop & Shop, Food Lion, Giant Food, Hannaford, and The Giant Company) between 5-6 November 2024, stealing up to 6 TB of data. Final breach count: …
Italian Serie A football club Bologna FC was attacked by RansomHub in November 2024. RansomHub claimed to have stolen 200 GB of data including player contracts, passports, financial records …
Hellcat ransomware group breached Schneider Electric's internal Atlassian Jira project tracking platform in November 2024, stealing over 40 GB of compressed data including 75,000 unique email …
ARC Community Services, a Wisconsin-based nonprofit providing community living and support services for people with intellectual and developmental disabilities, announced a November 2024 ransomware …
Conduent, a company providing payment processing and document services to major health insurers and state government programs, was breached by the SafePay ransomware group. Attackers had access from …
An unauthorized third party had access to Conduent Business Services' systems from October 21, 2024, to January 13, 2025, when operational disruption was triggered. Conduent provides technology …
Casio, the Japanese electronics and watchmaking company, suffered a ransomware attack on October 5, 2024. The Underground ransomware group claimed responsibility on October 10, threatening to release …
Texas Tech University Health Sciences Center (TTUHSC) and its El Paso center suffered a ransomware attack in September 2024, claimed by the Interlock group. Combined, 1,465,000 patients were affected …
RansomHub (ransomware-as-a-service operation, launched February 2024) attacked Halliburton. Detected 21 August 2024; SEC 8-K filed 23 August 2024. Production planning and shipment tracking tools …
AutoCanada, a publicly traded North American automotive dealership group operating 84 franchised dealerships, detected a ransomware attack on August 11, 2024. Hunters International claimed …
INC Ransom group (double extortion) gained access 17 July 2024; suspicious activity detected 5 August. All IT systems including EHR taken offline; hospitals reverted to paper charting for ~3 weeks. …
Acadian Ambulance Service, a Louisiana-based emergency medical services provider, was attacked by the Daixin Team ransomware gang between June 19-21, 2024. The group claimed to have exfiltrated data …
BlackSuit ransomware (linked to Royal/Conti lineage) attacked CDK Global June 18 2024, disrupting dealer management systems for ~15,000 US auto dealerships. CDK suffered second attack during recovery …
On 8 June 2024, BlackSuit (rebrand of Royal ransomware / Conti successor) attacked Japanese media/gaming giant Kadokawa and its Niconico video platform. 254,241 individuals' data was confirmed leaked. …
Rite Aid (third-largest US pharmacy chain) was breached on 6 June 2024 with 2.2 million customers' names, dates of birth, addresses, and driver's license/government ID numbers exposed. RansomHub …
Qilin ransomware group attacked Synnovis, a joint venture providing blood testing and pathology services to King's College Hospital NHS Foundation Trust and Guy's and St Thomas' NHS Foundation Trust …
Evolve Bank & Trust, an Arkansas-based fintech banking partner, was attacked by the LockBit ransomware gang in late May 2024. An employee clicked a malicious link, granting attackers access. LockBit …
RansomHub had access to Patelco Credit Union's systems from approximately 23 May 2024 until detected 29 June 2024. Online banking, mobile app, and call centre were shut down for nearly two weeks. …
Landmark Admin LLC, a Texas-based third-party administrator for multiple insurance companies, detected unauthorized access to its systems on May 13, 2024, and was breached again on June 17 while the …
Texas-based third-party insurance administrator Landmark Admin (serving American Monumental Life, Pellerin Life, Liberty Bankers Life, Capitol Life, and others) detected a ransomware attack on 13 May …
Black Basta ransomware group encrypted servers across a 12-hospital system. Initial access via a malicious file inadvertently downloaded by an employee. Attackers accessed only 7 of 25,000 servers but …
Keytronic, a printed circuit board assembly (PCBA) manufacturer based in Spokane, WA, was hit by Black Basta ransomware on May 6, 2024. Operations in the US and Mexico were halted for approximately …
LockBit claimed the attack on London Drugs and demanded $25 million ransom (reportedly offered $8 million). All 79 Western Canada stores closed 28 April–7 May 2024. Corporate head office data …
Frontier Communications (a major US telecom serving 25 states) detected unauthorized access on 14 April 2024. RansomHub claimed responsibility and threatened to leak 5 GB of stolen data. Final …
Young Consulting (also known as Connexure), an Atlanta-based software solutions provider for medical stop-loss insurance organizations, suffered a BlackSuit ransomware attack between April 10-13, …
MediSecure, an Australian electronic prescription delivery service provider, suffered a ransomware attack in April 2024. Approximately 6.5 TB of data was exfiltrated, impacting approximately 12.9 …
The Wacks Law Group, a Whippany, New Jersey estate planning law firm with only six attorneys, was attacked by the Qilin ransomware group on March 9, 2024. Sensitive client data including Social …
In April 2026, Iowa Attorney General Brenna Bird filed a lawsuit against UnitedHealth Group seeking financial damages, civil penalties, and improvements to the company's data security practices for …
Affiliate of ALPHV/BlackCat breached Change Healthcare (UnitedHealth subsidiary) on Feb 11 2024 via stolen credentials on a Citrix portal lacking MFA. Spent 9 days in network before encrypting. UHG …
ALPHV/BlackCat ransomware group breached Prudential Financial (major US insurer) between 4-5 February 2024, initially believed to affect only 36,545 people. The true scope was revealed in July 2024 as …
Rhysida ransomware attacked Lurie Children's Hospital of Chicago (pediatric hospital) Jan 26-31 2024. Patient-facing systems offline for ~3.5 months. 791,784 individuals notified of PHI exposure …
California-based mortgage lender LoanDepot was attacked by the ALPHV/BlackCat ransomware gang between January 3-5, 2024. Approximately 16.9 million customers had their personal data exfiltrated, …
Anna Jaques Hospital in Newburyport, Massachusetts was attacked on Christmas Day 2023 by the Money Message ransomware group, which claimed 600 GB of data was stolen. 316,342 patients' comprehensive …
First American Financial Corp (one of the largest US title insurance providers) shut down its systems in late December 2023 after attackers accessed and encrypted non-production data. 44,000 …
Attackers gained access to Integris Health's network on 28 November 2023. On 24 December 2023, Integris discovered that patients were being directly contacted by the cybercriminal group and offered to …
DP World Australia, which operates approximately 40% of Australia's container port throughput across terminals in Sydney, Melbourne, Brisbane, and Fremantle, suffered a cyberattack on November 10, …
On 10 November 2023, DP World Australia — one of Australia's largest port operators, managing approximately 40% of Australian container port operations across Port Botany (Sydney), Port Melbourne, …
Fred Hutchinson Cancer Center (Fred Hutch), a major Seattle-based research hospital, suffered a ransomware attack between November 10–25, 2023. The Hunters International group exploited a Citrix …
LockBit 3.0 affiliates exploited Citrix Bleed (CVE-2023-4966) to breach Boeing Distribution Inc. (parts and distribution business). Session token extraction from Citrix NetScaler memory allowed …
On 25 September 2023, Johnson Controls International — a global conglomerate manufacturing building automation systems, HVAC systems, fire safety systems, and physical security products — suffered a …
Scattered Spider (UNC3944) used LinkedIn to identify MGM employee, called IT helpdesk impersonating them to get Okta/Azure admin access. Waited 2 days then launched ransomware against 100+ ESXi …
Scattered Spider targeted Caesars' outsourced IT support vendor Aug 18 2023 via voice phishing, convincing vendor to hand over Okta credentials. Within days accessed 6TB loyalty program database with …
On 11 August 2023, Clorox Company — one of the world's largest consumer goods manufacturers (Clorox, Hidden Valley, Burt's Bees, Kingsford charcoal) — detected a cyberattack and took systems offline, …
Ransomware hit Rapattoni Corp. (California-based MLS software provider serving ~100 MLSs and approximately 5% of US MLSs) on 9 August 2023. The attack froze MLS systems used by hundreds of thousands …
In late April 2023, ALPHV/BlackCat ransomware affiliates breached HWL Ebsworth — one of Australia's largest national law firms with offices in all Australian capital cities and thousands of clients …
Capita, a major UK outsourcing company providing services across government, defence, and pension administration, was hit by Black Basta ransomware on March 31, 2023 (initial compromise March 22). An …
In March 2023, Money Message ransomware attacked PharMerica Corporation — one of the largest pharmacy benefit management companies in the US, providing pharmacy services to long-term care facilities …
On 23 February 2023, Dish Network and its parent EchoStar suffered a Black Basta ransomware attack that caused a several-day outage affecting Dish Network's websites, call centers, and internal …
On February 23, 2023, Dish Network — a major US satellite TV provider — suffered a ransomware attack (attributed to Black Basta) that took down its internal systems, customer service centers, and …
LockBit ransomware hit Royal Mail's Heathrow Worldwide Distribution Centre Jan 10 2023, disrupting international mail for 6 weeks. LockBit initially demanded $80M ransom, lowered to $40M. Royal Mail …
On 2 December 2022, Play ransomware attacked Rackspace's Hosted Exchange email service, forcing Rackspace to permanently shut down the service. Rackspace had approximately 30,000 Hosted Exchange …
On 3 October 2022, CommonSpirit Health — the second-largest nonprofit hospital system in the United States with 140 hospitals and over 1,000 care sites across 21 states — was hit by a Hive ransomware …
Over the Labor Day weekend of 3-6 September 2022, Vice Society ransomware attacked the Los Angeles Unified School District (LAUSD) — the second-largest school district in the United States, serving …
Russian cybercriminal (Aleksandr Ermakov, sanctioned by Australia Jan 2024) accessed Medibank's network Aug 25 - Oct 13 2022 via stolen privileged VPN credentials without MFA. Exfiltrated 520GB …
On 25 April 2022, Yuma Regional Medical Center (YRMC) — the primary regional hospital for southwestern Arizona serving Yuma, Arizona and surrounding areas — discovered a ransomware attack. YRMC is the …
Ransomware struck UKG's (Ultimate Kronos Group) Kronos Private Cloud on December 11 2021, taking down workforce management and payroll processing systems used by thousands of large employers including …
On 11 December 2021, UKG (Ultimate Kronos Group) — one of the world's largest workforce management software providers serving over 40 million people across 57,000 organisations globally — suffered a …
On 4 December 2021, Eye Care Leaders — a provider of electronic health records (EHR) and practice management software specifically designed for ophthalmology practices — suffered a ransomware attack …
Lincoln College, a historically Black liberal arts college in Lincoln, Illinois, founded in 1865 (the same year Abraham Lincoln was assassinated), announced in May 2022 that it would permanently close …
On 4 August 2021, Eskenazi Health — Indianapolis's primary safety-net hospital serving the city's most vulnerable and uninsured populations — suffered a ransomware attack. Eskenazi detected the attack …
On approximately 1 August 2021, Roper St. Francis Healthcare — a nonprofit hospital system based in Charleston, South Carolina operating multiple hospitals and medical facilities — discovered …
REvil (Russian) ransomware attack on JBS S.A., world's largest meat processor, May 30 2021. Disrupted beef and pork slaughter facilities in US, Canada, Australia. JBS paid $11M USD in Bitcoin. CEO …
On 30 May 2021, JBS S.A. — the world's largest meat processing company, processing approximately one-fifth of all US beef — was hit by a REvil ransomware attack that forced the shutdown of all its US …
On May 14, 2021, Conti ransomware operators attacked Ireland's Health Service Executive (HSE) — the country's entire national public health system — encrypting approximately 80,000 devices and all HSE …
DarkSide ransomware affiliate (Russian-based) compromised Colonial Pipeline via leaked VPN credentials on a legacy account lacking MFA. 100 GB of data exfiltrated day before encryption. Pipeline …
DarkSide ransomware attacked Brenntag, one of the world's largest chemical distribution companies (Germany-headquartered, North America division targeted), on approximately April 28 2021. The …
On May 1, 2021, Scripps Health — San Diego's second-largest healthcare provider operating five hospitals and 19 outpatient facilities — suffered a Conti ransomware attack that took its systems offline …
On 7 April 2021, Reproductive Biology Associates (RBA) — an Atlanta, Georgia fertility clinic — and its affiliate My Egg Bank North America suffered a DoppelPaymer ransomware attack. Attackers …
On 28 March 2021, Nine Entertainment — Australia's largest media and entertainment company, operating the Nine Network (free-to-air TV), The Sydney Morning Herald, The Age, The Australian Financial …
CNA Financial Corporation, one of the largest commercial insurance companies in the United States, suffered a ransomware attack on March 21, 2021 that disrupted its operations for approximately three …
On 21 March 2021, CNA Financial — one of the largest commercial insurance companies in the United States — suffered a ransomware attack using a new malware strain called Phoenix CryptoLocker, believed …
On March 14, 2021, REvil ransomware operators attacked Acer, the Taiwanese PC manufacturer, using the freshly-disclosed ProxyLogon Exchange vulnerability (CVE-2021-26855, disclosed March 2, 2021) as …
DarkSide ransomware attacked fashion retailer Guess (NYSE: GES) in February 2021, exfiltrating data before encryption. DarkSide published a sample of stolen files on their leak site in April 2021. …
WestRock Company, one of the largest corrugated packaging and paperboard manufacturers in the world, disclosed on January 25, 2021 that it had suffered a ransomware attack on approximately January 23, …
DoppelPaymer ransomware crippled the University of Vermont Health Network on October 28 2020, affecting all six of its hospitals and hundreds of medical staff. The attack knocked out access to Epic …
On 28 October 2020, the University of Vermont Medical Center (UVMMC) and its University of Vermont Health Network — encompassing six hospitals and approximately 1,000 providers across Vermont and …
On September 27, 2020, Universal Health Services (UHS) — one of the largest US hospital chains with 400 facilities across the US and UK — was struck by Ryuk ransomware, causing one of the largest …
On 9 September 2020, ransomware (assessed as DoppelPaymer) crippled the IT systems of University Hospital Düsseldorf (Universitätsklinikum Düsseldorf) — one of Germany's largest hospitals with …
On July 23, 2020, Evil Corp (a Russian cybercrime organization led by Maksim Yakubets, sanctioned by OFAC) deployed WastedLocker ransomware against Garmin, encrypting the company's IT systems and …
Maze ransomware group attacked Cognizant, a Fortune 500 IT managed services provider with ~300,000 employees, on April 18 2020. The attack disrupted services for clients across multiple industries. …
Magellan Health, one of the largest managed care companies in the United States (specializing in behavioral health and pharmacy benefits), disclosed in May 2020 that it suffered a ransomware attack on …
On 11 April 2020, Magellan Health — a Fortune 500 managed care company specialising in behavioral health, pharmacy benefits, and radiology benefits management — suffered a ransomware attack. The …
CLOP ransomware group attacked ExecuPharm, a US clinical research organisation (CRO) and pharmaceutical services company, on March 13 2020. After the company declined to pay, CLOP published stolen …
In February 2020, attackers breached Blackbaud — the world's largest provider of nonprofit and education CRM/fundraising software — and spent approximately five months in the environment before …
On New Year's Eve 2019, REvil ransomware operators exploited CVE-2019-11510 in Travelex's unpatched Pulse Secure VPN to gain initial access to Travelex's corporate network. Travelex, the world's …
Wood Ranch Medical Clinic, a small family medical practice in Simi Valley, California, announced in August 2019 that it would permanently close on December 17, 2019 following a ransomware attack that …
LockerGoga ransomware struck Norsk Hydro, one of the world's largest aluminium producers, on March 19 2019. The attack spread across 22,000 computers in 40 countries, encrypting files and forcing the …
On 14 July 2018, LabCorp — one of the world's largest clinical laboratory networks, processing approximately 2.5 million patient specimens per week — suffered a SamSam ransomware attack that disrupted …
On January 18, 2018, Allscripts Healthcare Solutions — one of the largest electronic health record (EHR) vendors in the United States, serving more than 45,000 physician practices and 180,000 …
On 18 January 2018, SamSam ransomware attackers encrypted systems at Allscripts Healthcare Solutions data centers, taking offline cloud-hosted electronic health record (EHR) and practice management …
In April 2026, German Federal Criminal Police (BKA — Bundeskriminalamt) announced that it had, in conjunction with international law enforcement partners, identified and publicly named a key leader …
On May 12, 2017, WannaCry — a self-propagating ransomware worm — began spreading globally, infecting approximately 230,000 systems in 150+ countries within 24 hours. WannaCry exploited EternalBlue, an …
On 12 May 2017, WannaCry ransomware caused the most significant cyberattack on the UK National Health Service in history. Of the 236 NHS Trusts in England, 80 were affected — about 34% of all NHS …
