2026-04-07
[vendor] ChipSoft HiX (Electronic Patient Dossier / EPD healthcare platform)
Vector: Ransomware attack on ChipSoft's cloud infrastructure (SaaS Patient Portal and GP software tenant); threat actor group not yet publicly identified as of disclosure
On April 7, 2026, ChipSoft — a Dutch healthcare IT company providing Electronic Patient Dossier (EPD/HiX) software to approximately 80% of all Dutch hospitals — was hit by a …
2026-04-07
[vendor] Massachusetts healthcare system IT infrastructure (identity not disclosed at time of reporting)
Vector: Ransomware or destructive cyberattack on the Massachusetts healthcare system's IT infrastructure; the attack forced the organisation to take clinical systems offline and revert to paper-based downtime procedures; emergency services were diverted to protect patient safety
On approximately 7 April 2026, a Massachusetts healthcare system disclosed it was experiencing a cyberattack that forced the organisation to divert ambulance patients to other …
2026-03-26
[malware] Qilin
Vector: Qilin ransomware compromised Die Linke's network IT infrastructure; specific initial access vector not publicly disclosed
On March 26, 2026, the Qilin ransomware group (described as Russian-speaking and both financially and politically motivated) attacked Die Linke, a left-wing democratic socialist …
2026-03-18
Vector: Interlock ransomware group exploited a critical vulnerability (CVSS 10.0) in Cisco ASA/FTD firewalls to gain initial access to victim networks weeks before deploying ransomware
The Interlock ransomware group exploited a maximum-severity vulnerability in Cisco Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) firewalls, gaining …
2026-03-18
Vector: Handala (Iran-linked hacktivist group) deployed a wiper attack against Stryker's Microsoft Intune MDM infrastructure; subsequent lawsuits and ongoing recovery documented
In the weeks following Stryker's March 2026 Handala wiper attack (documented separately), multiple lawsuits were filed against Stryker as the Iranian-linked Handala group continued …
2026-03-04
Vector: Ransomware attack on the University of Hawaii Cancer Center's research data infrastructure in August 2025
An August 2025 ransomware attack on the University of Hawaii Cancer Center's research study data systems was disclosed in early 2026 as affecting approximately 1.2 million …
2026-02-26
[malware] Qilin
Vector: Not disclosed; Qilin listed Malaysia Airlines on its dark web victim site with no file samples or proof of data theft published
On February 26–27, 2026, the Qilin ransomware gang listed Malaysia Airlines on its dark web leak site. Unlike its typical practice, the group published no file samples, data cache …
2026-02-19
[malware] Medusa
Vector: Medusa ransomware group breached UMMC; initial vector not publicly disclosed
On February 19, 2026, the University of Mississippi Medical Center (UMMC) detected a ransomware attack that forced the closure of all 35 of its clinic locations statewide. Hospital …
2026-02-06
[vendor] BridgePay Network Solutions (payment gateway platform)
Vector: Unknown; ransomware deployed against BridgePay's payment processing infrastructure
On February 6, 2026 (starting at ~03:29 AM EST), a ransomware attack hit BridgePay Network Solutions, a payment gateway serving merchants, municipalities, and integrators. The …
2026-02-02
Vector: LockBit ransomware group attacked Capital Health's network infrastructure
Capital Health — which operates Capital Health hospital and clinical facilities in New Jersey and Pennsylvania — agreed to pay $4.5 million to settle claims arising from a LockBit …
2026-01-19
Vector: Law enforcement action: police raided suspected Black Basta members and are seeking the group's leadership
Law enforcement agencies raided two suspected members of the Black Basta ransomware group and announced they are actively seeking the group's leader(s). Black Basta has been one of …
2025-12-31
[malware] TridentLocker
Vector: TridentLocker ransomware group breached Sedgwick Government Solutions via an isolated file transfer system; initial access vector not publicly disclosed
On New Year's Eve 2025/2026, the TridentLocker ransomware-as-a-service (RaaS) group claimed an attack on Sedgwick Government Solutions, a subsidiary of Sedgwick that provides …
2025-11-01
[malware] Everest
Vector: Everest ransomware group claimed unauthorized access to Under Armour systems, alleging exfiltration of 343 GB of data; initial access vector not publicly disclosed
In November 2025, the Everest ransomware group claimed Under Armour as a victim and attempted extortion, alleging theft of 343 GB of data. In January 2026, data for approximately …
2025-09-17
[vendor] GoAnywhere (managed file transfer)
[malware] Medusa
Vector: Unauthorized actor exploited a previously unknown vulnerability in GoAnywhere (a managed file transfer tool) used by Insightin Health, gaining access to servers for approximately 6 days
Between September 17 and September 23, 2025, an unauthorized actor exploited an unknown vulnerability in Insightin Health's GoAnywhere managed file transfer tool, gaining access to …
2025-08-31
Vector: Ransomware attack targeting servers supporting the UH Cancer Center's Epidemiology Division research operations; initial access vector not publicly disclosed
On August 31, 2025, an unknown ransomware group attacked the University of Hawaii Cancer Center's Epidemiology Division, compromising research servers (clinical operations were not …
2025-08-31
Vector: Vishing (voice phishing) campaign weeks before the attack tricked employees into disclosing credentials; attackers posing as internal IT staff. Subsequent credential abuse and lateral movement into production and manufacturing systems.
Beginning August 31, 2025, the 'Scattered Lapsus$ Hunters' alliance — a cybercrime consortium of Scattered Spider (initial access/social engineering), LAPSUS$ …
2025-08-22
[malware] Termite
Vector: Ransomware attack on Insight Hospital and Medical Center's IT environment; unauthorized access persisted for approximately 20 days before discovery
Unauthorized access to Insight Hospital and Medical Center's (Chicago) network occurred between August 22 and September 11, 2025. The hospital issued a substitute notice on January …
2025-08-14
[vendor] SonicWall (VPN/firewall)
[malware] Akira
[cve] CVE-2024-40766
Vector: Akira ransomware exploited CVE-2024-40766 (SonicWall VPN improper access control) to breach Marquis Software's network; attackers also bypassed MFA
Marquis Software Solutions, a marketing and compliance services vendor to 700+ US financial institutions, was hit by Akira ransomware on August 14, 2025. Threat actors exploited a …
2025-08-09
[vendor] Citrix NetScaler (VPN/ADC)
[malware] INC Ransom
[cve] CVE-2025-5777
Vector: INC Ransom exploited CVE-2025-5777 (Citrix Bleed 2, critical) in public-facing Citrix NetScaler appliances at the Pennsylvania Attorney General's Office
On August 9, 2025, the INC Ransom ransomware group attacked the Pennsylvania Office of the Attorney General, knocking its website, email, and phone lines offline for approximately …
2025-07-25
[malware] Interlock ransomware
Vector: Unknown; attack described as sophisticated; Interlock typically uses drive-by downloads and ClickFix social engineering
The City of St. Paul, Minnesota (state capital) suffered a ransomware attack beginning July 25, 2025. The city shut down all networks on August 11 after confirming it was …
2025-07-02
[vendor] Palo Alto GlobalProtect (VPN)
[malware] SafePay
Vector: SafePay ransomware gained initial access via Ingram Micro's GlobalProtect VPN platform, likely through leaked credentials or password-spraying
On July 2–3, 2025, the SafePay ransomware group exfiltrated files from Ingram Micro's internal repositories. Ingram Micro (a leading global IT distributor processing ~$15B in …
2025-05-20
[malware] Interlock ransomware
Vector: Drive-by download from compromised legitimate website; ClickFix technique (fake CAPTCHA prompting users to run malicious code via Windows Run dialog)
Kettering Health, an Ohio health system running 14 medical centers and dozens of clinics primarily in the Dayton area, was hit by Interlock ransomware on May 20, 2025. …
2025-05-18
[malware] Qilin
Vector: Qilin ransomware group gained unauthorized access to Covenant Health's IT environment; initial vector not publicly disclosed
Covenant Health (Catholic healthcare network serving Massachusetts, Maine, New Hampshire, Pennsylvania, Rhode Island, and Vermont) detected unauthorized activity on May 26, 2025, …
2025-04-01
[vendor] Co-op Group (UK retailer/food/funeral); Harrods (UK luxury retailer)
[malware] DragonForce ransomware
Vector: CWE-306: Missing Authentication for Critical Function / social engineering (Scattered Spider affiliates used vishing and employee impersonation to bypass MFA and conduct service-desk password resets)
Scattered Spider (UNC3944) affiliates acting as DragonForce ransomware-as-a-service operators conducted a wave of attacks against UK retailers in April–May 2025. Co-op confirmed …
2025-03-24
[malware] Interlock ransomware
Vector: Spear phishing emails targeting employees, followed by exploitation of vulnerabilities on a third-party internet-facing file transfer platform
DaVita Inc., one of the largest kidney dialysis providers in the US, disclosed a ransomware attack on April 12, 2025. Intrusion began March 24, 2025 and was eradicated April 12. …
2025-03-08
[vendor] Yale New Haven Health System IT network
Vector: CWE-284: Improper Access Control
Yale New Haven Health System, a Connecticut-based health system affiliated with Yale School of Medicine, detected unauthorized network access on March 8, 2025. The health system …
2025-02-28
[vendor] Microsoft Teams
[malware] Chaos ransomware
Vector: Social engineering via Microsoft Teams: attacker impersonated an internal IT worker to gain access to an employee's laptop
Berkeley Research Group (BRG), a major consulting and financial advisory firm, suffered a ransomware attack discovered March 2, 2025. Unauthorized activity occurred February 28 – …
2025-02-01
[vendor] Marks & Spencer (UK retailer) — VMware ESXi virtual machines; service desk identity management
[malware] DragonForce ransomware
Vector: CWE-306: Missing Authentication for Critical Function / social engineering (attackers impersonated an M&S employee and called the third-party service desk to perform a password reset; obtained NTDS.dit to crack hashes offline)
Scattered Spider (UNC3944) gained initial access to M&S systems as early as February 2025 via social engineering of the third-party IT service desk (vishing/impersonation). …
2025-01-27
Vector: Ransomware attack targeting a shared network drive; attackers gained unauthorized access to a shared drive containing sensitive patient information (separate from the EMR system)
On January 27, 2025, Frederick Health Medical Group (a Maryland-based healthcare network with 25+ locations) announced a ransomware attack that compromised the protected health …
2025-01-27
[vendor] Episource medical coding and risk adjustment platform
Vector: CWE-284: Improper Access Control
Episource LLC, a medical coding and risk adjustment company and Optum/UnitedHealth Group subsidiary, detected a ransomware intrusion on February 6, 2025, after unauthorized access …
2025-01-21
[malware] Medusa
Vector: SimonMed was alerted on January 27 by a vendor experiencing a security issue; suspicious activity was detected on SimonMed's own systems the following day, suggesting possible supply chain or third-party initial access
Between January 21 and February 5, 2025, the Medusa ransomware group exfiltrated data from SimonMed Imaging (a large US radiology/medical imaging provider). Medusa claimed more …
2025-01-01
[malware] Hunters International ransomware
Vector: Unknown; Hunters International typically uses phishing and exploits internet-facing systems
Tata Technologies, a Tata Group subsidiary providing engineering and technology services in automotive, aerospace, and industrial sectors (12,500+ employees, operating in 27 …
2024-11-29
[vendor] Krispy Kreme (food/restaurant chain)
[malware] Play ransomware
Vector: Unknown
Krispy Kreme detected unauthorized IT activity 29 November 2024; disclosed via SEC 8-K 11 December 2024. Online ordering disrupted. Play ransomware gang claimed attack in December; …
2024-11-05
[malware] INC Ransom
Vector: INC Ransom ransomware-as-a-service operation; initial access vector not publicly confirmed; INC Ransom commonly exploits Citrix NetScaler vulnerabilities and phishing
INC Ransom breached Ahold Delhaize USA (parent of Stop & Shop, Food Lion, Giant Food, Hannaford, and The Giant Company) between 5-6 November 2024, stealing up to 6 TB of data. …
2024-11-01
[malware] RansomHub ransomware
Vector: Unknown; RansomHub noted lack of security controls on the club's network
Italian Serie A football club Bologna FC was attacked by RansomHub in November 2024. RansomHub claimed to have stolen 200 GB of data including player contracts, passports, …
2024-11-01
[vendor] Atlassian Jira
[malware] Hellcat
Vector: Hellcat ransomware group accessed Schneider Electric's Atlassian Jira instance using the MiniOrange REST API to extract data
Hellcat ransomware group breached Schneider Electric's internal Atlassian Jira project tracking platform in November 2024, stealing over 40 GB of compressed data including 75,000 …
2024-11-01
[vendor] ARC Community Services administrative systems
Vector: CWE-284: Improper Access Control
ARC Community Services, a Wisconsin-based nonprofit providing community living and support services for people with intellectual and developmental disabilities, announced a …
2024-10-21
[malware] SafePay ransomware
Vector: Unknown initial access; attackers had persistent access from October 21, 2024 to January 13, 2025
Conduent, a company providing payment processing and document services to major health insurers and state government programs, was breached by the SafePay ransomware group. …
2024-10-21
[malware] SafePay
Vector: SafePay ransomware gang gained unauthorized access to Conduent's systems and maintained persistence for approximately three months before triggering an operational disruption
An unauthorized third party had access to Conduent Business Services' systems from October 21, 2024, to January 13, 2025, when operational disruption was triggered. Conduent …
2024-10-05
[malware] Underground ransomware
Vector: Unauthorized remote access; specific initial access vector not publicly disclosed
Casio, the Japanese electronics and watchmaking company, suffered a ransomware attack on October 5, 2024. The Underground ransomware group claimed responsibility on October 10, …
2024-09-17
[malware] Interlock ransomware
Vector: Unknown; systems disrupted between September 17–29, 2024
Texas Tech University Health Sciences Center (TTUHSC) and its El Paso center suffered a ransomware attack in September 2024, claimed by the Interlock group. Combined, 1,465,000 …
2024-08-21
[vendor] Halliburton (oilfield services)
[malware] RansomHub ransomware
Vector: CWE-798: Use of Hard-coded Credentials / phishing (phishing emails delivering malicious links; subsequent credential theft and lateral movement)
RansomHub (ransomware-as-a-service operation, launched February 2024) attacked Halliburton. Detected 21 August 2024; SEC 8-K filed 23 August 2024. Production planning and shipment …
2024-08-11
[malware] Hunters International ransomware
Vector: Unknown; Hunters International typically uses phishing and exploits vulnerable internet-facing systems
AutoCanada, a publicly traded North American automotive dealership group operating 84 franchised dealerships, detected a ransomware attack on August 11, 2024. Hunters International …
2024-07-17
[vendor] McLaren Health Care (12-hospital Michigan system)
[malware] INC Ransom ransomware
Vector: Unknown
INC Ransom group (double extortion) gained access 17 July 2024; suspicious activity detected 5 August. All IT systems including EHR taken offline; hospitals reverted to paper …
2024-06-19
[vendor] Acadian Ambulance EMS systems
[malware] Daixin Team ransomware
Vector: CWE-284: Improper Access Control
Acadian Ambulance Service, a Louisiana-based emergency medical services provider, was attacked by the Daixin Team ransomware gang between June 19-21, 2024. The group claimed to …
2024-06-18
[vendor] CDK Global Dealer Management System
[malware] BlackSuit
Vector: CWE-1391: Use of Weak Credentials (social engineering; exact initial vector not fully disclosed)
BlackSuit ransomware (linked to Royal/Conti lineage) attacked CDK Global on June 18, 2024, disrupting dealer management systems for ~15,000 US auto dealerships. CDK suffered second …
2024-06-08
[malware] BlackSuit
Vector: Phishing email compromised an employee account, leading to BlackSuit ransomware deployment across Kadokawa corporate infrastructure and Niconico video-sharing platform
On 8 June 2024, BlackSuit (rebrand of Royal ransomware / Conti successor) attacked Japanese media/gaming giant Kadokawa and its Niconico video platform. 254,241 individuals' data …
2024-06-06
[malware] RansomHub
Vector: RansomHub threat actor impersonated a Rite Aid employee to obtain business credentials; gained access to certain business systems; incident detected within 12 hours
Rite Aid (third-largest US pharmacy chain) was breached on 6 June 2024 with 2.2 million customers' names, dates of birth, addresses, and driver's license/government ID numbers …
2024-06-03
[vendor] Synnovis (NHS pathology services provider)
[malware] Qilin ransomware
Vector: Unknown
Qilin ransomware group attacked Synnovis, a joint venture providing blood testing and pathology services to King's College Hospital NHS Foundation Trust and Guy's and St Thomas' …
2024-05-29
[vendor] Evolve Bank & Trust banking platform
[malware] LockBit ransomware
Vector: CWE-601: URL Redirection to Untrusted Site (phishing link clicked by employee)
Evolve Bank & Trust, an Arkansas-based fintech banking partner, was attacked by the LockBit ransomware gang in late May 2024. An employee clicked a malicious link, granting …
2024-05-23
[vendor] Patelco Credit Union (California)
[malware] RansomHub ransomware
Vector: Unknown
RansomHub had access to Patelco Credit Union's systems from approximately 23 May 2024 until detected 29 June 2024. Online banking, mobile app, and call centre were shut down for …
2024-05-13
[vendor] Landmark Admin insurance administration platform
Vector: CWE-522: Insufficiently Protected Credentials (stolen VPN credentials)
Landmark Admin LLC, a Texas-based third-party administrator for multiple insurance companies, detected unauthorized access to its systems on May 13, 2024, and was breached again on …
2024-05-13
Vector: Ransomware attack on Landmark Admin with data encrypted and exfiltrated; initial access vector not publicly confirmed
Texas-based third-party insurance administrator Landmark Admin (serving American Monumental Life, Pellerin Life, Liberty Bankers Life, Capitol Life, and others) detected a …
2024-05-08
[vendor] Ascension Health EHR / MyChart
[malware] Black Basta ransomware
Vector: CWE-494: Download of Code Without Integrity Check (employee downloaded malicious file believing it legitimate)
Black Basta ransomware group encrypted servers across a 12-hospital system. Initial access via a malicious file inadvertently downloaded by an employee. Attackers accessed only 7 …
2024-05-06
[malware] Black Basta ransomware
Vector: Unknown; Black Basta typically uses phishing emails and exploited vulnerabilities for initial access
Keytronic, a printed circuit board assembly (PCBA) manufacturer based in Spokane, WA, was hit by Black Basta ransomware on May 6, 2024. Operations in the US and Mexico were halted …
2024-04-28
[vendor] London Drugs (Canadian pharmacy/retail chain)
[malware] LockBit ransomware
Vector: Unknown
LockBit claimed the attack on London Drugs and demanded $25 million ransom (reportedly offered $8 million). All 79 Western Canada stores closed 28 April–7 May 2024. Corporate head …
2024-04-14
[malware] RansomHub
Vector: RansomHub ransomware operation gained initial access to Frontier Communications systems; RansomHub typically focuses on data-theft extortion without file encryption
Frontier Communications (a major US telecom serving 25 states) detected unauthorized access on 14 April 2024. RansomHub claimed responsibility and threatened to leak 5 GB of stolen …
2024-04-10
[vendor] Young Consulting (Connexure) medical stop-loss insurance software
[malware] BlackSuit ransomware
Vector: CWE-284: Improper Access Control
Young Consulting (also known as Connexure), an Atlanta-based software solutions provider for medical stop-loss insurance organizations, suffered a BlackSuit ransomware attack …
2024-04-01
[vendor] MediSecure eScripts prescription delivery platform
Vector: CWE-284: Improper Access Control
MediSecure, an Australian electronic prescription delivery service provider, suffered a ransomware attack in April 2024. Approximately 6.5 TB of data was exfiltrated, impacting …
2024-03-09
[vendor] Wacks Law Group client file systems
[malware] Qilin ransomware
Vector: CWE-284: Improper Access Control
The Wacks Law Group, a Whippany, New Jersey estate planning law firm with only six attorneys, was attacked by the Qilin ransomware group on March 9, 2024. Sensitive client data …
2024-02-12
[vendor] UnitedHealth Group / Change Healthcare (regulatory enforcement record)
[malware] ALPHV/BlackCat ransomware (original incident)
Vector: See original Change Healthcare ALPHV/BlackCat ransomware breach record (2024-02-12): MFA-less Citrix remote access portal exploited by ALPHV affiliates using stolen credentials
In April 2026, Iowa Attorney General Brenna Bird filed a lawsuit against UnitedHealth Group seeking financial damages, civil penalties, and improvements to the company's data …
2024-02-11
[vendor] Citrix remote access / Change Healthcare claims processing platform
[malware] ALPHV/BlackCat
Vector: CWE-308: Use of Single-Factor Authentication (compromised Citrix remote access lacking MFA)
An affiliate of ALPHV/BlackCat breached Change Healthcare (UnitedHealth subsidiary) on Feb 11, 2024 via stolen credentials on a Citrix portal lacking MFA. Spent 9 days in network …
2024-02-04
[malware] ALPHV/BlackCat
Vector: ALPHV/BlackCat ransomware gained unauthorized access to Prudential Financial administrative and user data; initial access vector not publicly disclosed
ALPHV/BlackCat ransomware group breached Prudential Financial (major US insurer) between 4-5 February 2024, initially believed to affect only 36,545 people. The true scope was …
2024-01-26
[vendor] Lurie Children's Hospital of Chicago IT systems
[malware] Rhysida
Vector: CWE-1391: Use of Weak Credentials (exact vector not publicly disclosed)
Rhysida ransomware attacked Lurie Children's Hospital of Chicago (pediatric hospital) Jan 26-31, 2024. Patient-facing systems offline for ~3.5 months. 791,784 individuals notified …
2024-01-04
[vendor] LoanDepot mortgage platform
[malware] ALPHV/BlackCat ransomware
Vector: CWE-522: Insufficiently Protected Credentials
California-based mortgage lender LoanDepot was attacked by the ALPHV/BlackCat ransomware gang between January 3-5, 2024. Approximately 16.9 million customers had their personal …
2023-12-25
[malware] Money Message
Vector: Money Message ransomware gained access to Anna Jaques Hospital network; initial access vector not publicly disclosed
Anna Jaques Hospital in Newburyport, Massachusetts was attacked on Christmas Day 2023 by the Money Message ransomware group, which claimed 600 GB of data was stolen. 316,342 …
2023-12-20
Vector: Threat actors gained access to First American Financial systems and exfiltrated non-production data before encrypting it; initial access vector not publicly disclosed
First American Financial Corp (one of the largest US title insurance providers) shut down its systems in late December 2023 after attackers accessed and encrypted non-production …
2023-11-28
[vendor] Integris Health (Oklahoma hospital system)
Vector: Unknown
Attackers gained access to Integris Health's network on 28 November 2023. On 24 December 2023, Integris discovered that patients were being directly contacted by the cybercriminal …
2023-11-10
[vendor] Citrix NetScaler ADC/Gateway
[cve] CVE-2023-4966
Vector: Attackers exploited a Citrix Bleed vulnerability (CVE-2023-4966) in DP World's Citrix NetScaler infrastructure to gain unauthorized access to the company's network; the vulnerability allowed session token hijacking without authentication
DP World Australia, which operates approximately 40% of Australia's container port throughput across terminals in Sydney, Melbourne, Brisbane, and Fremantle, suffered a cyberattack …
2023-11-10
[vendor] DP World Australia port operations technology
Vector: Unknown attacker (ALPHV/BlackCat ransomware suspected) gained access to DP World Australia's internal IT network by exploiting a vulnerability in internet-facing systems; the attack disrupted the operational technology systems managing container movements
On 10 November 2023, DP World Australia — one of Australia's largest port operators, managing approximately 40% of Australian container port operations across Port Botany (Sydney), …
2023-11-10
[vendor] Citrix workspace
[malware] Hunters International ransomware
Vector: Exploitation of a Citrix workspace software vulnerability to gain network access
Fred Hutchinson Cancer Center (Fred Hutch), a major Seattle-based research hospital, suffered a ransomware attack between November 10–25, 2023. The Hunters International group …
2023-10-01
[vendor] Citrix NetScaler ADC / NetScaler Gateway
[malware] LockBit 3.0
[cve] CVE-2023-4966
Vector: CWE-200: Exposure of Sensitive Information (Citrix Bleed - memory disclosure of valid session tokens enabling auth bypass)
LockBit 3.0 affiliates exploited Citrix Bleed (CVE-2023-4966) to breach Boeing Distribution Inc. (parts and distribution business). Session token extraction from Citrix NetScaler …
2023-09-25
[vendor] Johnson Controls International plc IT infrastructure
[malware] Dark Angels ransomware
Vector: Dark Angels ransomware group gained access to Johnson Controls' internal network via a compromised subsidiary (Asia-Pacific offices); established persistent access and exfiltrated approximately 27TB of data before deploying ransomware
On 25 September 2023, Johnson Controls International — a global conglomerate manufacturing building automation systems, HVAC systems, fire safety systems, and physical security …
2023-08-11
[vendor] Clorox Company IT infrastructure
[malware] ALPHV/BlackCat ransomware
Vector: ALPHV/BlackCat ransomware affiliates (Scattered Spider) gained access to Clorox's network; the attack used the same social engineering techniques deployed against MGM and Caesars — helpdesk vishing and MFA fatigue to impersonate employees and gain network access
On 11 August 2023, Clorox Company — one of the world's largest consumer goods manufacturers (Clorox, Hidden Valley, Burt's Bees, Kingsford charcoal) — detected a cyberattack and …
2023-08-09
[vendor] Rapattoni MLS-as-a-Service
Vector: Ransomware attack on Rapattoni Corp. cloud infrastructure hosting MLS software as a service; initial vector not publicly disclosed
Ransomware hit Rapattoni Corp. (California-based MLS software provider serving ~100 MLSs and approximately 5% of US MLSs) on 9 August 2023. The attack froze MLS systems used by …
2023-04-28
[vendor] HWL Ebsworth law firm internal systems
[malware] ALPHV/BlackCat ransomware
Vector: ALPHV/BlackCat ransomware-as-a-service affiliates compromised HWL Ebsworth's network via unknown initial access vector; spent time in the network exfiltrating approximately 4 terabytes of data before being detected
In late April 2023, ALPHV/BlackCat ransomware affiliates breached HWL Ebsworth — one of Australia's largest national law firms with offices in all Australian capital cities and …
2023-03-22
[malware] Black Basta ransomware
Vector: Phishing email leading to malware download; threat actor then escalated privileges over 58 hours before deploying ransomware (critical 58-hour delay in quarantining the initially infected device)
Capita, a major UK outsourcing company providing services across government, defence, and pension administration, was hit by Black Basta ransomware on March 31, 2023 (initial …
2023-03-12
[vendor] PharMerica pharmacy benefits management systems
[malware] Money Message ransomware
Vector: Money Message ransomware group gained access to PharMerica's network via unknown initial access vector; the group exfiltrated patient data and deployed ransomware; PharMerica is a major pharmacy benefits management company operating in long-term care facilities
In March 2023, Money Message ransomware attacked PharMerica Corporation — one of the largest pharmacy benefit management companies in the US, providing pharmacy services to …
2023-02-23
[vendor] Dish Network / EchoStar internal systems
[malware] Black Basta ransomware
Vector: Black Basta ransomware group attacked Dish Network's internal network; specific initial access vector not publicly disclosed; the attack encrypted internal systems and exfiltrated data
On 23 February 2023, Dish Network and its parent EchoStar suffered a Black Basta ransomware attack that caused a several-day outage affecting Dish Network's websites, call centers, …
2023-02-23
[malware] Black Basta ransomware
Vector: Attackers used compromised VPN credentials to access Dish Network's Windows Active Directory domain, then moved laterally and deployed ransomware across Dish's IT infrastructure
On February 23, 2023, Dish Network — a major US satellite TV provider — suffered a ransomware attack (attributed to Black Basta) that took down its internal systems, customer …
2023-01-10
[vendor] Royal Mail international shipping systems
[malware] LockBit 3.0
Vector: CWE-1391: Use of Weak Credentials (compromised credentials; exact initial vector not publicly disclosed)
LockBit ransomware hit Royal Mail's Heathrow Worldwide Distribution Centre on Jan 10, 2023, disrupting international mail for 6 weeks. LockBit initially demanded $80M ransom, lowered …
2022-12-02
[vendor] Rackspace Hosted Exchange (managed Microsoft Exchange service)
[malware] Play ransomware
[cve] CVE-2022-41080, CVE-2022-41082
Vector: Play ransomware group exploited CVE-2022-41080 (OWASSRF — Microsoft Exchange Server ProxyNotShell bypass) combined with CVE-2022-41082 to achieve remote code execution on Rackspace's Hosted Exchange environment; the vulnerability bypassed existing mitigations Rackspace had applied for ProxyNotShell
On 2 December 2022, Play ransomware attacked Rackspace's Hosted Exchange email service, forcing Rackspace to permanently shut down the service. Rackspace had approximately 30,000 …
2022-10-03
[vendor] CommonSpirit Health hospital IT infrastructure
[malware] Hive ransomware
Vector: Hive ransomware group gained access to CommonSpirit's internal network via compromised credentials; attackers had access from 16 September through 3 October 2022 before the attack was detected; specific initial access vector (likely phishing or RDP) was not fully disclosed
On 3 October 2022, CommonSpirit Health — the second-largest nonprofit hospital system in the United States with 140 hospitals and over 1,000 care sites across 21 states — was hit …
2022-09-03
[malware] Vice Society ransomware
Vector: Vice Society ransomware group gained access to LAUSD's network; initial access vector not officially confirmed but consistent with credential theft or exploitation of internet-facing systems; attackers exfiltrated approximately 500GB of data before deploying ransomware over the Labor Day weekend
The Los Angeles Unified School District (LAUSD), the second-largest school district in the United States (serving approximately 600,000 students and 74,000 employees), suffered a …
2022-08-25
[vendor] Medibank Private health insurance platform
[malware] BlogXX / REvil variant
Vector: CWE-308: Use of Single-Factor Authentication (stolen VPN credentials; VPN lacked MFA, only requiring device certificate or username/password)
A Russian cybercriminal (Aleksandr Ermakov, sanctioned by Australia in Jan 2024) accessed Medibank's network from Aug 25 to Oct 13 2022 via stolen privileged VPN credentials that were not protected by MFA. …
2022-04-25
[vendor] Yuma Regional Medical Center hospital IT systems
Vector: Ransomware group breached Yuma Regional Medical Center's network, gaining access to systems containing patient information; the specific initial access vector was not publicly disclosed
On 25 April 2022, Yuma Regional Medical Center (YRMC) — the primary regional hospital for southwestern Arizona serving Yuma, Arizona and surrounding areas — discovered a ransomware …
2021-12-11
[vendor] UKG Kronos Private Cloud
Vector: CWE-506: Embedded Malicious Code (ransomware; attack vector not publicly disclosed by UKG)
Ransomware struck UKG's (Ultimate Kronos Group) Kronos Private Cloud on December 11 2021, taking down workforce management and payroll processing systems used by thousands of large …
2021-12-11
[vendor] UKG (Ultimate Kronos Group) Kronos Private Cloud
Vector: Unknown ransomware group compromised UKG/Kronos's cloud-based workforce management platform (Kronos Private Cloud); specific initial access vector was not disclosed; the attack encrypted the Kronos Private Cloud environment requiring several weeks to restore
On 11 December 2021, UKG (Ultimate Kronos Group) — one of the world's largest workforce management software providers serving over 40 million people across 57,000 organisations …
2021-12-04
[vendor] Eye Care Leaders myCare Integrity EHR platform
Vector: Unknown ransomware group attacked Eye Care Leaders' myCare Integrity EHR platform — a managed service ophthalmology-specific EHR system used by hundreds of practices; attackers encrypted data and deliberately deleted database tables and audit logs, making it impossible to determine the full scope of data access
On 4 December 2021, Eye Care Leaders — a provider of EHR and practice management software specifically designed for ophthalmology practices — suffered a ransomware attack that …
2021-12-01
Vector: Ransomware attackers compromised Lincoln College's systems in December 2021, encrypting systems critical to student recruitment, retention, and fundraising operations; the attack prevented access to all institutional data for several months
Lincoln College, a historically Black liberal arts college in Lincoln, Illinois, founded in 1865 (the same year Abraham Lincoln was assassinated), announced in May 2022 that it …
2021-08-04
[vendor] Eskenazi Health hospital IT systems
[malware] Vice Society ransomware
Vector: Ransomware group (Vice Society) gained access to Eskenazi Health's network during a dwell period prior to the attempted encryption; Eskenazi detected the encryption attempt and brought systems offline before full encryption was completed; however, attackers had already exfiltrated patient data during the dwell period
On 4 August 2021, Eskenazi Health — Indianapolis's primary safety-net hospital serving the city's most vulnerable and uninsured populations, and the only Level I adult trauma …
2021-08-01
[vendor] Roper St. Francis Healthcare — South Carolina hospital system IT systems
Vector: Ransomware group breached Roper St. Francis Healthcare's network and accessed a scheduling application containing patient demographic and appointment data; the specific initial access vector was not publicly disclosed
On approximately 1 August 2021, Roper St. Francis Healthcare — a nonprofit hospital system based in Charleston, South Carolina operating multiple hospitals and medical facilities — …
2021-05-30
[vendor] JBS USA meat processing systems
[malware] REvil / Sodinokibi
Vector: CWE-521: Weak Password Requirements (brute-forced or leaked credentials; poor overall security posture confirmed by DHS internal review)
A REvil (Russian) ransomware attack hit JBS S.A., the world's largest meat processor, on May 30 2021, disrupting beef and pork slaughter facilities in the US, Canada and Australia. JBS paid $11M USD …
2021-05-30
[vendor] JBS Foods IT infrastructure (North America and Australia)
[malware] REvil (Sodinokibi)
Vector: REvil ransomware-as-a-service affiliate obtained credentials to JBS's VPN; specific initial access vector was compromised remote access credentials; the attack targeted JBS's North American and Australian operations simultaneously
On 30 May 2021, JBS S.A. — the world's largest meat processing company, processing approximately one-fifth of all US beef — was hit by a REvil ransomware attack that forced the …
2021-05-14
[malware] Conti ransomware; Cobalt Strike
Vector: Phishing email delivered to a workstation on March 16, 2021; the workstation had a Cobalt Strike beacon installed, enabling remote access; attackers spent 8 weeks conducting reconnaissance before deploying Conti ransomware on May 14, 2021
On May 14, 2021, Conti ransomware operators attacked Ireland's Health Service Executive (HSE) — the country's entire national public health system — encrypting approximately 80,000 …
2021-05-07
[malware] DarkSide
Vector: CWE-308: Use of Single-Factor Authentication (compromised VPN account lacking MFA)
A DarkSide ransomware affiliate (Russian-based) compromised Colonial Pipeline via leaked VPN credentials for a legacy account lacking MFA. 100 GB of data was exfiltrated the day before …
2021-04-28
[malware] DarkSide
Vector: CWE-312: Cleartext Storage of Sensitive Information (DarkSide actors purchased stolen credentials to access the corporate network)
DarkSide ransomware attacked Brenntag, one of the world's largest chemical distribution companies (Germany-headquartered, North America division targeted), on approximately April …
2021-04-26
[malware] Conti ransomware
Vector: Conti ransomware operators gained access to Scripps Health's network on April 26, 2021; exfiltrated patient data before deploying ransomware on May 1, 2021, taking Scripps systems offline; a Russian national (Maksim Galochkin) was later federally indicted in connection with the attack as part of the Conti/TrickBot prosecution
On May 1, 2021, Scripps Health — San Diego's second-largest healthcare provider operating five hospitals and 19 outpatient facilities — suffered a Conti ransomware attack that took …
2021-04-07
[vendor] Reproductive Biology Associates (RBA) — Atlanta fertility clinic IT systems
[malware] DoppelPaymer ransomware
Vector: DoppelPaymer ransomware group breached Reproductive Biology Associates' network, encrypted a file server containing embryology data, and exfiltrated patient data including highly sensitive fertility treatment records and embryo storage information
On 7 April 2021, Reproductive Biology Associates (RBA) — an Atlanta, Georgia fertility clinic — and its affiliate My Egg Bank North America suffered a DoppelPaymer ransomware …
2021-03-28
[vendor] Nine Entertainment Company IT and broadcast systems
[malware] Conti ransomware
Vector: Conti ransomware group attacked Nine Entertainment via unknown initial access vector; the attack encrypted systems across Nine's network including broadcast and production systems
On 28 March 2021, Nine Entertainment — Australia's largest media and entertainment company, operating the Nine Network (free-to-air TV), The Sydney Morning Herald, The Age, The …
2021-03-21
[malware] Phoenix CryptoLocker (WastedLocker variant); SocGholish
Vector: Evil Corp-affiliated attackers used a fake browser update (SocGholish/FakeUpdates malware) delivered via a watering hole or malicious website to gain initial access; deployed Phoenix CryptoLocker (a variant of WastedLocker) across CNA's network
CNA Financial Corporation, one of the largest commercial insurance companies in the United States, suffered a ransomware attack on March 21, 2021 that disrupted its operations for …
2021-03-21
[vendor] CNA Financial internal network and endpoint systems
[malware] Phoenix CryptoLocker (Evil Corp)
Vector: Evil Corp affiliate used a fake browser update delivered via a legitimate website (watering hole / drive-by download) to deploy the Phoenix CryptoLocker ransomware; CNA employees were redirected to a malicious page that pushed a malicious update package
On 21 March 2021, CNA Financial — one of the largest commercial insurance companies in the United States — suffered a ransomware attack using a new malware strain called Phoenix …
2021-03-14
[vendor] Microsoft Exchange Server
[malware] REvil (Sodinokibi) ransomware
[cve] CVE-2021-26855
Vector: REvil gained initial access to Acer's network via the ProxyLogon Microsoft Exchange Server vulnerability (CVE-2021-26855) — exploiting the critical zero-day mere days after public disclosure
On March 14, 2021, REvil ransomware operators attacked Acer, the Taiwanese PC manufacturer, using the freshly-disclosed ProxyLogon Exchange vulnerability (CVE-2021-26855, disclosed …
2021-02-19
[malware] DarkSide
Vector: CWE-506: Embedded Malicious Code (DarkSide ransomware)
DarkSide ransomware attacked fashion retailer Guess (NYSE: GES) in February 2021, exfiltrating data before encryption. DarkSide published a sample of stolen files on their leak …
2021-01-23
Vector: Ransomware attackers penetrated WestRock's network and deployed ransomware that affected both IT systems and operational technology (OT) systems, including manufacturing and operational systems at packaging production facilities
WestRock Company, one of the largest corrugated packaging and paperboard manufacturers in the world, disclosed on January 25, 2021 that it had suffered a ransomware attack on …
2020-10-28
[malware] DoppelPaymer
Vector: CWE-506: Embedded Malicious Code (DoppelPaymer ransomware; likely delivered via phishing)
DoppelPaymer ransomware crippled the University of Vermont Health Network on October 28 2020, affecting all six of its hospitals and hundreds of medical staff. The attack knocked …
2020-10-28
[vendor] University of Vermont Health Network IT infrastructure (6-hospital network)
[malware] DoppelPaymer ransomware
Vector: DoppelPaymer ransomware group gained initial access via phishing email delivering the Emotet banking trojan, which subsequently dropped the Ryuk precursor; the attack targeted the University of Vermont Medical Center and its health network affiliate hospitals simultaneously
On 28 October 2020, the University of Vermont Medical Center (UVMMC) and its University of Vermont Health Network — encompassing six hospitals and approximately 1,000 providers …
2020-09-27
[malware] Ryuk ransomware; TrickBot; Emotet
Vector: Phishing email leading to TrickBot banking trojan infection, which then delivered Emotet and ultimately Ryuk ransomware across UHS's network via lateral movement
On September 27, 2020, Universal Health Services (UHS) — one of the largest US hospital chains with 400 facilities across the US and UK — was struck by Ryuk ransomware, causing one …
2020-09-09
[vendor] University Hospital Düsseldorf IT infrastructure / Citrix ADC
[malware] DoppelPaymer ransomware
[cve] CVE-2019-19781
Vector: Ransomware group exploited CVE-2019-19781 — a critical path traversal vulnerability in Citrix Application Delivery Controller (Citrix ADC / NetScaler) — to gain initial access to University Hospital Düsseldorf's network; the unpatched Citrix vulnerability had been known and widely exploited since January 2020
On 9 September 2020, ransomware (assessed as DoppelPaymer) crippled the IT systems of University Hospital Düsseldorf (Universitätsklinikum Düsseldorf) — one of Germany's largest …
2020-07-23
[malware] WastedLocker ransomware; FakeUpdates (SocGholish)
Vector: Evil Corp used FakeUpdates (SocGholish) — fake browser update JavaScript injected into compromised websites — to deliver a NetSupport RAT dropper that installed WastedLocker ransomware on Garmin's corporate network
On July 23, 2020, Evil Corp (a Russian cybercrime organization led by Maksim Yakubets, sanctioned by OFAC) deployed WastedLocker ransomware against Garmin, encrypting the company's …
2020-04-18
[malware] Maze
Vector: CWE-506: Embedded Malicious Code (Maze ransomware; initial access vector not publicly confirmed, likely phishing or exploitation of exposed services)
Maze ransomware group attacked Cognizant, a Fortune 500 IT managed services provider with ~300,000 employees, on April 18 2020. The attack disrupted services for clients across …
2020-04-11
Vector: Attackers sent a spear-phishing email impersonating a Magellan Health client, gaining access to a corporate server; exfiltrated data then deployed ransomware
Magellan Health, one of the largest managed care companies in the United States (specializing in behavioral health and pharmacy benefits), disclosed in May 2020 that it suffered a …
2020-04-11
[vendor] Magellan Health managed care / specialty health company IT systems
Vector: Ransomware attackers sent a phishing email impersonating a Magellan Health client to a Magellan employee; the email installed malware that harvested login credentials; the attacker used stolen credentials to gain access to the Magellan server and deployed ransomware after exfiltrating data
On 11 April 2020, Magellan Health — a Fortune 500 managed care company specialising in behavioral health, pharmacy benefits, and radiology benefits management — suffered a …
2020-03-13
[malware] CLOP
Vector: CWE-506: Embedded Malicious Code (CLOP ransomware; initial vector not confirmed)
CLOP ransomware group attacked ExecuPharm, a US clinical research organisation (CRO) and pharmaceutical services company, on March 13 2020. After the company declined to pay, CLOP …
2020-02-07
[vendor] Blackbaud CRM (cloud fundraising and constituent relationship management platform)
Vector: Ransomware group gained access to Blackbaud's self-hosted customer cloud environments; the attackers spent approximately five months conducting reconnaissance and exfiltrating data prior to deploying ransomware; initial access vector was not fully disclosed
In February 2020, attackers breached Blackbaud — the world's largest provider of nonprofit and education CRM/fundraising software — and spent approximately five months in the …
2019-08-10
[vendor] Wood Ranch Medical Clinic (Simi Valley, California)
Vector: Ransomware attack against Wood Ranch Medical Clinic's servers and electronic health record (EHR) backup systems; both primary and backup systems were encrypted, making recovery impossible without paying the ransom; the clinic did not have offline backups
Wood Ranch Medical Clinic, a small family medical practice in Simi Valley, California, announced in August 2019 that it would permanently close on December 17, 2019 following a …
2019-03-19
[malware] LockerGoga
Vector: CWE-522: Insufficiently Protected Credentials (Active Directory compromise via stolen credentials, possibly via prior phishing)
LockerGoga ransomware struck Norsk Hydro, one of the world's largest aluminium producers, on March 19 2019. The attack spread across 22,000 computers in 40 countries, encrypting …
2018-07-14
[vendor] Laboratory Corporation of America Holdings (LabCorp) IT infrastructure
[malware] SamSam ransomware
Vector: Ransomware (SamSam variant) infected LabCorp's network; the attack vector was consistent with SamSam group's known techniques of exploiting exposed RDP endpoints or leveraging JBOSS server vulnerabilities to gain initial access and then deploy ransomware across the network
On 14 July 2018, LabCorp — one of the world's largest clinical laboratory networks, processing approximately 2.5 million patient specimens per week — suffered a SamSam ransomware …
2018-01-18
[vendor] Allscripts Healthcare Solutions (EHR and practice management software vendor)
[malware] SamSam ransomware
Vector: SamSam ransomware variant delivered via exploitation of vulnerable internet-facing servers (likely via RDP brute force or exploitation of unpatched JBoss/Java application servers — the same TTPs used in other SamSam campaigns); the ransomware encrypted servers hosting Allscripts' Professional EHR and electronic prescriptions for controlled substances (EPCS) cloud-hosted services
On January 18, 2018, Allscripts Healthcare Solutions — one of the largest electronic health record (EHR) vendors in the United States, serving more than 45,000 physician practices …
2018-01-18
[vendor] Allscripts Healthcare Solutions cloud EHR hosting infrastructure
[malware] SamSam ransomware
Vector: SamSam ransomware attackers targeted Allscripts' data centers in Raleigh, NC and Malvern, PA; SamSam is deployed via brute force of RDP credentials or exploitation of server vulnerabilities (JBOSS, JMX); the attackers gained access and deployed ransomware across Allscripts' cloud hosting infrastructure
On 18 January 2018, SamSam ransomware attackers encrypted systems at Allscripts Healthcare Solutions data centers, taking offline cloud-hosted electronic health record (EHR) and …
2018-01-01
[vendor] Multiple global victims of REvil/Sodinokibi and GandCrab ransomware (2018-2021)
[malware] REvil (Sodinokibi), GandCrab
Vector: REvil (Sodinokibi) is a ransomware-as-a-service (RaaS) operation that evolved from the GandCrab RaaS (which ran 2018-2019 and claimed revenues of over $2 billion); the REvil core developer and administrator was identified through a multi-year international law enforcement investigation involving German BKA, FBI, Europol, and partner agencies
In April 2026, German Federal Criminal Police (BKA — Bundeskriminalamt) announced that it had, in conjunction with international law enforcement partners, identified and publicly …
2017-05-12
[vendor] Microsoft Windows (SMBv1)
[malware] WannaCry (WannaCrypt, WannaCryptor)
[cve] CVE-2017-0144 +2
Vector: Self-propagating worm exploiting EternalBlue (CVE-2017-0144), an NSA-developed SMBv1 exploit leaked by Shadow Brokers on April 14, 2017; required no user interaction — propagated autonomously over TCP port 445 to vulnerable Windows systems
On May 12, 2017, WannaCry — a self-propagating ransomware worm — began spreading globally, infecting approximately 230,000 systems in 150+ countries within 24 hours. WannaCry …
2017-05-12
[vendor] NHS England / NHS Scotland IT infrastructure (Windows XP/7 systems)
[malware] WannaCry ransomware
[cve] CVE-2017-0144 +1
Vector: WannaCry ransomware worm exploited the EternalBlue NSA exploit (CVE-2017-0144) targeting unpatched Windows XP and Windows 7 systems across NHS organisations; many NHS trusts had not applied the March 2017 MS17-010 patch and were running legacy Windows XP systems no longer supported by Microsoft
On 12 May 2017, WannaCry ransomware caused the most significant cyberattack on the UK National Health Service in history. Of the 236 NHS Trusts in England, 80 were affected — about …