The UK pathology lab Synnovis suffered a ransomware attack last year. It has taken 17 months to complete the highly complex data review and notify the affected healthcare provider clients.
Synnovis provides blood, urine, and specimen testing for many healthcare organizations in the United Kingdom and has a pathology partnership with Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust in London, and SYNLAB, a provider of laboratory, diagnostic, and advisory services.
The ransomware attack occurred on June 3, 2024, when the Qilin ransomware group encrypted files on its network. Before the files were encrypted, data was exfiltrated from the network. The ransomware attack caused massive disruption to business operations at Synnovis, interrupting many of its pathology services. Synnovis said that almost all of its IT systems were affected.
NHS trusts that relied on Synnovis for blood testing and other services were forced to cancel appointments, and the lack of blood testing led to a shortage of O-negative blood. The shortage continued for months, with stocks depleted across the country. Disruption to patient services was extensive, with more than 10,000 appointments cancelled in the wake of the attack.
Synnovis immediately launched an investigation and assembled a task force of experts from Synnovis, the affected NHS Trusts, NHS England, and third-party specialists to restore systems and data as quickly as possible. The UK’s National Crime Agency (NCA), the National Cyber Security Centre (NCSC), and the Information Commissioner’s Office (ICO) were notified, and Synnovis has been working closely with those agencies throughout the recovery process.
It took until late autumn 2024 to replace all of the affected IT infrastructure and restore systems and services to pre-attack operational levels. “By month four immediately after the cyberattack, we had rebuilt a new blood transfusion platform, by month five we had completed a substantial cloud migration of our core systems, and by November 2024 we had rebuilt over 75 applications and reconnected a vast pathology estate spanning seven locations from the ground up, including over 65 scientific analyzers and more than 120 individual connections”, explained Synnovis.
Determining which organizations and individuals had been affected and the data types involved has taken considerably longer. Synnovis explained that the ransomware group stole data in haste in a random manner from its working drives, and due to the exceptional scale and complexity of the data review, it has taken more than a year to complete. That process required bespoke systems and processes to be created to reconstruct the affected data.
Synnovis said the forensic analysis confirmed that no data was taken from its primary lab databases, and the data exfiltrated in the attack was not in a form that could easily be used by anyone with ill intent. Despite an extensive forensic investigation, it was not possible to determine how the ransomware group gained access to its network. All IT infrastructure impacted by the attack was completely replaced.
Synnovis said it consulted with its affected NHS trust partners, and the decision was taken not to pay the ransom. Doing so would have gone against its ethical principles, and the ransom would undoubtedly have been used to fund further attacks on other critical infrastructure entities, potentially threatening national security. The amount demanded by the ransomware group was not disclosed.
Synnovis has recently completed the data analysis and restoration, and the affected organizations are now being notified. Notifications will be completed by November 21, 2025, after which the affected organizations will decide whether notifications need to be issued to the affected patients under UK data protection laws. Synnovis stressed that the company will not be contacting any of the affected patients directly. Under UK data protection laws, it is down to the data controller to conduct their own legal and risk assessments to determine whether notifications are required. Any individual receiving a communication about the data breach that purports to have come directly from Synnovis rather than one of the affected organizations should assume it is a scam.
The incident clearly demonstrates the massive impact ransomware attacks can have on critical infrastructure. In this case, this was a calculated attack designed to cause as much damage and disruption as possible for financial gain.
June 22, 2024: Ransomware Group Leaks Data from 300 Million Patient Interactions with NHS
The Russian ransomware and extortion group Qilin has added the data stolen in the attack on Synnovis to its dark web data leak site after the deadline for paying the $50 million ransom demand expired.
Synnovis, a provider of pathology services to the UK’s National Health Service (NHS), was attacked by the Qilin ransomware group on June 3, 2024, resulting in disruption to many of its services. Multiple NHS trusts in London continue to be affected by the attack, with the recovery expected to take several weeks. Synnovis does not anticipate fully recovering from the attack for several months.
Two of the worst-affected NHS trusts were the King’s College Hospital Foundation Trust and Guy’s and St Thomas’ Foundation Trust, two of the busiest NHS trusts in the country. The attack affected 7 hospitals operated by those trusts, forcing them to cancel 1,134 planned operations and 2,194 outpatient appointments in the first 13 days following the attack. Blood tests in the capital are operating at around 10% of normal levels.
As is typical in ransomware attacks, Qilin exfiltrated data before encrypting files. In the early hours of Friday morning, Qilin uploaded 400 GB of confidential data to its dark web data leak site, where it can be freely downloaded by cybercriminals. The uploaded data includes information from more than 300 million patient interactions with the NHS. The data upload is currently being verified but it appears to be genuine.
The data contains personally identifying information and blood test results, including highly sensitive test results for HIV, sexually transmitted infections, and cancer. It is likely to take several weeks before the exact types of data and the number of affected individuals are known due to the scale of the data theft. The data breach does not appear to be limited to NHS patients. Synnovis also provides pathology services to private healthcare providers, and some of the stolen data is understood to include private healthcare records.
The affected patients may now be subjected to extortion attempts due to the sensitivity of some of the stolen data. For instance, cybercriminals could threaten patients who tested positive for HIV by making that information public if they do not pay to have their data deleted.
The UK’s National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) are currently considering taking retaliatory action against the hacking group. Since this was an attack that affected the NHS and included the theft of NHS data, the attack is effectively an attack on the state. One of the main priorities is to try to take down as much of the uploaded data as possible.
The NCA recently headed an international law enforcement operation against the LockBit ransomware group that resulted in the seizure of its command and control infrastructure in February 2024. While the operation was a success, it was short-lived. The LockBit infrastructure was rapidly rebuilt, and the group was able to continue its operations. According to a recent report from NCC Group, LockBit was the most active ransomware group in May 2024.
June 18, 2024: More Than 1,500 Appointments Cancelled Following Ransomware Attack on NHS Pathology Vendor
At least 1,500 operations and outpatient appointments had to be canceled at two NHS trusts – King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust – following the ransomware attack on Synnovis. The affected NHS hospitals remain open and are continuing to provide care as normal; however, appointments that rely heavily on pathology services have been postponed, and blood testing is being prioritized for the most serious cases. For instance, many individuals have had phlebotomy appointments canceled. The canceled appointments included more than 100 cancer treatments and 18 organ transplants.
That number is likely to grow considerably as other NHS trusts were also affected by the attack, and the 1,500 canceled appointments were only for the period from 3-9 June. Synnovis is expecting to be able to restore some of its IT functionality in the coming weeks but anticipates that disruption will likely continue to be experienced for several months.
The attack is continuing to disrupt blood-matching tests, which has forced the affected hospitals to use O Negative and O Positive blood for patients who can’t wait for alternative matching methods. That has led to a shortage of O-type blood, with the NHS responding to the shortage by calling for the public to urgently arrange blood donation appointments across the country, with the high demand likely to continue for several weeks.
The Qilin ransomware group behind the attack told Bloomberg that they demanded a $50 million ransom payment and required payment to be made within 120 hours. They also claimed to have gained access to the Synnovis network by exploiting a zero-day vulnerability, although they did not state what vulnerability they exploited. The Qilin group has yet to add Synnovis to its data leak site, which could indicate Synnovis is negotiating with the group.
June 5, 2024: Care Disrupted at London Hospitals Due to Ransomware Attack on Pathology Vendor
A ransomware attack on a UK-based provider of medical laboratory services is disrupting patient services at multiple NHS hospitals in London, including Guy’s Hospital, St Thomas’ Hospital, King’s College Hospital, Royal Brompton Hospital, Evelina London Children’s Hospital, and other care sites in six London boroughs – Bexley, Greenwich, Lewisham, Bromley, Southwark, and Lambeth. The attack has had a much wider impact than initially thought: the South London and the Maudsley (Slam) trust, the largest provider of mental health services in the country, and GP surgeries throughout South London are also affected.
Synnovis, a provider of diagnostic and pathology services, published an alert on its customer service portal on Monday, warning that all of its systems are currently unavailable. An investigation has been launched, and its IT team is trying to determine the cause of the outage. The attack has now been linked to a Russian cybercriminal group called Qilin, which is known for using ransomware to encrypt files on victims’ networks and demanding ransom payments to decrypt files and prevent the release of stolen data. The attack appears to be confined to Synnovis. Hospitals connected to the IT systems of Synnovis do not appear to have had their own systems infiltrated.
On Monday, Synnovis notified the affected NHS Trusts that it had experienced a malware attack, and later confirmed in email messages that it was a ransomware attack. A critical incident emergency status has been declared in the region. Synnovis is working with the National Cyber Security Centre and the Cyber Operations Team to investigate and recover from the attack, but cannot yet say how long its systems will be offline.
The affected hospitals have tried and tested business continuity plans for critical incidents such as ransomware attacks, and they are continuing to provide care for patients, although the attack is having a significant impact on the delivery of services at the affected hospitals. Emergency services are still available, but the hospitals have lost pathology services, cannot perform quick-turnaround blood tests, and blood transfusions are particularly affected, so much so that a nationwide appeal has been launched by the NHS for O blood-type donors.
As a result, all non-emergency pathology appointments have been canceled or redirected to other hospitals, and hospital staff have been instructed only to request emergency blood samples. Synnovis can still conduct blood tests, but the results are being printed out when obtained from its laboratories, and they are being hand-delivered, as the lack of access to computer systems is preventing electronic transmission.
One of the problems with an attack such as this is that until it can be determined exactly what the hackers have done while inside the compromised systems, data cannot be trusted. The hackers could have manipulated test results on which decisions about patient care are made. As a result, test results need to be re-run and results re-recorded due to the risk of data manipulation.
According to data from the Information Commissioner’s Office (ICO), there have been 215 ransomware attacks on hospitals in the United Kingdom since 2019. Last year, ransomware attacks reached record levels, with at least 1,231 attacks conducted across all industry sectors in the UK. Government officials are concerned that many attacks are not being reported.
This is also not the first ransomware attack to affect Synnovis in 2024. The BlackBasta ransomware group attacked Synnovis in April this year and published all the data stolen in the attack on its leak site when the ransom was not paid. Cybercriminal groups are known to work together and provide access to compromised networks to other groups. It is unclear if the BlackBasta attack is linked to the Qilin attack.
The post NHS Pathology Provider Synnovis Notifies Organizations Affected by June 2024 Ransomware Attack appeared first on The HIPAA Journal.