A recent data analysis by Comparitech has revealed that the average time for a U.S. healthcare organization to report a ransomware attack is 3.7 months, the shortest time out of all industries represented in the study. Across all industries, the average time to report a ransomware attack in 2023 was 5.1 months, a considerable increase from the average of 2.1 months in 2018.

In 2024, ransomware-related data breaches took an average of 3.7 months to report, although it is too early to obtain reliable reporting data, as ransomware victims are still reporting ransomware-related data breaches from last year.

Comparitech’s researchers analyzed data from 2,600 U.S. ransomware attacks since 2018. Over the entire period of study, the average time to report a data breach following a ransomware attack was 4.1 months. The legal sector delayed reporting data breaches for the longest time, taking an average of 6.4 months to report the data breach.

While healthcare had the shortest breach reporting times, one healthcare entity had an exceptionally long delay between the date of the attack and the issuing of notifications. Ventura Orthopedics experienced a ransomware attack in July 2020, yet it took 38 months for notification letters to be issued, which were not sent until September 2023.  Another healthcare entity had an exceptionally long delay before notifications were issued. It took two years from the date of the attack for Westend Dental to issue notification letters, earning the company a $350,000 financial penalty.

The reporting time is no doubt influenced by federal and state laws. In healthcare, the Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires regulated entities to report a data breach within 60 days of the date of discovery, and if the total number of affected individuals is not yet known, the regulated entity must report the breach using an estimated total for the number of affected individuals, with the estimated figure typically being 500 or 501. A figure of 500 affected individuals is the threshold for media announcements and public listing of the data breach on the HHS’ Office for Civil Rights breach portal.

Looking at the business sector only, healthcare also had one of the shortest delays, taking an average of 3.4 months to report the data breach, slightly ahead of utilities at 3.3 months. Healthcare businesses in this sector were not direct healthcare providers.

Comparitech also identified shorter breach reporting times in states that have implemented data breach notification laws, with an average time of 3.9 months to report a breach in those states compared to 4.2 months in other states. The states with the longest breach reporting times were Wyoming (7.3 months), the District of Columbia (6.6 months), and North Dakota (6.3 months), whereas the states with the shortest reporting periods were Montana (1.9 months), South Dakota (2.2 months), and Alaska (2.3 months).

While it may not be possible to issue notification letters quickly, it is important to announce ransomware attacks to allow potentially affected individuals to take steps to protect themselves. If it takes 4.1 months on average to report a ransomware-related data breach, that gives ample time for stolen data to be misused.

Ransomware groups that engage in double extortion list the stolen data on their data leak sites if the ransom is not paid, and the data can be downloaded by anyone. That means the data could be misused for several months before the affected individuals are notified. If a notice is added to the breached organization’s website, even if data theft has not been confirmed, consumers would be aware that they could potentially be at risk and could take steps to protect themselves.

The post Healthcare Organizations Take 3.7 Months To Announce Ransomware Data Breaches appeared first on The HIPAA Journal.

Microsoft, Fortinet & Ivanti have all notified customers about vulnerabilities in their products that are known to have been exploited by threat actors. Prompt patching is strongly recommended, and workaround/mitigations should be implemented if patching must be delayed.

Microsoft

On Patch Tuesday, Microsoft issued patches for five vulnerabilities known to have been exploited in the wild, plus two publicly disclosed zero-day vulnerabilities. The actively exploited  vulnerabilities are:

The following vulnerabilities have been publicly disclosed:

Microsoft also released patches for six critical vulnerabilities that are not known to have been exploited but should be prioritized. They affect Microsoft Office (CVE-2025-30377 and CVE-2025-30386), Microsoft Power Apps (CVE-2025-47733), Remote Desktop Gateway Service (CVE-2025-29967), and Windows Remote Desktop (CVE-2025-29966).

Fortinet

Fortinet has issued a security advisory about a critical vulnerability affecting its FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera products. The stack-based buffer overflow vulnerability has been assigned a CVSS v4 severity score of 9.6 (CVSS v3.1: 9.8) and can be exploited by a remote unauthenticated hacker by sending HTTP requests with a specially crafted hash cookie. Successful exploitation of the vulnerability can allow arbitrary code execution.

Fortinet said it has observed exploitation of the vulnerability on FortiVoice. The threat actor scanned the device network, erased system crashlogs, and enabled fcgi debugging to log credentials from the system or SSH login attempts. The vulnerability is tracked as CVE-2025-32756 and affects the following product versions:

Fortinet has issued indicators of Compromise in its security alert. If immediate patching is not possible, Fortinet recommends disabling the HTTP/HTTPS administrative interface

Ivanti

Ivanti has issued a security advisory about two vulnerabilities affecting the Ivanti Endpoint Manager Mobile (EPMM) solution, one is a medium severity flaw and the other is high severity flaw. The two vulnerabilities can be chained together and can allow unauthenticated remote code execution. Ivanti explained that the two vulnerabilities are associated with open-source code used in the EPMM, and not within Ivanti’s code.

The medium severity flaw is tracked as CVE-2025-4427 and is an authentication bypass flaw with a CVSS v3.1 severity score of 5.3. The second vulnerability is a remote code execution vulnerability with a CVSS v3.1 severity score of 7.2

Ivanti said users should upgrade to the latest version as soon as possible; however, risk can be greatly reduced if the user filters access to the API using the built-in Portal ACLs or an external WAF.

The post Microsoft, Fortinet & Ivanti Warn About Actively Exploited Zero Day Vulnerabilities appeared first on The HIPAA Journal.

New research from Black Kite has shed light on the changing ransomware ecosystem. Over the past year, there has been a marked shift from large ransomware syndicates conducting the bulk of attacks to an increasingly fragmented ransomware ecosystem with a growing number of smaller groups and lone actors.

The report is based on data collected by the Black Kite Research & Intelligence Team (BRITE) between April 2024 and March 2025, including victim analysis, dark web intelligence gathering, and continuous monitoring of ransomware operations. Out of the 150 ransomware groups tracked by BRITE, 96 were considered active, having conducted at least one attack in the past 12 months, a sizeable increase from the 61 active ransomware groups in April 2023. Out of the 96 active ransomware groups, 52 are entirely new groups that emerged in the past 12 months. Over that period, there was a 24% year-over-year increase in the number of publicly disclosed ransomware victims (6,046), which follows an 81% increase over the preceding year, amounting to a 123% increase in disclosed ransomware victims in the past two years.

When the ransomware ecosystem was dominated by large ransomware syndicates such as LockBit and ALPHV/BlackCat, there was a degree of predictability to the attacks, but the power vacuum left by the law enforcement operations against LockBit and the shutdown of ALPHV has led to the creation of many smaller groups, with some of the more experienced actors branching out on their own. With so many new groups, the ransomware ecosystem has become more chaotic, with less sophisticated attacks being conducted in greater volume. BRITE reports that these smaller groups tend to lack the infrastructure, discipline, and credibility of their predecessors, and this shift has resulted in an increase in attack volume, a fall in coordination, and growing unpredictability in how, where, and why attacks unfold.

One trend that has emerged is a shift from attacks on larger companies with deeper pockets to attacks on small to medium-sized businesses (SMBs), which tend to have poorer defenses, smaller cybersecurity teams, and carry a lower risk of retaliation from law enforcement. The potential rewards from conducting the attacks are lower, with BRITE reporting a 35% reduction in ransom payment values in the past 12 months; however, the overall impact of ransomware attacks has widened. In 2024, the average ransom demand was $4,24 million, the median ransom payment was $2 million, and the average ransom payment was $553,959. SMBs with between $4 and $8 million appear to be the sweet spot in terms of ease of conducting attacks and ransom payment value.

In terms of targets, ransomware groups tend to conduct strategic attacks with the top three targets unchanged year-over-year. Manufacturing was the most targeted sector with 1,315 victims over the past 12 months. Attacks on the sector tend to result in massive disruption to business operations, with the costs of downtime increasing the probability of ransoms being paid. Professional and technical services were the second-most targeted sector with 1,040 attacks, followed by healthcare and social assistance with 434 known attacks.

In terms of the growth of attacks on different sectors, excluding the mass exploitation of vulnerabilities by the Clop group as an outlier, wholesale trade saw the biggest growth with a 2.27% increase in attacks, with healthcare and social assistance in second with 1.44% growth. Physicians and health practitioners overtook hospitals in terms of victim count, as they tend to have far weaker security, lack dedicated security teams, and handle reasonable volumes of sensitive patient data, making them low-hanging fruit with significant extortion potential.  These smaller healthcare providers accounted for 38% of attacks, with hospitals in second spot (20%), social assistance in third (11%), and nursing and residential facilities in fourth (9%).

BRITE also reports deeper entanglement in supply chains, with ransomware groups increasingly targeting third-party vendors, as an attack on a vendor can easily allow the ransomware actor to attack and attempt extortion on dozens of downstream organizations. BRITE reports that ransomware was behind 67% of all known third-party breaches. “Incidents involving Change Healthcare, Blue Yonder, and CDK Global made clear that ransomware’s impact is no longer contained within the four walls of the initially affected organization,” explained Black Kite in the report. “When threat actors compromise a widely used vendor, the effects ripple outward, paralyzing downstream businesses in multiple sectors. In this way, ransomware is increasingly a supply chain problem, not just a cybersecurity one.”

Black Kite predicts a deepening fragmentation of the ransomware ecosystem over the coming year, an increase in double targeting of victims with different ransomware variants deployed in a short space of time, speedier attacks with reduced dwell time between initial access and ransomware deployment, and increased automation and AI-assisted reconnaissance.

The post Ransomware Attacks Increase 123% in 2 Years with 52 New Groups Emerging in 2024 appeared first on The HIPAA Journal.

A critical vulnerability affecting multiple Oracle products is being exploited in the wild. The vulnerability was dubbed The Miracle Exploit by the security researchers who discovered it, due to its severity and the number of products they affected – all products based on Oracle Fusion Middleware and Oracle online systems. The vulnerability is one of a pair of related vulnerabilities that were discovered two years apart. The vulnerabilities can be chained, and both can lead to remote code execution.

The Oracle Fusion Middleware products are used to build web interfaces for Java EE applications and any website developed by ADF Faces framework is affected. The vulnerabilities also affect Oracle Business Intelligence, Enterprise Manager, Identity Management, SOA Suite, WebCenter Portal, Application Testing Suite, and Transportation Management. The vulnerabilities are tracked as CVE-2022-21445 (CVSS 9.8) and CVE-2022-21497 (CVSS 8.1) and can be exploited easily by an unauthenticated attacker with network access via HTTP for an application takeover. Successful exploitation can lead to a full system compromise and lateral movement within a network. The vulnerabilities could be exploited to steal sensitive data and could be leveraged by ransomware groups in the future.

CVE-2022-21445 is a deserialization of untrusted data vulnerability and CVE-2022-21497 is a server-side request vulnerability. The first vulnerability allows remote code execution, and the second one could be exploited for lateral movement to other Oracle systems and can also lead to remote code execution. Oracle released patches to fix the vulnerabilities in April 2022, 6 months after the CVE-2022-21445 vulnerability was discovered. In September, the Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2022-21445 Miracle Exploit vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. No information was released about the extent to which the vulnerability has been exploited, and there have been no public reports of exploitation, although CISA does receive some reports privately.

Due to the severity of the vulnerabilities and their impact, the Health Sector Cybersecurity Coordination Center has recently released an analyst note warning the healthcare and public health sector about the risk of exploitation. Healthcare organizations could be vulnerable if they use Oracle Fusion products that rely on the ADF Faces framework. HC3 warns that if the vulnerable Oracle middleware components are integrated into their software for managing electronic medical records or other critical systems, exploitation of the vulnerabilities could result in data breaches, operational disruptions, and potentially regulatory penalties.

HC3 recommends applying the latest patch for Oracle JDeveloper, segmenting networks and ensuring environments that use JDeveloper are isolated from production systems, and limiting access to JDeveloper environments to trusted users only and enforcing strong authentication mechanisms.

The post HPH Sector Warned About Exploitation of Miracle Exploit Vulnerabilities in Oracle Systems appeared first on The HIPAA Journal.

A warning has been issued by the HHS’ Health Sector Cybersecurity Coordination Center (HC3) about a financially motivated group known as Scattered Spider. Many cybercriminal groups are Russian-speaking and are based in Russia or the Commonwealth of Independent States; however, Scattered Spider is a native English-speaking group and its members are believed to be mostly located in the United States and the United Kingdom. There have been four arrests in those countries but the group remains active. Intelligence gathered on the group suggests the members are mostly in the 19-22 age group.

Rather than develop their own malware payloads and attack tools, Scattered Spider uses publicly available tools and malware developed by other threat actors. Legitimate tools known to have been leveraged by the group include remote monitoring and management solutions such as AnyDesk, Connectwise Control, ASG Remote Desktop, Screenconnect, and Splashtop; Mimikatz and LaZagne for credential theft; and Ngrok to create secure tunnels to remote web servers.

The group has previously used multiple malware variants in its operations including Atomic, Racoon Stealer, VIDAR Stealer, and Meduza Stealer, as well as phishing kits such as EIGHTBAIT and Oktapus, and the BlackCat and Ransomhub ransomware variants. The group has also collaborated with the Qilin threat group.

Information stealers are commonly used to obtain credentials for initial access, and then living-off-the-land techniques are used to evade security solutions while the group moves laterally within networks, disabling security solutions and stealing sensitive data. Attacks often end with the deployment of ransomware.

Scattered Spider uses advanced social engineering tactics, with its members well-versed in spear phishing, smishing, and voice phishing. One campaign attributed to Scattered Spider involves spear phishing voice techniques, where members of the IT Help Desk are targeted over the phone with the group posing as employees, sometimes aided by artificial intelligence to impersonate voices.

The aim is to trick the IT Help Desk into performing password resets and registering their own devices to receive multifactor authentication codes. The Help Desk is provided with personal information about the person they are impersonating and usernames and employee IDs obtained in previous stages of its attacks. HC3 has previously issued a warning about this campaign as healthcare organizations were among the group’s victims.

Scattered Spider has been active since at least 2022 and was initially focused on customer relationship management (CRM), business process outsourcing (BPO), telecommunications, and technology companies; however, the group has since expanded its targeting and has been attacking a broader range of sectors. While the healthcare industry has not been extensively targeted by the group, healthcare organizations have been attacked. The Scattered Spider threat actor profile shares indicators of compromise and recommended mitigations to improve defenses.

The post HC3 Issues Warning About Scattered Spider Threat Actor appeared first on The HIPAA Journal.

The majority of healthcare data breaches reported in the past few years are due to hacking incidents but many of these security incidents do not involve the exploitation of vulnerabilities in software and operating systems for initial access. Far more common is the exploitation of human vulnerabilities, where healthcare workers are tricked into providing cyber actors with access to internal systems and sensitive data. According to the Verizon 2024 Data Breach Investigations Report, more than two-thirds of breaches involve the human element rather than the exploitation of weaknesses and vulnerabilities in technology.

One of the most common methods used is phishing, where a cyber actor makes contact with a healthcare employee and convinces them to visit a malicious website where they are asked to enter their credentials or are convinced to download a malicious file, both of which give the cyber actor the access they need. With phishing, the initial contact is often via email, although an increasing number of phishing attacks are now occurring via SMS (smishing), instant messaging platforms, social media networks, and over the telephone (vishing).

Phishing usually involves deception and impersonation. A trusted individual, company, or institution is impersonated, and the targeted individual is provided with a seemingly legitimate reason for taking the requested action. This could be a request for collaboration on a report, a notification about a failed delivery, a missed payment of an invoice, or a security warning. There is often a threat of negative consequences if no action is taken, commonly a pressing matter such as impending loss of service, a significant charge that will soon be applied to an account, or unauthorized account access that warrants immediate steps to secure the account.

The techniques used in phishing are known as social engineering – manipulation, influencing, or deceiving someone into taking a certain action, which in cybersecurity terms involves gaining unauthorized access to computer systems, financial accounts, or sensitive data. While phishing is one of the best-known attack methods that uses social engineering techniques, cyber actors use social engineering in other types of attacks to achieve similar goals. There is baiting, where social engineering is used to trick someone into taking an action to obtain something of value, such as to be entered into a free prize draw or get an amazingly low purchase price on goods and services. In order to get what is promised, sensitive information must be disclosed such as credentials, a credit/debit card number, or personal information.

Advances in artificial intelligence (AI) technology have provided cyber actors with a new way of manipulating individuals – deepfakes. Deepfakes take impersonation and deception to a new level, where trusted individuals are impersonated via audio or video. Deepfakes of authority figures can be created that are incredibly realistic, using synthesized facial images and speech or manipulated videos, photos, and audio recordings to trick people into taking any number of actions. Deepfakes can even be created in real-time, such as impersonating a CEO in a call to a help desk to request credentials be reset or to add an attacker-owned device to receive multifactor authentication codes, or in Zoom meetings where the meeting participants are convinced they are conversing with the genuine person.

Social engineering is the subject of the October 2024 cybersecurity newsletter from the HHS’ Office for Civil Rights. In the newsletter, OCR explains how social engineering is used in attacks on healthcare organizations and how to identify and avoid social engineering attacks. The newsletter also explains how compliance with the HIPAA Security Rule can help HIPAA-regulated entities improve their defenses against social engineering and mitigate threats.

“Attackers have learned how to convincingly imitate our loved ones and our business partners, meaning that nothing can be assumed or taken at face value. Attackers continue to refine their manipulation through social engineering tradecraft. All of these threats have a common theme; they all attempt to convince an individual to do something they would not otherwise do normally, or to provide details such as credentials someplace other than where they should be used,” explained OCR in the newsletter. “Educating workforce members on these attacks is essential when it comes to an individual’s ability to identify and potentially halt social engineering attacks before they start. Such knowledge is powerful not only to protect individuals in their personal online activities, but also by extension an individual’s employer. This is especially important in the current environment where work is taken home on laptops, smartphones, and through remote work.”

The post OCR Offers Advice on Recognizing, Avoiding, and Mitigating Social Engineering Attacks appeared first on The HIPAA Journal.

Ransomware groups target the healthcare sector because a successful attack gives them access to large amounts of sensitive data that can be easily monetized and used as leverage to get a ransom paid. Healthcare organizations are also heavily reliant on access to data to operate, therefore there is a higher probability that a ransom will be paid to regain access to encrypted data. Attacks on the sector are also increasing. According to Recorded Future, there were 358 ransomware attacks on healthcare organizations in 2023, a year-on-year increase of 46%.

A recent study by the cybersecurity firm Rubrik assessed the impact of ransomware attacks and found that attacks on healthcare providers impact more data than other industry sectors. Researchers at Rubrik Zero Labs determined that 20% of a healthcare organization’s sensitive data holdings are affected by a ransomware encryption event, compared to 6% in other industry sectors. That means 20% of healthcare data is encrypted, deleted, or stolen in an attack.

Healthcare organizations generally hold more sensitive data than other industry sectors. According to Rubrik’s analysis, healthcare organizations typically need to secure 50% more data than the global average, with healthcare organizations holding an average of 42 million sensitive data records compared to the global average of 28 million sensitive records.  The amount of data stored grows at a faster rate than other industries. In 2023, a typical healthcare organization saw its data estate grow by 27% compared to 23% for a typical global organization, and the number of sensitive data records in healthcare grew by 63% in the past year compared to the global average of 13%.

The data for Rubrik’s report – The State of Data Security: Measuring Your Data’s Risk – came from telemetry across the company’s customer base of 6,100 organizations and a study conducted by the Wakefield Research of more than 1,600 IT and security leaders. Across all industry sectors, 94% of IT security leaders said they had experienced a significant cyberattack in 2023, and an average of 30 attacks in the past year. One-third of IT security leaders said they had been affected by at least one ransomware attack, and 93% of organizations paid a ransom, with 58% of those paying to prevent the leaking of stolen data.

Dependence on the cloud is growing, with cloud architecture used to store 13 % of an organization’s data on average, compared to 9% the previous year. According to Rubrik’s telemetry, cloud storage has inherent risks as there are security blind spots. Rubrik reports that 70% of all cloud-stored data is in object storage, which typically has much lower security coverage than other areas. 88% of all data stored in object storage is not confirmed as machine-readable or is not covered by prominent security technologies and services, and more than 25% of object storage data is subject to regulatory or legal requirements, such as HIPAA.

“Despite the fallout of cyberattacks dominating headlines, data risk is an issue that continues to be murky — especially in terms of what security teams can actually change and what they cannot,” said Steven Stone, Head of Rubrik Zero Labs. “With this report, we aim to provide quantifiable insights that IT and security leaders can bring back to their organization to drive greater cyber resilience-in particular with their partners in the business and governance teams.”

The post Healthcare Ransomware Attacks Involve 20% of Stored Sensitive Data appeared first on HIPAA Journal.

The exploitation of vulnerabilities in software and operating systems is becoming far more common for initial access to networks, with phishing declining in prevalence, according to Mandiant’s M-Trends 2024 Report. Manidant, part of Google Cloud, is a leading provider of dynamic cyber defense, threat intelligence, and incident response services. The latest report is based on data from Mandiant Consulting investigations of targeted attack activity conducted between January 1, 2023, and December 31, 2023.

Exploited software vulnerabilities were the initial access method in 38% of intrusions investigated by Manidant, up 6% from 2022, with phishing used for initial access in 17% of incidents, down from 22% in 2022. Attackers are increasingly targeting edge devices and are exploiting a wide variety of vulnerabilities. In 2023, Mandiant identified 97 unique zero-day vulnerabilities being exploited in the wild, up 56% from 2022. The exploitation of zero day vulnerabilities used to be limited to a small number of threat actors, typically nation-state cyberespionage groups. While state-sponsored threat actors continue to target zero-day flaws, especially China-nexus threat actors, ransomware and data extortion groups are increasingly acquiring and utilizing 0days, helped by the rise of commercially available turnkey exploit kits.

Threat actors are combining exploits of zero-day flaws with living-off-the-land techniques, which involve native, legitimate tools within a system to allow them to maintain persistence for longer and avoid detection. One of the reasons for the decline in phishing as an initial attack vector is the widespread adoption of multifactor authentication (MFA). While MFA is effective at preventing phishing attacks, Mandiant has identified an increase in the use of web proxies and adversary-in-the-middle phishing pages that can steal credentials and login session tokens to bypass MFA. Defenses can be improved against these attacks by adopting phishing-resistant MFA.

Mandiant has also observed an increase in malware, with 626 new malware families identified in 2023, more than any other year to date. The most common malware families were backdoors (33%), downloaders (16%), droppers (15%), credential stealers (7%) and ransomware (5%). The industries most commonly targeted by threat actors were financial services (17%), business and professional services (13%), high technology (12%), retail and hospitality (9%), and healthcare (8%), with attacks increasingly targeting cloud environments, as more organizations transition to the cloud. The most likely reason for targeting these sectors is they store a wealth of sensitive information, including proprietary business data, personally identifiable information, protected health information, and financial records.

Mandiant’s data show that organizations are getting better at identifying intrusions. Last year, attackers were present in networks for a median of 10 days before the intrusions were detected, down from a median of 16 days in 2022. “Defenders should be proud, but organizations must remain vigilant. A key theme throughout M-Trends 2024 is that attackers are taking steps to evade detection and remain on systems for longer, and one of the ways they accomplish this is through the use of zero-day vulnerabilities,” Jurgen Kutscher, Vice President, Mandiant Consulting at Google Cloud, told The HIPAA Journal. “This further highlights the importance of an effective threat hunt program, as well as the need for comprehensive investigations and remediation in the event of a breach.”

The post Threat Actors Increasingly Targeting Vulnerabilities for Initial Access appeared first on HIPAA Journal.