The threat from ransomware is greater than ever, according to a new report from GuidePoint Security. The cybersecurity firm recorded a 58% year-over-year increase in victims, making 2025 the most active year ever reported by GuidePoint Security. In 2025, GuidePoint Security tracked 2,287 unique victims in Q4, 2025 alone – the largest number of victims in any quarter tracked by the GuidePoint Research and Intelligence Team (GRIT). December was the most active month in terms of claimed victims, which increased 42% year-over-year to 814 attacks. On average, 145 new victims were added to dark web data leak sites every week in 2025, with the year ending with 7,515 claimed victims.

Law enforcement operations have targeted the most active groups, and there have been notable successes; however, they have had little effect on the number of victims, which continues to increase. Rather than the ransomware-as-a-service (RaaS) landscape being dominated by one or two major actors, law enforcement operations have helped create a highly fragmented ecosystem, with smaller groups conducting attacks in high volume, using repeatable operations. In 2025, GRIT tracked 124 distinct named ransomware groups – a 46% increase from 2024 and the highest number of groups ever recorded in a single year.

While ransomware attacks are conducted globally, as in previous years, ransomware actors are primarily focused on the United States, where 55% of attacks were conducted last year, followed by Canada, which accounted for 4.5% of attacks. The manufacturing sector was the most heavily targeted, accounting for 14% of attacks, followed by the technology sector (9%), and retail/wholesale (7%). Healthcare ranked in fourth spot, with more than 500 victims in 2025.

Qilin, the most prolific RaaS group in 2025, disproportionately targets the healthcare sector. The group, which emerged in June 2024, is based in Eastern Europe and is thought to be a rebrand of the Agenda ransomware group. In 2024, the group added 154 victims to its dark web data leak site, increasing that tally by 578% to 1,044 victims in 2025, most likely by increasing its number of affiliates, many of whom are thought to have previously worked with the RansomHub group that shut down operations in April 2025. The large number of affiliates, each with their own specialties, means the group uses diverse tactics in its attacks. To put the volume of attacks into perspective, in 2025, Qilin conducted more attacks than LockBit did at its peak.

Qilin has claimed more healthcare victims than any other ransomware group, one of the most notable of which was UK pathology lab Synnovis. That single attack has reportedly caused more than $40 million in losses. The group is expected to continue as the most dominant group in 2026, although expanding operations to such an extent will make it a target for law enforcement. INC Ransom was the second biggest threat to healthcare organizations in 2025, followed by SafePay. While SafePay has been observed targeting small to mid-sized organizations, the group claimed responsibility for the ransomware attack on Conduent Business Services, which recently confirmed that 14.7 million individuals in Texas alone had their data compromised in the attack.

A relatively new ransomware group called Sinobi has conducted several attacks on healthcare organizations since it emerged in mid-2025. The group picked up the pace in Q4, adding 149 victims to its data leak site. GRIT notes that such a significant increase in tempo just a few months after forming is indicative of an established rather than an emerging or developing RaaS group, indicating the group may be a rebrand or at least has some highly experienced affiliates. In 2026, Sinobi is expected to pose a significant threat to the healthcare sector. LockBit has also returned since the law enforcement disruption in 2024, adding 106 new victims to its data leak site in December. LockBit similarly has no qualms about attacking the healthcare sector and is likely to be a significant threat in 2026.

There is growing evidence that ransomware groups are incorporating AI into their operations, most commonly for social engineering to overcome language barriers, personalize social engineering, and craft contextually appropriate lures that bypass traditional detection methods. They are also thought to have adopted AI to analyze the vast amounts of data they exfiltrate in their attacks to identify high-value data and determine appropriate ransom demands. While there are fears of AI-powered attacks, that has yet to be observed, with threat actors using AI to augment existing capabilities, rather than create fully autonomous and AI-coded malware, although both could become accessible enough for broader adoption in 2026.

“The year 2026 will likely see continued convergence of criminal innovation and AI capabilities, demanding that defenders adopt equally sophisticated technologies and intelligence-led approaches,” concluded GRIT. “The organizations best positioned to withstand this evolution will be those that prioritize rapid detection and response, implement comprehensive identity and access controls, and integrate AI-powered defenses as essential components of their security architecture rather than experimental additions.”

The post Ransomware Attacks Increased by 58% in 2025 appeared first on The HIPAA Journal.

Mirion Medical has issued patches to fix five high-severity vulnerabilities in its EC2 Software NMIS BioDose software. Successful exploitation of the vulnerabilities could allow an attacker to gain unauthorized access to the application, modify program executables, access sensitive information, and potentially remotely execute code.

Mirion Medical EC2 Software NMIS BioDose is tracking software used by healthcare providers to keep track of inventory, doses, patient information, and billing. The vulnerabilities affect software versions prior to v23.0. Users have been urged to update to v23.0 or later versions to prevent the vulnerabilities from being exploited. Users with an active support contract can update to the latest version via the software. At the time of issuing the updated version, there had been no known exploitation of the vulnerabilities in the wild.

CVE-2025-64298 – CVSS v3.1: 8.4 | CVSS v4: 8.6

NMIS/BioDose V22.02 and previous version installations where the embedded Microsoft SQL Server Express is used are exposed in the Windows share accessed by clients in networked installs. The directory has insecure directory paths by default, allowing access to the SQL Server database and configurations, which may contain sensitive data.

CVE-2025-61940 – CVSS v3.1: 8.3 | CVSS v4: 8.7

NMIS/BioDose V22.02 and previous versions rely on a common SQL Server user account to access data in the database, and while users must supply a password in the client software, the underlying database connection always has access. An option has been added to use Windows user authentication with the database to restrict the database connection.

CVE-2025-62575 – CVSS v3.1: 8.3 | CVSS v4: 8.7

NMIS/BioDose V22.02 and previous versions rely on a Microsoft SQL Server database. The SQL user account – nmdbuser – and other created accounts have the sysadmin role, which could lead to remote code execution through the use of certain built-in stored procedures.

CVE-2025-64642 – CVSS v3.1: 8.0 | CVSS v4: 7.1

In NMIS/BioDose V22.02 and previous versions, installation directory paths have insecure file permissions by default. In certain deployments, this can allow users to modify program executables and libraries.

CVE-2025-64778 – CVSS v3.1: 7.3 | CVSS v4: 8.4

NMIS/BioDose software V22.02 and previous versions have executable binaries with plaintext hard-coded passwords, which could be exploited to gain unauthorized access to the application and database.

The post High Severity Vulnerabilities Patched in Mirion Medical EC2 Software NMIS BioDose appeared first on The HIPAA Journal.

A cryptocurrency mixing service used by criminals to launder the proceeds from their illegal activities has been shut down by Europol, Eurojust, and law enforcement agencies in Switzerland and Germany.

Cybercriminals, such as ransomware actors, typically receive payment for their attacks in cryptocurrency. Cryptocurrency transactions are not anonymous, as all transactions are recorded on the public blockchain and can be traced to the wallets receiving the funds. That means the proceeds from cybercrime can be traced to individuals if the wallet address is linked to a real-world identity. Cybercriminals use cryptocurrency mixing services to launder the proceeds from their attacks, then redirect their anonymized funds to cryptocurrency exchanges to cash out.

The law enforcement operation was a week-long effort – Operation Olympia – between November 24 and November 26, targeting Cryptomixer, an illegal cryptocurrency mixing service that law enforcement agencies have been trying to shut down since its creation in 2016. According to Europol, Cryptomixer was the mixing service of choice for cybercriminals, and was used by ransomware gangs, payment card fraudsters, drug and weapons traffickers, and nation state hackers such as North Korea’s Lazarus Group to launder funds from their illegal activities. Since 2016, more than €1.3 billion in Bitcoin ($1.5 billion) has passed through Cryptomixer infrastructure.

Funds were deposited in the mixing service, pooled for a long and randomized period, then redistributed to destination addresses at random times. Mixing services such as Cryptomixer make pseudonymous cryptocurrency transactions anonymous, concealing the origin of cryptocurrency by making it difficult to trace specific coins, allowing cybercriminals to launder funds from their activities without the risk of being identified. More than €25 million ($28 million) in Bitcoin was confiscated, three servers in Switzerland and the cryptomixer.io clear web domain were seized, along with more than 12 terabytes of data.

The operation was part of a broader international effort by law enforcement agencies to tackle cybercrime by targeting the services that cybercriminals use to hide their financial transactions. Operation Olympia mirrors a similar effort in 2023 by Europol and law enforcement agencies in the United States and Germany that resulted in the seizure of the infrastructure behind the ChipMixer mixing service, which at the time was the go-to mixing service for cybercriminals, through which more than $3 billion in cryptocurrency had passed. In that operation, as well as seizing the infrastructure, more than $50 billion in Bitcoin was confiscated.

The post Europol Takes Down Illegal Crypto Mixing Laundering Service Used by Ransomware Actors appeared first on The HIPAA Journal.

Thanksgiving weekend is just a few days away, and while many healthcare employees will be enjoying time off work, it will be a particularly busy time for cybercriminals. Many hacking and ransomware attacks occur over Thanksgiving weekend when staffing levels are lower, and fewer eyes are monitoring for indicators of compromise.

The high level of ransomware attacks during holiday periods has recently been confirmed by the cybersecurity firm Semperis, which reports that in the United States, 56% of ransomware attacks occur on a weekend or holiday, and 47% of ransomware attacks on healthcare organizations occur during these times when staffing levels are reduced.

“Threat actors continue to take advantage of reduced cybersecurity staffing on holidays and weekends to launch ransomware attacks. Vigilance during these times is more critical than ever because the persistence and patience attackers have can lead to long-lasting business disruptions,” said Chris Inglis, the first U.S. National Cyber Director and Semperis Strategic Advisor.

The Semperis 2025 Ransomware Holiday Risk Report is based on an analysis of responses to a detailed global ransomware survey of 1,500 IT and security professionals conducted in the first half of the year by Censuswide. The survey suggests that ransomware groups research their targets and time their attacks to coincide with material corporate events such as mergers, acquisitions, IPOs, and layoffs, and exploit the organizational disruption and reduced security focus during these events. “Organizations are under intense pressure to sustain operations while transforming their form and protocols during an IPO or merger, and cannot afford downtime, making them more likely to pay quickly to restore operations,” said Inglis. “During these times, it is critical to remain vigilant and situationally aware that bad actors may be lurking, looking to plant ransomware.”

In healthcare, 96% of organizations maintain a security operations center, with 80% managing it in-house and 20% outsourcing to a third-party vendor. During weekends and holiday periods, 73% of healthcare organizations reduce their SOC staffing levels by 50% or more, and 5% of organizations said they eliminate their SOC staffing entirely on weekends and holidays. The main reasons given for reducing or eliminating staffing levels were to improve work/life balance (63%), because the organization was closed during holidays and weekends (43%), and 36% of respondents said they did not expect an attack to take place.

Smaller organizations were the most likely to cut or eliminate SOC staffing levels on weekends and during holiday periods because they thought they would be unlikely to be attacked. While reducing staffing levels to give employees weekends and holidays off is all well and good, there is no time off for hackers. If internal staffing levels are to be reduced, there must be adequate monitoring, staff on call, or a third-party vendor providing cover.

There has been a marked increase in organizations bringing their SOC in-house, which is up 28 percentage points from last year, which has coincided with a 30% percentage point increase in below 50% staffing levels during holidays and weekends to maintain a better work/life balance. The reason for the shift in bringing SOCs in-house was not explored in the study, but there could be several factors at play.

“Being able to see what’s happening might enable organizations to pivot and adapt faster based on changing operations, business needs, and regulatory reporting requirements,” Courtney Guss, Semperis Director of Crisis Management, said. “The ROI of outsourcing also seems to be shifting as AI begins to handle some Tier 1 work, leaving the more complex work for SOC analysts.”

The survey also probed respondents on their identity infrastructure and the methods used for protection. The majority (90%) scan for vulnerabilities, although only 38% have vulnerability remediation procedures, and only 63% automate recovery. Concerningly, 10% of respondents said they do not have an identity threat detection and response strategy.

One of the most effective ways to defend against ransomware attacks is by tightening identity systems, most commonly Active Directory, Entra ID, and Okta,” former Australian Prime Minister Malcolm Turnbull said. “These are the digital keys that determine who can access what within an organization. In nearly every major ransomware incident, weak or compromised credentials have been the initial entry point. Strengthening identity systems is therefore not just good practice but a critical line of defense.

The post Threat Actors Time Attacks to Coincide with Periods of Reduced Vigilance appeared first on The HIPAA Journal.

The Health Sector Coordinating Council (HSCC) has published updated Model Contract Language for MedTech Cybersecurity to help healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs) address the challenge of ensuring the cybersecurity of medical devices.

Medical devices can introduce cybersecurity risks that must be managed and reduced to a reasonable and appropriate level to comply with the HIPAA Security Rule. The devices must also meet the safety and effectiveness requirements of the Food and Drug Administration (FDA), which include cybersecurity for the entire life cycle of the devices.

The cybersecurity of medical devices is a shared responsibility between the HDO and the MDM; however, historically, cybersecurity accountability has been inconsistently reconciled in the purchase contract negotiation process due to factors such as uneven MDM capabilities and investment in cybersecurity controls, and varying cybersecurity expectations among HDOs.

If there are ambiguities in cybersecurity responsibilities due to the contract language – or a failure to clearly state in contracts the responsibilities of each party with respect to cybersecurity – it is likely to result in downstream disputes, insufficient security, and potential patient safety issues.

“In today’s partnership between HDOs and MDMs, cybersecurity requirements are often unclear, resulting in a lack of understanding and prioritization of cybersecurity best practices. For HDOs and MDMs alike, this leads to an investment in security controls that are not always aligned between stakeholders,” explained HSCC.

The HSCC Cybersecurity Working Group (CWG) formed the Model Contract Language Task Group in 2020 to help address these issues. The Working Group consists of 50 representatives from HDOs, MDMs, group purchasing organizations, and security and compliance specialists. After two years of deliberations, the Task Group published the first version of the Model Contract Language in 2022, which serves as a neutral framework for the contractual cybersecurity relationships between HDOs and MDMs.

The aim of the Model Contract Language is to help HDOs protect themselves and their patients from cybersecurity threats by establishing and maintaining appropriate security contract terms and commitments from MDMs concerning their products, services, and solutions. Version 1 has been downloaded more than 1,500 times from the HSCC CWG website since its publication.

In 18 months after publication, users submitted almost 100 comments to HSCC. The Task Group reconvened last year to review the feedback and has now incorporated many of the recommendations in Version 2, which it is hoped will simplify the contracting process, making it more predictable and less costly and time-consuming.

The main improvements made in Version 2 are revisions and expansions to align with the changed regulatory environment; updates to reflect increasing security maturity and better alignment with expectations between stakeholders; resolution of unclear separation in areas where terms describe shared responsibilities; and simplification of the language to improve clarity and structure to help speed up contract negotiations.

HSCC says the Model Contract Language can be used as a standalone agreement with an MDM, or as an addendum to a Business Associate Agreement (BAA), Master Service Agreement (MSA), or Request for Proposal (RFP). The document can serve as a template that can be tailored to meet the specific compliance needs of each HDO.

The post HSCC Updates Model Contract Language Framework for HDOs & MDMs appeared first on The HIPAA Journal.

A critical vulnerability in Oracle Identity Manager is under active exploitation, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). CISA has instructed all federal civilian executive branch agencies to ensure the vulnerability is patched by December 12, 2025, and strongly recommends that all users apply the available patches as soon as possible.

The remote code execution vulnerability can be easily exploited by an unauthenticated remote attacker via HTTP.  Successful exploitation would allow an attacker to execute arbitrary code on vulnerable systems, leading to a full takeover of Oracle Identity Manager. The vulnerability is tracked as CVE-2025-61757 and has a CVSS severity score of 9.8 out of 10.  The vulnerability is due to missing authentication for a critical function in the REST WebServices component of Oracle Fusion Middleware. The vulnerability can be exploited to trick a security filter into treating protected endpoints as publicly accessible, allowing access to a script that can be abused to run malicious code.

The vulnerability was identified by Searchlight Cyber researchers Adam Kues and Shubham Shahflow, who reported the vulnerability to Oracle. The researchers identified the flaw while investigating a security incident that exploited an older vulnerability, CVE-2021-35587. The researchers report that, in contrast to some of the previously identified vulnerabilities in Oracle Access Manager, this flaw is somewhat trivial and is easily exploitable by threat actors.

The vulnerability affects the supported versions 12.2.1.4.0 and 14.1.2.1.0. Oracle released patches to fix the vulnerability in its batch of October 2025 security updates. Any users who have yet to download and install the patches should do so immediately to prevent exploitation, as the researchers have now released all the necessary information to exploit the flaw.

While it is unclear how widely the vulnerability is being exploited, it is likely to be a prime target for ransomware groups. Some evidence has been found to suggest that the flaw has been exploited since August 30, 2025, potentially by an advanced persistent threat actor.

The post Critical Flaw in Oracle Identity Manager Under Active Exploitation appeared first on The HIPAA Journal.

A critical vulnerability has been identified in Emerson Appleton UPSMON-PRO, monitoring and power management software for uninterruptible power supplies. The software is used by healthcare and public health sector organizations to ensure power is maintained for essential equipment.

The vulnerability was identified by security researcher Kimiya, working with the Trend Micro Zero Day Initiative, who reported the issue to the Cybersecurity and Infrastructure Security Agency (CISA). The stack-based buffer overflow vulnerability is tracked as CVE-2024-3871 and has been assigned a CVSS v3.1 base score of 9.3 (CVSS v4 9.8). The vulnerability can be exploited by sending a specially crafted UDP packet to the default UDP port 2601, which can cause an overflow of the buffer stack, overwriting critical memory locations.

Successful exploitation of the vulnerability could allow an unauthorized individual to execute arbitrary code with SYSTEM privileges if the UPSMONProService service communication is not properly validated.

The vulnerability affects Appleton UPSMON-PRO versions 2.6 and earlier. Emerson has warned that the affected versions have reached end-of-life, so patches are not being released to fix the vulnerability. Any user who has yet to replace the affected UPSMON-PRO version with an actively supported UPS monitoring solution should do so as soon as possible.

While there is no patch, there are recommended mitigations to reduce the potential for exploitation. Users should block UDP port 2601 at the firewall level for all UPSMON-PRO installations, UPS monitoring networks should be isolated from general corporate networks, network-level packet filtering should reject oversized UDP packets to port 2601, and UPSMON-ProSer.exe should be monitored for server crashes as potential indicators of exploitation attempts.

CISA recommends ensuring that Emerson Appleton UPSMON-PRO is not accessible from the Internet, and if remote access is required, to ensure that secure methods are used to connect remotely, such as virtual private networks running the most up-to-date software version.

The post Critical Vulnerability Identified in Emerson Appleton UPSMON-PRO appeared first on The HIPAA Journal.