Healthcare Cybersecurity

CISA Seeks Feedback on Updated Software Bill of Materials Guidance

One of the biggest security headaches in healthcare is managing third-party risk. Healthcare organizations can implement extensive security measures to protect their internal networks and sensitive data, only for a security flaw in a medical device or third-party software solution to be exploited, circumventing their security protections.

While patches can be applied to address known vulnerabilities, software and firmware may contain third-party components and dependencies. Since there may be little visibility into those components and dependencies, risks are impossible to mitigate effectively.

To improve visibility and help with risk management, all medical devices should be provided with a Software Bill of Materials (SBOM), which is a formal, machine-readable inventory of all software components and dependencies used in a medical device. The Food and Drug Administration (FDA) now requires SBOMs to be provided with premarket submissions of medical devices, to help ensure cybersecurity for the whole lifecycle of the device.

The Cybersecurity and Infrastructure Security Agency (CISA) is pushing for SBOMs to be included with software to improve transparency and supply chain security. CISA has previously published SBOM guidance, which has now been updated to reflect the current state of maturity in software transparency.

“SBOMs provide a detailed inventory of software components, enabling organizations to identify vulnerabilities, assess risk, and make informed decisions about the software they use and deploy,” explained CISA. “As adoption of SBOMs has grown across the public and private sectors, so too has the need for machine-processable formats that support scalable implementation and integration into broader cybersecurity practices.”

While the guidance – 2025 Minimum Elements for a Software Bill of Materials (SBOM) – is primarily intended for federal agencies, CISA is encouraging other entities to use the guidance to help them understand what they can expect from vendors’ SBOMs. The update includes new SBOM data fields, such as the name of the tool used to create the SBOM and the software’s cryptographic hash, along with several revisions. Public comment is sought on the new draft guidance until October 3, 2025, allowing individuals to share their knowledge for incorporation into the guidance ahead of the release of the final version.
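As an added illustration (not CISA's tooling and not part of the original post), the checker below reads a CycloneDX JSON SBOM and flags the elements a consumer would want present before relying on it, including the two fields the article says the draft adds: the generator tool name and a component hash. It assumes CycloneDX field names (metadata.tools, components[].supplier, components[].hashes); the sample SBOM is constructed.

```python
"""Minimum-elements check over a CycloneDX JSON SBOM (added example; the field
set checked here is an assumption, not the text of the CISA draft)."""
import json

# Constructed SBOM: one complete component and two with gaps a consumer should notice.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-08-15T00:00:00Z",
        "tools": [{"name": "example-sbom-generator", "version": "1.0"}],  # constructed tool
        "component": {"type": "device", "name": "ExampleImagingViewer", "version": "8.2"},
    },
    "components": [
        {
            "type": "library", "name": "openssl", "version": "3.0.8",
            "supplier": {"name": "OpenSSL Project"},
            "hashes": [{"alg": "SHA-256", "content": "ab" * 32}],  # constructed digest
        },
        {   # No supplier and no hash: cannot be traced or verified
            "type": "library", "name": "libjpeg", "version": "9e",
        },
        {   # No version (cannot be matched against advisories) and only an MD5 hash
            "type": "library", "name": "zlib",
            "supplier": {"name": "zlib contributors"},
            "hashes": [{"alg": "MD5", "content": "cd" * 16}],  # constructed digest
        },
    ],
})

STRONG_HASH_ALGS = {"SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-384", "SHA3-512"}


def tool_names(sbom):
    """Names of the tools that produced the SBOM.

    CycloneDX 1.4 uses a list under metadata.tools; 1.5 may use an object with
    'components' and 'services' lists, so both shapes are handled.
    """
    tools = sbom.get("metadata", {}).get("tools", [])
    if isinstance(tools, dict):
        tools = tools.get("components", []) + tools.get("services", [])
    return [t.get("name") for t in tools if t.get("name")]


def check_component(comp):
    """Return (component name, list of missing or weak elements)."""
    findings = []
    name = comp.get("name") or "<unnamed>"
    if not comp.get("name"):
        findings.append("missing name")
    if not comp.get("version"):
        findings.append("missing version")
    if not (comp.get("supplier") or {}).get("name"):
        findings.append("missing supplier")
    hashes = comp.get("hashes") or []
    if not hashes:
        findings.append("missing cryptographic hash")
    elif not any(h.get("alg") in STRONG_HASH_ALGS for h in hashes):
        findings.append("no strong hash algorithm")
    return name, findings


def check_sbom(text):
    """Map each subject ('document' or a component name) to its findings.

    An empty dict means every checked element is present.
    """
    sbom = json.loads(text)
    report = {}
    doc = []
    if sbom.get("bomFormat") != "CycloneDX":
        doc.append("not a CycloneDX document")
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        doc.append("missing timestamp")
    if not tool_names(sbom):
        doc.append("missing SBOM generator tool name")
    if not meta.get("component", {}).get("name"):
        doc.append("missing primary component")
    if doc:
        report["document"] = doc
    for comp in sbom.get("components", []):
        name, findings = check_component(comp)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for subject, findings in check_sbom(SAMPLE_SBOM).items():
        print(f"{subject}: {', '.join(findings)}")
```

Running it on the constructed SBOM reports libjpeg and zlib and leaves openssl and the document-level fields clean.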

The post CISA Seeks Feedback on Updated Software Bill of Materials Guidance appeared first on The HIPAA Journal.

Vulnerability Identified in FujiFilm Synapse Mobility Medical Image Viewer

A medium-severity privilege escalation vulnerability has been identified in FujiFilm Healthcare Americas Synapse Mobility medical image viewing software that could be exploited to bypass authentication and access sensitive data.

The vulnerability is tracked as CVE-2025-54551 and affects all versions of Fujifilm Healthcare Americas Synapse Mobility prior to version 8.2 (Versions 8.0, 8.0.1, 8.0.2, 8.1, 8.1.1). The vulnerability is remotely exploitable in a low complexity attack and can allow an attacker to escalate privileges and access data that they do not have permission to view. Authenticated user interaction is required to exploit the vulnerability.

The vulnerability is due to external control of a Web parameter and can be exploited by altering the parameters of the search function, thereby providing results beyond the intended design of role-based access controls. The vulnerability has been assigned a CVSS v4 base score of 5.3 and a CVSS v3.1 base score of 4.3.

Fujifilm Healthcare Americas has fixed the vulnerability in version 8.2 and later versions and has released patches for versions 8.0 to 8.1.1. Users are encouraged to upgrade to the latest version of the software and ensure that patches are applied before the end-of-support date. If the version in use is past the end-of-support date, users should ensure they update to a supported version.

If an immediate upgrade is not possible, administrators should consider disabling the search function in the configurator settings until the software can be updated. This can be achieved by unchecking the “Allow plain text accession number” checkbox in the security section of the admin interface. This will limit the site to use of the product only via the SecureURL feature.
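The bug class in the advisory above (an externally controlled web parameter widening search results past role-based access controls) is illustrated below with an added example that is not Synapse Mobility's code or Fujifilm's fix. It assumes a hypothetical search endpoint over an in-memory study archive, with constructed records and session data.

```python
"""Client-controlled scope parameter versus server-derived scope (added example,
hypothetical endpoint; records and sessions are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Study:
    accession: str
    department: str
    patient: str


# Constructed archive records
STUDIES = [
    Study("ACC-1001", "radiology", "patient-A"),
    Study("ACC-1002", "radiology", "patient-B"),
    Study("ACC-2001", "cardiology", "patient-C"),
]

# Constructed session store: departments each authenticated user is permitted to see
SESSION_SCOPE = {
    "rad_tech": {"radiology"},
    "cardio_nurse": {"cardiology"},
    "admin": {"radiology", "cardiology"},
}

AUDIT_LOG = []  # rejected scope-widening attempts, a useful detection signal


def _requested_departments(params):
    return set(filter(None, params.get("departments", "").split(",")))


def search_vulnerable(user, params):
    """The 'departments' filter comes from the request.

    The UI pre-fills it with the user's own department, but an authenticated
    user can edit the parameter and receive studies their role should not see.
    """
    scope = _requested_departments(params)
    term = params.get("q", "")
    return [s for s in STUDIES if s.department in scope and term in s.accession]


def search_hardened(user, params):
    """Scope is derived from the session, not the request.

    A requested department outside the user's scope is refused and logged
    rather than honoured; an absent filter defaults to the permitted scope.
    """
    allowed = SESSION_SCOPE[user]
    requested = _requested_departments(params)
    if not requested <= allowed:
        AUDIT_LOG.append((user, sorted(requested - allowed)))
        raise PermissionError(f"{user} may not query {sorted(requested - allowed)}")
    scope = requested or allowed
    term = params.get("q", "")
    return [s for s in STUDIES if s.department in scope and term in s.accession]


if __name__ == "__main__":
    tampered = {"q": "ACC", "departments": "radiology,cardiology"}
    print(len(search_vulnerable("rad_tech", tampered)), "studies returned by the vulnerable search")
    try:
        search_hardened("rad_tech", tampered)
    except PermissionError as exc:
        print("hardened search refused:", exc)
```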


Warnings Issued About RCE Vulnerabilities in FortiSIEM & N-able N-central

Warnings have been issued about a critical vulnerability in Fortinet FortiSIEM with publicly available exploit code and two actively exploited vulnerabilities in N-able N-central.

FortiSIEM

FortiSIEM is a central security information and event management (SIEM) solution that is used by network defenders for logging, network telemetry, and security incident alerts. FortiSIEM is commonly used by large enterprises, healthcare providers, and government entities. Fortinet has issued a warning about a command injection flaw that can be exploited remotely by an unauthenticated attacker, for which exploit code exists in the wild. As such, it is essential to patch promptly to fix the vulnerability before it can be exploited.

The vulnerability, CVE-2025-25256, is a critical flaw affecting FortiSIEM versions 5.4 to 7.3 and has a CVSS base score of 9.8 out of 10. Successful exploitation of the flaw would allow an unauthenticated attacker to remotely execute code or commands via crafted CLI requests. Fortinet did not state whether the vulnerability has already been exploited, only that functional exploit code was found in the wild.

Fortinet has fixed the vulnerability in the following versions:

  • FortiSIEM 7.3.2
  • FortiSIEM 7.2.6
  • FortiSIEM 7.1.8
  • FortiSIEM 7.0.4
  • FortiSIEM 6.7.10

Users of FortiSIEM versions 5.4 to 6.6 should ensure that they upgrade to a supported version that is patched against the vulnerability. If it is not possible to update to a patched version, Fortinet has suggested a workaround, which involves limiting access to the phMonitor on port 7900.

N-able N-central

N-able N-central is a remote monitoring and management (RMM) solution, commonly used by managed service providers (MSPs) to manage and maintain devices on their clients’ networks. Two vulnerabilities have been identified that are under active exploitation.

The vulnerabilities are tracked as CVE-2025-8875 – an insecure deserialization vulnerability that could allow command execution, and CVE-2025-8876 – a command injection vulnerability due to improper sanitization of user input. No CVSS scores have currently been issued for the vulnerabilities; however, CISA warns that both are under active exploitation. N-able explained in a security alert that the vulnerabilities require authentication to exploit.

N-able has released patches to fix the vulnerabilities, and customers are urged to update to version 2025.3.1 as soon as possible. The fixed version was released on August 13, 2025, and further information about the vulnerabilities will be released by N-able in three weeks, to give customers time to update to a fixed version.


Remotely Exploitable Critical Vulnerability Identified in Santesoft Sante PACS Server

Five vulnerabilities have been identified in the Santesoft Sante PACS Server medical image archiving and communication system, including a critical vulnerability that allows credentials to be intercepted.

The vulnerabilities affect all versions of Sante PACS Server prior to 4.2.3 and have been patched in version 4.2.3 and later versions. The three most serious vulnerabilities can be exploited remotely by an attacker in a low complexity attack. Successful exploitation of the vulnerabilities could allow an attacker to create arbitrary files, obtain sensitive data, steal users’ session cookies, and cause a denial-of-service condition.

  • CVE-2025-54156 – A critical vulnerability that can be exploited by a remote attacker to steal credentials. The vulnerability is due to Sante PACS Server sending credential information in cleartext. The vulnerability has been assigned a CVSS v4 score of 9.1 (CVSS v3.1: 7.4).
  • CVE-2025-53948 – A high-severity vulnerability that can be exploited by a remote attacker to crash the main thread by sending a specially crafted HL7 message, triggering a denial-of-service condition. The server would require a manual restart. The vulnerability has been assigned a CVSS v4 score of 8.7 (CVSS v3.1: 7.5)
  • CVE-2025-0572 – A medium-severity vulnerability that can be exploited by a remote attacker to create arbitrary DCM files on vulnerable versions of Sante PACS Server. The vulnerability is due to improper limitation of a pathname to a restricted directory. The vulnerability has been assigned a CVSS v4 score of 5.3 (CVSS v3.1: 4.3)
  • CVE-2025-54759 – A medium-severity cross-site scripting vulnerability in Sante PACS Server, which could be exploited by an attacker by injecting malicious HTML code, redirecting a user to a malicious web page to steal the user’s cookie. The vulnerability has been assigned a CVSS v4 score of 5.1 (CVSS v3.1: 6.1).
  • CVE-2025-54862 – A medium-severity cross-site scripting vulnerability in the Sante PACS Server web portal, which could similarly be exploited by an attacker to direct a user to a malicious HTML page to steal the user’s cookie. The vulnerability has been assigned a CVSS v4 score of 4.8 (CVSS v3.1: 5.4).

The vulnerabilities were identified by Chizuru Toyama of TXOne Networks, who reported them to CISA. At present, there have been no known instances of exploitation in the wild; however, users are advised to update Santesoft Sante PACS Server to the latest version as soon as possible.

It is also recommended to avoid exposing Santesoft Sante PACS Server to the Internet. If remote access is required, use secure methods for access, such as a Virtual Private Network (VPN), ensuring it is kept up to date and running the latest version.


Warning Issued About High-severity Flaw Affecting Microsoft Exchange Hybrid Deployments

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft have issued warnings about a high-severity flaw affecting Exchange hybrid deployments that could allow an attacker to escalate privileges in Exchange Online cloud environments undetected, potentially impacting the identity integrity of an organization’s Exchange Online service.

The vulnerability is tracked as CVE-2025-53786 and affects hybrid-joined configurations of Exchange Server 2016, Exchange Server 2019, and Microsoft Exchange Server Subscription Edition. The vulnerability has a CVSS v3.1 severity score of 8.0 and is due to improper authentication. The vulnerability can be exploited by an attacker with administrative access to an on-premise Microsoft Exchange server.

In hybrid Exchange deployments, the on-premise Exchange Server and Exchange Online share the same service principal, which is used for authentication between the on-premise and cloud environments. If an attacker controls the on-premise Exchange server, they can potentially manipulate trusted tokens or API calls. Exchange Online will accept these as legitimate since the on-premise Exchange Server is implicitly trusted. Since actions originating from the on-premise Exchange Server do not always generate logs of malicious activity, audits of Exchange Online may not identify security breaches that originated in the on-premise Exchange Server.

At the time of the alert, no exploitation of the flaw has been observed in the wild; however, exploitation is considered “more likely”, so organizations with vulnerable hybrid Microsoft Exchange environments should ensure they follow Microsoft’s mitigation guidance:

Exchange hybrid users should review the Exchange Server Security Changes for Hybrid Deployments guidance to determine if their deployments are potentially affected and if there is a Cumulative Update available.

Microsoft April 2025 Exchange Server Hotfix Updates should be applied to the on-premise Exchange server, and Microsoft’s guidance on deploying a dedicated Exchange hybrid app should be followed.

Any organization using Exchange hybrid, or that has previously configured Exchange hybrid but no longer uses it, should review Microsoft’s Service Principal Clean-Up Mode, which includes guidance for resetting the service principal’s keyCredentials. When these steps have been completed, Microsoft Exchange Health Checker should be run to determine if any further actions are required.

Organizations with public-facing versions of Exchange Server or SharePoint Server that have reached end-of-life or end-of-service should be disconnected from the public Internet, and use should be discontinued.

Microsoft is encouraging customers to migrate to its Exchange Hybrid app as soon as possible to enhance the security of their hybrid environments, and said, “Starting in August 2025, we will begin temporarily blocking Exchange Web Services traffic using the Exchange Online shared service principal” to accelerate adoption of the dedicated Exchange hybrid app.


More Than Half of Healthcare Orgs Attacked with Ransomware Last Year

A new report from the cybersecurity firm Semperis suggests ransomware attacks have decreased year-over-year, albeit only slightly. The ransomware risk report indicates healthcare is still a major target for ransomware gangs, with 77% of healthcare organizations targeted with ransomware in the past 12 months. 53% of those attacks were successful.

The report is based on a Censuswide survey of 1,500 IT and security professionals across multiple sectors. While attacks are down slightly, 60% of attacked healthcare organizations report suffering multiple attacks. In 30% of cases, they were attacked more than once in the same month, 35% were attacked in the same week, 14% were attacked multiple times on the same day, and 12% faced simultaneous attacks.

A general trend in recent years, as reported by several firms, is fewer victims of ransomware attacks paying ransoms, although across all industry sectors in the U.S., 81% of attacked companies paid the ransom, an increase from last year. Ransom payment was far less common in healthcare. According to Semperis, 53% of healthcare victims paid a ransom to either prevent the publication of stolen data, obtain decryption keys, or both. The ransom paid was less than $500,000 for 55% of companies, 39% paid between $500,000 and $1 million, and 5% paid more than $1 million.

The lower rate of ransom payment in healthcare may be due to genuine concerns that the attackers will not be true to their word. The ransomware attack on Change Healthcare last year made that clear. A $22 million ransom was paid to the BlackCat ransomware group to delete the stolen data; however, after pulling an exit scam, the affiliate behind the attack retained a copy of the data and attempted extortion a second time through a different group, RansomHub. Further, law enforcement operations against LockBit found the group lied about data deletion. Copies of stolen data were found on servers after the ransom was paid. Payment of a ransom is also no guarantee that data can be recovered. On average, 15% of companies that paid the ransom did not receive usable decryption keys, and a further 3% found that their data had been published or misused even when payment was made.

Ransomware groups have been observed adopting more aggressive tactics to increase pressure on victims. Falling profits have prompted some groups to start contacting patients of an attacked healthcare provider directly to increase pressure and get the ransom paid, or in some cases, patients have been extorted. Ransomware groups have threatened to file complaints with regulators, such as the Securities and Exchange Commission (SEC). According to Semperis, 47% of attacks across all sectors involved threats of regulatory complaints, as did 41% of attacks on healthcare organizations. In 62% of healthcare attacks, the threat actor threatened to release private or proprietary data. There is also a growing trend of physical threats against staff members, which occurred in 40% of attacks across all sectors, and 31% of attacks on healthcare organizations.

“With the introduction of generative AI and the fast development of agentic AI attacks, creating more advanced tools with more destructive impact is easier, so threat actors no longer need a lot of money and resources to create those tools,” said Yossi Rachman, Semperis Director of Security Research. “As a result, even a drop in ransom payments will not necessarily stop attack groups from proliferating and conducting more effective and frequent attacks.”

Semperis found that organizations are getting better at detecting and blocking attacks, but when attacks occur, they can cause considerable harm. For 53% of healthcare victims, recovery took from a day to a week, with 31% of attacked healthcare organizations taking between one week and one month to fully return to normal operations. The main business disruptions were data loss/compromise, reputational damage, and job losses. In one attack this year, a healthcare provider permanently closed the business after a ransomware attack.

The biggest challenges faced in healthcare were the frequency and sophistication of threats, attacks on identity systems, and regulatory compliance. 78% of victims said attacks compromised their identity infrastructure, yet only 61% maintained a dedicated AD-specific backup system. Semperis strongly advises companies to implement technology to protect IAM infrastructure, since this is the #1 target. It is also important to document, train, and test to improve the response to a ransomware attack, as an attack is almost inevitable.

“Train for the day you are attacked,” advises Rachman. “See that everybody knows exactly what they should do, which systems, processes, and tools need to be involved, and do that every six months.” Further, when cybersecurity has been improved, it is necessary to evaluate the security of partners and supply chain vendors, as even with excellent security, supply chain vulnerabilities could easily be exploited.


Average Cost of a Healthcare Data Breach Falls to $7.42 Million

IBM has published the 2025 Cost of a Data Breach Report, which shows a fall in the global average cost of a data breach, but an increase in the cost of U.S. data breaches, which have set a new record at $10.22 million, increasing by 9.2% from an average of $9.36 million in 2024. The higher data breach costs in the United States were largely due to higher regulatory fines and detection and escalation costs. Globally, data breach costs have fallen for the first time in five years to an average of $4.44 million.

[Figure: Global average cost of a data breach in 2025 (in millions). Source: IBM]

IBM has been releasing data breach cost reports for the past 20 years. This year, the study was conducted on 600 organizations of various sizes from 16 countries and geographic regions. Out of the 600 organizations participating in the study, 16% were located in the United States and Canada. The report is based on an analysis of data from organizations in 17 industries, 2% of which are in the healthcare industry.

There has been a fall in the cost of healthcare data breaches in the United States, which dropped by $2.35 million year-over-year to an average of $7.42 million. While the cost of a healthcare data breach has fallen significantly, healthcare data breaches are still the costliest out of all industries studied by IBM, and have been for the past 14 years.

Globally, the time to identify and contain a data breach fell to a 9-year low of 241 days, reducing by 17 days compared to 2024. IBM explains that the reduction in average containment time was largely due to a higher number of organizations detecting the data breach internally rather than being notified by an attacker. Healthcare data breaches took the longest to identify and contain, at an average of 279 days, five weeks longer than the global average breach lifecycle.

Phishing was the leading initial access vector in 2025, accounting for almost 16% of data breaches, replacing stolen credentials (10%), last year’s leading initial access vector, which fell to third spot behind supply chain compromise (15%). Ransomware continues to be a problem for healthcare organizations; however, more organizations are choosing not to pay ransoms. Last year, 59% of organizations that experienced a ransomware attack refused to pay the ransom, increasing to 63% this year. With fewer organizations making payments, ransom demands have remained high, with an average of $5.08 million demanded for attacker-disclosed attacks. Fewer victims of ransomware attacks involve law enforcement, even though law enforcement involvement shaved an average of $1 million off data breach costs last year. In 2024, 52% of ransomware victims contacted and involved law enforcement, compared to 40% in 2025.

Data breaches invariably result in operational disruption, with almost all breached organizations reporting at least some disruption to operations as a result of a breach. The majority of breached organizations took more than 100 days to recover from a data breach. While breached organizations often absorb the cost of a data breach, this year, almost half of the organizations that suffered a data breach said they would be raising the price of goods and services as a result, with almost one-third planning to increase costs by 15% or more due to a data breach.

Each year, the cost of a data breach report identifies the main factors that increase or decrease breach costs. The biggest components in breach costs were detection and escalation ($1.47 million), lost business ($1.38 million), and post-breach response ($1.2 million), although IBM notes that detection and escalation costs fell by almost 10% compared to last year, and lost business and post-breach response costs also fell.

Based on a global average cost of $4.88 million, the most important factors for reducing data breach costs were adopting a DevSecOps approach (-$227K), AI-driven and ML-driven insights (-$223K), security analytics or SIEM (-$212K), threat intelligence (-$211K), and data encryption (-$208K). The main factors that increased breach costs were supply chain breaches (+$227K), security systems complexity (+$207K), shadow IT (+$200K), and AI tool adoption (+$193.5K).

Shadow IT – unauthorized use of software and devices – was a new addition to this year’s top three factors increasing data breach costs. Shadow IT increases the attack surface and creates a security blind spot, and IBM warns that many organizations are failing to look for shadow IT, so it remains undetected and can provide an easily exploitable backdoor into networks. On average, organizations with a high level of shadow IT experienced data breach costs $670K higher than organizations with a low level of shadow IT.

For this year’s report, IBM looked at the adoption of AI and found that AI adoption is outpacing governance. The majority of organizations that have adopted AI solutions said they did not have AI governance policies to mitigate or manage the risk of AI. Organizations lacking AI governance paid higher costs when breached. IBM has determined that AI models and applications are an emerging attack surface, especially in the case of shadow AI. This year, 13% of organizations reported a security incident involving an AI model or application that resulted in a data breach, and an overwhelming majority of those breached organizations – 97% – said they lacked proper AI access controls.

There has been growing concern about the use of generative AI by threat actors, such as for accelerating malware development and creating text and images for phishing and social engineering campaigns. IBM looked at the prevalence of AI-driven attacks and found that 16% of breaches involved the use of AI by attackers, with the majority of those attacks involving phishing (37%) or deepfakes (35%).

Last year, almost two-thirds of organizations said they would be increasing investment in cybersecurity over the next 12 months, but only 49% of organizations are planning to increase investment in the next 12 months. Fewer than half of the organizations planning to increase security investment said they were focusing on AI-driven solutions or services.


HHS-OIG Audit Finds Security Gaps at Large Northeastern Hospital

An audit of a large northeastern hospital by the Department of Health and Human Services Office of Inspector General (HHS-OIG) has identified cybersecurity gaps and weaknesses that are likely to be present in similarly sized hospitals across the country.

Cyberattacks on healthcare organizations have increased sharply in recent years. Between 2018 and 2022, there was a 93% increase in large data breaches reported to the HHS’ Office for Civil Rights (OCR) and a 278% increase in large data breaches involving ransomware. In 2022 alone, OCR received 64,592 reports of healthcare data breaches, across which the protected health information of 42 million individuals may have been exposed or stolen.

The HHS plays an important role in guiding and supporting the adoption of cybersecurity measures to protect patients and healthcare delivery from cyberattacks. The large number of successful cyberattacks raises questions about whether the HHS, including the Centers for Medicare and Medicaid Services (CMS) and OCR, could do more with its cybersecurity guidance, oversight, and outreach to help healthcare organizations implement robust cybersecurity controls and better protect their networks from attack.

While OCR usually conducts audits of HIPAA-regulated entities to assess cybersecurity and compliance with the HIPAA Rules, HHS-OIG’s 2025 Work Plan includes a series of 10 audits of U.S. hospitals to gain insights into healthcare cybersecurity and assess the cybersecurity measures that have been put in place. A northeastern hospital with more than 300 beds agreed to an audit to assess whether appropriate cybersecurity controls had been implemented for preventing and detecting cyberattacks, whether protocols had been developed for ensuring the continuity of care during a cyberattack, and the controls in place to protect Medicare enrollee data. The audited entity was not named due to the threat of cyberattacks.

The hospital is part of a network of providers that share protected health information for treatment, payment, and healthcare operations, and is a covered entity under HIPAA required to implement safeguards to ensure the confidentiality, integrity, and availability of protected health information. As a provider of healthcare services under the Medicare program, the hospital is also required to comply with the CMS Conditions of Participation (CoPs). The hospital had implemented measures to comply with the CoPs and HIPAA, and had voluntarily implemented the NIST Cybersecurity Framework to reduce and better manage cybersecurity risks.

The hospital was found to have implemented data security measures to protect Medicare data and had effective cybersecurity controls to ensure continuity of care in the event of a cyberattack, including appropriate network architecture, backup strategies, incident response plans, and disaster recovery controls. HHS-OIG did, however, identify several cybersecurity weaknesses and security gaps.

HHS-OIG conducted several simulated cyberattacks on Internet-facing systems and found its cybersecurity controls, which included a web application firewall (WAF), were generally effective at blocking or limiting malicious requests. Simulated phishing emails were also sent to employees, and no employee responded or interacted with the fake website HHS-OIG had set up for the phishing scam.

HHS-OIG analyzed 26 internet-accessible systems and discovered two had weaknesses in their cybersecurity controls that could potentially be exploited by threat actors to gain access to systems. HHS-OIG also identified 13 web applications with cybersecurity weaknesses related to configuration management controls, and 16 Internet-accessible systems had weaknesses in their cybersecurity controls regarding identification and authentication that left them susceptible to interactions and manipulations by threat actors.

HHS-OIG explained that the weaknesses occurred due to the integration of two systems with its existing IT environment without following security best practices. Further, while there were procedures for periodically assessing web application security controls, they were not effective at identifying weaknesses before they were potentially exploited, and industry web application security best practices had not been effectively implemented.

While the systems that were susceptible to some of the HHS-OIG’s simulated attacks did not contain patient data, compromising those systems could potentially provide attackers with a launch pad for conducting additional attacks against other systems, including systems that contained patient data. A threat actor could also use information gathered in an attack on a vulnerable system to conduct more convincing social engineering campaigns on the workforce.

The hospital concurred with all five HHS-OIG recommendations:

  • Enforce and periodically assess compliance with its configuration and change management policy.
  • Periodically assess and update its identification and authentication controls.
  • Periodically assess and update its configuration management controls.
  • Establish a policy or process to periodically assess its internet-accessible systems and application security controls for vulnerabilities.
  • Ensure developers follow secure coding practices.


Feds Confirm Seizure of BlackSuit Ransomware Infrastructure

Homeland Security Investigations (HSI), the investigative arm of the Department of Homeland Security (DHS) and part of U.S. Immigration and Customs Enforcement (ICE), has released further information about last month’s seizure of dark web domains used by the BlackSuit ransomware group.

On July 24, 2025, the U.S. Department of Justice (DoJ) confirmed that an international law enforcement operation codenamed Operation Checkmate resulted in the seizure of domains used by the BlackSuit ransomware group. Banners were added to those sites confirming they were under the control of law enforcement. The sites were used by the BlackSuit ransomware group to leak data stolen and to communicate with victims to negotiate ransom payments.

The HSI confirmed in an August 7, 2025, announcement that BlackSuit was the successor to Royal ransomware. Both groups have terrorized critical infrastructure entities around the world since Royal emerged in 2022. Royal was the successor to Quantum ransomware, which is thought to be one of the groups operated by former members of the disbanded Conti ransomware operation.

Since 2022, Royal and BlackSuit have conducted more than 450 successful ransomware attacks on companies in the United States, including many critical infrastructure entities in healthcare, education, public safety, energy, and the government. The ransomware groups engaged in double extortion, stealing data and encrypting files, demanding payment to prevent the data from being leaked and to obtain the decryption keys. Victims have paid Royal and BlackSuit more than $370 million in ransom payments, based on current cryptocurrency values.

The operation involved the HSI Cyber Crimes Center, IRS Criminal Investigation’s Cyber Crimes Unit, the U.S. Secret Service, the FBI, Europol, and multiple international law enforcement partners, and resulted in the seizure of the group’s servers, domains, and digital assets used to support the group’s attacks, data theft, extortion, and money laundering.

“Disrupting ransomware infrastructure is not only about taking down servers — it’s about dismantling the entire ecosystem that enables cybercriminals to operate with impunity,” said HSI Cyber Crimes Center Deputy Assistant Director Michael Prado. “This operation is the result of tireless international coordination and shows our collective resolve to hold ransomware actors accountable.”

A DoJ announcement on August 11, 2025, explained that laundered cryptocurrency valued at $1,091,453 had been seized as part of the operation, along with four servers and nine domains. The DoJ explained that one victim of the Royal ransomware group paid a 49.3120227 Bitcoin ransom to decrypt their data, which was valued at $1,445,454.86 at the time of the transaction. Some of the proceeds, $1,091,453, were repeatedly deposited into and withdrawn from a virtual currency exchange to obscure the source of the funds. The exchange froze the funds on or around January 9, 2024, and U.S. authorities obtained them after issuing a seizure warrant.

“The BlackSuit ransomware gang’s persistent targeting of U.S. critical infrastructure represents a serious threat to U.S. public safety,” said Assistant Attorney General for National Security John A. Eisenberg. “The National Security Division is proud to be part of an ongoing team of government agencies and partners working to protect our Nation from threats to our critical infrastructure.”

July 25, 2025: BlackSuit Ransomware Dark Web Sites Seized by Law Enforcement

The dark web sites of the BlackSuit ransomware group have been seized as part of an international law enforcement operation. The takedown includes BlackSuit’s negotiation and data leak sites, following a court order that authorized the seizure.

The dark web sites have been replaced with banners advising visitors that they were seized by U.S. Homeland Security Investigations as part of Operation Checkmate. Several law enforcement partners assisted with the operation, including the U.S. Department of Justice, the Federal Bureau of Investigation (FBI), the U.S. Office of Foreign Assets Control (OFAC), Europol, the UK National Crime Agency, and law enforcement agencies in Canada, Germany, Ukraine, Lithuania, Ireland, and France. The Romanian cybersecurity firm Bitdefender also assisted during the operation. The authorities have yet to make an announcement about the operation and any other achievements.

BlackSuit ransomware first appeared in June 2023, when the group rebranded following its attack on the City of Dallas in Texas. The group previously operated under the name Royal from September 2022 to June 2023. Prior to that, Royal operated under the name Quantum and is believed to have been started by members of the Conti ransomware group. Operating as BlackSuit, the group is thought to have claimed more than 180 victims worldwide, in addition to more than 350 victims under the name Royal.

While the takedown is good news, researchers have suggested that BlackSuit may have already rebranded, or that some former members of BlackSuit have formed a new group, Chaos ransomware. Researchers at Cisco Talos explained in a June 24, 2025, blog post that they assess with moderate confidence that the new group was formed by members of the BlackSuit ransomware group, based on similarities in the encryption methodology, ransom note, and toolset used in attacks. Chaos has already conducted at least ten attacks, mostly in the United States. The new group does not appear to be targeting any specific industries.

“The disruption of BlackSuit’s infrastructure marks another important milestone in the fight against organized cybercrime,” stated a representative of the Draco Team, Bitdefender’s cybercrime unit, who participated in the takedown. “We commend our law enforcement partners for their coordination and determination. Operations like this reinforce the critical role of public-private partnerships in tracking, exposing, and ultimately dismantling ransomware groups that operate in the shadows. When global expertise is aligned, cybercriminals have fewer places to hide.”

On July 28, 2025, FBI Dallas announced the seizure of 20 Bitcoins (now valued at $2.3 million) from a cryptocurrency address belonging to a member of the Chaos ransomware group. The funds were traced to a Bitcoin wallet used by an affiliate with the moniker "Hors," who is suspected of conducting attacks and extorting payments from companies in the Northern District of Texas and elsewhere. The U.S. Department of Justice filed a civil complaint in the Northern District of Texas on July 24, 2025, seeking forfeiture of the funds, which the FBI in Dallas had seized in mid-April.

The post Feds Confirm Seizure of BlackSuit Ransomware Infrastructure appeared first on The HIPAA Journal.