Healthcare Cybersecurity

Warning Issued About Akira Ransomware as Attacks on Critical Infrastructure Accelerate

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Defense Cyber Crime Center (DC3), Department of Health and Human Services (HHS), and international law enforcement partners about the Akira ransomware group, which has accelerated its attacks on critical infrastructure in recent months.

According to the FBI, Akira has been paid more than $244 million in ransoms since the group was first identified in March 2023. While Akira primarily targets small- to medium-sized organizations, the group has also attacked larger organizations, favoring sectors such as manufacturing, education, information technology, healthcare, financial services, and food and agriculture.

The group’s tactics are constantly evolving. While the group initially targeted Windows systems, a Linux version of its encryptor has been developed that is used to target VMware Elastic Sky X Integrated (ESXi) virtual machines (VMs), and recently the group has been observed encrypting Nutanix AHV VM disk files.

Akira typically uses stolen credentials for initial access, often obtained in spear phishing campaigns or through brute force attempts to guess weak passwords. Akira may also purchase access to compromised networks from initial access brokers. The group typically targets virtual private network (VPN) services that do not have multifactor authentication enabled, although vulnerabilities are also exploited. Akira has been observed exploiting vulnerabilities in Cisco devices (CVE-2020-3259; CVE-2023-70766) and has recently been observed exploiting a vulnerability in SonicWall Firewall devices (CVE-2024-40766). Once access has been gained, the group maintains persistence by using legitimate remote access tools such as LogMeIn and AnyDesk.

Like many other ransomware groups, Akira engages in double extortion tactics, stealing data and encrypting files, then demanding payment to prevent the publication of the stolen data on its leak site and to obtain the decryption keys.

“The threat of ransomware from groups like Akira is real and organizations need to take it seriously, with swift implementation of mitigation measures,” said Nick Andersen, Executive Assistant Director for the Cybersecurity Division (CSD) at CISA. The joint advisory about Akira ransomware was first issued in April 2024, but has now been updated with new tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) from recent attacks, including new recommended mitigations. The most important mitigations are to ensure that vulnerabilities are patched promptly, especially the vulnerabilities detailed in the advisory; to implement and enforce phishing-resistant multifactor authentication; and to ensure that backups are made of all critical data, storing backups securely offline.

The post Warning Issued About Akira Ransomware as Attacks on Critical Infrastructure Accelerate appeared first on The HIPAA Journal.

Urgent Patching Required to Fix Actively Exploited Cisco Flaws

Threat actors are actively exploiting multiple Cisco vulnerabilities for which patches were previously issued in August; however, attacks are ongoing, including attacks on devices that have been improperly patched.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a cybersecurity alert this week about two critical Cisco vulnerabilities – CVE-2025-30333 and CVE-2025-20362 – affecting Cisco Adaptive Security Appliances (ASA) and Firepower devices. The vulnerabilities affect devices running Cisco Secure ASA Software or Cisco Secure FTD Software and have CVSS v3.1 base scores of 9.9 and 9.8. The vulnerabilities can be exploited by sending specially crafted HTTP requests to a vulnerable web server on a device.

Cisco issued patches to fix the vulnerabilities in August this year, warning that hackers could exploit the flaws to execute commands at a high privilege level. The flaws allow threat actors to access restricted URL endpoints that should be inaccessible without authentication. By exploiting the flaws, attackers can execute code on vulnerable devices. If the vulnerabilities are chained, an attacker can gain full control of the devices. At the time the patches were issued, Cisco warned that the vulnerabilities had already been exploited as zero-days in the ArcaneDoor campaign, which exploited two other flaws.

While many organizations applied the patches and believed they were protected against exploitation, in some cases, the patches were applied without updating the minimum software version, leaving the organizations vulnerable to exploitation. “In CISA’s analysis of agency-reported data, CISA has identified devices marked as ‘patched’ in the reporting template, but which were updated to a version of the software that is still vulnerable to the threat activity outlined in the [Emergency Directive],” explained CISA in the alert. “CISA recommends all organizations verify the correct updates are applied.” CISA has published guidance on patching the two vulnerabilities and warned that immediate patching is required, including on devices that are not exposed to the Internet.


NHS Pathology Provider Synnovis Notifies Organizations Affected by June 2024 Ransomware Attack

The UK pathology lab Synnovis suffered a ransomware attack last year. It has taken 17 months to complete the highly complex data review and notify the affected healthcare provider clients.

Synnovis provides blood, urine, and specimen testing for many healthcare organizations in the United Kingdom and has a pathology partnership with Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust in London, and SYNLAB, a provider of laboratory, diagnostic, and advisory services.

The ransomware attack occurred on June 3, 2024, when the Qilin ransomware group encrypted files on its network. Data was exfiltrated from the network before the files were encrypted. The ransomware attack caused massive disruption to business operations at Synnovis, interrupting many of its pathology services. Synnovis said that almost all of its IT systems were affected.

NHS trusts that relied on Synnovis for blood testing and other services were forced to cancel appointments, and the lack of blood testing led to a shortage of O-negative blood. The shortage continued for months, with stocks depleted across the country. Disruption to patient services was extensive, with more than 10,000 appointments cancelled in the wake of the attack.

Synnovis immediately launched an investigation and assembled a task force of experts from Synnovis, the affected NHS Trusts, NHS England, and third-party specialists to restore systems and data as quickly as possible. The UK’s National Crime Agency (NCA), the National Cyber Security Centre (NCSC), and the Information Commissioner’s Office (ICO) were notified, and Synnovis has been working closely with those agencies throughout the recovery process.

It took until late autumn 2024 to replace all of the affected IT infrastructure and restore systems and services to pre-attack operational levels. “By month four immediately after the cyberattack, we had rebuilt a new blood transfusion platform, by month five we had completed a substantial cloud migration of our core systems, and by November 2024 we had rebuilt over 75 applications and reconnected a vast pathology estate spanning seven locations from the ground up, including over 65 scientific analyzers and more than 120 individual connections”, explained Synnovis.

Determining which organizations and individuals had been affected and the data types involved has taken considerably longer. Synnovis explained that the ransomware group stole data in haste in a random manner from its working drives, and due to the exceptional scale and complexity of the data review, it has taken more than a year to complete. That process required bespoke systems and processes to be created to reconstruct the affected data.

Synnovis said the forensic analysis confirmed that no data was taken from its primary lab databases, and the data exfiltrated in the attack was not in a form that could easily be used by anyone with ill intent. Despite an extensive forensic investigation, it was not possible to determine how the ransomware group gained access to its network. All IT infrastructure impacted by the attack was completely replaced.

Synnovis said it consulted with its affected NHS trust partners, and the decision was taken not to pay the ransom. Doing so would have gone against its ethical principles, and the ransom would undoubtedly have been used to fund further attacks on other critical infrastructure entities, potentially threatening national security. The amount demanded by the ransomware group was not disclosed.

Synnovis has recently completed the data analysis and restoration, and the affected organizations are now being notified. Notifications will be completed by November 21, 2025, after which the affected organizations will decide whether notifications need to be issued to the affected patients under UK data protection laws. Synnovis stressed that the company will not be contacting any of the affected patients directly. Under UK data protection laws, it is down to the data controller to conduct their own legal and risk assessments to determine whether notifications are required. Any individual receiving a communication about the data breach that purports to have come directly from Synnovis rather than one of the affected organizations should assume it is a scam.

The incident clearly demonstrates the massive impact ransomware attacks can have on critical infrastructure. In this case, this was a calculated attack designed to cause as much damage and disruption as possible for financial gain.

June 22, 2024: Ransomware Group Leaks Data from 300 Million Patient Interactions with NHS

The Russian ransomware and extortion group Qilin has added the data stolen in the attack on Synnovis to its dark web data leak site after the deadline for paying the $50 million ransom demand expired.

Synnovis, a provider of pathology services to the UK’s National Health Service (NHS), was attacked by the Qilin ransomware group on June 3, 2024, resulting in disruption to many of its services. Multiple NHS trusts in London continue to be affected by the attack, with the recovery expected to take several weeks. Synnovis does not anticipate fully recovering from the attack for several months.

Two of the worst-affected NHS trusts were the King’s College Hospital Foundation Trust and Guy’s and St Thomas’ Foundation Trust, two of the busiest NHS trusts in the country. The attack affected 7 hospitals operated by those trusts, forcing them to cancel 1,134 planned operations and 2,194 outpatient appointments in the first 13 days following the attack. Blood tests in the capital are operating at around 10% of normal levels.

As is typical in ransomware attacks, Qilin exfiltrated data before encrypting files. In the early hours of Friday morning, Qilin uploaded 400 GB of confidential data to its dark web data leak site, where it can be freely downloaded by cybercriminals. The uploaded data includes information from more than 300 million patient interactions with the NHS. The data upload is currently being verified but it appears to be genuine.

The data contains personally identifying information and blood test results, including highly sensitive test results for HIV, sexually transmitted infections, and cancer. It is likely to take several weeks before the exact types of data and the number of affected individuals are known due to the scale of the data theft. The data breach does not appear to be limited to NHS patients. Synnovis also provides pathology services to private healthcare providers, and some of the stolen data is understood to include private healthcare records.

The affected patients may now be subjected to extortion attempts due to the sensitivity of some of the stolen data. For instance, cybercriminals could threaten patients who tested positive for HIV by making that information public if they do not pay to have their data deleted.

The UK’s National Crime Agency (NCA) and the National Cyber Security Centre (NCSC) are currently considering taking retaliatory action against the hacking group. Since this was an attack that affected the NHS and included the theft of NHS data, the attack is effectively an attack on the state. One of the main priorities is to try to take down as much of the uploaded data as possible.

The NCA recently headed an international law enforcement operation against the LockBit ransomware group that resulted in the seizure of its command and control infrastructure in February 2024. While the operation was a success, it was short-lived. The LockBit infrastructure was rapidly rebuilt, and the group was able to continue its operations. According to a recent report from NCC Group, LockBit was the most active ransomware group in May 2024.

June 18, 2024: More Than 1,500 Appointments Cancelled Following Ransomware Attack on NHS Pathology Vendor

At least 1,500 operations and outpatient appointments had to be canceled at two NHS trusts – King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust – following the ransomware attack on Synnovis. The affected NHS hospitals remain open and are continuing to provide care as normal; however, appointments have been postponed that rely heavily on pathology services, and blood testing is being prioritized for the most serious cases. For instance, many individuals have had phlebotomy appointments canceled. The canceled appointments included more than 100 cancer treatments and 18 organ transplants.

That number is likely to grow considerably as other NHS trusts were also affected by the attack, and the 1,500 canceled appointments were only for the period from 3-9 June. Synnovis is expecting to be able to restore some of its IT functionality in the coming weeks but anticipates that disruption will likely continue to be experienced for several months.

The attack is continuing to disrupt blood-matching tests, which has forced the affected hospitals to use O Negative and O Positive blood for patients who can’t wait for alternative matching methods. That has led to a shortage of O-type blood, with the NHS responding to the shortage by calling for the public to urgently arrange blood donation appointments across the country, with the high demand likely to continue for several weeks.

The Qilin ransomware group behind the attack told Bloomberg that they demanded a $50 million ransom payment and required payment to be made within 120 hours. They also claimed to have gained access to the Synnovis network by exploiting a zero-day vulnerability, although they did not state what vulnerability they exploited. The Qilin group has yet to add Synnovis to its data leak site, which could indicate Synnovis is negotiating with the group.

June 5, 2024: Care Disrupted at London Hospitals Due to Ransomware Attack on Pathology Vendor

A ransomware attack on a UK-based provider of medical laboratory services is disrupting patient services at multiple NHS hospitals in London, including Guy’s Hospital, St Thomas’ Hospital, King’s College Hospital, Royal Brompton Hospital, Evelina London Children’s Hospital, and other care sites in six London boroughs – Bexley, Greenwich, Lewisham, Bromley, Southwark, and Lambeth. The attack has had a much wider impact than initially thought, with the South London and the Maudsley (Slam) trust also affected, the largest provider of mental health services in the country, and GP surgeries throughout South London.

Synnovis, a provider of diagnostic and pathology services, published an alert on its customer service portal on Monday, warning that all of its systems are currently unavailable. An investigation has been launched, and its IT team is trying to determine the cause of the outage. The attack has now been linked to a Russian cybercriminal group called Qilin, which is known for using ransomware to encrypt files on victims’ networks and demanding ransom payments to decrypt files and prevent the release of stolen data. The attack appears to be confined to Synnovis. Hospitals connected to the IT systems of Synnovis do not appear to have had their own systems infiltrated.

On Monday, Synnovis notified the affected NHS Trusts that it had experienced a malware attack, and later confirmed in email messages that it was a ransomware attack. A critical incident emergency status has been declared in the region. Synnovis is working with the National Cyber Security Centre and the Cyber Operations Team to investigate and recover from the attack, but cannot yet say how long its systems will be offline.

The affected hospitals have tried and tested business continuity plans for critical incidents such as ransomware attacks, and they are continuing to provide care for patients, although the attack is having a significant impact on the delivery of services at the affected hospitals. Emergency services are still available, but the hospitals have lost pathology services, cannot perform quick-turnaround blood tests, and blood transfusions are particularly affected, so much so that a nationwide appeal has been launched by the NHS for O blood-type donors.

As a result, all non-emergency pathology appointments have been canceled or redirected to other hospitals, and hospital staff have been instructed only to request emergency blood samples. Synnovis can still conduct blood tests, but the results are being printed out when obtained from its laboratories, and they are being hand-delivered, as the lack of access to computer systems is preventing electronic transmission.

One of the problems with an attack such as this is that until it can be determined exactly what the hackers have done while inside the compromised systems, data cannot be trusted. The hackers could have manipulated test results on which decisions about patient care are made. As a result, test results need to be re-run and results re-recorded due to the risk of data manipulation.

According to data from the Information Commissioner’s Office (ICO), there have been 215 ransomware attacks on hospitals in the United Kingdom since 2019. Last year, ransomware attacks reached record levels, with at least 1,231 attacks conducted across all industry sectors in the UK. Government officials are concerned that many attacks are not being reported.

This is also not the first ransomware attack to affect Synnovis in 2024. The BlackBasta ransomware group attacked Synnovis in April this year and published all the data stolen in the attack on its leak site when the ransom was not paid. Cybercriminal groups are known to work together and provide access to compromised networks to other groups. It is unclear if the BlackBasta attack is linked to the Qilin attack.


Healthcare Sees 224% Annual Increase in Attacks Targeting Mobile Devices

There has been a significant increase in cyberattacks targeting Android mobile devices in critical infrastructure sectors in the past year, according to a new report from the cybersecurity firm Zscaler. The biggest increase was in the energy sector, which saw a 387% increase in mobile attacks, followed by healthcare (224%) and manufacturing (111%).

The Zscaler ThreatLabz team analyzed data collected from customers’ mobile and Internet of Things (IoT) devices between June 2024 and May 2025, the findings of which were published in Zscaler’s 2025 Mobile, IoT & OT Threat Report. “Mobile, IoT, and OT systems have become the backbone of business operations today, enabling innovation and powering critical infrastructure across industries,” explained Zscaler in the report. “Mobile devices now dominate global connectivity, while IoT and OT systems keep manufacturing, healthcare, transportation, and smart cities running.”

Attackers are taking advantage of the proliferation of mobile devices and the expanding web of connectivity. The increase in hybrid and remote working, along with bring-your-own-device policies, has been a contributory factor in the growth of attacks targeting mobile devices for initial access. In the year to May 2025, Android malware transactions increased by 67%, with 239 malicious Android applications downloaded 42 million times from the Google Play Store. Google has controls to prevent malicious applications from being uploaded to its Play Store, but the figures show that attackers are circumventing those controls and can easily infect mobile devices.

IoT devices have proliferated in sectors such as manufacturing and healthcare and have become foundational to operations, but these devices have drastically increased the attack surface and are an easy target for intrusions. IoT devices often have security weaknesses and contain vulnerabilities that can be targeted to breach corporate networks and disrupt operations, most commonly using malware families such as Mirai, Mozi, and Gafgyt for botnet expansion and malicious payload delivery.

The interconnectedness of critical infrastructure sectors such as energy and healthcare, combined with the critical role these sectors play in daily life and national security, makes them attractive targets for sophisticated cyber campaigns. In these sectors, there is low tolerance of downtime, and in healthcare, attackers can access valuable and highly sensitive healthcare data. Attackers are targeting these sectors with sophisticated attacks designed to maximize impact and financial gain.

Zscaler predicts that the coming year will see a continued increase in AI-driven exploits, including hyper-targeted phishing campaigns. AI-driven threats can be difficult to identify, and call for AI-driven defenses. IoT and OT ransomware attacks are likely to continue to increase, especially in industries such as manufacturing, energy, and healthcare.

Zscaler warns that attackers are likely to increasingly target mobile applications as supply chain attack vectors, especially third-party mobile app development pipelines, to inject malicious code into widely trusted apps, which will require continuous analysis of app permissions and behavior. Industries such as healthcare that have seen a massive increase in attacks will need to ensure that they have a robust mobile device security strategy.

One of the most important defenses against increasingly sophisticated threats is the implementation of zero-trust architectures, and Zscaler says it is especially important to implement zero-trust frameworks for internet-facing devices such as routers and other edge devices.


Cybersecurity Should Be Viewed as a Strategic Enabler of the Business

The US Healthcare Cyber Resilience Survey from EY and KLAS Research has revealed that more than 7 out of 10 healthcare organizations have experienced significant business disruption due to cyberattacks in the past two years.

The survey was conducted on 100 healthcare executives responsible for cybersecurity decisions within their organization. On average, organizations experienced five different cyber threats in the past year, the most common of which was phishing, experienced by 77% of organizations. The next most commonly encountered threats were third-party breaches (74%), malware (62%), data breaches (47%), and ransomware (45%). Only 3% of respondents reported not experiencing any cyber threats in the past year.

These cyber incidents are having a considerable impact on patient care and business operations. 72% of respondents reported that their organization experienced a moderate to severe financial impact due to cyberattacks in the past two years, 60% reported a moderate to severe operational impact, and 59% reported a moderate to severe clinical impact.

In healthcare, cybersecurity is often viewed as a set of defensive measures to protect against cyber threats and ensure compliance, but cybersecurity should be elevated to an organizational priority. Cyberattacks have a significant impact on patient care and business operations, damaging the organization’s reputation and affecting its bottom line. Healthcare organizations that make cybersecurity an organizational priority find that it creates value and helps them deliver better outcomes.

Cybersecurity investment should be aligned with outcomes such as reduced downtime, improved patient safety, and financial stability, and the survey suggests that CISOs are getting better at communicating this to the C-suite. When the cost of cybersecurity investment is compared to the cost of an outage on patient care and revenue, funds are often provided. The survey suggests that the main challenge is not getting the company to invest in cybersecurity, but to sustain the financial commitment over time, especially when budgets tighten or priorities shift. It can be especially hard to maintain that commitment when, after investing in cybersecurity, the organization continues to experience moderate to severe cyber events.

“Cyber needs to be a shared responsibility across the organization and the health ecosystem,” explained EY and KLAS in the report. “In a time of tight budgets, cutting cyber investments can leave health organizations more vulnerable and ultimately lead to higher costs. Health executives must pivot from viewing cyber as a cost center to a strategic enabler of the business.”

The problem faced by many organizations is competing organizational priorities and tight budgets, which were cited as a problem by two-thirds of respondents. Other challenges affecting healthcare organizations include a rapidly changing threat landscape, AI-driven threats, third-party risk management, and the difficulty of recruiting and retaining cybersecurity talent.

One of the main takeaways from the report is the importance of viewing cybersecurity as more than a set of technical and administrative safeguards to achieve compliance. Cybersecurity needs to be viewed as a value creator that is as critical to the success of other business needs, be that improved patient outcomes, geographical expansion, or smart care models. “When cyber is integrated into care delivery and operational and business strategy, it becomes more than compliance. It serves as a catalyst for trust, transformation, long-term resilience, and care delivery that is future-proof,” suggest EY and KLAS.


CISA, NSA Issue Guidance on Hardening Microsoft Exchange Server Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued new guidance for organizations to help them secure their on-premises Microsoft Exchange servers. The guidance document builds on the advice issued in August 2025 on mitigating a high-severity vulnerability in Microsoft Exchange Server – CVE-2025-53786 – that posed a significant risk to organizations with Microsoft Exchange hybrid-joined configurations.

The flaw could be exploited by an unauthenticated attacker to move laterally from an on-premises Exchange server to their Microsoft 365 cloud environment. While the vulnerability could only be exploited if an attacker first gained administrative access to the on-premises Exchange server, CISA was particularly concerned about how easy it was to escalate privileges and gain control of parts of the victim’s Microsoft 365 environment.

Cyber actors have been targeting on-premises Exchange servers in hybrid environments, and CISA is concerned about organizations using misconfigured or unprotected Microsoft Exchange servers, especially Exchange Server versions that have reached end-of-life. In such cases, there is a high risk of compromise. The guidance – Microsoft Exchange Server Security Best Practices – was developed by CISA and the NSA, with assistance provided by the Australian Cyber Security Centre and the Canadian Centre for Cyber Security (Cyber Centre). The document details proactive prevention measures and techniques for combating cyber threats and protecting sensitive data and communications.

“With the threat to Exchange servers remaining persistent, enforcing a prevention posture and adhering to these best practices is crucial for safeguarding our critical communication systems,” said Nick Andersen, Executive Assistant Director for the Cybersecurity Division (CSD) at CISA. “This guidance empowers organizations to proactively mitigate threats, protect enterprise assets, and ensure the resilience of their operations.”

The authoring agencies stress that the most effective defense against Microsoft Exchange threats is ensuring that Exchange is updated to the latest version and Cumulative Update (CU). If an unsupported version is still in use, it should be updated to a supported version. The only supported version for on-premises Exchange is Microsoft Exchange Server Subscription Edition (SE), as support ended for previous versions on October 14, 2025. Organizations should also ensure that Microsoft’s Emergency Mitigation Service is turned on, as it will automatically apply defensive rules, disable legacy protocols, and block specific patterns of malicious HTTP requests.

Organizations should maintain a regular patching cadence, applying the monthly security updates and hotfixes promptly, as well as the two CUs per year. CISA warns that threat actors usually develop exploits for Exchange vulnerabilities within a few days of patches being released. If immediate patching is not possible, organizations should implement Microsoft’s interim mitigations.

CISA recommends that organizations enforce a prevention posture to address Exchange threats. The guidance serves as a blueprint for strengthening security, and covers hardening authentication and access controls, enforcing strong encryption, implementing multifactor authentication, enforcing strict transport security configurations, adopting zero-trust security principles, and minimizing application attack surfaces. The guidance is focused on securing on-premises Exchange servers. Organizations with Exchange servers in hybrid environments should follow the advice in CISA’s August 2025 Emergency Directive.


Vulnerabilities Identified in Vertikal Systems Hospital Information Management Solution

Vulnerabilities have been identified in the Hospital Manager Backend Services, a hospital information management system from Vertikal Systems. One of the vulnerabilities is a high-severity flaw that can be remotely exploited in a low complexity attack to gain access to and disclose sensitive information.

The vulnerabilities affect Hospital Manager Backend Services prior to September 19, 2025. The vulnerabilities have been fixed in the September 19, 2025, release and future releases. Users should ensure that their product is up to date and should contact Vertikal Systems for assistance with fixing the flaws.

The most serious vulnerability is tracked as CVE-2025-54459 and has been assigned a CVSS v4 base score of 8.7 (CVSS v3.1 base score 7.5). The flaw is due to the product exposing sensitive information to an unauthorized control sphere. Hospital Manager Backend Services exposed the ASP.NET tracing endpoint /trace.axd without authentication, which means a remote attacker can obtain live request traces and sensitive information such as request metadata, session identifiers, authorization headers, server variables, and internal file paths.

The second flaw is tracked as CVE-2025-61959 and is a medium-severity vulnerability with a CVSS v4 base score of 6.9 (CVSS v3.1 base score: 5.3), due to the generation of error messages containing sensitive information. Hospital Manager Backend Services returned verbose ASP.NET error pages for invalid WebResource.axd requests, disclosing framework and ASP.NET version information, stack traces, internal paths, and the insecure configuration `customErrors mode="Off"`, which could have facilitated reconnaissance by unauthenticated attackers.
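Both flaws come down to ASP.NET diagnostics being served to remote, unauthenticated clients. The following added example (not code from the advisory or from Vertikal Systems) audits a web.config for the settings behind each pattern; the two configurations are constructed samples, with the first showing the weak settings and the second the hardened equivalents.

```python
# Added example: audit an ASP.NET web.config for diagnostics exposed to remote clients.
# The config strings below are constructed samples, not the product's real configuration.
import xml.etree.ElementTree as ET

WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" />
    <trace enabled="true" localOnly="false" />
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" />
    <trace enabled="false" localOnly="true" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>"""


def audit_web_config(xml_text):
    """Return a list of findings for settings that leak diagnostics to remote clients.

    Defaults follow ASP.NET: trace disabled and localOnly, customErrors RemoteOnly,
    debug off, version header on."""
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")
    findings = []
    if system_web is None:
        return findings

    def attr(tag, name, default):
        element = system_web.find(tag)
        value = element.get(name, default) if element is not None else default
        return value.lower()

    # /trace.axd answers remote clients only when tracing is on and localOnly is off.
    if attr("trace", "enabled", "false") == "true" and attr("trace", "localOnly", "true") == "false":
        findings.append("trace.axd reachable remotely (CVE-2025-54459 pattern)")
    # customErrors Off returns stack traces, versions and internal paths to any client.
    if attr("customErrors", "mode", "remoteonly") == "off":
        findings.append("customErrors mode=Off returns verbose error pages (CVE-2025-61959 pattern)")
    if attr("compilation", "debug", "false") == "true":
        findings.append("compilation debug=true enriches stack traces")
    if attr("httpRuntime", "enableVersionHeader", "true") == "true":
        findings.append("X-AspNet-Version header reveals framework version")
    return findings
```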

The vulnerabilities were identified by Pundhapat Sichamnong of Vantage Point Security, who reported the flaws to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). In addition to using the latest version, it is recommended not to expose the product to the internet, to locate it behind a firewall, and if remote access is required, to use a secure method of access, such as a Virtual Private Network (VPN), ensuring the VPN is running the latest version of the software.


Only 23% of Ransomware Victims Pay the Ransom

The ransomware remediation firm Coveware has reported a growing divide in the ransomware landscape, with larger enterprises facing increasingly targeted, high-cost attacks, whereas attacks on mid-market companies continue to be conducted in volume. Ransomware groups conducting high-volume attacks appear to have found a sweet spot: although the ransom payments they receive are much lower, the attacks are easier to conduct and a higher percentage of victims pay. Attacks on larger companies require more effort but are far more lucrative when a ransom is paid. Coveware reports that larger organizations are increasingly refusing to pay, having realized that payment offers few benefits, but warns that targeted attacks are likely to increase as ransom payments fall.

Across the board, there has been a sharp fall in both the average and median ransom payments from a 6-year high in Q2, 2025, to the lowest level since Q1, 2023. In Q3, 2025, the average ransom payment fell by 66% to $376,941, with the median ransom payment down 65% to $140,000. In Q1, 2019, 85% of victims of ransomware attacks chose to pay the ransom, compared to a historic low of 23% in Q3, 2025.

When cybercriminals started conducting ransomware attacks, the focus was on file encryption, whereas double extortion tactics are now the norm, with data stolen prior to file encryption. While data can often be recovered from backups, the threat of publication of the data is often enough to see the ransom paid, in an effort to minimize reputation damage from an attack. According to Coveware, 76% of all attacks in Q3, 2025, involved data theft. There has been a growing trend of data theft-focused attacks, with some groups abandoning data encryption altogether. While extortion-only attacks are generally faster and stealthier, Coveware reports that data exfiltration attacks without encryption only have a ransom payment rate of 19% – a record low. That suggests that victims do not believe paying the ransom will result in their data being deleted.

The most common attack vectors frequently change. Phishing and social engineering were the most common method of initial access in Q3, 2024, whereas in Q3, 2025, there was a sharp increase in remote access compromise, with phishing/social engineering dropping to around 18% of attacks, almost on a par with the exploitation of software vulnerabilities. Remote access compromise was behind almost 50% of attacks in Q3. Coveware reports that the distinction between different intrusion types, such as remote access compromise and social engineering, is becoming increasingly blurred. For example, attacks impersonating SaaS support teams or abusing helpdesk processes trick individuals into providing remote access. “The modern intrusion no longer begins with a simple phishing email or an unpatched VPN. It starts with a convergence of identity, trust, and access across both people and platforms,” explained Coveware.

The two most active ransomware groups in Q3 – Akira (34%) and Qilin (10%) – are both focused on high-volume attacks that yield relatively low rewards. While a logical response to fewer victims paying a ransom is to conduct even more attacks, Coveware believes it is more likely to trigger more targeted attacks on companies that have the means to pay large ransoms. As security postures have improved, attacks are becoming harder to pull off. One potential consequence is that attackers will focus once again on targeting employees to trick them into providing access, as well as recruiting insiders. Coveware has identified several attacks where employees have been bribed into providing remote access. In one case, the Medusa ransomware group attempted to recruit an employee of a large organization. Medusa promised to pay the employee 15% of any ransom generated if network access through the employee’s computer was provided.

While healthcare remains a lucrative target for ransomware groups, only 9.7% of attacks involving Coveware’s services affected healthcare organizations, putting the industry in joint second place with software services. Professional services was the most commonly attacked sector in Q3, accounting for 17.5% of attacks.


State Medicaid Agencies Need to Improve Security Controls for MMIS and E&E Systems

Penetration tests conducted on ten State Medicaid Management Information Systems (MMIS) and Eligibility & Enrollment (E&E) systems have revealed they contain vulnerabilities that could potentially be exploited in sophisticated cyberattacks. The penetration tests were conducted on behalf of the Department of Health and Human Services’ Office of Inspector General (HHS-OIG) by a third-party penetration testing company between 2020 and 2022 to determine the effectiveness of information technology system controls in preventing attacks on web-facing MMIS and E&E systems.

The penetration tests were conducted in response to an increase in cyberattacks targeting MMIS and E&E systems. These systems are attractive targets as they contain significant amounts of valuable and sensitive data. HHS-OIG has observed an increase in multiple threat types targeting these systems, including ransomware attacks, phishing, and denial-of-service attacks. Between 2012 and 2023, at least six U.S. states have experienced cyberattacks that resulted in access being gained to significant amounts of Medicaid data, including an attack in Texas in 2021 that affected approximately 1.8 million individuals, a data breach in Utah that affected 780,000 Medicaid recipients, and a data breach in South Carolina that affected 228,000 Medicaid recipients.

The penetration tests simulated cyberattacks. While the security controls were found to be generally effective at blocking unsophisticated or limited cyberattacks, improvements are required to prevent more sophisticated attacks and persistent threats. The cybersecurity controls implemented by the nine states – Alabama, Illinois, Maryland, Massachusetts, Michigan, Minnesota, South Carolina, South Dakota, Utah – and Puerto Rico responded to and blocked some of the HHS-OIG’s simulated cyberattacks, but not others. Simulated phishing attempts were also conducted on a selection of employees to determine whether they had received adequate security awareness training.

The most common NIST security controls that were identified as ineffective in most of the audited states were website transmission confidentiality and integrity controls; flaw remediation controls to properly identify, report, and correct software flaws; information input validation controls to verify the validity or properly sanitize the information system input for public-facing systems; and error handling controls to prevent disclosure of information.

The common causes were developers and contractors that were unaware of government standards or industry best practices; the failure to securely configure systems and patch flaws in a timely manner; the failure to assess all components in MMIS and E&E systems (e.g., third-party plug-ins and libraries); ineffective procedures for testing security controls; and delays in detecting, reporting, and fixing flaws in systems.

HHS-OIG made 27 recommendations to the nine states and Puerto Rico for improving security controls, policies, and procedures. The most common recommendations included: patching outdated servers; improving input sanitization on web servers; enhancing vulnerability detection tools; conducting periodic evaluations of the effectiveness of security controls; updating cryptographic settings; improving vulnerability management strategies; and ensuring server configurations support secure protocols.
