Ransomware Attacks Increase 123% in 2 Years with 52 New Groups Emerging in 2024

Posted by Steve Alder

New research from Black Kite has shed light on the changing ransomware ecosystem. Over the past year, there has been a marked shift from large ransomware syndicates conducting the bulk of attacks to an increasingly fragmented ransomware ecosystem with a growing number of smaller groups and lone actors.

The report is based on data collected by the Black Kite Research & Intelligence Team (BRITE) between April 2024 and March 2025, including victim analysis, dark web intelligence gathering, and continuous monitoring of ransomware operations. Out of the 150 ransomware groups tracked by BRITE, 96 were considered active, having conducted at least one attack in the past 12 months, a sizeable increase from the 61 active ransomware groups in April 2023. Out of the 96 active ransomware groups, 52 are entirely new groups that emerged in the past 12 months. Over that period, there was a 24% year-over-year increase in the number of publicly disclosed ransomware victims (6,046), which follows an 81% increase over the preceding year, amounting to a 123% increase in disclosed ransomware victims in the past two years.

When the ransomware ecosystem was dominated by large ransomware syndicates such as LockBit and ALPHV/BlackCat, there was a degree of predictability to the attacks, but the power vacuum left by the law enforcement operations against LockBit and the shutdown of ALPHV has led to the creation of many smaller groups, with some of the more experienced actors branching out on their own. With so many new groups, the ransomware ecosystem has become more chaotic, with less sophisticated attacks being conducted in greater volume. BRITE reports that these smaller groups tend to lack the infrastructure, discipline, and credibility of their predecessors, and this shift has resulted in an increase in attack volume, a fall in coordination, and growing unpredictability in how, where, and why attacks unfold.

One trend that has emerged is a shift from attacks on larger companies with deeper pockets to attacks on small to medium-sized businesses (SMBs), which tend to have poorer defenses, smaller cybersecurity teams, and carry a lower risk of retaliation from law enforcement. The potential rewards from conducting the attacks are lower, with BRITE reporting a 35% reduction in ransom payment values in the past 12 months; however, the overall impact of ransomware attacks has widened. In 2024, the average ransom demand was $4,24 million, the median ransom payment was $2 million, and the average ransom payment was $553,959. SMBs with between $4 and $8 million appear to be the sweet spot in terms of ease of conducting attacks and ransom payment value.

In terms of targets, ransomware groups tend to conduct strategic attacks with the top three targets unchanged year-over-year. Manufacturing was the most targeted sector with 1,315 victims over the past 12 months. Attacks on the sector tend to result in massive disruption to business operations, with the costs of downtime increasing the probability of ransoms being paid. Professional and technical services were the second-most targeted sector with 1,040 attacks, followed by healthcare and social assistance with 434 known attacks.

In terms of the growth of attacks on different sectors, excluding the mass exploitation of vulnerabilities by the Clop group as an outlier, wholesale trade saw the biggest growth with a 2.27% increase in attacks, with healthcare and social assistance in second with 1.44% growth. Physicians and health practitioners overtook hospitals in terms of victim count, as they tend to have far weaker security, lack dedicated security teams, and handle reasonable volumes of sensitive patient data, making them low-hanging fruit with significant extortion potential.  These smaller healthcare providers accounted for 38% of attacks, with hospitals in second spot (20%), social assistance in third (11%), and nursing and residential facilities in fourth (9%).

BRITE also reports deeper entanglement in supply chains, with ransomware groups increasingly targeting third-party vendors, as an attack on a vendor can easily allow the ransomware actor to attack and attempt extortion on dozens of downstream organizations. BRITE reports that ransomware was behind 67% of all known third-party breaches. “Incidents involving Change Healthcare, Blue Yonder, and CDK Global made clear that ransomware’s impact is no longer contained within the four walls of the initially affected organization,” explained Black Kite in the report. “When threat actors compromise a widely used vendor, the effects ripple outward, paralyzing downstream businesses in multiple sectors. In this way, ransomware is increasingly a supply chain problem, not just a cybersecurity one.”

Black Kite predicts a deepening fragmentation of the ransomware ecosystem over the coming year, an increase in double targeting of victims with different ransomware variants deployed in a short space of time, speedier attacks with reduced dwell time between initial access and ransomware deployment, and increased automation and AI-assisted reconnaissance.

The post Ransomware Attacks Increase 123% in 2 Years with 52 New Groups Emerging in 2024 appeared first on The HIPAA Journal.

Healthcare Workers Violating Patient Privacy by Uploading Sensitive Data to GenAI and Cloud Accounts

Posted by Steve Alder

Research conducted by the cybersecurity company Netskope indicates healthcare workers routinely expose sensitive data such as protected health information (PHI) by using generative AI tools such as ChatGPT and Google Gemini and by uploading data to personal cloud storage services such as Google Drive and OneDrive.

The healthcare industry has fully embraced AI tools, with almost all organizations using AI tools to some degree to improve efficiency. According to data collected by Netskope Threat Labs, 88% of healthcare organizations have integrated cloud-based genAI apps into their operations, 98% use apps that incorporate genAI features, 96% use apps that leverage user data for training, and 43% are experimenting with running genAI infrastructure locally.

As more healthcare organizations incorporate AI tools into their operations and make them available to their workforces, fewer healthcare workers are using personal AI accounts for work purposes; however, 71% of healthcare workers still use personal AI accounts, down from 87% the previous year. If genAI tools are not HIPAA-compliant and the developers will not sign business associate agreements, using those tools with PHI violates HIPAA and puts organizations at risk of regulatory penalties. Further, uploading patient data to genAI tools and cloud storage services without robust safeguards in place can erode patient trust.

“Beyond financial consequences, breaches erode patient trust and damage organizational credibility with vendors and partners,” Ray Canzanese of Netskope said. It is clear that there needs to be greater oversight of the use of AI tools, and a pressing need for authorized tools to be provided to reduce “shadow AI” risks.

According to Netskope, the mishandling of HIPAA-regulated data is the leading security concern in the healthcare sector, and PHI is the most common type of sensitive data uploaded to personal cloud apps, genAI apps, and other unapproved locations. Netskope reports that 81% of all data policy violations were for regulated healthcare data, with the remainder including source code, secrets, and intellectual property.

“Healthcare organizations must balance the benefits of genAI with the implementation of strict data governance policies to mitigate associated risks,” warns Netskope. Netskope recommends the adoption of enterprise-grade genAI applications with robust security features to ensure that sensitive and regulated data is properly protected, along with data loss prevention (DLP) tools for monitoring and controlling access to genAI tools to prevent privacy violations. Netskope says 54% of healthcare organizations now have DLP policies, up from 31% the previous year. The most commonly blocked genAI apps in healthcare are DeepAI, Tactiq, and Scite, with 44%, 40%, and 36% of healthcare organizations blocking these apps with their DLP tools due to privacy risks and there being more secure alternatives.

While genAI tools certainly have a place in healthcare and can help improve efficiency, there are significant security challenges. Netskope warns that healthcare organizations must remain vigilant, implement comprehensive security measures, and enforce data protection policies, as well as incorporate the risks into their cybersecurity awareness training.

The report also warns of the risk of malware infections via cloud apps. Threat actors are increasingly using cloud apps to deploy information stealers and ransomware, with GitHub, OneDrive, Amazon S3, and Google Drive being the most common. Rather than trying to breach networks themselves, threat actors use social engineering to trick healthcare employees into compromising their own systems with first-stage malware payloads, which give threat actors initial access to networks. Netskope recommends inspecting all HTTP and HTTPS traffic for phishing and malware, blocking apps that serve no business purpose or pose a disproportionate risk to the organization, and using remote browser isolation technology when categories of websites need to be visited that pose a higher risk, such as newly registered domains.

The post Healthcare Workers Violating Patient Privacy by Uploading Sensitive Data to GenAI and Cloud Accounts appeared first on The HIPAA Journal.

Union Health System: Almost 263,000 Individuals Affected by Oracle Health/Cerner Hack

Posted by Steve Alder

Union Health System, a Terre Haute, Indiana-based integrated health system that operates two hospitals and a medical group, has been affected by a security incident at Oracle Health/Cerner. Oracle Health recently notified healthcare providers about a security incident involving legacy Cerner servers, which had yet to be migrated to Oracle Cloud. Oracle acquired Cerner in 2022. A hacker was able to access and obtain data hosted in the Oracle Health/Cerner data migration environment, and then tried to extort the affected companies.

Oracle Health has released little information about the incident and maintains it is the responsibility of its HIPAA-covered entity clients to determine if there has been a breach that warrants notifications under the HIPAA Breach Notification Rule. Union Health said it received confirmation of the data breach from Oracle Health/Cerner on March 15, 2024. Oracle Health explained that it detected a cybersecurity incident on February 20, 2025, and its forensic investigation confirmed that the unauthorized third party’s initial access occurred on or after January 22, 2025. Union Health received a list of the affected individuals from Oracle Health/Cerner on March 22, 2025.

The compromised data included names plus Social Security numbers, dates of birth, driver’s license numbers, treating physicians’ names, dates of service, medication information, health insurance information, and diagnostic and treatment information. The breach was recently reported to the HHS’ Office for Civil Rights by Union Health as affecting 262,831 individuals.

While the data breach was confirmed by Oracle Health/Cerner in March, that was not the first time that Union Health was made aware of the data breach. An “unknown party” contacted Union Health claiming to be in possession of patient data. Union Health verified the individual’s claims on February 24, 2025, and identified the information as likely having been obtained from Oracle Health/Cerner. Union Health then proactively reached out to Oracle Health about the incident for confirmation, which was obtained on March 15, 2025. Union Health made it clear in the notification letters that the breach occurred at Oracle Health/Cerner and no Union Health systems were accessed. Union Health said it is offering the affected individuals complimentary credit monitoring services.

A lawsuit has already been filed against Union Health and Oracle Health/Cerner over the data breach. The lawsuit, Cerner Corporation d/b/a Oracle Health, Inc. and Union Health System, Inc. – was filed in the U.S. District Court for the Western District of Missouri by plaintiff Shannon Smith, who is represented by John F. Garvey of Stranch, Jennings & Garvey, PLLC.

The lawsuit claims that the defendants’ inadequate security practices violated HIPAA and allowed cybercriminals to gain access to sensitive personally identifiable information (PII) and protected health information (PHI), and that the failure amounts to negligence. The lawsuit cites eight causes of action – negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, breach of fiduciary duty, breach of confidence, and declaratory judgment.

The lawsuit also takes issue with the time taken to issue notification letters, which were not sent until 89 days after the breach occurred, keeping the affected individuals in the dark and depriving them of the opportunity to try to mitigate their injuries in a timely manner.  The lawsuit claims the data breach has placed the plaintiff and class members at a present, continuing, and significant risk of suffering identity theft. The lawsuit seeks a jury trial, compensatory, exemplary, punitive, and statutory damages, injunctive relief, attorneys’ fees, and legal costs and expenses.

This is one of two security incidents to be confirmed by Oracle in 2025. In a separate incident, a hacker obtained usernames, passkeys, and encrypted passwords of an undisclosed number of Oracle customers. “Oracle would like to state unequivocally that the Oracle Cloud – also known as Oracle Cloud Infrastructure or OCI – has not experienced a security breach. No OCI customer environment has been penetrated,” explained Oracle. “No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way.” Oracle confirmed that a hacker gained access to two obsolete servers but did not obtain any usable passwords, as the passwords were either encrypted or hashed.

The post Union Health System: Almost 263,000 Individuals Affected by Oracle Health/Cerner Hack appeared first on The HIPAA Journal.