CyberSecurity news

FlagThis - #ransomware

@kirbyidau.com //
MKA Accountants, a Victorian accounting firm, has confirmed it fell victim to a ransomware attack by the Qilin group. The incident, which occurred in May 2025, resulted in the publication of sensitive company documents on Qilin's leak site. The stolen data included internal correspondence, financial statements, and insurance information, highlighting the severity of the breach and the potential impact on the firm's operations and client relationships. This attack underscores the growing threat posed by ransomware groups to organizations of all sizes, regardless of their industry.

The Qilin ransomware group has been rapidly gaining prominence in the cybercrime landscape. As established players like RansomHub and LockBit face internal turmoil and operational setbacks, Qilin has emerged as a technically advanced and full-service cybercrime platform. Recent reports indicate that Qilin is actively recruiting affiliates, possibly absorbing talent from defunct groups, and bolstering its capabilities to conduct sophisticated ransomware attacks. This rise in prominence positions Qilin as a major player in the evolving ransomware-as-a-service (RaaS) ecosystem, posing a significant threat to businesses worldwide.

To further pressure victims into paying ransoms, Qilin now offers a "Call Lawyer" feature within its affiliate panel. This addition aims to provide affiliates with legal counsel during ransom negotiations, potentially intimidating victims and increasing the likelihood of payment. Qilin also provides other services to help affiliates maximize their success, including spam services, PB-scale data storage, a team of in-house journalists, and even the ability to conduct distributed denial-of-service (DDoS) attacks, positioning Qilin as a comprehensive cybercrime operation and increasing its market share.

Recommended read:
References :
  • kirbyidau.com: Incident: MKA Accountants confirms Qilin ransomware attack | CyberDaily.au
  • www.tripwire.com: Tripwire article on Qilin offers “Call a lawyer” button for affiliates.
  • securityaffairs.com: Qilin ransomware gang now offers a “Call Lawyer” feature to pressure victims
  • The Hacker News: Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms

Graham Cluley@Blog RSS Feed //
The Qilin ransomware group is introducing a new tactic to pressure victims into paying larger ransoms. They are now offering a "Call Lawyer" button within their affiliate panel, providing legal counsel to cybercriminals attempting to extort money. This feature aims to give affiliates an edge in ransom negotiations by providing them with on-call legal support. Qilin believes that the presence of a lawyer in communication with victims will increase the likelihood of a successful ransom payment due to the potential legal ramifications and associated costs for the victim company.

Qilin's legal assistance service offers several advantages for its affiliates, including legal assessments of stolen data, classification of legal violations, and evaluation of potential damages. It also provides guidance on how to inflict maximum economic damage on a victim company if they refuse to pay the ransom. This addition is part of Qilin's effort to position itself as a full-service cybercrime platform, offering extensive support options and robust solutions for highly targeted ransomware attacks.

This development indicates a shift in the cybercrime landscape, with ransomware groups like Qilin attempting to mimic legitimate business tactics to increase their success rates. Qilin has become a prominent player in the ransomware-as-a-service (RaaS) market, attracting affiliates from other groups and leading in the number of victims targeted in recent months. The group's mature ecosystem, advanced evasion features, and comprehensive operational features position it as a significant threat in the cybercrime world.

Recommended read:
References :
  • securityonline.info: Ransomware gang Qilin Rises Amid Collapse of Major Gangs Like RansomHub and LockBit
  • The Hacker News: Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms
  • www.tripwire.com: Qilin offers “Call a lawyer” button for affiliates attempting to extort ransoms from victims who won’t pay
  • DataBreaches.Net: Qilin Offers “Call a lawyer” Button For Affiliates Attempting To Extort Ransoms From Victims Who Won’t Pay
  • bsky.app: The Qilin ransomware-as-a-service operation is now offering their affiliates a “Call a Lawyer” button. Yes, really.
  • securityaffairs.com: Qilin ransomware gang now offers a “Call Lawyer” feature to pressure victims

Veronika Telychko@SOC Prime Blog //
Mocha Manakin, a threat actor named by Red Canary, is employing a "paste-and-run" technique to compromise systems. This method involves tricking users into executing malicious scripts via PowerShell, leading to the deployment of a custom NodeJS backdoor known as NodeInitRAT. Red Canary's report highlights that this backdoor could potentially lead to ransomware attacks. SOC Prime has also released information on detecting Mocha Manakin attacks, emphasizing the backdoor's capabilities.

Red Canary notes that the adversary uses the ClickFix technique to deliver a NodeJS-based backdoor named NodeInitRAT. Hunting for PowerShell spawning node.exe can be an effective detection method: security analysts can monitor process creation events where powershell.exe is the parent process and node.exe is the child process to identify activity potentially associated with the NodeInitRAT backdoor.

SOC Prime offers Sigma rules to detect Mocha Manakin paste-and-run attacks spreading the NodeInitRAT backdoor. Detecting this threat as early as possible is crucial, as researchers note overlaps with Interlock ransomware. These rules can help identify suspicious behavior and mitigate the risk of further compromise, including data exfiltration and ransomware deployment.

Recommended read:
References :
  • redcanary.com: Red Canary's report on Mocha Manakin details the use of NodeInitRAT and provides detection strategies.
  • SOC Prime Blog: SocPrime provides information on detecting Mocha Manakin attacks, focusing on the backdoor's capabilities and associated ransomware.
  • redcanary.com: Named by Red Canary, Mocha Manakin uses paste and run with PowerShell to drop a custom NodeJS backdoor that could lead to ransomware
  • socprime.com: Mocha Manakin Attack Detection: Hackers Spread a Custom NodeJS Backdoor Dubbed NodeInitRAT Using the Paste-and-Run Technique
  • cyberpress.org: Mocha Manakin Exploits Paste-and-Run Method to Deceive Users into Downloading Malware
  • hackread.com: New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack
  • Virus Bulletin: Red Canary researchers analyse a Mocha Manakin activity cluster that delivers NodeJS backdoor via Clickfix/fakeCAPTCHA.

@www.healthcareitnews.com //
The healthcare sector has been rocked by a recent ransomware attack on Episource, a medical coding, risk adjustment services, and software company. The breach, which occurred in February 2025, resulted in the compromise of sensitive patient health information. According to reports, unauthorized access to Episource's computer systems allowed cybercriminals to view and copy data belonging to the company's healthcare provider and health plan customers. The exposed information includes personal contact information, health insurance plan data, medical diagnoses, test results, and images, raising serious concerns about patient privacy and security.

Sharp Community Medical Group and Sharp Healthcare, Episource clients, have confirmed that patient data was compromised in the attack. While the incident did not involve unauthorized access to electronic health records or patient portals, the exposed data includes health insurance information and health data, such as medical record numbers, doctors, diagnoses, medications, test results, images, care, and treatments. Episource began notifying affected customers about which individuals and specific data may have been involved starting on April 23, 2025. Sharp Healthcare has also started sending out patient breach notifications.

This incident highlights the increasing vulnerability of healthcare organizations to ransomware attacks. Microsoft reports that 389 healthcare companies have been hit by ransomware this year alone, resulting in network shutdowns, offline systems, rescheduled appointments, and delays in critical procedures. The financial impact is significant, with healthcare organizations losing up to $900,000 per day on downtime. Experts emphasize the importance of strengthening cybersecurity measures, including employee training and awareness programs, to protect sensitive patient data and mitigate the risk of future attacks. Episource is working to strengthen its computer systems and has notified law enforcement.

Recommended read:
References :
  • www.comparitech.com: Medical software maker Episource data breach leaks thousands of patients’ private health info
  • : Episource ransomware attack leaked patient health data

Rescana@Rescana //
A new and dangerous version of the Anubis ransomware has emerged, now equipped with a data-wiping module that significantly raises the stakes for victims. The Anubis Ransomware-as-a-Service (RaaS) has been active since December 2024 and now presents a dual threat: it not only encrypts files but can also permanently destroy them. When the '/WIPEMODE' parameter is used, file contents are reduced to 0 KB while file names and extensions are preserved, so data recovery is impossible even if victims pay the ransom.

The ransomware is being delivered via phishing emails with malicious attachments or deceptive links that bypass endpoint defenses. Once inside a network, it uses privilege escalation and lateral movement to gain deeper access. The primary targets are organizations in the healthcare, hospitality, and construction sectors, with victims in Australia, Canada, Peru, and the United States. This dual-threat capability represents an evolution from traditional ransomware, exerting even more pressure on victims to comply with ransom demands.

Cybersecurity experts are urging organizations to implement robust backup and recovery procedures to mitigate the impact of Anubis attacks. Trend Micro researchers and others describe Anubis as a "rare dual-threat" that encrypts and permanently erases files. Anubis also operates a flexible affiliate program with negotiable revenue splits, offering additional monetization paths like data extortion and access sales. The discovery of this destructive behavior highlights the increasing sophistication of ransomware operations and the importance of proactive cybersecurity measures.

Recommended read:
References :
  • The Hacker News: Anubis Ransomware Encrypts and Wipes Files, Making Recovery Impossible Even After Payment
  • Davey Winder: This New Ransomware Can Irrevocably Destroy Your Files — Backup Now
  • Rescana: Anubis Ransomware Incident Analysis: Dual-Threat Cyber Attack with Irreversible File Wiping in Healthcare, Hospitality, and Construction Systems
  • securityaffairs.com: New Anubis RaaS includes a wiper module
  • DataBreaches.Net: Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper
  • Security Risk Advisors: 🚩 Anubis Ransomware Emerges with Dual Encryption and File Destruction Capabilities
  • www.trendmicro.com: Trend Micro article Anubis Ransomware Emerges with Dual Encryption and File Destruction Capabilities

@www.healthcarefinancenews.com //
Ransomware groups are continually evolving their tactics, posing an increasing threat to organizations worldwide. Recent reports highlight the exploitation of software vulnerabilities and the use of sophisticated techniques, such as abusing legitimate employee monitoring software, to breach systems. A Symantec report on a Fog ransomware attack showcased the attackers' unusual toolset, including a legitimate security product (Syteca) capable of recording on-screen activity and monitoring keystrokes, which they executed on remote systems using PsExec and SMBExec.

The Cybersecurity and Infrastructure Security Agency (CISA) issued Advisory AA25-163A, warning of ransomware actors exploiting CVE-2024-57727 in unpatched SimpleHelp Remote Monitoring and Management (RMM) software, specifically versions 5.5.7 and earlier. This vulnerability allowed attackers to compromise a utility billing software provider and initiate double-extortion attacks. Attacks against unpatched SimpleHelp deployments have been observed since January 2025, indicating a sustained and targeted effort to exploit this vulnerability.

In addition to software vulnerabilities, data breaches are also occurring through direct hacks. Zoomcar, an Indian car-sharing company, recently acknowledged a data breach affecting 8.4 million users, where hackers accessed customer names, phone numbers, car registration numbers, personal addresses, and emails. While sensitive information like passwords and financial details were reportedly not exposed, the breach raises concerns about the security of personal data stored by such platforms. Furthermore, the DragonForce group has started posting new victims to their darknet site, publicly extorting two new organizations, highlighting the continued use of double extortion tactics by ransomware groups.

Recommended read:
References :
  • cyble.com: The greatest number of ransomware attacks were directed towards the professional services and construction sectors.
  • cybersecurityventures.com: Ransomware: File Data Is Harder to Manage and Defend
  • : The attack resulted in a significant data breach at Caesars Entertainment.

Anna Ribeiro@Industrial Cyber //
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding ransomware actors exploiting unpatched instances of SimpleHelp Remote Monitoring and Management (RMM) software. These attacks target customers of utility billing software providers, leveraging a vulnerability to gain unauthorized access. According to a report by The Register, the exploitation involves CVE-2024-57727, a high-severity path traversal vulnerability affecting SimpleHelp versions 5.5.7 and earlier. The attacks, ongoing since January 2025, have led to service disruptions and double extortion incidents, where sensitive data is stolen and systems are encrypted.

CISA's advisory follows reports of the DragonForce ransomware group breaching a managed service provider (MSP) and using its SimpleHelp RMM platform to infiltrate downstream customers. Sophos attributes the breach to a string of known SimpleHelp vulnerabilities, including CVE-2024-57726 through CVE-2024-57728. Once inside, DragonForce actors conducted network reconnaissance, leading to ransomware deployment and data exfiltration. The Register reported that SimpleHelp patched the flaw in January, but many organizations have not applied the update, leaving them vulnerable to exploitation.

CISA urges organizations using SimpleHelp RMM to immediately patch their systems, conduct thorough threat hunting, and monitor network traffic for any unusual activity. This is crucial to mitigate the risk of compromise and prevent further disruptions. ConnectWise has also issued warnings, advising users of ScreenConnect and Automate to update to the latest build and validate agent updates to avoid disruptions. The attacks highlight the broader trend of ransomware actors targeting the supply chain, emphasizing the importance of proactive security measures and timely patching.
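As an added example (not code from CISA, SimpleHelp, or any of the cited articles), the check a defender would run over an asset inventory to find SimpleHelp installs in the affected range the advisory names, 5.5.7 and earlier. The inventory format and host names are constructed for illustration. Versions are compared numerically, because a plain string comparison puts 5.5.10 before 5.5.7 and would miss or misreport installs.

```python
"""Inventory triage for CVE-2024-57727 (SimpleHelp RMM, versions 5.5.7 and
earlier, per CISA AA25-163A as quoted in the digest).

Versions are parsed into integer tuples so that 5.5.10 sorts after 5.5.7;
comparing version strings lexically gets that wrong ("1" < "7").
"""
import re

# Upper bound of the affected range stated in the advisory text above.
MAX_AFFECTED = (5, 5, 7)


def parse_version(text: str) -> tuple:
    """Turn '5.5.7' (also 'v5.5.7' or '5.5.7-beta') into a tuple of ints.

    Raises ValueError when the string has no leading numeric component.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the version is 5.5.7 or earlier (tuple comparison, not string)."""
    return parse_version(version) <= MAX_AFFECTED


def triage(inventory_csv: str) -> list:
    """Parse 'host,product,version' rows and return (host, version, status)
    for every SimpleHelp entry. Other products and the header row are skipped.

    'not in affected range' means only that the version is outside the range
    the advisory lists; confirm patch status against the vendor's own notice.
    """
    results = []
    for line in inventory_csv.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or fields[0].lower() == "host":
            continue  # malformed row or the CSV header
        host, product, version = fields
        if product.lower() != "simplehelp":
            continue
        status = "affected" if is_affected(version) else "not in affected range"
        results.append((host, version, status))
    return results


# Constructed sample inventory (hypothetical hosts; not real data).
SAMPLE_INVENTORY = """\
host,product,version
rmm-01,SimpleHelp,5.5.7
rmm-02,SimpleHelp,5.5.10
rmm-03,SimpleHelp,5.4.12
fileserver,Windows Server,2022
"""

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {version:8} {status}")
```

Feed it the export from whatever asset or software inventory you keep; the only fields it needs are host, product and version. Hosts flagged "affected" are the ones CISA's advice applies to: patch, then hunt for signs of prior compromise rather than assuming the update alone closed the window.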

Recommended read:
References :
  • seceon.com: In a recent report by BleepingComputer, DragonForce—a rapidly rising ransomware group—breached a managed service provider (MSP) and leveraged its SimpleHelp remote monitoring and management (RMM) platform to infiltrate downstream customers.
  • go.theregister.com: The Register reports Ransomware scum disrupted utility services with SimpleHelp attacks
  • The Register: Ransomware scum disrupted utility services with SimpleHelp attacks
  • The Register - Security: Ransomware scum disrupted utility services with SimpleHelp attacks
  • arcticwolf.com: Arctic Wolf Observes Campaign Exploiting SimpleHelp RMM Software for Initial Access
  • health-isac.org: Threat Bulletin: SimpleHelp RMM Software Leveraged in Exploitation Attempt to Breach Networks
  • ciso2ciso.com: Ransomware Gang Exploits SimpleHelp RMM to Compromise Utility Billing Firm – Source: www.infosecurity-magazine.com
  • Industrial Cyber: CISA flags exploitation of SimpleHelp RMM vulnerability in ransomware attacks since January
  • Daily CyberSecurity: Urgent CISA Alert: Ransomware Actors Exploiting SimpleHelp RMM Flaw (CVE-2024-57727)
  • thehackernews.com: Ransomware Actors Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion
  • www.cybersecuritydive.com: CISA warns of supply chain risks as ransomware attacks exploit SimpleHelp flaws
  • Resources-2: Ransomware Actors Exploit CVE-2024-57727 in Unpatched SimpleHelp RMM
  • www.scworld.com: CISA: Utility billing provider customers compromised via SimpleHelp exploit
  • Tech Monitor: CISA warns of ransomware exploiting unpatched SimpleHelp RMM vulnerabilities, targeting a utility billing software firm's customers since January.
  • SOC Prime Blog: Detect SimpleHelp RMM Vulnerability Exploitation: CISA Warns of Threat Actors Abusing Unpatched Flaws for Persistent Access and Ransomware Deployment
  • industrialcyber.co: CISA flags exploitation of SimpleHelp RMM vulnerability in ransomware attacks since January
  • socprime.com: Detect SimpleHelp RMM Vulnerability Exploitation: CISA Warns of Threat Actors Abusing Unpatched Flaws for Persistent Access and Ransomware Deployment
  • www.cybersecuritydive.com: CISA warns of supply chain risks as ransomware attacks exploit SimpleHelp flaws
  • www.threatdown.com: CISA has issued a warning about the exploitation SimpleHelp RMM software by ransomware groups.

Threat Hunter@Broadcom Software Blogs //
The Fog ransomware gang is employing increasingly sophisticated tactics, including the use of legitimate employee monitoring software in their attacks. A recent Symantec report reveals that Fog leveraged Syteca, a security solution designed for on-screen activity recording and keystroke monitoring, alongside open-source pen-testing tools. This unusual approach was observed during a May 2025 attack on a financial institution in Asia, marking a significant shift in the gang's methods. The threat actors even utilized PsExec and SMBExec to execute the Syteca client on remote systems, highlighting their advanced understanding of system administration tools.

Researchers noted that the use of legitimate software like Syteca makes detection more challenging. However, specific event types, such as process creation events with "syteca" as the process file product name, can be used for threat hunting. The attackers also deployed several open-source pentesting tools, including GC2, Adaptix, and Stowaway, which are not commonly used during ransomware attacks. This combination of legitimate and malicious tools allows the attackers to blend in with normal network activity, making their actions harder to detect.

This incident indicates a multi-stage attack where the threat actors were present on the target's network for approximately two weeks before deploying the ransomware. What is also unusual is that after the initial ransomware deployment, the attackers established a service to maintain persistence on the network. This behavior contrasts with typical ransomware attacks, where malicious activity ceases after data exfiltration and ransomware deployment. The shift suggests a desire to maintain long-term access to the compromised network. The initial infection vector is unknown, but two of the infected machines were Exchange Servers.
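The two hunting ideas in this digest, PowerShell spawning node.exe (the Mocha Manakin / NodeInitRAT item above) and a process whose file product name contains "syteca" (the Fog attack just described), as one added example in Python. This is not Red Canary's, SOC Prime's or Symantec's code: the event schema, the Sigma text and the sample events are constructed for illustration, and treating a PSEXESVC.exe or services.exe parent as a "remote service launch" context is an assumption of this example, not something the reports state.

```python
"""Process-creation hunting for two behaviours described in the digest.

Rule 1: powershell.exe (or pwsh.exe) as parent and node.exe as child
        (Mocha Manakin paste-and-run delivering NodeInitRAT).
Rule 2: a process whose PE product name contains "syteca"
        (Fog ransomware abusing an employee-monitoring tool), with an extra
        tag when the launch context looks like PsExec / service execution.

The event schema and sample events are constructed for this example; map the
fields onto your own telemetry (e.g. Sysmon Event ID 1: Image, ParentImage,
CommandLine, Product).
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str           # path of the newly created process
    parent_image: str    # path of the parent process
    command_line: str
    product: str = ""    # "Product" string from the PE version resource, if any


def _name(path: str) -> str:
    """Case-insensitive file name from a Windows path."""
    return ntpath.basename(path).lower()


def is_powershell_spawning_node(ev: ProcessEvent) -> bool:
    """Rule 1: PowerShell directly launching node.exe."""
    return (_name(ev.parent_image) in {"powershell.exe", "pwsh.exe"}
            and _name(ev.image) == "node.exe")


def is_syteca_process(ev: ProcessEvent) -> bool:
    """Rule 2: the binary's product name identifies Syteca."""
    return "syteca" in ev.product.lower()


def launched_by_remote_service(ev: ProcessEvent) -> bool:
    """Assumed launch context for PsExec-style remote execution: the parent is
    PsExec's service binary (PSEXESVC.exe) or the Service Control Manager
    (services.exe), which is how service-based remote execution starts a
    payload. Treat as context, not proof."""
    return _name(ev.parent_image) in {"psexesvc.exe", "services.exe"}


# Sigma-style expression of Rule 1, written for this example (it is not
# SOC Prime's published rule), so the same logic can be loaded into a SIEM.
SIGMA_RULE_1 = """
title: PowerShell Spawning Node.js
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\\\\powershell.exe'
      - '\\\\pwsh.exe'
    Image|endswith: '\\\\node.exe'
  condition: selection
level: high
"""


def hunt(events) -> list:
    """Return (rule, host, image) hits in event order."""
    hits = []
    for ev in events:
        if is_powershell_spawning_node(ev):
            hits.append(("powershell_spawns_node", ev.host, ev.image))
        if is_syteca_process(ev):
            rule = ("syteca_via_remote_service" if launched_by_remote_service(ev)
                    else "syteca_process")
            hits.append((rule, ev.host, ev.image))
    return hits


# Constructed sample telemetry (hypothetical hosts and paths, not incident data).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Users\a\AppData\Local\Temp\node.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"node.exe C:\Users\a\AppData\Local\Temp\init.js", "Node.js"),
    ProcessEvent("ws02", r"C:\Program Files\nodejs\node.exe",          # benign: IDE child
                 r"C:\Users\b\AppData\Local\Programs\Microsoft VS Code\Code.exe",
                 "node.exe server.js", "Node.js"),
    ProcessEvent("srv01", r"C:\Windows\Temp\agent.exe", r"C:\Windows\PSEXESVC.exe",
                 "agent.exe /install", "Syteca Client"),
    ProcessEvent("ws03", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\explorer.exe", "chrome.exe", "Google Chrome"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Rule 1 will also fire on developers who run Node from a PowerShell prompt, so expect to tune by image path (a node.exe under a user's Temp directory, as in the first sample event, is far more interesting than one under Program Files). Rule 2 is a whitelist question: if Syteca is not a sanctioned product in your estate, any hit is worth a look, and a hit launched through a PsExec service deserves an immediate one.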

Recommended read:
References :
  • @VMblog: Specific details about the unconventional toolset used in the attack and the potential motives behind it.
  • BleepingComputer: Fog ransomware attack uses unusual mix of legitimate and open-source tools
  • SecureWorld News: Fog Ransomware Exploits Legitimate Monitoring Software in Sophisticated Attacks
  • Broadcom Software Blogs: Fog Ransomware: Unusual Toolset Used in Recent Attack
  • www.csoonline.com: multiple legitimate, unusual tools were used in a Fog ransomware attack, including one employed by Chinese hacking group APT41.
  • Know Your Adversary: Threat actors are always adding new tools to their arsenal. This Symantec report on Fog Ransomware proves it one more time. Among other uncommon tools, the adversary leveraged Syteca - a legitimate security solution, which enables recording on-screen activity, keystroke monitoring, etc.
  • www.scworld.com: Fog ransomware uses legit monitoring software, open-source tools
  • securityonline.info: SecurityOnline: Ransomware or Espionage? Fog Ransomware Attack in Asia Raises Suspicion with Rare Toolset
  • www.techradar.com: Fog ransomware attacks use employee monitoring tool to break into business networks
  • securityonline.info: Ransomware or Espionage? Fog Ransomware Attack in Asia Raises Suspicion with Rare Toolset
  • www.sentinelone.com: Interpol disrupts major infostealer operation, Fog ransomware abuses pentesting tools, and zero-click AI flaw in MS 365 Copilot exposes data.
  • ciso2ciso.com: Unusual toolset used in recent Fog Ransomware attack – Source: securityaffairs.com
  • Jon Greig: A cyberattack on a financial institution in Asia last month featuring the Fog ransomware caused concern because the attackers tried to maintain access after the incident and used employee monitoring tools during the attack
  • therecord.media: A cyberattack on a financial institution in Asia last month featuring the Fog ransomware caused concern because the attackers tried to maintain access after the incident and used employee monitoring tools during the attack
  • aboutdfir.com: Fog ransomware attacks use employee monitoring tool to break into business networks. Fog ransomware operators have expanded their arsenal to include legitimate and open source tools.
  • securityaffairs.com: Unusual toolset used in recent Fog Ransomware attack

Tyler McGraw@Rapid7 Cybersecurity Blog //
The BlackSuit ransomware group is continuing its campaign of social engineering attacks, a tactic that cybersecurity experts believe they adopted from the Black Basta ransomware group. This shift in tactics comes after Rapid7 observed a significant decrease in social engineering attacks attributed to Black Basta since late December 2024, possibly indicating a change in Black Basta's operations due to internal conflicts or other factors. BlackSuit's persistence in employing social engineering highlights the ongoing threat landscape where ransomware groups readily adapt and evolve their methods to maximize their success in breaching target networks.

The social engineering tactics employed by BlackSuit echo those previously used by Black Basta, including email bombing and Microsoft Teams phishing. According to a report from ReliaQuest in June 2025, attackers have recently begun incorporating Python scripts alongside these techniques, utilizing cURL requests to retrieve and deploy malicious payloads. This demonstrates an increasing sophistication in their approach, aimed at establishing persistent access to targeted systems and evading traditional security measures. These attacks often masquerade as legitimate communications, such as help desk personnel, to trick unsuspecting users into divulging sensitive information or executing malicious code.

ReliaQuest's findings reveal that a substantial portion of Teams phishing attacks originated from onmicrosoft[.]com domains or breached domains, making it difficult to distinguish malicious traffic from legitimate network activity. The affected sectors include finance, insurance, and construction. This transition towards more sophisticated and stealthy methods poses a significant challenge to organizations, as they must enhance their detection capabilities to identify and mitigate these evolving threats effectively.

Recommended read:
References :
  • Rapid7 Cybersecurity Blog: BlackSuit Continues Social Engineering Attacks in Wake of Black Basta’s Internal Conflict
  • BlackFog: BlackSuit Ransomware: How It Works and Who’s Behind It

@cyberpress.org //
Marks & Spencer (M&S), the prominent retail giant, was recently hit by a significant ransomware attack over the Easter period. The cyberattack, orchestrated by the DragonForce hacker group, disrupted crucial business functions, including online ordering and staff clocking systems. The attackers employed "double extortion" tactics, indicating that they stole sensitive data before encrypting the company's servers. This aggressive move puts M&S at risk of both data loss and public exposure.

An exclusive report reveals that the CEO of M&S received an offensive extortion email detailing the timeline and nature of the attack. The email, reportedly filled with abusive language, claimed that DragonForce had "mercilessly raped" the company and encrypted its servers. In response to the attack, M&S took drastic measures by switching off the VPN used by staff for remote work, which successfully contained the spread of the ransomware, but further disrupted business operations. The financial impact of this cyber incident has been substantial, with reports indicating losses of approximately £40 million per week in sales.

DragonForce, the ransomware group behind the attack, has reportedly compromised over 120 victims in the past year, establishing itself as a major player in the cybercrime landscape. The group has evolved from a Ransomware-as-a-Service (RaaS) model to a fully-fledged ransomware cartel, targeting organizations across various sectors, including manufacturing, healthcare, and retail. While the origins of DragonForce are speculative, technical indicators suggest a Russian alignment, including the use of Russian-linked infrastructure and recruitment efforts through Russian-speaking cybercrime forums. M&S has pointed to "human error" as the cause of the breach, with scrutiny falling on an employee of Tata Consultancy Services (TCS), which provides IT services to the retailer, although M&S has officially disputed claims that it didn't have proper plans to handle a ransomware incident.

Recommended read:
References :
  • www.bitdefender.com: Marks & Spencer’s ransomware nightmare – more details emerge
  • bsky.app: EXCLUSIVE: "We have mercilessly raped your company and encrypted all the servers" - the aggressive extortion email sent to the CEO of M&S has been revealed. The offensive blackmail note reveals lots of things about the nature of the attack, the timeline and the hackers
  • cyberpress.org: Reports over 120 victims have been compromised in the last year.
  • The Register - Security: M&S online ordering system operational 46 days after cyber shutdown
  • www.techradar.com: M&S online orders are back following cyberattack - here's what you need to know
  • www.cybersecuritydive.com: Marks & Spencer restores some online-order operations following cyberattack
  • www.techdigest.tv: M&S resumes online orders weeks after cyber attack
  • www.tripwire.com: Report on DragonForce's email to M&S CEO about taking responsibility for the attack.
  • bsky.app: DragonForce has started posting new victims to its darknet site. Two new orgs now being publicly extorted. Nothing yet on Co-op/M&S/ Harrods.
  • www.infosecworrier.dk: Details regarding the significant data breach and the ransomware attack targeting Marks & Spencer.

Sam Silverstein@cybersecuritydive.com //
United Natural Foods (UNFI), a major grocery distributor serving over 30,000 stores across North America including Whole Foods Market, is grappling with disruptions to customer orders following a recent cyberattack. The company, which acts as the "primary distributor" for Whole Foods, detected unauthorized activity on its IT systems on June 5th. In response, UNFI initiated its incident response plan, proactively taking certain systems offline to contain the breach. The incident has already caused temporary disruptions to business operations, and the company anticipates these disruptions will continue as they work to restore their systems.

UNFI has engaged third-party cybersecurity professionals and notified law enforcement as part of its efforts to assess, mitigate, and remediate the incident. The company is implementing workarounds to continue servicing customers where possible. Kristen Jimenez, a UNFI spokesperson, declined to comment on the nature of the cyberattack or whether any ransom demands have been made. UNFI is one of the largest grocery distributors in North America, supplying fresh produce, goods, and food products to a vast network of retailers, including major chains like Amazon, Target, and Walmart. In its most recent financial report, UNFI reported $8.2 billion in net sales.

This cyberattack on UNFI highlights the increasing vulnerability of the food supply chain to malicious actors. The incident follows a series of recent cyberattacks affecting the wider retail and grocery sector. UNFI did not say when it expects to recover its systems but assured customers, suppliers and associates that it was working to minimize disruption as much as possible. The company's agreement to be the primary distributor for Whole Foods has been extended to May 2032.

Recommended read:
References :
  • Zack Whittaker: New: United Natural Foods (UNFI), a major grocery distributor to stores across North America and the "primary distributor" to Whole Foods, was hit by a cyberattack and is warning of ongoing disruption to customer orders. A UNFI spox. wouldn't say if the company has received any demands from the hacker.
  • techcrunch.com: UNFI, a grocery distributor for Whole Foods and others, warned of disruptions to customer orders after a cyberattack.
  • cyberinsider.com: United Natural Foods, Inc. (UNFI) disclosed that it had detected unauthorized activity on its IT systems, prompting the company to initiate its incident response plan and take systems offline.
  • The Register - Security: Let them eat junk food: Major organic supplier to Whole Foods, Walmart, hit by cyberattack
  • www.cybersecuritydive.com: UNFI, a grocery retailer and wholesaler, is working to resume full operations following “unauthorized activity” involving its IT systems.
  • go.theregister.com: North American grocery wholesaler United Natural Foods told regulators that a cyber incident temporarily disrupted operations, including its ability to fulfill customer orders.
  • techcrunch.com: New: United Natural Foods (UNFI), a major grocery distributor to stores across North America and the "primary distributor" to Whole Foods, was hit by a cyberattack and is warning of ongoing disruption to customer orders.
  • Threats | CyberScoop: United Natural Foods, distributor for Whole Foods Market, hit by cyberattack
  • CyberInsider: United Natural Foods, Inc. (UNFI) disclosed that it had detected unauthorized activity on its IT systems, prompting the company to initiate its incident response plan and take systems offline.
  • Catalin Cimpanu: A cyberattack is disrupting the operations of United Natural Foods, a distributor of grocery products in the US. United Natural Foods is the largest grocery carrier and the 14th largest logistics company in the US.
  • cyberscoop.com: United Natural Foods, distributor for Whole Foods Market, hit by cyberattack
  • www.ttnews.com: UNFI hit by cyberattack, orders may be disrupted
  • Techzine Global: Cyber incident disrupted food wholesalers’ operations
  • The Register: GeekNews.chat post about major organic supplier to Whole Foods, Walmart, hit by cyberattack
  • techcrunch.com: United Natural Foods said it is "diligently managing through the cyber incident" that sparked disruption outages.
  • www.techradar.com: Key Whole Foods supplier hit by major cyberattack - delays possibly on the way
  • BleepingComputer: Grocery wholesale giant United Natural Foods hit by cyberattack
  • SecureWorld News: Whole Foods Supplier United Natural Foods Hit in Cyber Attack
  • cyberscoop.com: United Natural Foods fulfilling orders on ‘limited basis’ in wake of cyberattack
  • The Dysruption Hub: UNFI's cyberattack disrupts deliveries to 30,000+ stores, including Whole Foods. Stock drops 8% amid fears of ransomware and food shortages.
  • industrialcyber.co: Grocery wholesaler UNFI faces operational disruptions after cyberattack
  • Zack Whittaker: US grocery distribution giant United Natural Foods (UNFI) said it's working to bring its systems online after a cyberattack.
  • Tech Monitor: UNFI, a grocery wholesale distributor in North America, experienced a cyberattack that necessitated the shutdown of some specific systems.
  • Threats | CyberScoop: United Natural Foods fulfilling orders on ‘limited basis’ in wake of cyberattack
  • techcrunch.com: United Natural Foods (UNFI), a major grocery distributor to stores across North America and the primary distributor to Whole Foods, was hit by a cyberattack and is warning of ongoing disruption to customer orders.
  • Industrial Cyber: UNFI's systems are affected by the cyberattack.
  • www.cybersecuritydive.com: UNFI’s operations remain hobbled following cyberattack
  • Metacurity: US grocery distributor United Natural Foods is the latest retail-related cyber victim
  • www.itpro.com: Everything we know so far about the United Natural Foods cyber attack
  • techcrunch.com: Zack Whittaker's report on TechCrunch about the UNFI cyberattack.
  • www.esecurityplanet.com: Cyberattack Disrupts Whole Foods Supplier, Causing Delivery Delays and Empty Shelves
  • www.bitdefender.com: The spate of cyber attacks impacting the retail industry continues, with the latest victim being United Natural Foods (UNFI), which supplies organic produce to Whole Foods, Amazon, Target, and Walmart, amongst many others.
  • bsky.app: United Natural Foods (UNFI), one of the USA's largest wholesale distributors of healthy and specialty food, has been hit by a cyber attack. The supplier of organic produce to Whole Foods, Amazon, Walmart, and others, revealed its breach in an SEC filing.
  • Graham Cluley: The supplier of organic produce revealed in an SEC filing that after discovering unauthorised network activity it had "activated its incident response plan and implemented containment measures, including proactively taking certain systems offline."
  • techxplore.com: With retail cyberattacks on the rise, customers find orders blocked and shelves empty
  • Lukasz Olejnik: Cyberattack on food store chain Whole Foods is leaving shelves empty as key distributor scrambles to restore systems. Shoppers and small grocers feel the heat—our food supply chain is fragile. In the digital age, cybersecurity is food security.
  • eSecurity Planet: Cyberattack Disrupts Whole Foods Supplier, Causing Delivery Delays and Empty Shelves
  • Graham Cluley: The spate of cyber attacks impacting the retail industry continues. The latest victim is UNFI, one of the USA's largest wholesale distributors of healthy and specialty food.
  • Vulnerable U: UNFI Cyberattack Halts Deliveries to Whole Foods and 30,000+ Grocery Stores
  • www.metacurity.com: US grocery distributor United Natural Foods is the latest retail-related cyber victim
  • techcrunch.com: Whole Foods warns of shortages after cyberattack at its primary distributor UNFI
  • securityaffairs.com: A cyberattack on United Natural Foods caused bread shortages and bare shelves
  • ciso2ciso.com: A cyberattack on United Natural Foods caused bread shortages and bare shelves – Source: securityaffairs.com
  • The Record: United Natural Foods (UNFI) said in a weekend update that it “made significant progress" toward restoring its ordering systems after a cyberattack affected the company's ability to keep grocery stores stocked.
  • Zack Whittaker: NEW: United Natural Foods (UNFI) said it's making "significant progress" in restoring its systems after a cyberattack earlier this month.
  • techcrunch.com: NEW: United Natural Foods (UNFI) said it's making "significant progress" in restoring its systems after a cyberattack earlier this month. The hack left grocery stores and supermarkets across the U.S. and Canada without food supplies and caused shelf shortages, including at Whole Foods and others.

Matt Burgess,@WIRED //
References: arstechnica.com, WIRED
German law enforcement has identified the alleged leader of the Trickbot and Conti cybercriminal groups, known online as "Stern," as Vitaly Nikolaevich Kovalev, a 36-year-old Russian national. The Bundeskriminalamt (BKA), Germany’s federal police agency, and local prosecutors made the announcement, alleging Kovalev is the "ringleader" of a "criminal organization." An Interpol red notice has been issued for Kovalev, who is believed to be in Russia, potentially shielding him from extradition. For years, Stern’s true identity remained a mystery despite law enforcement disruptions and leaks of internal chat messages from both Trickbot and Conti.

The Trickbot group, made up of roughly 100 cybercriminals, has run a relentless hacking spree for years under Stern's direction, hitting thousands of victims including businesses, schools, and hospitals. The group is believed to have stolen hundreds of millions of dollars over roughly six years. A leaker known as GangExposed first outed Stern as Kovalev before the German police confirmed the identification.

Alexander Leslie, a threat intelligence analyst at Recorded Future, stated that Stern’s naming is a significant event that bridges gaps in our understanding of Trickbot, one of the most notorious transnational cybercriminal groups to ever exist. Leslie added that as Trickbot's ‘big boss’ and one of the most noteworthy figures in the Russian cybercriminal underground, Stern remained an elusive character, and his real name was taboo for years. It has long been speculated that global law enforcement may have strategically withheld Stern’s identity as part of ongoing investigations.

Recommended read:
References :
  • arstechnica.com: German police say they’ve identified Trickbot ransomware kingpin
  • WIRED: Cops in Germany Claim They’ve ID’d the Mysterious Trickbot Ransomware Kingpin

Rescana@Rescana //
Recent ransomware attacks have underscored the persistent and evolving threat landscape facing organizations globally. Notably, Coca-Cola and its bottling partner, Coca-Cola Europacific Partners (CCEP), were targeted in separate cyber incidents. The Everest ransomware gang claimed responsibility for breaching Coca-Cola's systems, asserting access to sensitive internal documents and the personal information of nearly a thousand employees. Concurrently, the Gehenna hacking group claimed to have breached CCEP's Salesforce dashboard, potentially compromising over 23 million records. These incidents highlight the vulnerabilities inherent in interconnected digital ecosystems, emphasizing the need for robust cybersecurity measures and vigilant monitoring of network activities.

The healthcare sector has been hit particularly hard, with Interlock ransomware causing significant disruption at Kettering Health, a network of hospitals in Ohio. After claiming responsibility, the attackers leaked almost a terabyte of data, including patient information, financial records, and employee details. The breach forced canceled medical procedures and a temporary return to paper-based systems. Covenant Health also suffered a cyberattack that forced it to shut down systems across multiple hospitals. Similarly, Bailey's catering services, associated with a restaurant group in Louisiana, has been listed as a victim by the Medusa ransomware group, with the attackers demanding a $100,000 ransom. These events underscore the severe consequences of ransomware attacks on essential services and sensitive data.

In response to the rising ransomware threat, some countries are implementing stricter regulations. Australia, for example, now requires businesses with an annual turnover above AU$3 million to report ransomware payments to the Australian Signals Directorate within 72 hours. The legislation is a reporting mandate, not a payment ban: paying a ransom remains legal, but the government wants visibility into incidents to inform its cybersecurity strategy. The law also includes a six-month grace period for organizations to adapt to the new reporting requirements. Additionally, recent law enforcement operations such as Operation Endgame have shown progress in disrupting the ransomware ecosystem by targeting malware testing services and initial-access malware strains.

Recommended read:
References :
  • Rescana: Coca-Cola and CCEP Cyber Incident: Everest Ransomware and Gehenna Breach of Salesforce Data
  • cyberinsider.com: Ransomware Attack at Lee Enterprises Impacted Nearly 40,000 Individuals
  • Zack Whittaker: Lee Enterprises, the newspaper publishing giant that was hit by a ransomware attack in February, causing widespread disruption to dozens of U.S. media outlets, has confirmed the cyberattack resulted in the theft of ~40,000 employees’ personal data.
  • www.it-daily.net: Ransomware attack on Kettering Health: Interlock publishes data

Pauline Dornig@it-daily.net //
The ransomware group Interlock has claimed responsibility for the recent cyberattack on Kettering Health, a US healthcare organization comprising hospitals, clinics, and medical centers in Ohio. The attack, which first disrupted the healthcare system on May 20th, forced the shutdown of all computer systems and has left Kettering Health struggling to recover fully more than two weeks later. CNN first reported Interlock's involvement in the breach, but at the time the group had not publicly taken credit, leading to speculation that ransom negotiations might be under way. Interlock has now come forward, which may indicate that negotiations with Kettering Health were unsuccessful.

Interlock announced its involvement by posting alleged stolen data on its dark web site, claiming to have exfiltrated over 940 gigabytes of data from Kettering Health’s internal network. A preliminary review of the posted files indicates that the stolen data includes sensitive private health information, such as patient names, patient numbers, and detailed clinical summaries. These summaries contain sensitive information including mental status assessments, medication lists, health concerns, and other specific details about patients' medical conditions. The stolen data also encompasses employee information and the contents of shared drives, raising concerns about further potential privacy breaches.

The cyberattack has severely impacted Kettering Health's operations. Since the initial breach, numerous medical procedures have been canceled or postponed, and clinicians have had to fall back on paper documentation. Kettering Health treats roughly 1.5 million patients a year, so the digital standstill has affected clinical care at scale. While Kettering Health has reported progress in restoring its systems, including bringing its Epic electronic health record (EHR) system back online with the help of around 200 employees, the full extent of the damage and the long-term consequences of the data breach are still unfolding.

Recommended read:
References :
  • infosec.exchange: Ransomware gang Interlock claims responsibility for the Kettering Health hack, posting some alleged stolen data on its dark web site. Data includes private health information, such as patient names, patient numbers, and clinical summaries written by doctors, which include categories such as mental status, medications, health concerns, and other categories of patient data.
  • techcrunch.com: Ransomware gang Interlock claims responsibility for the Kettering Health hack, posting some alleged stolen data on its dark web site. Data includes private health information, such as patient names, patient numbers, and clinical summaries written by doctors, which include categories such as mental status, medications, health concerns, and other categories of patient data.
  • www.it-daily.net: Report on a ransomware attack on Kettering Health.
  • techcrunch.com: Health giant Kettering still facing disruption weeks after ransomware attack
  • The Register - Security: Ransomware scum leak patient data after disrupting chemo treatments at Kettering
  • BleepingComputer: Kettering Health confirms Interlock ransomware behind cyberattack
  • www.bleepingcomputer.com: Details about the leaked data.

Pradeep Bairaboina@Tech Monitor //
The Play ransomware group has been actively targeting organizations worldwide since June 2022, with the FBI reporting that approximately 900 entities had been compromised as of May 2025. The attacks span North America, South America, and Europe and hit a diverse range of businesses and critical infrastructure. The group uses a "double extortion" tactic, exfiltrating sensitive data before encrypting systems, so that victims face a leak threat as well as an outage.

The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) have issued updated advisories on Play ransomware, highlighting new tactics, techniques, and procedures (TTPs) employed by the group. One notable tactic is the exploitation of vulnerabilities in the SimpleHelp remote access tool. Specifically, multiple ransomware groups, including Play affiliates, have been actively targeting CVE-2024-57727, a path traversal vulnerability that lets an unauthenticated attacker download arbitrary files from the SimpleHelp server. The advisories also note that Play operators regularly phone victims, threatening to release stolen data if ransom demands are not met.
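The bug class behind CVE-2024-57727 (path traversal in an HTTP endpoint) leaves a recognizable trace in web-server access logs, and checking those logs is the first thing a defender with SimpleHelp exposed to the internet should do. The Python below is an added example written for this page, not SimpleHelp's code or anything from the advisories: it decodes percent-encoding repeatedly (so `%252e%252e` double encoding is caught), folds Windows backslashes into slashes, and flags any request whose path or query parameters still contain a `..` segment, ranking requests that climb above the URL root highest. The log lines and request paths are constructed for the example and are not the real vulnerable SimpleHelp endpoint.

```python
"""
Path-traversal detector for HTTP access logs (Common Log Format).
Added example, not vendor code; sample log lines below are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote

# src ident user [time] "METHOD TARGET PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode(component: str) -> str:
    """Undo percent-encoding until it stops changing (defeats %252e double
    encoding) and fold backslashes into slashes so '..\\' reads as '../'."""
    for _ in range(3):
        decoded = unquote(component)
        if decoded == component:
            break
        component = decoded
    return component.replace("\\", "/")


def lowest_depth(path: str) -> int:
    """Lowest directory depth reached while walking the segments.
    0 means the path never rose above the URL root; negative means it did."""
    depth = lowest = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        depth = depth - 1 if seg == ".." else depth + 1
        lowest = min(lowest, depth)
    return lowest


def has_dotdot(component: str) -> bool:
    return any(seg == ".." for seg in component.split("/"))


def classify(raw_target: str) -> str:
    """Verdict for one request target (path plus optional query string).
    Browsers resolve '..' before sending, so any surviving '..' is suspect."""
    raw_path, _, raw_query = raw_target.partition("?")
    path = decode(raw_path)
    if has_dotdot(path):
        return "path-escapes-root" if lowest_depth(path) < 0 else "dot-dot-in-path"
    # Traversal also arrives inside parameters (?file=../../etc/passwd).
    for _, value in parse_qsl(raw_query, keep_blank_values=True):
        if has_dotdot(decode(value)):
            return "dot-dot-in-query"
    return "clean"


def scan_log(lines):
    """Return (src, target, status, verdict) for every non-clean request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than crash
        verdict = classify(m["target"])
        if verdict != "clean":
            findings.append((m["src"], m["target"], m["status"], verdict))
    return findings


# Constructed sample log using RFC 5737 test addresses; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2025:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2025:14:02:12 +0000] "GET /static/../../etc/passwd HTTP/1.1" 200 1834',
    '198.51.100.7 - - [10/Jun/2025:14:03:40 +0000] "GET /files/%2e%2e/%2e%2e/config.xml HTTP/1.1" 404 0',
    '198.51.100.7 - - [10/Jun/2025:14:03:41 +0000] "GET /files/%252e%252e%252f%252e%252e%252fserver.xml HTTP/1.1" 200 2210',
    '192.0.2.9 - - [10/Jun/2025:14:05:00 +0000] "GET /app/..\\..\\win.ini HTTP/1.1" 200 92',
    '192.0.2.9 - - [10/Jun/2025:14:05:03 +0000] "POST /api/login?next=../.. HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Jun/2025:14:06:20 +0000] "GET /static/../api/admin HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for src, target, status, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:18} {status} {src:14} {target}")
```

Triage the hits by status code: a traversal path answered with 200 and a non-zero body (the second and fourth sample lines) means the server actually served the file, whereas a 404 shows an attempt that failed. Note that depth is counted from the URL root, which understates the damage when the application roots a handler at a subdirectory, so treat every surviving `..` as worth a look rather than only the ones marked as escaping the root.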

To mitigate the threat posed by Play ransomware, the agencies recommend several proactive measures, including enforcing multifactor authentication, maintaining offline data backups, and developing and testing a recovery plan. Keeping all operating systems, software, and firmware patched against known vulnerabilities is also critical. SimpleHelp has released security updates for the exploited vulnerabilities and strongly urges customers to apply them immediately; an unpatched, internet-exposed SimpleHelp server should be treated as a likely initial-access point. Play ransomware has been linked to attacks on critical infrastructure, including nine affecting healthcare, so constant vigilance and proactive security strategies are warranted across all sectors.

Recommended read:
References :
  • cyberinsider.com: FBI: Play Ransomware Breached 900 Organizations Worldwide
  • DataBreaches.Net: CISA Alert: Updated Guidance on Play Ransomware
  • The Register - Security: Play ransomware crims exploit SimpleHelp flaw in double-extortion schemes
  • Tech Monitor: The FBI reports Play ransomware breached 900 firms by May 2025, up from the figure reported in October 2023, using recompiled malware and phone threats to extract ransoms.
  • www.cybersecuritydive.com: The hacker group has breached hundreds of organizations and is working with others to exploit flaws in a popular remote support tool.
  • CyberInsider: FBI: Play Ransomware Breached 900 Organizations Worldwide
  • securityaffairs.com: Play ransomware group hit 900 organizations since 2022
  • www.techradar.com: FBI warns Play ransomware hackers have hit nearly a thousand US firms
  • www.cybersecuritydive.com: Understanding the evolving malware and ransomware threat landscape