CyberSecurity news

FlagThis - #ransomwareattack

Pauline Dornig@it-daily.net //
The ransomware group Interlock has claimed responsibility for the recent cyberattack on Kettering Health, a US healthcare organization comprised of hospitals, clinics, and medical centers in Ohio. The attack, which initially disrupted the healthcare system on May 20th, forced the shutdown of all computer systems and has left Kettering Health struggling to fully recover over two weeks later. CNN first reported on Interlock’s involvement in the breach, but at the time, the group had not publicly taken credit, leading to speculation that ransom negotiations might be underway. However, Interlock has now come forward, potentially indicating that negotiations with Kettering Health have been unsuccessful.

Interlock announced its involvement by posting alleged stolen data on its dark web site, claiming to have exfiltrated over 940 gigabytes of data from Kettering Health’s internal network. A preliminary review of the posted files indicates that the stolen data includes sensitive private health information, such as patient names, patient numbers, and detailed clinical summaries. These summaries contain sensitive information including mental status assessments, medication lists, health concerns, and other specific details about patients' medical conditions. The stolen data also encompasses employee information and the contents of shared drives, raising concerns about further potential privacy breaches.

The cyberattack has severely impacted Kettering Health's operations. Since the initial breach, numerous medical procedures have been canceled or postponed, forcing healthcare professionals to revert to paper-based documentation. This digital standstill has significantly affected clinical care for approximately 1.5 million patients annually. While Kettering Health has reported progress in restoring its systems, including bringing the electronic health record (EHR) system "Epic" back online with the help of around 200 employees, the full extent of the damage and the long-term consequences of the data breach are still unfolding.

References:
  • infosec.exchange: Ransomware gang Interlock claims responsibility for the Kettering Health hack, posting some alleged stolen data on its dark web site. Data includes private health information, such as patient names, patient numbers, and clinical summaries written by doctors, which include categories such as mental status, medications, health concerns, and other categories of patient data.
  • techcrunch.com: Ransomware gang Interlock claims responsibility for the Kettering Health hack, posting some alleged stolen data on its dark web site. Data includes private health information, such as patient names, patient numbers, and clinical summaries written by doctors, which include categories such as mental status, medications, health concerns, and other categories of patient data.
  • www.it-daily.net: Report on a ransomware attack on Kettering Health.
  • techcrunch.com: Health giant Kettering still facing disruption weeks after ransomware attack
  • The Register - Security: Ransomware scum leak patient data after disrupting chemo treatments at Kettering
  • BleepingComputer: Kettering Health confirms Interlock ransomware behind cyberattack
  • BleepingComputer: Details about the leaked data.

@cyble.com //
Nova Scotia Power has officially confirmed it fell victim to a sophisticated ransomware attack, impacting approximately 280,000 customers. The breach, which began several weeks ago, involved unauthorized access to internal systems and the subsequent theft of sensitive data. The cyber incident targeted Nova Scotia Power’s digital infrastructure, encrypting critical systems and exfiltrating customer data. The power utility has confirmed it was hit by ransomware but hasn't paid the ransom, nearly a month after first disclosing the cyberattack.

Nova Scotia Power engaged third-party cybersecurity firms to isolate affected networks, mitigate further damage, and conduct forensic analyses. Investigations suggest the attackers employed advanced techniques to bypass existing safeguards, though specific details about the ransomware variant or entry vectors remain undisclosed. The company emphasized it did not comply with ransom demands, a decision it attributes to adherence to sanctions laws and coordination with law enforcement agencies.

The threat actor publicly released portions of the stolen data, compelling Nova Scotia Power to initiate a large-scale notification campaign. Impacted customers received physical mail detailing the breach’s scope and remediation steps. The compromised information reportedly includes names, addresses, account numbers, and potentially payment histories. To address identity theft risks, Nova Scotia Power partnered with TransUnion to offer affected individuals a two-year subscription to the myTrueIdentity® credit monitoring service at no cost, including real-time credit alerts and dark web surveillance.

References:
  • thecyberexpress.com: Nova Scotia Power has confirmed it was the victim of a ransomware attack, weeks after initially alerting customers to a cybersecurity breach.
  • Tech Monitor: Nova Scotia Power confirms data breach, customer information compromised
  • cyberpress.org: Nova Scotia Power Confirms Cyberattack Affecting 280K Customers
  • securityaffairs.com: Nova Scotia Power confirms it was hit by a ransomware attack but hasn’t paid the ransom, nearly a month after first disclosing the cyberattack.
  • Cyber Security News: Nova Scotia Power, a key utility provider, faced a significant ransomware attack, which led to the leak of customer data and exposed sensitive information.

Dissent@DataBreaches.Net //
A ransomware attack on Business Systems House (BSH), a Middle Eastern partner of payroll provider ADP, resulted in the theft of Broadcom employee data in September 2024. The breach was claimed by the El Dorado ransomware group, which, according to open-source trackers, took responsibility in November of that year. Broadcom, a multinational semiconductor and infrastructure software company, used ADP for payroll processing, with BSH functioning as ADP's regional provider in the Middle East.

Broadcom was in the process of transitioning away from ADP and BSH at the time of the attack; however, the switch had not been finalized. Sensitive data was compromised, and although the data was leaked online in December 2024, Broadcom was not informed about the breach until May 12, 2025. The delay in notification highlights the challenges organizations face in monitoring and securing extended vendor ecosystems. The stolen data was in an unstructured format, complicating the process of identifying affected employees and the specific data fields disclosed.

After discovering the attack, BSH has been working with ADP and outside experts to investigate the incident and take the necessary steps to harden BSH's environment against similar attacks. Local law enforcement and data protection authorities have been notified. It is understood that Broadcom's HR department has begun informing current and former staff affected by the ransomware attack.

References:
  • DataBreaches.Net: Ransomware Attack on ADP Partner Exposes Broadcom Employee Data
  • The Register - Security: Broadcom employee data stolen by ransomware crooks following hit on payroll provider
  • malware.news: Ransomware attack on ADP partner exposes Broadcom employee data
  • Rescana: Broadcom Data Breach: Ransomware Attack on Business Systems House Highlights Third-Party Cybersecurity Risks
  • AAKL: A ransomware attack at a Middle Eastern business partner of payroll company ADP has led to customer data theft at Broadcom, The Register has learned.
  • www.techradar.com: Broadcom hit by employee data theft after breach in supply chain

Dissent@DataBreaches.Net //
In December 2024, PowerSchool, a major provider of K-12 software serving 60 million students across North America, experienced a significant data breach. Hackers gained access to sensitive student and teacher data, including personally identifiable information such as Social Security numbers and health data, through a single stolen credential. The company, believing it was the best course of action, paid an undisclosed ransom to the threat actor to prevent the data from being made public; however, this has proven unsuccessful.

Months later, it has been revealed that the threat actors are now directly targeting individual school districts with extortion demands, using the stolen data from the initial breach. The Toronto District School Board (TDSB), along with other schools in North America, has confirmed receiving ransom demands from the attackers. The exposed information includes names, contact details, birth dates, Social Security numbers, and even some medical alert data. PowerSchool has confirmed that these extortion attempts are related to the original breach and is working with law enforcement.

Cybersecurity experts have warned against paying ransoms, as there is no guarantee that hackers will delete the stolen data. This case exemplifies the risk of paying extortion demands, as the threat actors have resurfaced to revictimize affected individuals and institutions with additional demands. PowerSchool is offering two years of free identity protection to affected individuals; however, the company will face pressure to improve its security and to reassure stakeholders that it can prevent similar incidents in the future.

References:
  • bsky.app: The hacker behind PowerSchool's December breach is now extorting schools, threatening to release stolen student and teacher data.
  • Threats | CyberScoop: The large education tech vendor was hit by a cyberattack and paid a ransom in December. Now, a threat actor is attempting to extort the company’s customers with stolen data.
  • The Register - Security: PowerSchool paid thieves to delete stolen student, teacher data. Crooks may have lied
  • The DefendOps Diaries: Report discussing the PowerSchool data breach and its implications.
  • BleepingComputer: PowerSchool is warning that the hacker behind its December cyberattack is now individually extorting schools, threatening to release the previously stolen student and teacher data if a ransom is not paid. [...]
  • www.bleepingcomputer.com: BleepingComputer reports on PowerSchool hacker extorting school districts.
  • cyberscoop.com: PowerSchool customers hit by downstream extortion threats
  • BleepingComputer: PowerSchool hacker now extorting individual school districts
  • malware.news: PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (2)
  • DataBreaches.Net: PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
  • PCMag UK security: UK PCMag covers PowerSchool attackers extorting teachers.
  • go.theregister.com: PowerSchool paid thieves to delete stolen student, teacher data. Crooks may have lied. Now individual school districts extorted by fiends
  • Metacurity: PowerSchool hackers are extorting schools despite the company's ransom payment
  • techcrunch.com: TechCrunch article on PowerSchool being hacked.
  • hackread.com: PowerSchool Paid Ransom, Now Hackers Target Teachers for More
  • : Teachers report that bad actors are now targeting them with threatening emails demanding payment following a massive 2024 breach affecting schools across the US and Canada. One of the largest hacks of US schools continues as teachers across the country say that threat actors are extorting them for more money and threatening to release the data.
  • thecyberexpress.com: Toronto School Board Hit with Extortion Demand After PowerSchool Data Breach
  • Blog: PowerSchool clients now targeted directly by threat actor
  • cyberinsider.com: PowerSchool Ransom Fallout: Extortion Attempts Hit Schools Months After Data Breach
  • www.techradar.com: PowerSchool hackers return, and may not have deleted stolen data as promised
  • malware.news: Double-extortion tactics used in PowerSchool ransomware attack
  • CyberInsider: Months after paying a ransom to suppress the fallout of a major data breach, PowerSchool is facing renewed turmoil as threat actors have begun extorting individual school districts using the same stolen data.
  • Matthew Rosenquist: More extortions, same - a perfect example of how not to deal with risks. The nightmare continues for schools, students, and teachers whose private data was exposed by PowerSchool.
  • matthewrosenquist.substack.com: PowerSchool data breach round 2 extortions
  • aboutdfir.com: Reports an education tech provider paid thieves to delete stolen student, teacher data.
  • MeatMutts: The educational sector has been rocked by a significant data breach involving PowerSchool, a leading education technology provider serving over 60 million students globally.
  • aboutdfir.com: PowerSchool paid thieves to delete stolen student, teacher data. Looks like crooks lied An education tech provider that paid a ransom to prevent the leak of stolen student and teacher data is now watching its school district customers get individually extorted by either the same ransomware crew that hit it – or someone connected to