Newsletter Archive - "eCrime.ch Ransomware Highlights"
For 2025-05-17
Article language: in English - Industry: Food and Beverage Manufacturing - Organisation/company: Arla Foods A.m.b.a
|
Arla factory in Germany hit by cyber incident - Just Food
2025-05-17 |
An Arla Foods plant in Germany has been affected by a cybersecurity incident, the dairy giant has confirmed.
The Lurpak and Castello owner said “suspicious activity” had hit the co-op’s IT network at its plant in the German town of Upahl. “Due to the security measures implemented as a result of the incident, production has been affected,” Arla said in a statement. “Our production and IT experts are working diligently to resume normal operations at the site and we have now begun the process of systematically restarting the systems to ensure a return to full functionality.” |
|
Article language: in English
|
Ransomware gangs increasingly use Skitnet post-exploitation malware
2025-05-16 |
Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks.
The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025. Prodaft told BleepingComputer they have observed multiple ransomware operations deploying Skitnet in real-world attacks, including BlackBasta in Microsoft Teams phishing attacks against the enterprise, and Cactus. |
|
Article language: in English - Industry: Telecommunications - Organisation/company: Duo County Telephone Cooperative Corporation, Inc. / DUO Broadband
|
Ransomware attackers steal comms firm’s customer details
2025-05-16 |
The company noticed unauthorized meddling within its networks on the eve of Valentine’s Day 2025. According to a breach notification letter Duo Broadband sent to impacted individuals, threat actors attempted to disrupt the system, likely trying to deploy ransomware.
“Upon discovery, we immediately took action to secure our systems, terminated any unauthorized access, and notified law enforcement as required by federal regulations,” reads the letter. |
|
Article language: in English - Industry: Hospitals and Health Care
|
"Endemic" Ransomware Prompts NHS to Demand Supplier Action on Cybersecurity
2025-05-15 |
England’s National Health Service (NHS) has urged its suppliers to commit to strong cybersecurity practices amid increased cyber threats to patients and services.
The voluntary cybersecurity charter aims to better protect the NHS from growing cyber threats via its supply chain, including ransomware. The open letter to current and prospective NHS suppliers noted that the ransomware threat is “endemic.” “We have experienced several significant ransomware attacks on our supply chain in recent years,” it read. |
|
Article language: in English - Industry: Hospitals and Health Care
|
Ransomware attacks drive majority of US health data breaches, analysis shows
2025-05-15 |
A new study led by researchers from Michigan State University, Yale University and Johns Hopkins University reveals that ransomware attacks—which involve a hacker putting encryption controls into a file and then demanding a ransom to unlock the files—have become the primary driver of health care data breaches in the United States, compromising 285 million patient records over 15 years.
Published May 14 in JAMA Network Open, the study provides the first comprehensive analysis of ransomware's role in health care breaches across all entities covered by privacy laws—hospitals, physician practices, health plans and data clearinghouses—from 2010 to 2024. |
|
Article language: in English
|
Ransomware gangs join ongoing SAP NetWeaver attacks
2025-05-14 |
Ransomware gangs have joined ongoing SAP NetWeaver attacks, exploiting a maximum-severity vulnerability that allows threat actors to gain remote code execution on vulnerable servers.
|
|
|
Nucor Corp. - Form 8-K | SEC.gov
2025-05-14 |
Nucor Corporation (the “Company”) recently identified a cybersecurity incident involving unauthorized third party access to certain information technology systems used by the Company. Upon detecting the incident, the Company began promptly taking steps to contain and respond to the incident, including activating its incident response plan, proactively taking potentially affected systems offline and implementing other containment, remediation, or recovery measures. The Company is actively investigating the incident with the assistance of leading external cybersecurity experts and has notified federal law enforcement authorities. As of the date of this filing and in an abundance of caution, the Company temporarily and proactively halted certain production operations at various locations. However, the Company is currently in the process of restarting the affected operations.
|
|
Article language: in English - Industry: Mental Health Care - Organisation/company: Horizon Behavioral Health
|
Data Breach Notice | Horizon Behavioral Health
2025-05-13 |
Horizon Behavioral Health (“Horizon”) is writing to share with you that Horizon, like many other organizations around the country, has been the victim of a criminal cybersecurity event. This notice provides information about how this incident may have affected personal information and, as a preventative measure, provides steps that can be taken to protect such information.
What Happened? On March 16, 2025, Horizon discovered issues with our computer systems and quickly determined we were the victim of a ransomware incident. We immediately took steps to stop the ransomware and engaged outside cybersecurity experts to investigate this event. Based on their investigation, it appears the incident began on or around March 13, 2025. Between March 13, 2025, and March 16, 2025, information from Horizon’s systems may have been inappropriately accessed and/or obtained by an unauthorized user. |
|
|
M&S cyber attack: Customer data stolen, company confirms
2025-05-13 |
Marks & Spencer has revealed that the contact details and dates of birth of some customers have been stolen in the recent cyber attack which continues to disrupt its services.
Stuart Machin, chief executive of M&S, said the company was writing to customers on Tuesday to inform them that "unfortunately, some personal customer information has been taken". "Importantly, there is no evidence that the information has been shared," he added. |
|
Article language: in English - Industry: Government Administration
|
Alabama investigating cybersecurity ‘event’ on state network | StateScoop
2025-05-12 |
The Alabama Office of Information Technology is responding to a disruptive cybersecurity “event” after noticing abnormal network activity last week, the office announced Monday.
A notice posted to the state’s website by the technology division warned that users of the state’s network may experience temporary disruptions to websites, email and phone service. Some state employee usernames and passwords were compromised, but the personal data of state residents was not compromised, according to the notice. |
|
Actor/variant: DoppelPaymer - Article language: in English
|
Moldova arrests suspect in ransomware attacks targeting Dutch firms | The Record from Recorded Future News
2025-05-12 |
Moldovan authorities have arrested a 45-year-old man suspected of involvement in a series of ransomware attacks targeting Dutch companies in 2021.
Among the attacks the suspect is allegedly responsible for is an incident targeting the Netherlands Organization for Scientific Research (NWO), which caused an estimated 4.5 million euros ($5 million) in damage. |
|
Article language: in English
|
UK cyber insurance claims in 2024 down YOY but still up on earlier years: Marsh - Reinsurance News
2025-05-12 |
However, on a positive note, ransomware claims in 2024 have declined by 31% compared to 2023. Marsh attributes this decline to the increase in law enforcement activity, stricter global sanctions relating to cybercrime, and a fall in the number of organisations opting to pay ransoms when targeted.
The broker explained this decline is also linked to improved cybersecurity measures, earlier detection of threat actors prior to encryption, and organisations being less concerned about being publicly identified as ransomware victims. Although the amounts paid by UK ransomware victims continued to rise in 2024, extortion negotiations involving ransomware experts remained generally effective, often resulting in reductions of over 60% from the initial demands to the final payment. |
|
Article language: in Italian - Industry: Education Administration Programs - Organisation/company: Università Roma TRE
|
Università Roma TRE - Cyberattack on the University's infrastructure
2025-05-12 |
During the night of 8 May, an interruption of the University's IT services was recorded. Following verification operations carried out that same night and continued throughout the morning of the 9th, it was established that the University's infrastructure had been the target of a serious cyberattack that made the University's websites inaccessible.
Immediately after detecting the attack, the Information Systems Area contacted the Agenzia per la Cybersicurezza Nazionale (National Cybersecurity Agency) and the Polizia Postale (Postal Police), who promptly came to our premises to initiate all necessary actions. These procedures continued until 02:00 last night and were essential to understand the extent of the attack, assess the damage and begin the recovery process. |
|