The summer season of 2025 was not sizzling. It was unforgiving.
Ransomware hit hospitals, retailers suffered information breaches, insurers suffered phishing, and nation-state officers launched a disruptive marketing campaign.
From stealth powershell loaders to zero-day SharePoint Exploits, the attackers held the defender on their heels.
This report analyzes probably the most impactful incidents of the season and what safety groups must do earlier than the following wave hits.
Summer season reveals elevated ransomware danger in healthcare
Hospitals cannot afford downtime, and attackers know that.
This summer season, Ransomware Group focused healthcare, leveraging each the worth of affected person information and the urgency of care.
Interlocking rises as a significant risk to US healthcare
On July 22, 2025, joint advisory by the CISA, FBI and HHS highlighted interlocks as a significant risk to the healthcare and public well being (HPH) sector. Teams are linked round 14 In 2025 alone, a 3rd will have an effect on solely healthcare suppliers.
What makes the interlock stand out is its use.”filefix“PowerShell launcher that hides malicious scripts behind decoy file paths. Deceives customers to run payloads by File Explorer and bypasses typical safety detection.
Rhysida ransomware targets one other US medical heart
On July 8, 2025, the Rhysida Ransomware Group is claimed to have leaked delicate information from the Florida Hand Heart, together with medical photos, driver’s licenses and insurance coverage kinds.
Clinics serving sufferers in Punta Gorda, Port Charlotte and Fort Myers have been simply given 7 days Reply earlier than launch.
Spider playbook scattered within the waves of Qilin recycled healthcare violations
In June 2025, Qilin recorded 81 casualties, turning into probably the most energetic ransomware group. 52 within the healthcare sector.
The group exploited unearned Fortinet vulnerabilities (CVE-2024-21762 and CVE-2024-55591) to achieve entry, deploy ransomware, and take away delicate information corresponding to EHRs and insurance coverage information.
To maximise the stress, Qilin has leveraged the techniques of authorized themes, past encryption.Please name your lawyer“Options and automatic negotiation instruments to drive sooner funds.
Use the Picus safety verification platform to actively take a look at and confirm safety administration in opposition to probably the most influential threats of summer season 2025 (probably the most influential threats of summer season 2025) together with interlocks, giraffes, dragon forces, scattered spiders, and power shells.
Begin your 14-day free trial now and uncover that you just’re prepared in minutes.
Take a look at it with a free trial model
Main manufacturers breached by the wave of retail cybercrime
The retail division could not escape the wave of cyberattacks that might be cleansing up till the summer season of 2025.
Louis Vuitton’s violation is marked third with 1 / 4
On July 2, 2025, Louis Vuitton UK suffered a knowledge breach revealing buyer contact info and buy historical past, a 3rd LVMH model violation three months after Dior and LV Korea.
A couple of days later, on July 10, British police arrested 4 suspects in reference to the well-known assaults on M&S, the cooperative and Harrods.
The group is claimed to be linked to scattered spiders, a home risk actor recognized for his or her collaborations with social engineering and ransomware operators like Dragon Power, indicating the rising affect of home made cybercriminals on main retailers.
Dragonforce assaults US retail chain Belk
Between Might 7 and 11, 2025, a Berg-based retailer on the opposite aspect of Atlantic, North Carolina, was subjected to an information breach.
Dragonforce claimed accountability and excluded 156 GB of buyer and worker information, together with identify, social safety quantity, e-mail, order historical past and HR information.
Dragonforce, which first appeared within the second half of 2023, operates as a ransomware cartel, cites roughly 136 casualties by March 2025. Lots of them are in US and UK retail organizations.
Scattered spider techniques have shifted from retail to insurance coverage
Scattered spiders utilizing English-centered social engineering, voice phishing, MFA fatigue, assist desk spoofing, and sort squat domains, English-centered social engineering, voice phishing, MFA fatigue, assist desk spoofing), English-centered social engineering (UNC3944) April – Might 2025.
in Mid-June 2025researchers flagged that the scattered spider (UNC3944) has moved from retail to targets by US insurance coverage corporations.
Aflac Unauthorized entry was detected and included on June 12, 2025. Your buyer and worker private information (together with SSNS and well being claims) could have been compromised.
Erie Insurance coverage and Philadelphia Insurance coverage Firm We additionally reported related cyber disruptions from mid-June to mid-June, leading to operational downtime.
The intrusion coincided with recognized tactical profiles of scattered spiders, though no ransomware was deployed and the system remained operational.
Nationwide help and geopolitical cyber actions
Not all cyber threats this summer season have been about cash.
Nation-state hackers and hacktivists additionally made their mark to make use of the turbulent geopolitical local weather to launch assaults.
June 14th-Seventeenth, 2025: Professional-Israel Hattivist group predatory Sparrow has destroyed $900 million with code by storming Iranian financial institution Sepa, destroying financial institution companies, violating nobitex and sending tokens to burn wallets.
June 30, 2025: The US Division of Homeland Safety and CISA have issued a joint warning about impending Iranian cyber retaliation focusing on essential infrastructure within the US and Europe.
These incidents function harsh reminders that cyber battle is an extension of geopolitical tensions and may ripple effectively past boundaries and sectors.
Necessary vulnerability that draws public consideration
A number of Microsoft SharePoint vulnerabilities have been exploited this summer season. Instrument Shell.
CVE-2025-53770 A essential distant code execution flaw permits uncertified attackers to execute arbitrary code on a weak OnPrem SharePoint server. Menace actors used it to deploy webshells, steal {qualifications}, and transfer them sideways by the enterprise community. CISA added bug Reply Catalog on July 20, 2025.
CVE-2025-49704 and CVE-2025-49706 It was additionally added to KEV July twenty second After being abused in a sequence assault. This pair permits authentication bypassing and code injection, permitting attackers to use unearned SharePoint methods even when earlier fixes are utilized.
The Toolshell Marketing campaign is aimed toward organizations within the US, Europe and the Center East, together with authorities companies, power corporations and telecommunications suppliers.
Safety researchers say it was mounted on Tuesday, the place it’s probably that the attacker reversed Microsoft’s July patch, to develop a bypass utilized in CVE-2025-53770.
What do you have to take from a summer season cybersecurity wildfire?
From hospitals to retail giants, insurance coverage suppliers, nation-states, and even seasons uncovered cracks in probably the most intensive environments.
Subsequent, what safety groups ought to do.
A patch like your life is dependent upon it. As a result of they do in essential sectors.
Begin with CISA KEV entries and a high-strength CVE, however do not cease there. Ask troublesome questions: Are you the form of goal that attackers chase?
Confirm whether or not every CVE is definitely exploitable within the setting.
Concentrate on the exploit chain, not simply on the rating. That is what the enemy is doing.
It strengthens identification as a brand new boundary.
Social engineering has labored higher than malware this summer season. Cease MFA fatigue assaults, improve assist desk validation, and restrict privileged entry.
Practice your folks as a result of they have been the violation level.
The scattered spiders and others didn’t misuse CVE. They exploited folks. Run common simulations, replace phishing eventualities, and put together the high-risk function of the particular lure.
Concentrate on what occurs after the primary entry.
Menace actors like interlocks and giraffes did not simply drop ransomware. They moved sideways, shifting the information step-by-step, avoiding detection. Implement behavioral monitoring for strategies corresponding to PowerShell abuse, qualification theft, and stealth exfoliation.
Do not ignore legacy methods or ignored infrastructure.
Do not ignore legacy methods or ignored infrastructure. Toolshell marketing campaign has been exploited Unpublished SharePoint Serverworking an unsupported or outdated model.
Whether or not growing older your on-prem sharepoints, home equipment, or unsupervised legacy gear, isolate what you may’t improve, monitor what you may’t patch, and substitute what you do not ignore.
To simulate the above assaults, we extremely advocate utilizing the PICUS safety verification platform to check the effectiveness of safety controls in opposition to actual cyber assaults.
You may as well take a look at your protection in opposition to a whole bunch of different malware and exploitation campaigns, together with Medusa, Rhysida, and Black Basta. 14-day free trial of the Picus platform.
Sponsored and written by Picus Safety.
