The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been “silently” updating its Known Exploited Vulnerabilities (KEV) catalog when it concludes that vulnerabilities have been exploited by ransomware groups, according to a security researcher. CISA adds a “known” or “unknown” field next to the “Known To Be Used in Ransomware Campaigns?” entry in its KEV catalog. The problem, according to a blog post by Glenn Thorpe of GreyNoise, is the agency doesn’t send out advisories when a vulnerability changes from “unknown” to “known” vulnerabilities exploited by ransomware groups. Thorpe downloaded daily CISA KEV snapshots for all of 2025 and found that the agency had flipped 59 vulnerabilities in 2025 from “unknown” to “known” evidence of exploitation by ransomware groups. “When that field flips from ‘Unknown’ to ‘Known,’ CISA is saying: ‘We have evidence that ransomware operators are now using this vulnerability in their campaigns,’" Thorpe wrote. “That's a material change in your risk posture. Your prioritization calculus should shift. But there's no alert, no announcement. Just a field change in a JSON file. This has always frustrated me.” In a statement shared with The Cyber Express, CISA Executive Assistant Director for Cybersecurity Nick Andersen suggested that the agency is considering Thorpe’s input. “We continue to streamline processes and enrich vulnerability data through initiatives like the KEV catalog, the Common Vulnerabilities and Exposures (CVE) Program, and Vulnrichment,” Andersen said. “Feedback from the cybersecurity community is essential as CISA works to enhance the KEV catalog and advance vulnerability prioritization across the ecosystem.”

Microsoft Leads in Vulnerabilities Exploited by Ransomware Groups

Of the 59 CVEs that flipped to “known” exploitation by ransomware groups last year, 27% were Microsoft vulnerabilities, Thorpe said. Just over a third (34%) involved edge and network CVEs, and 39% were for CVEs before 2023. And 41% of the flipped vulnerabilities occurred in a single month, May 2025. The “Fastest time-to-ransomware flip” was one day, while the longest lag between CISA KEV addition and the change to “known” ransomware exploitation status was 1,353 days. The “Most flipped vulnerability type” was Authentication Bypass at 14% of occurrences.

Ransomware Groups Target Edge Devices

Edge devices accounted for a high number of the flipped vulnerabiities, Thorpe said. Fortinet, Ivanti, Palo Alto and Check Point Security edge devices were among the flipped CVEs. “Ransomware operators are building playbooks around your perimeter,” he said. Thorpe said that 19 of the 59 flipped vulnerabilities “target network security appliances, the very devices deployed to protect organizations.” But he added: “Legacy bugs show up too; Adobe Reader vulnerabilities from years ago suddenly became ransomware-relevant.” Authentication bypasses and RCE vulnerabilities were the most common, “as ransomware operators prioritize ‘get in and go’ attack chains.” The breakdown by vendor of the 59 vulnerabilities “shouldn't surprise anyone,” he said. Microsoft was responsible for 16 of the flipped CVEs, affecting SharePoint, Print Spooler, Group Policy, Mark-of-the-Web bypasses, and more. Ivanti products were affected by 6 of the flipped CVEs, Fortinet by 5 (with FortiOS SSL-VPN heap overflows standing out), and Palo Alto Networks and Zimbra were each affected by 3 of the CVEs. “Ransomware operators are economic actors after all,” Thorpe said. “They invest in exploit development for platforms with high deployment and high-value access. Firewalls, VPN concentrators, and email servers fit that profile perfectly.” He also noted that the pace of vulnerability exploitation by ransomware groups accelerated in 2025. “Today, ransomware operators are integrating fresh exploits into their playbooks faster than defenders are patching,” he said. Thorpe created an RSS feed to track the flipped vulnerabilities; it’s updated hourly.

Ransomware attacks have soared 30% since late last year, and they’ve continued that trend so far in 2026, with many of the attacks affecting software and manufacturing supply chains. Those are some of the takeaways of new research published by Cyble today, which also looked at the top ransomware groups, significant ransomware attacks, new ransomware groups, and recommended cyber defenses. Ransomware groups claimed 2,018 attacks in the last three months of 2025, averaging just under 673 a month to end a record-setting year. The elevated attack levels continued in January 2026, as the threat groups claimed 679 ransomware victims. In the first nine months of 2025, ransomware groups claimed an average of 512 victims a month, so the recent trend has been more than 30% above that, Cyble noted. Below is Cyble’s chart of ransomware attacks by month since 2021, which shows a sustained uptrend since mid-2025.

Qilin Remains Top Ransomware Group as CL0P Returns

Qilin was once again the top ransomware group, claiming 115 victims in January. CL0P was second with 93 victims after claiming “scores of victims” in recent weeks in an as-yet unspecified campaign. Akira remained among the leaders with 76 attacks, and newcomers Sinobi and The Gentlemen rounded out the top five (chart below). [caption id="attachment_109255" align="aligncenter" width="845"] Top ransomware groups January 2026 (Cyble)[/caption] “As CL0P tends to claim victims in clusters, such as its exploitation of Oracle E-Business Suite flaws that helped drive supply chain attacks to records in October, new campaigns by the group are noteworthy,” Cyble said. Victims in the latest campaign have included 11 Australia-based companies spanning a range of sectors such as IT, banking and financial services (BFSI), construction, hospitality, professional services, and healthcare. Other recent CL0P victims have included “a U.S.-based IT services and staffing company, a global hotel company, a major media firm, a UK payment processing company, and a Canada-based mining company engaged in platinum group metals production,” Cyble said. The U.S. once again led all countries in ransomware attacks (chart below), while the UK and Australia faced a higher-than-normal attack volume. “CL0P’s recent campaign was a factor in both of those increases,” Cyble said. [caption id="attachment_109256" align="aligncenter" width="831"] Ransomware attacks by country January 2026 (Cyble)[/caption] Construction, professional services and manufacturing remain opportunistic targets for threat actors, while the IT industry also remains a favorite target of ransomware groups, “likely due to the rich target the sector represents and the potential to pivot into downstream customer environments,” Cyble said (chart below). [caption id="attachment_109258" align="aligncenter" width="819"] Ransomware attacks by industry January 2026 (Cyble)[/caption]

Ransomware Attacks Hit the Supply Chain

Cyble documented 10 significant ransomware attacks from January in its blog post, many of which had supply chain implications. One was an Everest ransomware group compromise of “a major U.S. manufacturer of telecommunications networking equipment ... Everest claims the data includes PDF documents containing sensitive engineering materials, such as electrical schematics, block diagrams, and service subsystem documentation.” Sinobi claimed a breach of an India-based IT services company. “Samples shared by the attackers indicate access to internal infrastructure, including Microsoft Hyper-V servers, multiple virtual machines, backups, and storage volumes,” Cyble said. A Rhysida ransomware group attack on a U.S. life sciences and biotechnology instrumentation company allegedly exposed sensitive information such as engineering blueprints and project documentation. A RansomHouse attack on a China-based electronics manufacturing for the technology and automotive manufacturers nay have exposed “extensive proprietary engineering and production-related data,” and “data associated with multiple major technology and automotive companies.” An INC Ransom attack on a Hong Kong–based components manufacturer for the global electronics and automotive industries may have exposed “client-related information associated with more than a dozen major global brands, plus confidential contracts and project documentation for at least three major IT companies.” Cyble also documented the rise of three new ransomware groups: Green Blood, DataKeeper and MonoLock, with DataKeeper and MonoLock releasing details on technical and payment features aimed at attracting ransomware affiliates to their operations.  

Ingram Micro, one of the world’s largest IT distributors, has confirmed that sensitive personal data was leaked following a ransomware attack that disrupted its operations last year. The Ingram Micro data breach incident, which paralysed the company’s logistics systems for nearly a week in July 2025, has now been linked to the theft of files containing employee and applicant information, affecting more than 42,000 individuals. The Ingram Micro data breach came to light through a mandatory filing with U.S. authorities, which revealed that 42,521 people were impacted, including five residents of the state of Maine. According to the company, the attackers accessed internal file repositories between July 2 and July 3, 2025, during an external system breach involving hacking. However, the breach was only discovered several months later, on December 26, 2025.

Ransomware Attack Led to Extended Disruption

The data exposure follows a ransomware attack that caused widespread operational disruption at Ingram Micro in July 2025. At the time, the company’s logistics were reportedly paralysed for about a week, affecting its ability to process and distribute products. While the immediate impact of Ingram Micro data breach on operations was known, it has now emerged that the attackers also exfiltrated sensitive files during the same period. In a notice sent to affected individuals, Ingram Micro said it detected a cybersecurity incident involving some of its internal systems on July 3, 2025. The company launched an investigation into the nature and scope of the issue and determined that an unauthorised third party had taken certain files from internal repositories over a two-day window.

Ingram Micro Data Breach: Personal and Employment Data Stolen

The compromised files included employment and job applicant records, containing a wide range of personal information. According to the Ingram Micro data breach notification, the stolen data may include names, contact information, dates of birth, and government-issued identification numbers such as Social Security numbers, driver’s licence numbers, and passport numbers. In addition, certain employment-related information, including work evaluations and application documents, was also accessed. The company noted that the types of affected personal information varied by individual. Ingram Micro employs approximately 23,500 people worldwide, and the breach affected both current and former employees, as well as job applicants. Ingram Micro said it took steps to contain and remediate the unauthorised activity as soon as the incident was detected. These measures included proactively taking certain systems offline and implementing additional security controls. The company also engaged leading cybersecurity experts to assist with its investigation and notified law enforcement. As part of its response to the Ingram Micro data breach, the company conducted a detailed review of the affected files to understand their contents. It was only after completing this review that Ingram Micro confirmed that some of the files contained personal information about individuals.

Support Offered to Affected Individuals

Ingram Micro is notifying impacted individuals and encouraging them to take steps to protect their personal information. Under U.S. law, affected individuals are entitled to one free credit report annually from each of the three nationwide consumer reporting agencies. The company has also arranged to provide complimentary credit monitoring and identity protection services for two years. In its notification, Ingram Micro urged people to remain vigilant by reviewing their account statements and monitoring their credit reports. The company included guidance on how to register for the free protection services and additional steps to reduce the risk of identity theft. For further assistance, Ingram Micro has set up a dedicated call centre for questions related to the breach. The company said it regrets any inconvenience caused and is working to address concerns raised by those affected.

Broader Implications for Corporate Cybersecurity

The incident highlights the growing risks organisations face from ransomware attacks that not only disrupt operations but also result in data theft. The delay between the occurrence of the breach in July and its discovery in December emphasizes the challenges companies face in detecting and containing sophisticated cyber intrusions. For large enterprises like Ingram Micro, which play a central role in global IT supply chains, the consequences of such attacks can extend beyond immediate operational losses. The exposure of sensitive employee and applicant data adds a long-term dimension to the impact, increasing the risk of identity theft and fraud for those affected. As investigations continue, the ransomware attack on Ingram Micro serves as a reminder of the importance of strong cybersecurity controls, continuous monitoring, and timely incident response to limit both operational disruption and data loss.

By Suresh Kanniappan, Sales Head, Infrastructure Management and Security Services, US at Happiest Minds Let’s revisit the recent ransomware attack that hit one of the biggest hospital networks in the US. The cyberattack shut down surgeries, made patients' records unavailable, and forced emergency departments to divert incoming cases. Unfortunately, this is not an isolated story. Throughout 2025, healthcare organisations have faced a growing wave of cyber threats, highlighting the urgent need for Cyber Resilience in Healthcare. The scale and precision of cyber threats have increased manifold, with impacts extending far beyond data breaches: disrupting care, delaying diagnoses, and even shaking the very foundation of patient trust.

Why has Cyber Resilience in Healthcare Become More Critical Than Ever?

The recent report released by the U.S. Department of Health and Human Services, which found that more than 133 million patient records were compromised in the first half of 2025, marking the highest number to date. More concerning is the impact of ransomware attacks, which have grown 3X, affecting everything from the electronic health record systems to connected diagnostic equipment. All these incidents have had a significant impact on human life. There were many postponed surgeries, families were afraid about what was next, and the clinicians had no access to the vital data when it was needed most. All these were not just operational challenges; they were an alarm for all healthcare systems that building a strong resilience is essential in today's highly connected digital world. What we need to understand is clear: cybersecurity in healthcare is no longer about prevention alone; it's about resilience, recovery, and readiness. So, what must the healthcare industry focus on in 2026 and beyond?

1. Zero Trust to Replace Perimeter: Zero Trust security is already in place, but how effectively it is implemented is to be verified. Zero trust will continue to be the backbone of every industry, ensuring every user, every device, and every access is verified without exception. It is not just about restricting access; it is about knowing who has access to what and granting permission to the right people for the right requirements.
2. AI will Redefine Defense: AI has become an integral part of our lives; it is re-shaping both cyber-attacks and defense. Cyber adversaries are using AI to create personalized phishing attacks, exploit unpatched devices, and steal data and credentials at a pace humans can't match. The advice for healthcare experts is to implement AI as a new defense engine, deploying AI-driven threat analytics, automated response workflows, and continuous monitoring to spot and contain threats in real time. This will help healthcare security teams protect data and clinical operations much faster and with higher precision.
3. Supply Chain Vigilance to be Stepped Up: The recent breaches over the last 1 year have not happened within the boundaries of the hospitals, but it is beyond that through third-party vendors, devices, and software. It's time for the healthcare providers to look into every vendor that enforces real-time risk monitoring, contractual accountability, and shared visibility across the entire healthcare and value chain. They need to bring strong security in place to ensure resiliency.
4. Regulations Will Drive Accountability: Global regulators are strengthening mandates around healthcare data protection, breach reporting, and AI transparency. In the coming year, leadership involvement in cybersecurity governance will need to be stronger. Boards and CXOs will need to give digital safety the same priority as patient safety. Compliance will become an ongoing practice of accountability rather than just an annual paperwork exercise. Role of the leaders

Strategic Priorities of Healthcare Leaders

1. Redefining Cyber Resilience as a Leadership Imperative: The need of the hour is resilience, and it should start from the top management itself to foster leadership commitment and shared responsibility for bringing in a positive mindset, investing in better cybersecurity tools and service providers that enable patient safety.
2. Empower People, Not Just Systems: Resilience is not built by technology; it is to be instilled within us, and human awareness is the best barrier. Each staff member, from the frontend IT administrators to nurses, is an integral part of ensuring the organization's integrity and patients' safety. Periodically conducting simulations, awareness campaigns, and real-world readiness drills will be necessary to make security a shared responsibility rather than an isolated function.
3. Establish a Culture of Collaboration: Threats don’t operate in isolation, and neither should our defense. Leaders must champion collaboration across hospitals, vendors, industry groups, and public-sector bodies. Proactive threat intelligence sharing and coordinated response frameworks enable healthcare organizations to anticipate disruptions rather than merely react. True resilience is never built in isolation; rather, it is forged through partnership.

The Way Forward: Resilience as the Heartbeat of Healthcare

Healthcare no longer remains confined to hospital premises. It has gone much beyond the walls of any hospital. Every network and every device that carries the patient's record or clinical data must be protected in today's connected world. It is more about constant trust rather than a one-time effort or technical achievement. Being resilient, even in the face of system failure, without compromising patient care, is vital. As for 2026, organizations would have to balance innovation with integrity and treat cybersecurity not just as a compliance checklist but as a shared responsibility to prioritize patient health and data. Integrating AI into cybersecurity practice will further help strengthen threat detection and response by identifying threats and containing them even before they strike. The future of health is not defined by how sophisticated AI will become but by how well it is integrated into every layer of care. Resilience will come from AI-powered systems that protect patient data, strengthen clinical operations, and make sure the promise of technology truly supports the promise of healing.

After stabilizing in 2024, the growth of known exploited vulnerabilities accelerated in 2025. That was one conclusion from Cyble’s analysis of CISA’s Known Exploited Vulnerability (KEV) catalog data from 2025. After growing at roughly 21% in 2023, with 187 vulnerabilities added to the CISA KEV catalog that year, growth slowed to about 17% in 2024, with 185 vulnerabilities added. Growth in exploited vulnerabilities reaccelerated in 2025, with 245 vulnerabilities added to the KEV database, for a roughly 20% growth rate. The KEV catalog ended 2025 with 1,484 software and hardware flaws at high risk of attack. The 245 flaws added in 2025 is also more than 30% above the trend of 185 to 187 vulnerabilities added the previous two years. Cyble also examined vulnerabilities exploited by ransomware groups, the vendors and projects with the most KEV additions (and several that actually improved), and the most common exploited software weaknesses (CWEs).

Older Vulnerabilities Added to CISA KEV Also Grew

Older vulnerabilities added to the CISA KEV catalog also grew in 2025, Cyble said. After adding an average of 65 older vulnerabilities to the KEV catalog in 2023 and 2024, CISA added 94 vulnerabilities from 2024 and earlier to the catalog in 2025, an increase of nearly 45% from the 2023-2024 average. The oldest vulnerability added to the KEV catalog last year was CVE-2007-0671, a Microsoft Office Excel Remote Code Execution vulnerability. The oldest vulnerability in the catalog remains CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used by ransomware groups, Cyble said. CISA removed at least one vulnerability from the KEV catalog in 2025. CVE-2025-6264 is a Velociraptor Incorrect Default Permissions vulnerability that CISA determined had “insufficient evidence of exploitation,” Cyble noted.

Vulnerabilities Targeted in Ransomware Attacks

CISA marked 24 of the vulnerabilities added in 2025 as known to be exploited by ransomware groups, Cyble said. Those vulnerabilities include some well-known flaws such as CVE-2025-5777 (dubbed “CitrixBleed 2”) and Oracle E-Business Suite vulnerabilities targeted by the CL0P ransomware group. Vendors with multiple vulnerabilities targeted by ransomware groups included Fortinet, Ivanti, Microsoft, Mitel, Oracle and SonicWall.

Projects and Vendors with the Most Exploited Vulnerabilities

Microsoft once again led all vendors and projects in CISA KEV additions in 2025, with 39 vulnerabilities added to the database, up from 36 in 2024. Apple, Cisco, Google Chromium. Ivanti and Linux each had 7-9 vulnerabilities added to the KEV catalog. Several vendors and projects actually improved in 2025, with fewer vulnerabilities added than they had in 2024, “suggesting improved security controls,” Cyble said. Adobe, Android, Apache, Ivanti, Palo Alto Networks, and VMware were among those that saw a decline in KEV vulnerabilities.

Most Common Software Weaknesses

Eight software and hardware weaknesses (common weakness enumerations, or CWEs) were “particularly prominent among the 2025 KEV additions,” Cyble said, noting that the list is similar to the 2024 list. The most common CWEs in the 2025 CISA KEV additions were:

• CWE-78 – OS Command Injection – accounted for 18 of the 245 vulnerabilities.
• CWE-502 – Deserialization of Untrusted Data – was  a factor in 14 of the vulnerabilities.
• CWE-22 – Path Traversal – appeared 13 times.
• CWE-416 – Use After Free – was a flaw in 11 of the vulnerabilities.
• CWE-787 – Out-of-bounds Write – accounted for 10 of the vulnerabilities.
• CWE-79 – Cross-site Scripting – appeared 7 times.
• CWE-94 (Code Injection) and CWE-287 (Improper Authentication) appeared 6 times each.

 

Two cybersecurity experts charged with deploying ALPHV BlackCat ransomware against five companies have pleaded guilty to federal charges in the case, the U.S. Department of Justice announced today. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were indicted in the BlackCat ransomware case in October. Together with an unnamed co-conspirator, they “successfully deployed the ransomware known as ALPHV BlackCat between April 2023 and December 2023 against multiple victims located throughout the United States,” the Justice Department said today. The two face sentencing in March for conspiring to obstruct commerce through extortion.

Misusing ‘Trusted Access and Technical Skill’

Martin and the co-conspirator worked as ransomware negotiators for DigitalMint, a Chicago-based company that specializes in mitigating cyberattacks, while Goldberg was an incident response manager at Sygnia Cybersecurity Services. DigitalMint and Sygnia have publicly stated they were not targets of the investigation and have cooperated fully with law enforcement. “These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop,” stated Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Goldberg and Martin used trusted access and technical skill to extort American victims and profit from digital coercion,” added U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida. “Their guilty pleas make clear that cybercriminals operating from within the United States will be found, prosecuted, and held to account.”

BlackCat Ransomware Case Netted More Than $1 million

According to the Justice Department, the three men agreed to pay the ALPHV BlackCat administrators a 20% share of any ransom payments they received in exchange for the ransomware and access to ALPHV BlackCat’s extortion platform. “After successfully extorting one victim for approximately $1.2 million in Bitcoin, the men split their 80% share of this ransom three ways and laundered the funds through various means,” the Justice Department said. The five unnamed victim companies targeted by the co-conspirators included:

• A medical device company based in Tampa, Florida
• A pharmaceutical company based in Maryland
• A doctor’s office based in California
• An engineering company based in California
• A drone manufacturer based in Virginia

The Tampa medical device company paid a $1.27 million ransom; it is not clear if other ransom payments were made. The Justice Department placed the guilty pleas in the context of priori law enforcement actions aimed at disrupting ALPHV BlackCat, including the development of a decryption tool that that the U.S. says saved global victims nearly $100 million in ransom payments. The Justice Department said Goldberg and Martin each pleaded guilty to one count of “conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion in violation of 18 U.S.C. § 1951(a).” The defendants are scheduled to be sentenced on March 12, 2026, and face a maximum penalty of 20 years in prison. The cybersecurity industry has faced a number of insider incidents in recent months, including a “suspicious insider” at CrowdStrike and a former cybersecurity company official who pled guilty to stealing trade secrets to sell them to a Russian buyer. In the Goldberg and Martin case, corporate assets do not appear to have been misused.

By Gauravdeep Singh, Head – State e-Mission Team (SeMT), Ministry of Electronics and Information Technology The Digital Personal Data Protection (DPDP) Act has fundamentally altered the risk landscape for Indian organisations. Data breaches now trigger mandatory compliance obligations regardless of their origin, transforming incidents that were once purely operational concerns into regulatory events with significant financial and legal implications.

Case Study 1: Cloud Misconfiguration in a Consumer Platform

A prominent consumer-facing platform experienced a data exposure incident when a misconfigured storage bucket on its public cloud infrastructure inadvertently made customer data publicly accessible. While no malicious actor was involved, the incident still constituted a reportable data breach under the DPDP Act framework. The organisation faced several immediate obligations:

• Notification to affected individuals within prescribed timelines
• Formal reporting to the Data Protection Board
• Comprehensive internal investigation and remediation measures
• Potential penalties for failure to implement reasonable security safeguards as mandated under the Act

Such incidents highlight a critical gap in traditional risk management approaches. The financial exposure—encompassing regulatory penalties, legal costs, remediation expenses, and reputational damage—frequently exceeds conventional cyber insurance coverage limits, particularly when compliance failures are implicated.

Case Study 2: Ransomware Attack on Healthcare and EdTech Infrastructure

A mid-sized healthcare and education technology provider fell victim to a ransomware attack that encrypted sensitive personal records. Despite successful restoration from backup systems, the organisation confronted extensive regulatory and operational obligations:

• Forensic assessment to determine whether data confidentiality was compromised
• Mandatory notification to regulatory authorities and affected data principals
• Ongoing legal and compliance proceedings

The total cost extended far beyond any ransom demand. Forensic investigations, legal advisory services, public communications, regulatory compliance activities, and operational disruption collectively created substantial financial strain, costs that would have been mitigated with appropriate insurance coverage.

Case Study 3: AI-Enabled Fraud and Social Engineering

The emergence of AI-driven attack vectors has introduced new dimensions of cyber risk. Deepfake technology and sophisticated phishing campaigns now enable threat actors to impersonate senior leadership with unprecedented authenticity, compelling finance teams to authorise fraudulent fund transfers or inappropriate data disclosures. These attacks often circumvent traditional technical security controls because they exploit human trust rather than system vulnerabilities. As a result, organisations are increasingly seeking insurance coverage for social engineering and cyber fraud events, particularly those involving personal data or financial information, that fall outside conventional cybersecurity threat models.

The Evolution of Cyber Insurance in India

The Indian cyber insurance market is undergoing significant transformation in response to the DPDP Act and evolving threat landscape. Modern policies now extend beyond traditional hacking incidents to address:

• Data breaches resulting from human error or operational failures
• Third-party vendor and SaaS provider security failures
• Cloud service disruptions and availability incidents
• Regulatory investigation costs and legal defense expenses
• Incident response, crisis management, and public relations support

Organisations are reassessing their coverage adequacy as they recognise that historical policy limits of Rs. 10–20 crore may prove insufficient when regulatory penalties, legal costs, business interruption losses, and remediation expenses are aggregated under the DPDP compliance framework.

The SME and MSME Vulnerability

Small and medium enterprises represent the most vulnerable segment of the market. While many SMEs and MSMEs regularly process personal data, they frequently lack:

• Mature information security controls and governance frameworks
• Dedicated compliance and data protection teams
• Financial reserves to absorb penalties, legal costs, or operational disruption

For organisations in this segment, even a relatively minor cyber incident can trigger prolonged operational shutdowns or, in severe cases, permanent closure. Despite this heightened vulnerability, cyber insurance adoption among SMEs remains disproportionately low, driven primarily by awareness gaps and perceived cost barriers.

Implications for the Cyber Insurance Ecosystem

The Indian cyber insurance market is entering a period of accelerated growth and structural evolution. Several key trends are emerging:

• Higher policy limits becoming standard practice across industries
• Enhanced underwriting processes emphasising compliance readiness and data governance maturity
• Comprehensive coverage integrating legal advisory, forensic investigation, and regulatory support
• Risk-based pricing models that reward robust data protection practices

Looking ahead, cyber insurance will increasingly be evaluated not merely as a risk-transfer mechanism, but as an indicator of an organisation's overall data protection posture and regulatory preparedness.

DPDP Act and the End of Optional Cyber Insurance

The DPDP Act has fundamentally redefined cyber risk in the Indian context. Data breaches are no longer isolated IT failures; they are regulatory events carrying substantial financial, legal, and reputational consequences. In this environment, cyber insurance is transitioning from a discretionary safeguard to a strategic imperative. Organisations that integrate cyber insurance into a comprehensive data governance and enterprise risk management strategy will be better positioned to navigate the evolving regulatory landscape. Conversely, those that remain uninsured or underinsured may discover that the cost of inadequate preparation far exceeds the investment required for robust protection. (This article reflects the author’s analysis and personal viewpoints and is intended for informational purposes only. It should not be construed as legal or regulatory advice.)

U.S. companies made more than $2 billion in ransomware payments between 2022 and 2024, nearly equaling the total ransoms paid in the previous nine years, according to a new report from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN). The report, which looked at threat pattern and trend information identified in Bank Secrecy Act (BSA) filings, said that between Jan. 1, 2022 and Dec. 31, 2024, FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents and totaling more than $2.1 billion in ransomware payments. In the previous nine years, from 2013 to 2021, FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments, the report said. FinCEN notes that because its data is based on BSA filings, it is by nature incomplete, and indeed, the 4,194 ransomware incidents recorded by FinCEN between 2022 and 2024 is less than 40% of the nearly 11,000 ransomware attacks recorded in Cyble’s threat intelligence data over the same period.

ALPHV/BlackCat and LockBit Enforcement Actions Lowered Ransomware Payments

Ransomware incidents and payments reported to FinCEN reached an all-time high in 2023 of 1,512 incidents totaling approximately $1.1 billion in payments, an increase of 77 percent in payments from 2022. In 2024, incidents decreased slightly to 1,476 while total payments dropped to approximately $734 million. FinCEN attributed the decline in ransomware payments in 2024 to law enforcement disruption of the ALPHV/BlackCat and LockBit ransomware groups. However, LockBit is in the midst of its most significant comeback since the law enforcement actions disrupted the group, with 21 new victims claimed so far this month. Of the 267 ransomware variants identified during the reporting period, the most common variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta. However, Qilin has emerged as the top ransomware group in 2025 by a wide margin, so FinCEN’s 2025 BSA data will almost certainly change. Despite the decline in payments, the value of reported ransomware payments in 2024 was still the third-highest yearly total since the reports began in 2013. The median ransomware payment was $124,097 in 2022, $175,000 in 2023, and $155,257 in 2024. Between January 2022 and December 2024, the most common payment range was below $250,000.

Financial Services, Manufacturing and Healthcare Most Targeted Sectors

Measuring both the number of ransomware incidents and the amount of aggregate payments, the financial services, manufacturing and healthcare industries were the most affected during the report period. Between January 2022 and December 2024, the most commonly targeted industries by number of incidents identified in ransomware-related BSA reports were manufacturing (456 incidents), financial services (432 incidents), healthcare (389 incidents), retail (337 incidents), and legal services (334 incidents). Industries that paid the most in ransoms during the three-year period were financial services (approximately $365.6 million), healthcare (about $305.4 million), manufacturing (approximately $284.6 million), science and technology (about $186.7 million), and retail ($181.3 million). The Onion router (TOR) was the most common communication method used by ransomware groups. About 42 percent of BSA reports indicated the method that ransomware threat actors used to communicate with their targets. Among those reports, 67 percent indicated that ransomware actors used TOR, while 28 percent indicated that ransomware actors used email to communicate with their victims. Bitcoin (BTC) was the most common ransomware-related payment method, accounting for 97 percent of reported payments. Monero (XMR) was cited in two percent of BSA reports involving ransomware. FinCEN also identified several common money laundering typologies used by ransomware groups. Threat actors overwhelmingly collected payments in unhosted convertible virtual currency (CVC) wallets and “continued to exploit CVC exchanges for money laundering purposes after receiving payment,” the report said. Ransomware groups also used “several common preferred malicious cyber facilitators, such as shared initial access vendors,” FinCEN said.

Crisis24’s OnSolve CodeRED emergency alert system has been disrupted by a cyberattack, leaving local governments throughout the U.S. searching for alternatives or waiting for a new system to come online. The INC ransomware group has claimed responsibility for the attack. Some personal data of users may have been exposed in the attack, including names, addresses, email addresses, phone numbers, and passwords, and users have been urged to change passwords for other accounts if the same password is used. Crisis24 is launching a new secure CodeRED System that was already in development, and local governments had varying reactions to the crisis.

New CodeRED Emergency Alert System Expected Soon

Several U.S. local governments issued statements after the attack, updating residents on the CodeRED system’s status and their plans. The City of University Park, Texas, said Crisis24 is launching a new CodeRED System, which was already in the works. “Our provider assures us that the new CodeRED platform resides on a non-compromised, separate environment and that they completed a comprehensive security audit and engaged external experts for additional penetration testing and hardening,” the city said in its statement. “The provider decommissioned the OnSolve CodeRED platform and is the process of moving all customers to its new CodeRED platform.” Craven County Emergency Services in North Carolina said the new CodeRED platform “will be available before November 28.” In the meantime, Craven County said announcements and alerts will continue to be released through local media, the Craven County website, or on Craven County’s social media accounts. The Douglas County Sheriff's Office in Colorado said on Nov. 24 that it took “immediate action to terminate our contract with CodeRED for cause. Our top priority is the privacy and protection of our citizens, which led to the decision to end our agreement with CodeRED.” The Sheriff’s Office said it “is actively searching for a replacement for the CodeRED platform.” The office said it still has the ability to issue “IPAWS” alerts to citizens when necessary, and “will continue to implement various contingency plans, including outreach through social media and door-to-door notifications, to ensure our community stays informed during emergency situations.”

INC Ransom Claims Responsibility for CodeRED Attack

The INC Ransom group claimed responsibility for the CodeRED emergency alert system attack on its dark web data leak site. The threat actors say they obtained initial access on Nov. 1, followed by network encryption on Nov. 10. The group claims to have exfiltrated approximately 1.15 TB before deploying encryption. To substantiate their claims, INC Ransom has published several data samples, including csv files with client-related data, threat intelligence company Cyble reported in a note to clients. Additionally, the group released two screenshots allegedly showing negotiation attempts, where the company purportedly offered as much as USD $150,000, an amount the attackers claim they refused.

Compromised VPN credentials are the most common initial access vector for ransomware attacks, according to a new report. Nearly half of ransomware attacks in the third quarter abused compromised VPN credentials as the initial access point, according to research from Beazley Security, the cybersecurity arm of Beazley Insurance. Nearly a quarter of initial access attacks came from external service exploitation, while remote desktop service (RDS) credential compromises, supply chain attacks and social engineering accounted for 6% each (chart below). [caption id="attachment_106993" align="aligncenter" width="480"] Initial access vectors in ransomware attacks (Beazley Security)[/caption] “This trend underscores the importance of ensuring that multifactor authentication (MFA) is configured and protecting remote access solutions and that security teams maintain awareness and compensating controls for any accounts where MFA exceptions have been put in place,” the report said. In addition to the critical need for MFA, the report also underscores the importance of dark web monitoring for leaked credentials, which are often a precursor to much bigger cyberattacks.

SonicWall Compromises Led Attacks on VPN Credentials

A “prolonged campaign” targeting SonicWall devices by the Akira ransomware group was responsible for some of the 10-point increase in the percentage of VPN attacks. “Adding to SonicWall’s misery this quarter was a significant breach of their cloud service, including sensitive configuration backups of client SonicWall devices,” the report added. Akira, Qilin and INC were by far the most active ransomware groups in the third quarter, Beazley said – and all three exploit VPN and remote desktop credentials. Akira “typically gains initial access by exploiting weaknesses in VPN appliances and remote services,” the report said. In the third quarter, they used credential stuffing and brute force attacks to target unpatched systems and weak credentials. Akira accounted for 39% of Beazley Security incident response cases in the third quarter. Akira “consistently gained access by using valid credentials in credential stuffing attacks against SonicWall SSLVPN services, exploiting weak access controls such as absent MFA and insufficient lockout policies on the device,” the report said. Qilin’s initial access techniques include phishing emails, malicious attachments, and brute forcing weak credentials or stolen credentials in remote desktop protocol (RDP) and VPN services. INC Ransomware uses a combination of phishing, credential theft, and exploitation of exposed enterprise appliances for initial access. “Beazley Security responders observed the group leverage valid, compromised credentials to access victim environments via VPN and Remote Desktop,” the report said.

Cisco, Citrix Vulnerabilities, SEO Poisoning Also Exploited

Critical vulnerabilities in Cisco and Citrix NetScaler were also targeted by attackers in the third quarter. In one campaign, a sophisticated threat actor leveraged CVE-2025-20333 and CVE-2025-20363 in Cisco ASA VPN components to gain unauthorized access into environments, Beazley said. Another campaign targeted a critical SNMP flaw (CVE-2025-20352) in Cisco IOS.‍ Threat actors also targeted Citrix NetScaler vulnerabilities CVE-2025-7775 and CVE-2025-5777. The latter has been dubbed “Citrix Bleed 2” because of similarities to 2023’s “Citrix Bleed” vulnerability (CVE-2023-4966). A “smaller yet noteworthy subset” of ransomware attacks gained access via search engine optimization (SEO) poisoning attacks and malicious advertisements, used for initial access in some Rhysida ransomware attacks. “This technique places threat actor-controlled websites at the top of otherwise trusted search results, tricking users into downloading fake productivity and administrative tools such as PDF editors,” the report said. “These tools can be trojanized with various malware payloads, depending on threat actor objectives, and can potentially give threat actors a foothold directly on the endpoint in a network. The attack is effective because it bypasses other traditional social engineering protections like email filters that prevent phishing attacks.”