The IT Nerd

A ransomware group called Medusa today took credit for last month’s cyber attack on the University of Mississippi Medical Center.

UMMC shut down its clinics and cancelled appointments from February 19 to March 2, 2026 to contain the attack. The medical center lost access to phone lines, email, and patient records. 

Commenting on this news is Rebecca Moody, Head of Data Research at Comparitech: 

“The fact that Medusa has now added UMMC to its data leak site suggests a ransom hasn’t been paid — for the data at least. And its demand of $800,000, which is double the average across its other confirmed healthcare attacks from this group, could be for a number of reasons. It may be because Medusa believes the data it’s stolen from UMMC is of a higher value than others, or it could be because of how much publicity the attack has received. 

Whatever the reasoning for the high ransom and whatever the data is that has potentially been stolen, UMMC needs to provide patients and employees with an update as soon as possible. According to our data, the average breach on a healthcare provider following an attack via Medusa involves 195,000 records, which is a significant figure. Understandably, it takes organizations a long time to analyze the breached data and identify everyone who’s been affected (Bell Ambulance is a prime example with its recent increase in those affected from 114,000 to nearly 238,000), but if all employees and patients are aware of a potential data breach from the offset, it helps them mitigate the risks involved with a data leak. 

Anyone whose data is associated with UMMC should start monitoring their accounts for any unauthorized activity and should be on high alert for any potential phishing campaigns, especially those purporting to be from UMMC.”

Once again, healthcare is the target for threat actors. At this point this is not new information. The problem is that this keeps happening. And this needs to stop ASAP as attacks on the healthcare sector are out of control.

Researchers at Aryaka have identified a year-long cyber campaign with attackers sending messages containing links to files disguised as job applications or resumes to corporate HR departments that injects malware, dubbed BlackSanta, designed to disable security tools before stealing data.

The attack typically starts with victims downloading an ISO file hosted on cloud storage services, which contains seemingly legitimate documents and scripts. When opened, the file executes commands that download additional payloads and deploy the BlackSanta malware. The module functions as an “EDR killer,” disabling antivirus and endpoint detection and response tools at the kernel level, allowing attackers to operate on compromised systems with minimal resistance.

Once security controls are disabled, the malware can perform system reconnaissance, harvest credentials, and exfiltrate sensitive data from the compromised network. Researchers say the campaign specifically targets HR workflows because recruitment staff routinely open files from external applicants and may not scrutinize attachments as closely as security or IT teams, making them a practical entry point into enterprise environments.

Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:

   “HR is a very practical point of entry. This has been a common attack path for a long time, so much so that fake resumes and job applications are taught as phishing lures because they work. HR staff are constantly interacting with unknown external people, opening files, and following up on inbound submissions as part of normal business, which makes them much easier to target than users in IT or finance, who are usually more security conscious and more conditioned to be suspicious.

   “A foothold is a foothold. Attackers do not need to land on the most privileged user first if they can compromise a softer target, establish access, and move laterally from there. HR is attractive because it combines lower resistance with real value. Even if it does not always have the same technical access as IT or the same direct financial access as finance, it often holds a broad set of personal information on both employees and applicants. That data can be stolen, resold, reused in future phishing and social engineering, or leveraged for broader fraud and identity theft.

   “This is not some new or surprising attack path. Most of the tradecraft involved is well known and has become fairly standard across the criminal ecosystem. Using an ISO to get past boundary level detections is a common technique, and the layered execution and EDR tampering here are a good example of how capabilities that once felt more specialized have become easier to obtain and reuse.

   “That broader commercialization matters. Advanced tooling, stolen information, and even direct access are now routinely bought, sold, shared, and reused, which keeps lowering the barrier to entry.”

Rajeev Raghunarayan, Head of GTM, Averlon:

   “The bigger risk isn’t the initial HR compromise. It’s what those compromised credentials or systems can reach. In many environments, HR processes intersect with identity and access workflows, which means an initial foothold can potentially lead to broader access across the organization if permissions and controls are not tightly managed.

   “Many environments still have overly broad permissions that allow attackers to move laterally once they gain a foothold. Organizations need to understand how identities and privileges become part of attack chains, not just focus on the endpoint where the malware first lands.”

Noelle Murata, Sr. Security Engineer, Xcape, Inc.:

   “The BlackSanta campaign utilizes malicious ISO files disguised as job applications to deliver a specialized “EDR killer” payload to corporate targets. This malware operates at the kernel level to systematically disable antivirus and endpoint detection tools, effectively blinding security operations centers before data exfiltration begins.

   “For security professionals, this represents a critical escalation in the arms race between attackers and defensive telemetry. When an adversary can reliably neuter the primary visibility tool of the modern enterprise, the entire incident response playbook is rendered obsolete. While HR departments remain a vulnerable entry point due to their operational need to open external files, the true threat lies in the sophisticated ability of this malware to achieve total silence on the host.

   “Defenders must pivot toward a defense-in-depth strategy that includes robust application control and the enforcement of “least privilege” for kernel-level drivers. Implementing hardware-backed security features and isolated environments for processing untrusted external documents can help mitigate the risk when endpoint agents are compromised.

   “If the EDR can’t see the fire, the whole building burns down before the first alarm sounds.”

This is a scary one as this attack kills the canary in the coal mine so there are no warnings. Thus it’s a good time to look at what you can do to make this less of a threat.

US medical company, Stryker, has been pwned in a cyber attack by Iran-backed cybercriminals. Here’s some details on this attack:

Stryker is a Fortune 500 company that specializes in the manufacturing of surgical equipment, orthopedic implants, and neurotechnology. Headquartered in Michigan, the company employs approximately 56,000 people and reported over $25 billion in revenue for 2025. Its critical role in the healthcare supply chain makes it an essential partner for hospitals worldwide.

The Iran-linked hacker group named Handala has taken credit for the attack, claiming to have struck an “unprecedented blow” to the company.

The hackers claim to have wiped more than 200,000 servers, mobile devices, and other systems, forcing Stryker to shut down offices in 79 countries. They also allegedly stole 50TB of data from the company’s systems. 

Handala has been highly active since the start of the US-Israel-Iran conflict.

Lee Sult, Chief Investigator, Binalyze had this to say:

“The Stryker attack looks to be the first drop of blood in the water as a result of nation-state and hacktivist activity off the back of the Iran conflict. This attack confirms Western organizations are not only in the adversary’s crosshairs, but the adversary can also make the shot. More shots are coming.

“An attack like this is about damage and spreading chaos. Handala is using a scorched earth approach, they get in fast, wipe devices, steal data, and leave chaos behind them. Thousands of employees locked out of devices isn’t just an operational crisis. It quickly becomes a financial, reputational, and potentially life-and-property risk. 

“Speed is everything when attacks like this happen. Investigation can’t be an afterthought, organizations need to know if the attackers are still inside systems, which systems are impact, and how the attackers got in. The faster those questions are answered, the faster you can begin recovery.

“Stryker could be the first in a wave of attacks. Cyber assets friendly to the Iranian regime have regrouped and are actively circling their next target sets. Organizations need to be monitoring for IOCs linked to Iran-backed campaigns – including those seen in Operation Olalampo and APT35. But it’s also about reinforcing the basics: software needs to be patched, phishing-resistant MFA enabled, and having a clear plan to isolate devices and systems when suspicious activity arises. In firefighting terms, it’s time to cancel vacations and pre-stage your fire companies near critical assets.”

The age of hybrid warfare has clearly begun. That means that every single one of us needs to re-evaluate how secure we are and take the steps required to make sure that it is as hard as possible for a threat actor to pwn you. Given the state of the world at the moment, this isn’t optional anymore.

UPDATE: Ensar Seker, CISO at SOCRadar, has provided the following commentary: 

“Claims like wiping 200,000 devices and extracting tens of terabytes of data should be treated cautiously until independently verified. Hacktivist groups often exaggerate operational impact for psychological effect. However, even if the scale is smaller than claimed, a wiper-style attack against a global medical technology company is serious because it targets operational continuity rather than just data theft. In the healthcare ecosystem, outages affecting device manufacturers or support systems can ripple across hospitals, supply chains, and patient care environments.

What makes this incident notable is the alleged use of enterprise management infrastructure to execute a destructive campaign. If attackers gained access to tools such as mobile device or endpoint management platforms, they could push destructive commands at scale across thousands of systems almost instantly. That shifts the attack from traditional ransomware or espionage into a coordinated operational disruption, which is consistent with the tactics we increasingly see in geopolitically motivated hacktivism tied to regional conflicts.

Groups like Handala represent the blurred line between hacktivism, state alignment, and information operations. Many of these actors position themselves as ideological collectives, but their campaigns often align with broader geopolitical narratives. Targeting a global medical technology provider may be intended less as a financially motivated attack and more as a symbolic demonstration that Western critical industries can be disrupted during geopolitical tensions.

Organizations should take this as a reminder that destructive cyber operations are no longer limited to nation-state military targets. Companies in healthcare, manufacturing, and critical supply chains should prioritize stronger identity security around administrative tools, strict segmentation of device-management platforms, and continuous monitoring for anomalous mass actions such as remote wipes or bulk configuration pushes. In many modern attacks, the damage is done not through sophisticated malware but through the abuse of legitimate enterprise management capabilities.”