Archive for Comparitech

Which Island Nations Are Most Vulnerable to Undersea Cable Attacks?

Posted in Commentary with tags on May 13, 2026 by itnerd

This morning, Comparitech researchers published an analysis looking at all 48 island nations and their reliance on 126 undersea cables for access to the world’s internet.

These cables are often no thicker than a garden hose, leaving them vulnerable to damage. The International Cable Protection Committee (ICPC) reports 150 to 200 faults are reported on undersea cables each year. Of those, 70 to 80 percent resulted from accidental human activities, primarily anchors from shipping vessels. The rest are technical failures or natural disasters.

To gauge which of the island nations are most at risk of being cut off by accident or design, Comparitech looked at the number of undersea cables connecting them, the level of fishing activity that could cause accidental damage, and their proximity to conflict areas that could result in malicious damage.

New Zealand saw the least risk, while Brunei, Bahrain, Dominica, and Haiti were found to be at most risk. In terms of population, cable damage in Haiti would have the most significant impact, since the country has 11.6 million people dependent on its links.

The full study can be read here: https://www.comparitech.com/news/cut-off-which-island-nations-are-most-vulnerable-to-undersea-cable-attacks/

April Ransomware Report From Comparitech: Decline in Attacks, but Qilin Now Back on the Rise

Posted in Commentary with tags on May 5, 2026 by itnerd

This morning, Comparitech researchers published a study looking at all the ransomware attacks for April, finding that attacks actually dropped by nearly 22 percent, falling to the lowest level in six months. The only sector that did not see a decline in attacks, however, was the healthcare sector. 

Rebecca Moody, Head of Data Research at Comparitech, commented:

“While the dip in ransomware figures does make for positive reading, I don’t think we can pop the champagne cork just yet. As noted in the report, Qilin’s claims were down last month, which contributed significantly to the decline in attacks. But with 14 victims added to its site this month already, it looks like the small reprieve may be over. What the report also highlights is the ongoing focus on healthcare companies — both those providing direct care and those operating within the sector (e.g. medical billing providers). Some significant attacks were reported last month (namely Signature Healthcare and ChipSoft), which only served to remind us how extensive the impact of these attacks can be on all types of healthcare companies.”

Key findings also included: 

  • 628 attacks in total — 43 confirmed attacks (confirmed by the entity involved)
  • Of the 43 confirmed attacks:
    • 27 were on businesses
    • 8 were on government entities
    • 4 were on healthcare companies
    • 4 were on educational institutions
  • Of the 585 unconfirmed attacks:
    • 524 were on businesses
    • 11 were on government entities
    • 41 were on healthcare companies
    • 9 were on educational institutions
  • The most prolific ransomware gangs were Qilin (105), The Gentlemen (67), and DragonForce (60)
  • INC had the most confirmed attacks (5), followed by Payload and The Gentlemen (4 each), and LockBit and DragonForce (3 each)
  • Nearly 125 TB of data was stolen across all of these attacks
  • The US saw the most attacks (260), followed by Canada (32), the United Kingdom (30), and Germany (29)

For full details, the study can be read here: https://www.comparitech.com/news/ransomware-roundup-april-2026/

Healthcare ransomware: Q1 2026 stats on attacks, ransoms, and data breaches 

Posted in Commentary with tags on April 29, 2026 by itnerd

Comparitech researchers have released a study looking at all the healthcare ransomware attacks in the first quarter of 2026. According to the findings, Q1 2026 saw a recorded 120 ransomware attacks on hospitals, clinics, and other healthcare providers. Additionally, businesses operating within the healthcare sector (such as pharmaceutical/medical manufacturers, medical billing providers, or healthcare tech companies) saw a recorded 81 ransomware attacks.

Interestingly, attacks on providers dipped 15% from the previous quarter, but attacks on healthcare businesses jumped 35%. 

Commenting on these findings is Rebecca Moody, Comparitech’s Head of Data Research: 

“Our latest quarterly healthcare report highlights how this sector remains one of the most dominant targets for hackers. For the last two quarters, attacks have been consistently high with hackers focusing on healthcare providers and businesses operating within the healthcare industry. This means healthcare providers not only have to safeguard their own systems from attacks but also need to ensure the third parties they’re using are reaching the same standards.

As the most dominant strain for many months now, Qilin’s attack figures far exceed those of other groups. But this isn’t the case when it comes to healthcare businesses. It claimed just three attacks in three months here, despite claiming 550 victims in total across Q1 of 2026. In contrast, it claimed 23 attacks on healthcare companies. 

LockBit and The Gentlemen are other key threats to healthcare providers, while INC appears to focus more on healthcare businesses (claiming eight attacks here compared to five on healthcare providers).

The focus on certain sectors by certain groups could be due to the success of certain campaigns within a particular industry, or an attempt to infiltrate a sector that isn’t as saturated/high profile when it comes to ransomware. For example, over the last year or so, we have noted a shift toward healthcare businesses. This could be due to how heavily targeted healthcare providers were in previous years. So, while some groups are still “enjoying” success in this sector, others have found a lucrative opening within companies that still deal with critical healthcare systems/services and/or store key healthcare data but don’t necessarily deal directly with patients.”

You can read the study here: https://www.comparitech.com/news/healthcare-ransomware-roundup-q1-2026-stats-on-attacks-ransoms-and-data-breaches/

Inside RAMP: What a leaked database reveals about Russia’s ransomware marketplace

Posted in Commentary with tags on April 22, 2026 by itnerd

Comparitech researchers have published an in-depth analysis of RAMP (Russian Anonymous Marketplace), a Russian-language cybercrime forum that operated from late 2021 until being seized by the FBI in January 2026.

Comparitech researchers gained exclusive access to a leaked database from RAMP, a dump containing user records, forum threads, private messages, IP logs, and admin activity from November 2021 through January 2024.

In the analysis of this dump, the researchers have broken down details regarding the access market, the biggest listings, the affiliate splits, the criminal job market, the top vendors, the top buyers, and more. 

You can read the analysis here: https://www.comparitech.com/news/inside-ramp-what-a-leaked-database-reveals-about-russias-ransomware-marketplace/

McGraw Hill Pwned with 13.5 million accounts affected

Posted in Commentary with tags on April 16, 2026 by itnerd

The ShinyHunters extortion group has leaked data from 13.5 million user accounts at edtech giant McGraw Hill, stolen after breaching the company’s Salesforce environment earlier this month.

You can get more details here: Data breach at edtech giant McGraw Hill affects 13.5 million accounts

Commenting on this news is Paul Bischoff, Consumer Privacy Advocate at Comparitech:

“Most of the compromised data is contact info like addresses, phone numbers, and email addresses. While that info probably can’t be used to directly steal from victims, cybercriminals could use it to craft convincing phishing messages that contain personal info. Breach victims should be on the lookout for targeted scam and phishing messages from cybercriminals posing as McGraw Hill or a related organization. Never click on links or attachments in unsolicited messages, and never send any sensitive private info in an email or text message.”

For additional context, Comparitech researchers in February published an in-depth study looking at all education ransomware attacks in 2025. This data and analysis can be seen here: https://www.comparitech.com/news/education-ransomware-roundup-2025-stats-on-attacks-ransoms-and-data-breaches/

Cookeville Regional Medical Center warns 338,000 people of data breach

Posted in Commentary with tags on April 15, 2026 by itnerd

Comparitech is reporting that Cookeville Regional Medical Center (CRMC) in Tennessee confirmed yesterday that it has notified more than 337,000 people of a July 2025 data breach that compromised names, SSNs, financial account numbers, medical treatment info, health insurance info, and much more.

Commenting on this is Rebecca Moody, Head of Data Research at Comparitech:

“This data breach becomes the eighth-largest on a US healthcare provider from 2025 (following a ransomware attack), and highlights how we often don’t realize just how extensive these attacks are until months (or sometimes years) after the event. It can take a considerable amount of time for organizations to investigate what data has been impacted in these breaches, which is why CRMC needs to be applauded for how it approached this attack. 

From the outset, CRMC has been honest about the nature of the incident and was open about the fact it had fallen victim to a ransomware attack at the time. It also confirmed that data had been breached within a couple of months of the attack taking place, while its investigations into exactly who had been involved were ongoing.

While some organizations avoid using the word “ransomware” and don’t issue any form of data breach notification for months, this lack of clarity and confirmation can leave those affected open to identity theft and phishing campaigns. Hopefully, many of the people impacted in this breach were aware of the attack in its early stages, so the letters being issued now are more of a formality than a shock.”

Stop me if you’ve heard this before. Health care is a sector that is a prime target for threat actors. This needs to stop via providing this sector with what they need to stop getting pwned like this.

179 internet-exposed ICS devices across 20 countries identified via insecure Modbus protocol

Posted in Commentary with tags on April 9, 2026 by itnerd

Researchers at Comparitech have identified 179 internet-exposed industrial control system (ICS) devices across 20 countries, including systems tied to power grids and railway networks, all accessible via the Modbus protocol. The devices were found responding on port 502, the default communication port for Modbus, which is widely used in critical infrastructure environments.

The exposed systems include equipment from major vendors such as Schneider Electric and ABB, performing functions like logic control, power monitoring, and data logging. The United States had the highest number of exposed devices at 57, followed by Sweden (22) and Turkey (19).
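To make concrete what “accessible via the Modbus protocol” means, here is an added example (my own code, not part of the Comparitech study or any vendor’s tooling) that builds the Read Holding Registers request a scanner would send to port 502, parses a reply, and handles the protocol’s exception path. The two reply frames are constructed inline rather than captured from a real device, and the “volts x 10 in register 0” scale factor is an assumption standing in for whatever the real manufacturer’s register list says. The point to notice is the frame layout itself: there is no field anywhere for a credential, a session token or a MAC, so whoever can reach the port can issue the request.

```python
"""Modbus TCP framing for function 0x03 (Read Holding Registers).

Added example, not code from Comparitech's study. Sample frames below are
constructed, not captured from real equipment.
"""
import socket
import struct

MBAP_LEN = 7            # transaction id(2) + protocol id(2) + length(2) + unit id(1)
FC_READ_HOLDING = 0x03

# Exception codes from the Modbus Application Protocol specification.
EXCEPTION_NAMES = {
    0x01: "Illegal Function",
    0x02: "Illegal Data Address",
    0x03: "Illegal Data Value",
    0x04: "Server Device Failure",
}


class ModbusExceptionResponse(Exception):
    """The device answered with function code | 0x80 and an exception code."""

    def __init__(self, code):
        super().__init__(f"Modbus exception 0x{code:02X} ({EXCEPTION_NAMES.get(code, 'unknown')})")
        self.code = code


def build_read_holding_registers(tid, unit_id, start_addr, count):
    """Return the raw request frame: MBAP header followed by the PDU.

    MBAP: tid(2) proto(2)=0 length(2) unit(1). PDU: fc(1) addr(2) count(2).
    The length field counts the unit id plus the PDU. No authentication field exists.
    """
    if not 1 <= count <= 125:
        raise ValueError("count must be 1..125 (spec limit for one request)")
    pdu = struct.pack(">BHH", FC_READ_HOLDING, start_addr, count)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_holding_registers_response(frame, expected_tid=None):
    """Return the list of 16-bit register values carried by a response frame.

    Raises ModbusExceptionResponse for an exception reply and ValueError for
    anything that is not a well-formed Read Holding Registers response.
    """
    if len(frame) < MBAP_LEN + 2:
        raise ValueError("frame too short")
    tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    if expected_tid is not None and tid != expected_tid:
        raise ValueError("transaction id mismatch")
    fc = frame[7]
    if fc == FC_READ_HOLDING | 0x80:
        raise ModbusExceptionResponse(frame[8])
    if fc != FC_READ_HOLDING:
        raise ValueError(f"unexpected function code 0x{fc:02X}")
    byte_count = frame[8]
    data = frame[9:]
    if byte_count != len(data) or byte_count % 2:
        raise ValueError("byte count does not match payload")
    return list(struct.unpack(f">{byte_count // 2}H", data))


def classify_response(frame, expected_tid=None):
    """Return ('registers', values) or ('exception', code) for one reply."""
    try:
        return "registers", parse_read_holding_registers_response(frame, expected_tid)
    except ModbusExceptionResponse as exc:
        return "exception", exc.code


def probe_modbus(host, port=502, unit_id=1, timeout=3.0):
    """Send one read request to a live host and classify what comes back.

    Only run this against equipment you own or are authorised to test.
    Returns ('no-modbus', reason) on connection failure or malformed data.
    """
    req = build_read_holding_registers(1, unit_id, 0, 2)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(req)
            reply = sock.recv(260)      # largest Modbus TCP ADU is 260 bytes
    except OSError as exc:
        return "no-modbus", str(exc)
    try:
        return classify_response(reply, expected_tid=1)
    except ValueError as exc:
        return "no-modbus", str(exc)


def scaled_reading(regs, index, scale):
    """Apply a register-map scale factor (assumed: a hypothetical meter that
    publishes line voltage as volts x 10 in register 0)."""
    return regs[index] / scale


# Constructed sample frames (not captured from a real device).
# Reply to tid=1, unit=1: two registers, 0x08FC (2300) and 0x05DC (1500).
SAMPLE_RESPONSE = bytes.fromhex("0001 0000 0007 01 03 04 08FC 05DC")
# Reply from a device that rejects the requested address range (exception 0x02).
SAMPLE_EXCEPTION = bytes.fromhex("0001 0000 0003 01 83 02")

if __name__ == "__main__":
    print(build_read_holding_registers(1, 1, 0, 2).hex())
    kind, regs = classify_response(SAMPLE_RESPONSE, expected_tid=1)
    print(kind, regs, f"{scaled_reading(regs, 0, 10):.1f} V")
    print(classify_response(SAMPLE_EXCEPTION, expected_tid=1))
```

`probe_modbus()` is the part that touches the network and is deliberately kept separate from the parser: run it only against your own external ranges, and treat any `('registers', ...)` result as a device that must be moved behind a firewall or VPN, since the same frame would let an outsider read it, and function 0x06/0x10 would let them write.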

Denis Calderone, CTO, Suzu Labs:

   “During yesterday’s extremely busy cybersecurity news cycle we were all abuzz about the six-agency advisory about Iranian actors targeting US critical infrastructure PLCs.  One thing we pointed out yesterday while conversing with clients and others was to look for any Internet exposure to certain protocols used by PLCs including Modbus TCP on port 502.  

   “Modbus is particularly concerning because it is a protocol developed without security controls. Now, today, Comparitech publishes research showing 179 ICS devices sitting exposed on that exact port across 20 countries, with the United States leading the count at 57 devices. The timing on this could not be more relevant.

   “To put it bluntly, Modbus was designed in 1979 for closed industrial networks, and that’s why it lacks any concept of authentication or encryption. If you can reach port 502, you can read from and write to the device registers. The researchers didn’t just do a Shodan search and look at headers; they performed a Masscan, identified open Modbus ports and were able to chart live energy consumption from an exposed power monitoring device using the manufacturer’s publicly available register list.

   “We already know the Iranian hackers are looking for this, and these devices are just sitting there waiting to be found. So, what we said yesterday stands today that PLCs and ICS devices need to be behind firewalls and segmented OT network zones, not exposed to the internet. Modbus was never meant to be an internet-facing protocol.

   “The convergence of industrial systems onto IP networks has been causing this kind of exposure for decades now. If your organization runs any industrial control systems, scan your own environment for anything responding on port 502 and take it off the internet today. If you need remote access for maintenance or monitoring, put it behind a VPN. There is no scenario where an unauthenticated industrial control protocol should be directly reachable from the public internet.”

Damon Small, Board of Directors, Xcape, Inc.:

   “Exposing Industrial Control System (ICS) assets directly to the Internet via unauthenticated protocols like Modbus represents a critical failure in perimeter hygiene that invites immediate disruption of physical operations.

   “While the report’s tally of 179 devices is statistically small, the inclusion of programmable logic controllers (PLC) and power monitors in the U.S. and Sweden highlights a persistent gap in securing critical infrastructure. The fundamental issue is that Modbus lacks native encryption or authentication, meaning any device responding on port 502 is effectively an open door for unauthenticated read and write commands.

   “Recent surges in activity from state-affiliated actors targeting similar vulnerabilities underscore that this is no longer a theoretical risk but an active targeting priority. Security teams must move beyond simple port blocking and verify that any necessary remote access is tunneled through a robust VPN or a secure gateway with granular identity controls.

   “Prioritize an immediate scan of external IP ranges for port 502 and audit all Modbus TCP gateways to ensure they are not bridging internal Operational Technology (OT) and industrial control networks directly to the public Internet. Use the Purdue Model reference architecture for guidance on how to properly segment OT from IT to protect these critical infrastructures. In short, the problem is not with the devices or the protocols that they use, but rather the manner in which operators are deploying them.

   “It is 2026, and we are still arguing about whether a power grid should be a public webpage.”

Larry Pesce, VP of Services, Finite State:

   “This highlights a recurring and concerning issue: internet-exposed industrial control system (ICS) devices, particularly those using legacy protocols like Modbus that were never designed with security in mind.

   “What stands out here isn’t just the exposure itself: it’s where it’s happening.

   “Critical infrastructure organizations such as energy, water, and manufacturing have historically been among the most cautious when it comes to external attack surfaces. These environments typically emphasize segmentation, controlled access, and layered defenses. So seeing these systems directly reachable from the internet suggests a breakdown in foundational security practices.

   “And that’s really the key takeaway:

   “This isn’t a failure of advanced security controls, it’s a failure of fundamentals.

   “The “Back to Basics” Problem

   “What these exposures reinforce is the need to revisit core disciplines such as network perimeter management. If Modbus is reachable from the public internet, something upstream like firewalls, routing, and/or segmentation has failed. Full stop.

   “Also, asset inventory. You can’t protect what you don’t know exists. Internet-wide scans keep finding devices because organizations don’t have a complete, continuously updated view of what’s deployed.

   “Patch and update hygiene. Even when exposure is unavoidable, outdated firmware and unpatched services dramatically increase risk.

   “Redundancy and resilience planning. Many ICS environments assume availability—but exposure introduces fragility. Even “low impact” disruptions can cascade if redundancy isn’t properly designed.

   “The compounding risk effect is the part that tends to get underestimated.

   “Individually, many of these exposed systems might not lead to catastrophic outcomes. Maybe it’s read-only access. Maybe it’s a non-critical site. Maybe exploitation requires additional steps.

   “But security doesn’t fail in isolation.

   “When you stack dozens, or hundreds, of “low impact” exposures, you create systemic risk.

   “Attackers don’t need a single catastrophic vulnerability if they can enumerate environments, chain small weaknesses, and establish footholds across multiple sites. At that point, even minor disruptions can aggregate into operational, safety, or economic consequences.

   “This keeps happening because a lot of organizations still rely on point-in-time scans and assumptions about what’s deployed. But what matters is what’s actually running in the field: the firmware, the configurations, the exposed services.

   “And this is exactly the gap. Traditional approaches often miss “firmware reality”: the full picture of what’s deployed, exposed, and reachable. 

   “Without a continuous, accurate inventory tied to real deployed assets, these exposures slip through, even in mature environments.

   “Honestly, this isn’t about blaming operators or engineers. These environments are complex, often decades in the making, with layers of legacy decisions.

   “But moments like this are a good reset. Not a “we need more AI security tooling” moment or a “zero trust will fix everything” moment.

   “This is a: “Did we lock the front door?” moment. Because in this case… the front door is Modbus on port 502, wide open to the internet.”

Neither my router’s admin page nor anything else tied to administering my router is exposed to the Internet. I do that because I am paranoid that I will get pwned because I gave a threat actor the means to pwn me. I would suggest we all start to become a lot more paranoid.

Comparitech Education Ransomware Roundup: 2025 stats on attacks, ransoms, and data breaches

Posted in Commentary with tags on February 5, 2026 by itnerd

Comparitech researchers have published a study looking at all the education ransomware attacks of 2025. 

In 2025, ransomware gangs took credit for 251 cyberattacks on schools, universities, and other educational institutions. While similar to 2024’s figure (247), 2025’s attacks resulted in the breach of over 3.96 million records, a significant increase from 2024 (3.11 million).

The three largest breaches of 2025 all stem from Clop’s exploit of a zero-day vulnerability in Oracle’s E-Business Suite software, highlighting how schools not only face the threat of ransomware attacks on their own systems but also on the third parties they rely on.

Key findings include: 

  • 3,962,869 records are known to have been breached in the confirmed attacks, up 27% from 2024’s figure (3,112,121)
  • Average ransom demand across all attacks = $464,000, down 33% from 2024 ($694,000)
  • The ransomware strains that claimed the most attacks against schools, colleges, and universities were Qilin (37), SafePay (23), Fog and Interlock (18 each), and INC (17)
  • Interlock took credit for the most confirmed attacks (11), followed by Qilin (9), Fog (7), SafePay, INC, and Clop (6 each), and Medusa (4)
  • Over 241 TB of data was allegedly stolen across all attacks
  • The United States saw the most attacks (130), followed by the United Kingdom (12), France, Brazil, and Japan (9 each), Canada (8), and Australia and Spain (7 each)
  • Attacks in the US (-9%), the UK (-50%), France (-18%), and Germany (-40%) all declined, while attacks in Brazil (+125%), Japan (+350%), Canada (+14%), Australia (+250%), and Spain (+600%) all increased

The report is here: https://www.comparitech.com/news/education-ransomware-roundup-2025-stats-on-attacks-ransoms-and-data-breaches/

Healthcare Ransomware: 2025 stats on attacks, ransoms, and data breaches

Posted in Commentary with tags on January 27, 2026 by itnerd

Last year saw a recorded 445 ransomware attacks on hospitals, clinics, and other direct care providers. An additional 191 attacks hit businesses operating within the healthcare sector. When comparing these figures from 2025 to those noted in 2024, attacks on healthcare providers remained about the same, while attacks on healthcare businesses increased by 25 percent. 

Interestingly, the average ransomware demand decreased significantly in 2025 for both healthcare providers (down 84%) and healthcare businesses (down 92%). 

Rebecca Moody, Head of Data Research at Comparitech, provided the following comment on the overall findings: 

“The fact that attacks on healthcare providers appeared to plateau last year while attacks increased overall is positive, but now is not the time to get complacent or take this for granted. As our recent report highlights, healthcare providers are still a dominant focus for hackers because of the amount of disruption these attacks can cause and the amount of sensitive data they have on file. Healthcare providers are also facing increasing pressure via attacks on third parties. Whether it’s the medical billing service they use or their IT provider, healthcare organizations’ systems are only as robust as the third parties they’re using.

2025’s statistics also demonstrate the increased speed and volume of attacks from ransomware groups. As they turn to the likes of AI and Ransomware-as-a-Service (RaaS) to scale up their operations, gangs are constantly evolving to ensure they’re maximizing their output. This perhaps goes some way to explaining why we’ve seen such a reduction in the average ransom amount, too. Larger volumes = lower ransoms. Equally, by issuing these lower demands, hackers are likely increasing their chances of securing a ransom payment.”

You can read more here: https://www.comparitech.com/news/healthcare-ransomware-roundup-2025-stats-on-attacks-ransoms-and-data-breaches/

Worldwide Ransomware Research for 2025: Attacks Increased 32% Globally: Comparitech

Posted in Commentary with tags on January 13, 2026 by itnerd

Comparitech has published its annual Worldwide Ransomware Roundup for 2025.

In 2025, there were a recorded 7,419 ransomware attacks across the globe. This is a 32% increase from the year before. Across the 1,173 confirmed attacks, nearly 59.2 million records were breached (and counting!).

In the study, the researchers dove deep into every tracked confirmed and unconfirmed attack of the year, finding out which sectors were hit the most, which countries were most targeted, as well as which ransomware gangs were the most prolific. 

Rebecca Moody, Comparitech’s Head of Data Research, had this to say: 

“If 2025’s figures have shown us anything, it’s that ransomware attacks remain a dominant threat for companies of all sizes and across all industries. As we enter 2026, hackers will likely continue to exploit vulnerabilities, target key infrastructure, public services, and manufacturers, and seek to steal large quantities of data in the process.

2025’s findings also highlight that hackers see third-party service providers as the perfect target because they not only give them potential access to hundreds of companies through one source but they also enable large-scale data breaches. From the crippling attack on Collins Aerospace, which disrupted travel at multiple airports across Europe, to the ripple effects of data breaches on the likes of Marquis Software Solutions and Oracle, 2025 should serve as a stark reminder that – no matter how secure an organization’s systems may be, they’re only as secure as the third parties they use to carry out various services.

So, while companies are going to want to make sure they’re on top of all the key basics (carrying out regular backups, patching vulnerabilities as soon as they’re flagged, providing employees with regular training, and making sure systems are up to date), it’s also critical that they’re vetting the third parties they use.”

For full details, the research can be read here: https://www.comparitech.com/news/worldwide-ransomware-roundup-2025-end-of-year-report/