Archive for Comparitech

Healthcare ransomware: Q1 2026 stats on attacks, ransoms, and data breaches 

Posted in Commentary on April 29, 2026 by itnerd

Comparitech researchers have released a study looking at all the healthcare ransomware attacks in the first quarter of 2026. According to the findings, Q1 2026 saw a recorded 120 ransomware attacks on hospitals, clinics, and other healthcare providers. Additionally, businesses operating within the healthcare sector (such as pharmaceutical/medical manufacturers, medical billing providers, or healthcare tech companies) saw a recorded 81 ransomware attacks. 

Interestingly, attacks on providers dipped 15% from the previous quarter, but attacks on healthcare businesses jumped 35%. 

Commenting on these findings is Rebecca Moody, Comparitech’s Head of Data Research: 

“Our latest quarterly healthcare report highlights how this sector remains one of the most dominant targets for hackers. For the last two quarters, attacks have been consistently high with hackers focusing on healthcare providers and businesses operating within the healthcare industry. This means healthcare providers not only have to safeguard their own systems from attacks but also need to ensure the third parties they’re using are reaching the same standards.

As the most dominant strain for many months now, Qilin’s attack figures far exceed those of other groups. But this isn’t the case when it comes to healthcare businesses. It claimed just three attacks in three months here, despite claiming 550 victims in total across Q1 of 2026. In contrast, it claimed 23 attacks on healthcare companies. 

LockBit and The Gentlemen are other key threats to healthcare providers, while INC appears to focus more on healthcare businesses (claiming eight attacks here compared to five on healthcare providers).

The focus on certain sectors by certain groups could be due to the success of certain campaigns within a particular industry, or an attempt to infiltrate a sector that isn’t as saturated/high profile when it comes to ransomware. For example, over the last year or so, we have noted a shift toward healthcare businesses. This could be due to how heavily targeted healthcare providers were in previous years. So, while some groups are still “enjoying” success in this sector, others have found a lucrative opening within companies that still deal with critical healthcare systems/services and/or store key healthcare data but don’t necessarily deal directly with patients.”

You can read the study here: https://www.comparitech.com/news/healthcare-ransomware-roundup-q1-2026-stats-on-attacks-ransoms-and-data-breaches/

Inside RAMP: What a leaked database reveals about Russia’s ransomware marketplace

Posted in Commentary on April 22, 2026 by itnerd

Comparitech researchers have published an in-depth analysis of RAMP (Russian Anonymous Marketplace), a Russian-language cybercrime forum that operated from late 2021 until being seized by the FBI in January 2026. 

Comparitech researchers gained exclusive access to a leaked database from RAMP, a dump containing user records, forum threads, private messages, IP logs, and admin activity from November 2021 through January 2024. 

In the analysis of this dump, the researchers have broken down details regarding the access market, the biggest listings, the affiliate splits, the criminal job market, the top vendors, the top buyers, and more. 

You can read the analysis here: https://www.comparitech.com/news/inside-ramp-what-a-leaked-database-reveals-about-russias-ransomware-marketplace/

McGraw Hill Pwned with 13.5 million accounts affected

Posted in Commentary on April 16, 2026 by itnerd

The ShinyHunters extortion group has leaked data from 13.5 million edtech giant McGraw Hill user accounts, stolen after breaching the company’s Salesforce environment earlier this month.

You can get more details here: Data breach at edtech giant McGraw Hill affects 13.5 million accounts

Commenting on this news is Paul Bischoff, Consumer Privacy Advocate at Comparitech:

“Most of the compromised data is contact info like addresses, phone numbers, and email addresses. While that info probably can’t be used to directly steal from victims, cybercriminals could use it to craft convincing phishing messages that contain personal info. Breach victims should be on the lookout for targeted scam and phishing messages from cybercriminals posing as McGraw Hill or a related organization. Never click on links or attachments in unsolicited messages, and never send any sensitive private info in an email or text message.”

For additional context, Comparitech researchers in February published an in-depth study looking at all education ransomware attacks in 2025. This data and analysis can be seen here: https://www.comparitech.com/news/education-ransomware-roundup-2025-stats-on-attacks-ransoms-and-data-breaches/

Cookeville Regional Medical Center warns 338,000 people of data breach

Posted in Commentary on April 15, 2026 by itnerd

Comparitech is reporting that Cookeville Regional Medical Center in TN yesterday confirmed it notified over 337K people of a July 2025 data breach that compromised names, SSNs, financial account numbers, medical treatment info, health insurance info, and much more. 

Commenting on this is Rebecca Moody, Head of Data Research at Comparitech:

“This data breach becomes the eighth-largest on a US healthcare provider from 2025 (following a ransomware attack), and highlights how we often don’t realize just how extensive these attacks are until months (or sometimes years) after the event. It can take a considerable amount of time for organizations to investigate what data has been impacted in these breaches, which is why CRMC needs to be applauded for how it approached this attack. 

From the outset, CRMC has been honest about the nature of the incident and was open about the fact it had fallen victim to a ransomware attack at the time. It also confirmed that data had been breached within a couple of months of the attack taking place, while its investigations into exactly who had been involved were ongoing.

While some organizations avoid using the word “ransomware” and don’t issue any form of data breach notification for months, this lack of clarity and confirmation can leave those affected open to identity theft and phishing campaigns. Hopefully, many of the people impacted in this breach were aware of the attack in its early stages, so the letters being issued now are more of a formality than a shock.”

Stop me if you’ve heard this before. Health care is a sector that is a prime target for threat actors. This needs to stop via providing this sector with what they need to stop getting pwned like this.

179 internet-exposed ICS devices across 20 countries identified via insecure Modbus protocol

Posted in Commentary on April 9, 2026 by itnerd

Researchers at Comparitech have identified 179 internet-exposed industrial control system (ICS) devices across 20 countries, including systems tied to power grids and railway networks, all accessible via the Modbus protocol. The devices were found responding on port 502, the default communication port for Modbus, which is widely used in critical infrastructure environments.

The exposed systems include equipment from major vendors such as Schneider Electric and ABB, performing functions like logic control, power monitoring, and data logging. The United States had the highest number of exposed devices at 57, followed by Sweden (22) and Turkey (19).
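To make the exposure concrete from the defender's side, here is an added example (not Comparitech's research code and not any vendor's tooling) in Python: a small Modbus/TCP (MBAP) decoder plus a triage routine that an OT team could run over exported connection records to spot the two conditions the research describes, Modbus answered from outside the organisation's own address space and register writes from hosts that are not approved engineering workstations. The flows, the internal ranges (10.0.0.0/8, 192.168.0.0/16) and the engineering-host allowlist are constructed for the example.

```python
"""Modbus/TCP exposure triage: decode MBAP frames and flag traffic that should
never reach a PLC on a properly segmented OT network.

Added example; not Comparitech's research code. The flows, the internal
address ranges and the engineering-workstation allowlist are all constructed.
"""
import ipaddress
import struct

MODBUS_PORT = 502

# Function codes that read or write registers/coils (a subset). A request
# carries nothing but these fields: there is no credential to check.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def parse_mbap(frame: bytes) -> dict:
    """Decode one Modbus/TCP frame: 7-byte MBAP header + PDU (function code + data)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc, data = frame[7], frame[8:]
    info = {"transaction_id": tid, "unit_id": unit, "function_code": fc}
    if fc in READ_CODES and len(data) >= 4:
        start, count = struct.unpack(">HH", data[:4])
        info.update(kind="read", name=READ_CODES[fc], start=start, count=count)
    elif fc in (5, 6) and len(data) >= 4:          # single coil/register write
        addr, value = struct.unpack(">HH", data[:4])
        info.update(kind="write", name=WRITE_CODES[fc], address=addr, value=value)
    elif fc in (15, 16) and len(data) >= 4:        # multiple coil/register write
        start, count = struct.unpack(">HH", data[:4])
        info.update(kind="write", name=WRITE_CODES[fc], start=start, count=count)
    else:
        info.update(kind="other", name=f"function code {fc}")
    return info


def triage(flows, internal_ranges, engineering_hosts):
    """Classify observed flows given as (src, dst, dst_port, payload).

    'critical'  : Modbus request from outside the organisation's own ranges,
                  i.e. the device is answering the public internet.
    'high'      : a write function code from an internal host that is not an
                  approved engineering workstation.
    'malformed' : port-502 traffic that does not decode as Modbus/TCP.
    Reads from internal hosts (HMIs, historians) are treated as normal here.
    """
    nets = [ipaddress.ip_network(n) for n in internal_ranges]
    eng = {ipaddress.ip_address(h) for h in engineering_hosts}
    findings = []
    for src, dst, port, payload in flows:
        if port != MODBUS_PORT:
            continue
        src_ip = ipaddress.ip_address(src)
        try:
            req = parse_mbap(payload)
        except ValueError as err:
            findings.append({"severity": "malformed", "src": src, "dst": dst,
                             "detail": str(err)})
            continue
        if not any(src_ip in n for n in nets):
            findings.append({"severity": "critical", "src": src, "dst": dst,
                             "detail": f"{req['name']} from external address: "
                                       "device is internet-exposed"})
        elif req["kind"] == "write" and src_ip not in eng:
            findings.append({"severity": "high", "src": src, "dst": dst,
                             "detail": f"{req['name']} (unit {req['unit_id']}) "
                                       "from non-engineering host"})
    return findings


# Constructed sample flows: (src, dst, dst_port, bytes on the wire).
SAMPLE_FLOWS = [
    # External host reads 10 holding registers from unit 1: classic exposure.
    ("203.0.113.10", "10.1.5.20", 502, bytes.fromhex("00010000000601030000000a")),
    # Internal, non-engineering host writes register 0x10 = 0xFF on unit 1.
    ("10.1.1.7", "10.1.5.20", 502, bytes.fromhex("0002000000060106001000ff")),
    # Approved engineering workstation writes two registers: expected traffic.
    ("10.1.2.2", "10.1.5.20", 502, bytes.fromhex("00030000000b0110001000020400010002")),
    # Not Modbus at all (wrong port), ignored by the triage.
    ("10.1.1.7", "10.1.5.20", 443, b"GET / HTTP/1.1\r\n"),
    # Truncated frame on port 502 from an internal host.
    ("10.1.1.9", "10.1.5.20", 502, bytes.fromhex("000500000002")),
]
INTERNAL_RANGES = ["10.0.0.0/8", "192.168.0.0/16"]   # assumed org ranges
ENGINEERING_HOSTS = ["10.1.2.2"]                     # assumed allowlist


def run_sample():
    """Triage the constructed flows; returns the findings list."""
    return triage(SAMPLE_FLOWS, INTERNAL_RANGES, ENGINEERING_HOSTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] {f['src']} -> {f['dst']}: {f['detail']}")
```

Decoding the frames is the point of the exercise: a request consists only of a transaction id, protocol id, length, unit id, function code and data, with nothing that identifies or authenticates the sender. That is why the only controls available are about reachability (who can open a connection to port 502 at all), which is what the source-address checks above approximate and what firewalling and OT segmentation enforce for real.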

Denis Calderone, CTO, Suzu Labs:

   “During yesterday’s extremely busy cybersecurity news cycle we were all abuzz about the six-agency advisory about Iranian actors targeting US critical infrastructure PLCs. One thing we pointed out yesterday while conversing with clients and others was to look for any Internet exposure to certain protocols used by PLCs including Modbus TCP on port 502.

   “Modbus is particularly concerning because it is a protocol developed without security controls. Now, today, Comparitech publishes research showing 179 ICS devices sitting exposed on that exact port across 20 countries, with the United States leading the count at 57 devices. The timing on this could not be more relevant.

   “To put it bluntly, Modbus was designed in 1979 for closed industrial networks and that’s why it lacks any concept of authentication and has no encryption. If you can reach port 502, you can read from and write to the device registers. The researchers didn’t just do a Shodan search and look at headers, they performed a Masscan, identified open Modbus ports and were able to chart live energy consumption from an exposed power monitoring device using the manufacturer’s publicly available register list.

   “We already know the Iranian hackers are looking for this, and these devices are just sitting there waiting to be found. So, what we said yesterday stands today that PLCs and ICS devices need to be behind firewalls and segmented OT network zones, not exposed to the internet. Modbus was never meant to be an internet-facing protocol.

   “The convergence of industrial systems onto IP networks has been causing this kind of exposure for decades now. If your organization runs any industrial control systems, scan your own environment for anything responding on port 502 and take it off the internet today. If you need remote access for maintenance or monitoring, put it behind a VPN. There is no scenario where an unauthenticated industrial control protocol should be directly reachable from the public internet.”

Damon Small, Board of Directors, Xcape, Inc.:

   “Exposing Industrial Control System (ICS) assets directly to the Internet via unauthenticated protocols like Modbus represents a critical failure in perimeter hygiene that invites immediate disruption of physical operations.

   “While the report’s tally of 179 devices is statistically small, the inclusion of programmable logic controllers (PLC) and power monitors in the U.S. and Sweden highlights a persistent gap in securing critical infrastructure. The fundamental issue is that Modbus lacks native encryption or authentication, meaning any device responding on port 502 is effectively an open door for unauthenticated read and write commands.

   “Recent surges in activity from state-affiliated actors targeting similar vulnerabilities underscore that this is no longer a theoretical risk but an active targeting priority. Security teams must move beyond simple port blocking and verify that any necessary remote access is tunneled through a robust VPN or a secure gateway with granular identity controls.

   “Prioritize an immediate scan of external IP ranges for port 502 and audit all Modbus TCP gateways to ensure they are not bridging internal Operational Technology (OT) and industrial control networks directly to the public Internet. Use the Purdue Model reference architecture for guidance on how to properly segment OT from IT to protect these critical infrastructures. In short, the problem is not with the devices or the protocols that they use, but rather the manner in which operators are deploying them.

   “It is 2026, and we are still arguing about whether a power grid should be a public webpage.”

Larry Pesce, VP of Services, Finite State:

   “This highlights a recurring and concerning issue: internet-exposed industrial control system (ICS) devices, particularly those using legacy protocols like Modbus that were never designed with security in mind.

   “What stands out here isn’t just the exposure itself: it’s where it’s happening.

   “Critical infrastructure organizations such as energy, water, and manufacturing have historically been among the most cautious when it comes to external attack surfaces. These environments typically emphasize segmentation, controlled access, and layered defenses. So seeing these systems directly reachable from the internet suggests a breakdown in foundational security practices.

   “And that’s really the key takeaway:

   “This isn’t a failure of advanced security controls, it’s a failure of fundamentals.

   “The “Back to Basics” Problem

   “What these exposures reinforce is the need to revisit core disciplines such as network perimeter management. If Modbus is reachable from the public internet, something upstream like firewalls, routing, and/or segmentation has failed. Full stop.

   “Also, asset inventory. You can’t protect what you don’t know exists. Internet-wide scans keep finding devices because organizations don’t have a complete, continuously updated view of what’s deployed.

   “Patch and update hygiene. Even when exposure is unavoidable, outdated firmware and unpatched services dramatically increase risk.

   “Redundancy and resilience planning. Many ICS environments assume availability—but exposure introduces fragility. Even “low impact” disruptions can cascade if redundancy isn’t properly designed.

   “The compounding risk effect is the part that tends to get underestimated.

   “Individually, many of these exposed systems might not lead to catastrophic outcomes. Maybe it’s read-only access. Maybe it’s a non-critical site. Maybe exploitation requires additional steps.

   “But security doesn’t fail in isolation.

   “When you stack dozens, or hundreds, of “low impact” exposures, you create systemic risk.

   “Attackers don’t need a single catastrophic vulnerability if they can enumerate environments, chain small weaknesses, and establish footholds across multiple sites. At that point, even minor disruptions can aggregate into operational, safety, or economic consequences.

   “This keeps happening because a lot of organizations still rely on point-in-time scans and assumptions about what’s deployed. But what matters is what’s actually running in the field: the firmware, the configurations, the exposed services.

   “And this is exactly the gap. Traditional approaches often miss “firmware reality”: the full picture of what’s deployed, exposed, and reachable. 

   “Without a continuous, accurate inventory tied to real deployed assets, these exposures slip through, even in mature environments.

   “Honestly, this isn’t about blaming operators or engineers. These environments are complex, often decades in the making, with layers of legacy decisions.

   “But moments like this are a good reset. Not a “we need more AI security tooling” moment or a “zero trust will fix everything” moment.

   “This is a: “Did we lock the front door?” moment. Because in this case… the front door is Modbus on port 502, wide open to the internet.”

Neither my admin page nor anything else that’s tied to administering my router is exposed to the Internet. I do that because I am paranoid that I will get pwned because I gave a threat actor the means to pwn me. I would suggest we all start to become a lot more paranoid.

Comparitech Education Ransomware Roundup: 2025 stats on attacks, ransoms, and data breaches

Posted in Commentary on February 5, 2026 by itnerd

Comparitech researchers have published a study looking at all the education ransomware attacks of 2025. 

In 2025, ransomware gangs took credit for 251 cyberattacks on schools, universities, and other educational institutions. While similar to 2024’s figure (247), 2025’s attacks resulted in the breach of over 3.96 million records, a significant increase from 2024 (3.11 million).

The three largest breaches of 2025 all stem from Clop’s exploit of a zero-day vulnerability in Oracle’s E-Business Suite software, highlighting how schools not only face the threat of ransomware attacks on their own systems but also on the third parties they rely on.

Key findings include: 

  • 3,962,869 records are known to have been breached in the confirmed attacks, up 27% from 2024’s figure (3,112,121)
  • Average ransom demand across all attacks was $464,000, down 33% from 2024 ($694,000)
  • The ransomware strains that claimed the most attacks against schools, colleges, and universities were Qilin (37), SafePay (23), Fog and Interlock (18 each), and INC (17)
  • Interlock took credit for the most confirmed attacks (11), followed by Qilin (9), Fog (7), SafePay, INC, and Clop (6 each), and Medusa (4)
  • Over 241 TB of data was allegedly stolen across all attacks
  • The United States saw the most attacks (130), followed by the United Kingdom (12), France, Brazil, and Japan (9 each), Canada (8), and Australia and Spain (7 each)
  • Attacks in the US (-9%), the UK (-50%), France (-18%), and Germany (-40%) all declined, while attacks in Brazil (+125%), Japan (+350%), Canada (+14%), Australia (+250%), and Spain (+600%) all increased

The report is here: https://www.comparitech.com/news/education-ransomware-roundup-2025-stats-on-attacks-ransoms-and-data-breaches/

Healthcare Ransomware: 2025 stats on attacks, ransoms, and data breaches

Posted in Commentary on January 27, 2026 by itnerd

Last year saw a recorded 445 ransomware attacks on hospitals, clinics, and other direct care providers. An additional 191 attacks hit businesses operating within the healthcare sector. When comparing these figures from 2025 to those noted in 2024, attacks on healthcare providers remained about the same, while attacks on healthcare businesses increased by 25 percent. 

Interestingly, the average ransomware demand decreased significantly in 2025 for both healthcare providers (down 84%) and healthcare businesses (down 92%). 

Rebecca Moody, Head of Data Research at Comparitech, provided the following comment on the overall findings: 

“The fact that attacks on healthcare providers appeared to plateau last year while attacks increased overall is positive, but now is not the time to get complacent or take this for granted. As our recent report highlights, healthcare providers are still a dominant focus for hackers because of the amount of disruption these attacks can cause and the amount of sensitive data they have on file. Healthcare providers are also facing increasing pressure via attacks on third parties. Whether it’s the medical billing service they use or their IT provider, healthcare organizations’ systems are only as robust as the third parties they’re using.

2025’s statistics also demonstrate the increased speed and volume of attacks from ransomware groups. As they turn to the likes of AI and Ransomware-as-a-Service (RaaS) to scale up their operations, gangs are constantly evolving to ensure they’re maximizing their output. This perhaps goes some way to explaining why we’ve seen such a reduction in the average ransom amount, too. Larger volumes = lower ransoms. Equally, by issuing these lower demands, hackers are likely increasing their chances of securing a ransom payment.”

You can read more here: https://www.comparitech.com/news/healthcare-ransomware-roundup-2025-stats-on-attacks-ransoms-and-data-breaches/

Worldwide Ransomware Research for 2025: Attacks Increased 32% Globally: Comparitech

Posted in Commentary on January 13, 2026 by itnerd

Comparitech has published its annual Worldwide Ransomware Roundup for 2025. 

In 2025, there were a recorded 7,419 ransomware attacks across the globe. This is a 32% increase from the year before. Across the 1,173 confirmed attacks, nearly 59.2 million records were breached (and counting!). 

In the study, the researchers dove deep into every tracked confirmed and unconfirmed attack of the year, finding out which sectors were hit the most, which countries were most targeted, as well as which ransomware gangs were the most prolific. 

Rebecca Moody, Comparitech’s Head of Data Research, had this to say: 

“If 2025’s figures have shown us anything, it’s that ransomware attacks remain a dominant threat for companies of all sizes and across all industries. As we enter 2026, hackers will likely continue to exploit vulnerabilities, target key infrastructure, public services, and manufacturers, and seek to steal large quantities of data in the process.

2025’s findings also highlight that hackers see third-party service providers as the perfect target because they not only give them potential access to hundreds of companies through one source but they also enable large-scale data breaches. From the crippling attack on Collins Aerospace, which disrupted travel at multiple airports across Europe, to the ripple effects of data breaches on the likes of Marquis Software Solutions and Oracle, 2025 should serve as a stark reminder that, no matter how secure an organization’s systems may be, they’re only as secure as the third parties they use to carry out various services.

So, while companies are going to want to make sure they’re on top of all the key basics (carrying out regular backups, patching vulnerabilities as soon as they’re flagged, providing employees with regular training, and making sure systems are up to date), it’s also critical that they’re vetting the third parties they use.”

For full details, the research can be read here: https://www.comparitech.com/news/worldwide-ransomware-roundup-2025-end-of-year-report/

Richmond, VA mental health service notifies 113,000+ people of data breach

Posted in Commentary on December 17, 2025 by itnerd

Comparitech has reported that The Richmond Behavioral Health Authority in Virginia has notified 113,232 people of a September 2025 data breach, according to the US Department of Health and Human Services.

Rebecca Moody, Head of Data Research at Comparitech, commented: 

“While ransomware attacks have increased by 27 percent this year (rising from 2,865 in 2024 to 3,637 in 2025 to date), US healthcare providers haven’t seen the same influx. In fact, as it stands, it looks as though attacks in 2025 (280 noted so far) will be similar to 2024’s level (294 noted in total). Average ransom demands on this sector have also declined, dropping from $881,500 across the 294 noted in 2024 to $452,900 across the 280 noted so far this year.

Nevertheless, this latest breach notification from Richmond Behavioral Health Authority serves as a reminder that, even though the healthcare sector may be getting a small reprieve from ransomware gangs, the effects of these attacks when they do happen are no less significant. It also highlights how gangs are increasingly focused on data theft as part of their attacks. Qilin alone is responsible for 10 known data breaches following ransomware attacks on US healthcare providers this year with over 409,000 records breached in total.”

Once again, health care is the victim of a ransomware attack. The madness needs to stop with this sector. Though I could copy and paste that for education and government who are equally as vulnerable.

Akira Ransomware: Stats on Attacks, Ransoms, & Data Breaches 

Posted in Commentary on December 11, 2025 by itnerd

Today, Comparitech researchers have published an in-depth study looking at the Akira ransomware gang. 

According to the findings, Akira claimed responsibility for 683 ransomware attacks this year so far. This puts it just behind Qilin (864 attacks) in terms of gang dominance. Additionally, the number of attacks in 2025 so far is already double Akira’s attack number in 2024 — 272. 

From these numbers, this research breaks down Akira ransomware attacks by sector and industry (government, healthcare, manufacturing, education, etc.), its most targeted countries, as well as its largest ransomware demands. 

Rebecca Moody, Head of Data Research at Comparitech, said: 

“If this report shows us anything about ransomware groups as a whole, it’s that they’re constantly adapting and evolving in a bid to carry out as many lucrative hacks as they can. Like many other gangs, Akira’s focus has shifted toward the manufacturing sector with manufacturers accounting for 27% of Akira’s attacks in 2025 so far. While system encryption remains key in these attacks, data theft is also present in the majority of cases. Manufacturers can ill afford downtime, which boosts a gang’s chance of receiving a payment for the decryption key but, to double-up their chances of getting a payout, gangs will also steal as much data as possible. 

Manufacturers might not be in possession of as much sensitive personal data as healthcare providers, for example, but they will often have documents that, if leaked, could have severe consequences. For example, if a new concept or design is released, it may give competitors an advantage. Or, if the manufacturer works with government agencies or defense companies, certain documents in the wrong hands could be catastrophic.”

For full details, the in-depth report can be read here: https://www.comparitech.com/news/akira-ransomware-stats-on-attacks-ransoms-data-breaches/