The summer season of 2025 was not scorching. It was unforgiving.
Ransomware hit hospitals, retailers suffered knowledge breaches, insurers suffered phishing, and nation-state officers launched a disruptive marketing campaign.
From stealth powershell loaders to zero-day SharePoint Exploits, the attackers held the defender on their heels.
This report analyzes essentially the most impactful incidents of the season and what safety groups have to do earlier than the subsequent wave hits.
Summer season reveals elevated ransomware threat in healthcare
Hospitals cannot afford downtime, and attackers know that.
This summer season, Ransomware Group focused healthcare, leveraging each the worth of affected person knowledge and the urgency of care.
Interlocking rises as a significant risk to US healthcare
On July 22, 2025, joint advisory by the CISA, FBI and HHS highlighted interlocks as a significant risk to the healthcare and public well being (HPH) sector. Teams are linked round 14 In 2025 alone, a 3rd will have an effect on solely healthcare suppliers.
What makes the interlock stand out is its use.”filefix“PowerShell launcher that hides malicious scripts behind decoy file paths. Deceives customers to run payloads by means of File Explorer and bypasses typical safety detection.
Rhysida ransomware targets one other US medical heart
On July 8, 2025, the Rhysida Ransomware Group is alleged to have leaked delicate knowledge from the Florida Hand Heart, together with medical photos, driver’s licenses and insurance coverage types.
Clinics serving sufferers in Punta Gorda, Port Charlotte and Fort Myers had been simply given 7 days Reply earlier than launch.
Spider playbook scattered within the waves of Qilin recycled healthcare violations
In June 2025, Qilin recorded 81 casualties, turning into essentially the most energetic ransomware group. 52 within the healthcare sector.
The group exploited unearned Fortinet vulnerabilities (CVE-2024-21762 and CVE-2024-55591) to achieve entry, deploy ransomware, and take away delicate knowledge reminiscent of EHRs and insurance coverage information.
To maximise the strain, Qilin has leveraged the ways of authorized themes, past encryption.Please name your lawyer“Options and automatic negotiation instruments to drive quicker funds.
Use the Picus safety verification platform to actively check and confirm safety administration in opposition to essentially the most influential threats of summer season 2025 (essentially the most influential threats of summer season 2025) together with interlocks, giraffes, dragon forces, scattered spiders, and gear shells.
Begin your 14-day free trial now and uncover that you just’re prepared in minutes.
Take a look at it with a free trial model
Main manufacturers breached by the wave of retail cybercrime
The retail division could not escape the wave of cyberattacks that may be cleansing up till the summer season of 2025.
Louis Vuitton’s violation is marked third with 1 / 4
On July 2, 2025, Louis Vuitton UK suffered a knowledge breach revealing buyer contact data and buy historical past, a 3rd LVMH model violation three months after Dior and LV Korea.
A couple of days later, on July 10, British police arrested 4 suspects in reference to the well-known assaults on M&S, the cooperative and Harrods.
The group is alleged to be linked to scattered spiders, a home risk actor identified for his or her collaborations with social engineering and ransomware operators like Dragon Power, indicating the rising influence of selfmade cybercriminals on main retailers.
Dragonforce assaults US retail chain Belk
Between Could 7 and 11, 2025, a Berg-based retailer on the opposite facet of Atlantic, North Carolina, was subjected to a knowledge breach.
Dragonforce claimed duty and excluded 156 GB of buyer and worker knowledge, together with identify, social safety quantity, e-mail, order historical past and HR recordsdata.
Dragonforce, which first appeared within the second half of 2023, operates as a ransomware cartel, cites roughly 136 casualties by March 2025. Lots of them are in US and UK retail organizations.
Scattered spider ways have shifted from retail to insurance coverage
Scattered spiders utilizing English-centered social engineering, voice phishing, MFA fatigue, assist desk spoofing, and kind squat domains, English-centered social engineering, voice phishing, MFA fatigue, assist desk spoofing), English-centered social engineering (UNC3944) April – Could 2025.
in Mid-June 2025researchers flagged that the scattered spider (UNC3944) has moved from retail to targets by US insurance coverage firms.
-
Aflac Unauthorized entry was detected and included on June 12, 2025. Your buyer and worker private knowledge (together with SSNS and well being claims) could have been compromised.
-
Erie Insurance coverage and Philadelphia Insurance coverage Firm We additionally reported comparable cyber disruptions from mid-June to mid-June, leading to operational downtime.
The intrusion coincided with identified tactical profiles of scattered spiders, though no ransomware was deployed and the system remained operational.
Nationwide help and geopolitical cyber actions
Not all cyber threats this summer season had been about cash.
Nation-state hackers and hacktivists additionally made their mark to make use of the turbulent geopolitical local weather to launch assaults.
-
June 14th-Seventeenth, 2025: Professional-Israel Hattivist group predatory Sparrow has destroyed $900 million with code by storming Iranian financial institution Sepa, destroying financial institution providers, violating nobitex and sending tokens to burn wallets.
-
June 30, 2025: The US Division of Homeland Safety and CISA have issued a joint warning about impending Iranian cyber retaliation focusing on crucial infrastructure within the US and Europe.
These incidents function harsh reminders that cyber battle is an extension of geopolitical tensions and may ripple nicely past boundaries and sectors.
Necessary vulnerability that draws public consideration
A number of Microsoft SharePoint vulnerabilities have been exploited this summer season. Software Shell.
-
CVE-2025-53770 A crucial distant code execution flaw permits uncertified attackers to execute arbitrary code on a susceptible OnPrem SharePoint server. Menace actors used it to deploy webshells, steal {qualifications}, and transfer them sideways by means of the enterprise community. CISA added bug Reply Catalog on July 20, 2025.
-
CVE-2025-49704 and CVE-2025-49706 It was additionally added to KEV July twenty second After being abused in a series assault. This pair permits authentication bypassing and code injection, permitting attackers to take advantage of unearned SharePoint programs even when earlier fixes are utilized.
The Toolshell Marketing campaign is geared toward organizations within the US, Europe and the Center East, together with authorities companies, power firms and telecommunications suppliers.
Safety researchers say it was mounted on Tuesday, the place it’s possible that the attacker reversed Microsoft’s July patch, to develop a bypass utilized in CVE-2025-53770.
What must you take from a summer season cybersecurity wildfire?
From hospitals to retail giants, insurance coverage suppliers, nation-states, and even seasons uncovered cracks in essentially the most intensive environments.
Subsequent, what safety groups ought to do.
A patch like your life is determined by it. As a result of they do in essential sectors.
Begin with CISA KEV entries and a high-strength CVE, however do not cease there. Ask tough questions: Are you the sort of goal that attackers chase?
Confirm whether or not every CVE is definitely exploitable within the setting.
Give attention to the exploit chain, not simply on the rating. That is what the enemy is doing.
It strengthens id as a brand new boundary.
Social engineering has labored higher than malware this summer season. Cease MFA fatigue assaults, improve assist desk validation, and restrict privileged entry.
Practice your folks as a result of they had been the violation level.
The scattered spiders and others didn’t misuse CVE. They exploited folks. Run common simulations, replace phishing eventualities, and put together the high-risk position of the particular lure.
Pay attention to what occurs after the primary entry.
Menace actors like interlocks and giraffes did not simply drop ransomware. They moved sideways, shifting the information step-by-step, avoiding detection. Implement behavioral monitoring for strategies reminiscent of PowerShell abuse, qualification theft, and stealth exfoliation.
Do not ignore legacy programs or missed infrastructure.
Do not ignore legacy programs or missed infrastructure. Toolshell marketing campaign has been exploited Unpublished SharePoint Serveroperating an unsupported or outdated model.
Whether or not growing older your on-prem sharepoints, home equipment, or unsupervised legacy gear, isolate what you possibly can’t improve, monitor what you possibly can’t patch, and substitute what you do not ignore.
To simulate the above assaults, we extremely advocate utilizing the PICUS safety verification platform to check the effectiveness of safety controls in opposition to actual cyber assaults.
You may as well check your protection in opposition to lots of of different malware and exploitation campaigns, together with Medusa, Rhysida, and Black Basta. 14-day free trial of the Picus platform.
Sponsored and written by Picus Safety.
