Summer 2025's Cyber Inferno: Healthcare Ransomware, Retail Breaches, and Nation-State Attacks Surge
The scorching temperatures of Summer 2025 were matched only by the blistering heat of cyber attacks targeting critical sectors globally. Hospitals faced life-threatening ransomware sieges, retail giants hemorrhaged customer data, and nation-state actors turned digital battlefields into extensions of geopolitical conflict. This convergence of threats exposed systemic vulnerabilities across industries—here’s what happened and why it matters.
Healthcare in the Crosshairs: Ransomware’s Lethal Playbook
Hospitals became prime targets as attackers exploited the life-or-death stakes of healthcare operations. Three groups led the assault:
- Interlock deployed its 'FileFix' PowerShell loader—a stealthy tool that masks malicious scripts behind decoy file paths—to bypass defenses. The group was linked to 14 incidents in 2025 alone, a third of them against healthcare providers, prompting a rare joint CISA/FBI/HHS advisory.
- Rhysida breached the Florida Hand Center, leaking sensitive medical images and insurance documents after a 7-day extortion ultimatum.
- Qilin dominated June with 81 victims (52 in healthcare), exploiting unpatched Fortinet flaws (CVE-2024-21762, CVE-2024-55591). Their innovation? Legal-themed extortion like a 'Call Lawyer' button and automated negotiation bots to pressure payments.
Rhysida’s leak site—a grim showcase of summer’s healthcare targeting
Retail Under Fire: Scattered Spider’s Evolving Menace
Retailers faced a wave of socially engineered breaches, with luxury brands and chains alike falling victim:
- Louis Vuitton UK suffered its third breach in a quarter, exposing customer purchase histories days before UK police arrested four Scattered Spider affiliates tied to M&S, Co-op, and Harrods attacks.
- DragonForce ransomware hit U.S. retailer Belk, exfiltrating 156GB of employee/customer data including SSNs and HR files after failed negotiations.
- Notably, Scattered Spider shifted tactics mid-summer—pivoting from retail to U.S. insurance firms like Aflac, Erie Insurance, and Philadelphia Insurance Companies. Their playbook: MFA fatigue attacks, help-desk impersonation, and typosquatted domains.
Geopolitical Sparks Ignite Cyber Fires
Beyond profit-driven crime, nation-state actors escalated hostilities:
- Pro-Israel hacktivist group Predatory Sparrow disrupted Iran’s Bank Sepah, then destroyed ~$90M in crypto via Nobitex exchange breaches.
- CISA warned of imminent Iranian cyber retaliation against U.S./European critical infrastructure—highlighting cyber’s role as a geopolitical weapon.
The ToolShell Campaign: SharePoint’s Vulnerability Nightmare
A widespread espionage operation exploited chained SharePoint zero-days:
- CVE-2025-53770 (critical RCE) allowed unauthenticated attackers to run arbitrary code and was added to CISA's KEV catalog on July 20.
- CVE-2025-49704/49706 enabled authentication bypass and code injection, permitting attacks even on patched systems.
Attackers reverse-engineered Microsoft’s patches to target government, energy, and telecom organizations globally.
Extinguishing the Flames: Critical Defense Takeaways
- Patch Strategically: Prioritize CISA KEV entries but assess exploit chains—not just CVSS scores. Legacy systems (like outdated SharePoint) are tinderboxes.
- Harden Identity Controls: Combat MFA fatigue and help-desk social engineering. Limit privileged access; humans are the new perimeter.
- Monitor Post-Compromise Behaviors: Detect lateral movement, PowerShell abuse, and data staging—Qilin and Interlock excelled here.
- Validate Defenses Proactively: Simulate real-world attacks (like FileFix loaders or DragonForce tactics) to uncover detection gaps.
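To make the first takeaway concrete, here is an added example (not the article's or CISA's code) that ranks scan findings by KEV listing and exploit-chain membership before falling back to CVSS. The KEV excerpt, host names and CVSS values are constructed; only the CVE numbers and the ToolShell chain (CVE-2025-53770 with CVE-2025-49704/49706) come from the article.

```python
"""Rank scan findings by exploitation evidence first, CVSS second.
Added example (not the article's or CISA's code). KEV excerpt, hosts and
CVSS values are constructed; CVE numbers and the ToolShell chain
(CVE-2025-53770 + CVE-2025-49704/49706) come from the article. Field names
follow the public KEV JSON schema (cveID, knownRansomwareCampaignUse)."""
import json

# Constructed excerpt of the KEV feed; ransomware flags mirror the Qilin reporting.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-53770", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-21762", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-55591", "knownRansomwareCampaignUse": "Known"},
]})
# Chain members matter even when the scanner's CVSS for one of them looks moderate.
CHAINS = {"ToolShell": {"CVE-2025-53770", "CVE-2025-49704", "CVE-2025-49706"}}
# Constructed findings (host, cve, cvss); CVE-0000-0001 is a placeholder for an unlisted bug.
FINDINGS = [
    ("sp01", "CVE-2025-49706", 6.5),
    ("sp01", "CVE-2025-53770", 9.8),
    ("fw01", "CVE-2024-21762", 9.8),
    ("web02", "CVE-0000-0001", 9.9),
]
TIER_NAMES = {0: "KEV+ransomware", 1: "KEV", 2: "chain partner", 3: "CVSS only"}

def load_kev(feed_json):
    """Map cveID -> True when CISA flags known ransomware campaign use."""
    entries = json.loads(feed_json)["vulnerabilities"]
    return {e["cveID"]: e.get("knownRansomwareCampaignUse") == "Known" for e in entries}

def tier(cve, host_cves, kev, chains):
    """0/1: listed in KEV; 2: unlisted, but a KEV-listed chain partner sits on the same host."""
    if cve in kev:
        return 0 if kev[cve] else 1
    for members in chains.values():
        if cve in members and any(c in kev for c in (members & host_cves) - {cve}):
            return 2
    return 3

def prioritise(findings, feed_json=KEV_FEED, chains=CHAINS):
    """Return (tier, host, cve, cvss) tuples ordered by tier, then CVSS descending."""
    kev = load_kev(feed_json)
    by_host = {}
    for host, cve, _ in findings:
        by_host.setdefault(host, set()).add(cve)
    ranked = [(tier(c, by_host[h], kev, chains), h, c, s) for h, c, s in findings]
    return sorted(ranked, key=lambda r: (r[0], -r[3]))

if __name__ == "__main__":
    for t, host, cve, cvss in prioritise(FINDINGS):
        print(f"{TIER_NAMES[t]:15} {host:6} {cve:15} CVSS {cvss}")
```

The placeholder CVE with the highest CVSS lands last, while the moderate-CVSS SharePoint chain partner is escalated because its KEV-listed partner sits on the same host.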
This analysis is based on threat data from CISA, FBI, and Picus Security via BleepingComputer. Picus Security sponsored the source report.