The Five Worst Ransomware Attacks of 2025

Sophia Barnett
Technical Marketing Writer

Ransomware groups such as HELLCAT, Cl0p, and several data‑extortion collectives masterminded some of the most expensive ransomware attacks of 2025. The year saw manufacturing shutdown at a major automotive company, the exposure of millions of patient records at a large healthcare organization, large‑scale OAuth abuse across a Cloud CRM, and a zero‑day campaign against a major enterprise software and cloud provider that disrupted core financial and supply‑chain systems. Plus, a late‑year attack on a global IT distributor demonstrated how quickly ransomware can destabilize global logistics.

Across these events, there’s a common thread: attackers targeted the integrations and platforms that operations depend on, revealing systemic weaknesses that spanned industries from automotive to healthcare.

Below is a chronological roundup of the most consequential ransomware incidents of the year, based on publicly reported data, industry analysis, and disclosures from affected organizations.

1. A Major Automotive Manufacturer (March–August 2025)

Ransomware groups claiming responsibility:

  • HELLCAT (initial breach and data theft)
  • Scattered Spider, Lapsus$, and ShinyHunters: three separate hacking groups that worked in unison, coordinating the attack with one another over online platforms

Estimated data stolen: ~350 GB

Industry: Automotive manufacturing

In March, the ransomware group HELLCAT successfully hacked a major automotive manufacturer in two waves: the first wave saw 700 internal documents stolen, followed by a second wave in which 350 GB of sensitive data was taken. The stolen material included employee credentials, tracking data, development logs, and proprietary source code.

By late summer, the situation escalated. On August 31, the company shut down global IT operations to contain an active breach that halted production across India, Slovakia, China, and the UK. In the days that followed, multiple threat groups publicly claimed responsibility, creating confusion around attribution. A newly rebranded collective—Scattered Spider, Lapsus$, and ShinyHunters—asserted on Telegram that they were behind the August 31 attack, mocking the company and threatening further UK‑based targets. The company later confirmed that sensitive data had been stolen and that the attack had forced a prolonged shutdown of manufacturing and sales systems.

The company reported a 49% drop in quarterly pre‑tax profit, and industry analysts estimated the total operational and recovery cost at roughly $2.5 billion, making it “the costliest cyber-attack in UK history” according to the BBC.

2. A Healthcare Organization Specializing in Kidney Care (August 2025)

Ransomware group: Interlock Ransomware

Estimated data stolen: PHI for 2.7 million patients

Industry: Healthcare

In August, the company confirmed that a ransomware attack had compromised protected health information (PHI) for roughly 2.7 million patients, following the theft of more than 20 terabytes of data, including over 200 million rows of clinical and demographic records. The stolen information spanned treatment histories, insurance details, Social Security numbers, and other high‑risk identifiers—categories that carry significant regulatory, legal, and patient‑safety exposure.

The attack disrupted clinical systems and forced the company to activate contingency protocols across its nationwide network of dialysis centers. Although the company maintains that patient care continued, the long‑tail consequences of stolen medical records remain severe: patients face heightened risks of identity theft and fraudulent credit activity, while healthcare providers may contend with falsified prescriptions, corrupted medical histories, and long‑term record integrity issues.

The company has already incurred $13.5 million in direct costs tied to investigation, remediation, and operational disruption, a figure that excludes business‑interruption losses and potential regulatory penalties. The incident has also triggered multiple class‑action lawsuits (Reid v. Davita Inc., and Jenkins et al v. DaVita), with plaintiffs alleging misuse of stolen data and inadequate safeguards. Together, these factors have intensified scrutiny on healthcare cybersecurity, particularly for providers whose services are essential to patient survival.

3. A Cloud-Based Data Platform (September–October 2025)

Ransomware group: ShinyHunters (affiliated with Scattered Spider / Lapsus$ ecosystem)

Estimated data stolen: Nearly 1 billion customer records across roughly 800 affected tenant organizations

Industry: Cloud CRM / SaaS

In early autumn, a coordinated set of attacks swept through organizations using a well-known Cloud CRM ecosystem. The attackers didn’t breach the company itself; instead, they moved through the surrounding terrain—vishing campaigns that convinced employees to install a malicious version of the company's Data Loader, and a parallel operation that abused stolen OAuth tokens tied to one of the company’s Drift integrations. One campaign touched 39 companies, while the OAuth‑based activity reached 760 organizations.

The group—operating under names including Scattered Lapsus$ Hunters and ShinyHunters—claims to have taken nearly 1 billion customer records, including large volumes of PII and CRM‑linked business data. The company has stated that its platform was not compromised and that no flaw in its core technology was involved.

For affected tenants, the fallout has been measured in millions of dollars per organization, driven by forensic investigations, customer notifications, and the strain placed on client relationships. The attackers also experimented with new pressure tactics, offering Telegram subscribers $10 in Bitcoin to email executives and demand payment—an unusual attempt to widen the extortion effort.

The campaign shows how attackers work around SaaS platforms rather than through them: they target the surrounding access paths, integrations, and third‑party tools, looking for side doors where security is not as rigorous as it is on the core platform.
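The integration‑layer exposure described in this section is something a tenant can review on its own side, independent of the SaaS vendor. The script below is an added illustration, not code from the original post or from any CRM vendor: it walks a constructed inventory of connected‑app OAuth grants and flags integrations that are not on an approved list, hold broad refresh‑token scopes but have sat idle for months, or have pulled far more records than their normal baseline. The record format, the scope names, the approved‑app list and the thresholds are all assumptions.

```python
"""Review a tenant's connected-app OAuth grants for integration-layer risk.

Added illustration: the grant records, scope names, allow-list and thresholds
below are constructed assumptions, not any vendor's real data or API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=90)   # a broad token unused this long is a liability
BULK_MULTIPLIER = 10               # 30-day export > 10x baseline is suspicious
DEFAULT_BASELINE = 1_000           # assumed normal 30-day record volume


@dataclass
class OAuthGrant:
    app_name: str
    scopes: set            # scope names as the platform reports them (assumed)
    issued_at: datetime
    last_used: datetime
    record_count_30d: int  # records the integration read/exported in 30 days


@dataclass
class Finding:
    app_name: str
    reasons: list


def review_grants(grants, approved_apps, now, baselines):
    """Return one Finding per grant that violates any review rule."""
    findings = []
    for g in grants:
        reasons = []
        # Rule 1: every integration must be on the approved list.
        if g.app_name not in approved_apps:
            reasons.append("integration not on the approved-app list")
        # Rule 2: dormant broad-scope refresh tokens should be revoked.
        broad = "full" in g.scopes or {"api", "refresh_token"} <= g.scopes
        idle = now - g.last_used
        if broad and idle > STALE_AFTER:
            reasons.append(f"broad-scope refresh token idle for {idle.days} days")
        # Rule 3: export volume far above the app's baseline suggests bulk theft.
        baseline = baselines.get(g.app_name, DEFAULT_BASELINE)
        if g.record_count_30d > BULK_MULTIPLIER * baseline:
            reasons.append(
                f"30-day export of {g.record_count_30d} records exceeds "
                f"{BULK_MULTIPLIER}x baseline of {baseline}")
        if reasons:
            findings.append(Finding(g.app_name, reasons))
    return findings


# Constructed sample inventory (not real tenants, apps or numbers).
NOW = datetime(2025, 10, 1)
APPROVED_APPS = {"marketing-sync", "chat-assistant-legacy"}
BASELINES = {"marketing-sync": 1_000, "chat-assistant-legacy": 500,
             "data-loader-helper": 5_000}
SAMPLE_GRANTS = [
    OAuthGrant("marketing-sync", {"api", "refresh_token"},
               datetime(2024, 1, 10), datetime(2025, 9, 30), 1_500),
    OAuthGrant("chat-assistant-legacy", {"api", "refresh_token"},
               datetime(2023, 5, 2), datetime(2025, 3, 1), 0),
    OAuthGrant("data-loader-helper", {"api", "refresh_token", "full"},
               datetime(2025, 9, 20), datetime(2025, 9, 28), 820_000),
]

if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS, APPROVED_APPS, NOW, BASELINES):
        print(f.app_name)
        for r in f.reasons:
            print("  -", r)
```

In the constructed sample, the long‑approved marketing integration passes, the forgotten chat assistant is flagged only for its dormant broad token, and the unknown "data loader" helper is flagged twice: it was never approved and it exported two orders of magnitude more than its baseline. The point of the review is the same as the article's: the platform itself need not be compromised for the tenant's data to walk out through a trusted integration.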

4. A Major Enterprise Software and Cloud Provider (Late 2025)

Ransomware group: Cl0p (with activity linked to Scattered Lapsus$ Hunters)

Estimated data stolen: Large volumes of ERP data across multiple enterprises

Industry: Enterprise ERP / multi‑industry

Late in 2025, Cl0p began exploiting CVE‑2025‑61882, a remote‑code‑execution flaw in a major enterprise software and cloud provider’s BI Publisher Integration component. The bug allowed unauthenticated access over HTTP, giving attackers a direct path into the company’s Concurrent Processing engine. Google’s Threat Intelligence Group and Mandiant observed exploitation on October 2; the company issued an advisory and patch on October 4. A second EBS flaw, CVE‑2025‑61884, was patched days later.

Researchers found that attackers chained five separate weaknesses—some newly discovered, others patched earlier in the year—to achieve pre‑authentication access. A proof‑of‑concept published by Scattered Lapsus$ Hunters confirmed the exploit path, enabling multiple threat groups to adopt it. Once inside, Cl0p deployed a malicious script, server.py, which acted as a command‑and‑control channel for data theft and lateral movement.

The campaign reached organizations across media, aviation, higher education, and industrial sectors, including The Washington Post, Harvard University, Envoy Air, Schneider Electric, and Emerson. Victims received extortion emails—often sent from compromised business email accounts—offering “evidence” of stolen ERP data and instructions for payment.

Many organizations first realized they had been compromised only when Cl0p‑linked actors initiated extortion emails referencing data taken from the enterprise software and cloud provider’s platform. Analysis from Google and Mandiant shows that the attackers’ multi‑stage implant framework allowed them to reach deeper application components, including BI Publisher and Concurrent Processing—areas the provider warns can expose sensitive business records when accessed without authorization.

The incident showed how quickly threat actors can escalate privileges once remotely accessible ERP services are exposed, enabling interaction with financial and operational data that enterprises depend on for daily functions.

5. A Global Technology Distributor (Late 2025)

Ransomware group: SafePay (linked to LockBit‑derived activity)

Estimated data stolen: Operational, logistics, and vendor‑related data (scope still under review)

Industry: Global distribution and logistics

In early July, one of the world’s largest technology distributors was hit by a ransomware attack that forced it to shut down core systems across its global network. Employees first saw ransom‑note pop‑ups on July 3, shortly before order‑processing systems, websites, and the company’s Xvantage and Impulse platforms began to fail. SafePay—a fast‑growing extortion group tied to more than 220 prior victims—later claimed responsibility. Early reporting indicated that attackers likely entered through the company’s GlobalProtect VPN using leaked or weak credentials rather than a software flaw.
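Credential‑based VPN entry of the kind reported here usually leaves traces before the ransom notes appear: a burst of failed logins across many accounts from one source, followed by a success, often without a second factor. The detection below is an added example written for this article, not the distributor's tooling or any vendor's product, and it runs over a handful of constructed log lines in an assumed format rather than real GlobalProtect output.

```python
"""Flag password-spray / credential-stuffing patterns in VPN auth logs.

Added example for this article. The log format is an assumption, and the
sample lines, user names and addresses are constructed, not from any incident.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$")

SPRAY_USERS = 5               # distinct users failing from one source ...
WINDOW = timedelta(minutes=10) # ... within this window


def parse(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def detect(events):
    """Return findings: spray bursts, MFA-less successes, success after a spray."""
    findings = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        spray_reported = False
        for i, e in enumerate(evs):
            window_start = e["ts"] - WINDOW
            recent_failed_users = {x["user"] for x in evs[:i + 1]
                                   if x["result"] == "failure"
                                   and x["ts"] >= window_start}
            if not spray_reported and len(recent_failed_users) >= SPRAY_USERS:
                findings.append({"rule": "password-spray", "src": src,
                                 "users": len(recent_failed_users)})
                spray_reported = True
            if e["result"] == "success":
                if e["mfa"] == "no":
                    findings.append({"rule": "success-without-mfa",
                                     "src": src, "user": e["user"]})
                if spray_reported:
                    findings.append({"rule": "success-after-spray",
                                     "src": src, "user": e["user"]})
    return findings


# Constructed sample log (assumed format; not real traffic).
SAMPLE_LOG = """
2025-07-03T02:10:01Z vpn auth user=alice src=198.51.100.7 mfa=yes result=success
2025-07-03T02:11:05Z vpn auth user=bob src=203.0.113.9 mfa=no result=failure
2025-07-03T02:11:09Z vpn auth user=carol src=203.0.113.9 mfa=no result=failure
2025-07-03T02:11:13Z vpn auth user=dave src=203.0.113.9 mfa=no result=failure
2025-07-03T02:11:17Z vpn auth user=erin src=203.0.113.9 mfa=no result=failure
2025-07-03T02:11:21Z vpn auth user=frank src=203.0.113.9 mfa=no result=failure
2025-07-03T02:12:40Z vpn auth user=svc-backup src=203.0.113.9 mfa=no result=success
2025-07-03T02:30:00Z vpn auth user=grace src=192.0.2.44 mfa=yes result=failure
""".strip().splitlines()

if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f)
```

Three findings come out of the sample: the spray from one address, a success without MFA, and the fact that the success followed the spray. Any one of them is worth a ticket; together they are the picture this section describes, and the cheapest mitigation is the one the article implies: enforce MFA on the VPN so a leaked password alone is not enough.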

The outage halted order processing worldwide for several days. With fulfillment systems offline, customers and reseller partners faced backlogs, delayed shipments, and limited visibility into inventory. Manufacturers and service providers relying on the distributor's delivery timelines had to shift to backup distributors or draw down reserve stock to keep operations moving. While SafePay’s ransom note claimed data theft, there was no early evidence of leaked customer, vendor, or employee records, and the company continued investigating the scope of any exposure.

The global IT distributor responded by isolating affected systems, taking its VPN offline, and engaging external incident‑response teams. The company issued regular public updates, provided workarounds for placing orders by phone or email, and set up escalation channels for urgent requests. Recovery progressed in stages: websites returned on July 7, partial order processing resumed on July 8, and full global operations were restored by July 9.

The personal information of more than 42,000 clients was compromised, including Social Security numbers, birthdates, employment records, and names.

Although the company never disclosed a formal report, estimated costs landed in the low‑ to mid‑millions, driven by system restoration, partner support, and the operational drag created by the outage. Even without confirmed large‑scale data exposure, the event showed how quickly a ransomware intrusion can ripple through a global supply chain when a distributor’s core platforms go offline.

What These Attacks Reveal About Modern Ransomware Campaigns

Why Multiple Groups Claim the Same Attack

Ransomware groups often compete for attention, credibility, and leverage. When an incident affects a high‑visibility target (whether a major automotive manufacturer, a healthcare organization specializing in kidney care, a Cloud‑based data platform, a major enterprise software and cloud provider, or a global technology distributor) several groups may claim responsibility. Some do it to inflate their reputations, others to confuse investigators, and some to pressure victims into paying quickly. It’s all part of the extortion strategy.

Why Companies Disclose So Little, So Slowly

Organizations rarely have a full picture of an attack in the first hours or even days. Legal exposure, regulatory obligations, and the risk of releasing inaccurate information all shape how and when they communicate. Many firms share only what they can verify, which often means limited details during the event and carefully worded statements afterward. This creates gaps in public understanding, but it reflects the reality of incident response: teams are still uncovering what happened while the world is asking for answers.

That being said, corporations have an obligation to uphold transparency when PHI and other sensitive customer data have been compromised. News shouldn't take weeks or months to be released. Companies in healthcare, SLED, and financial services specifically are held to a higher standard for this reason: the kind of information they house is especially vulnerable and needs to be safeguarded with the best protection available.

What Could Have Prevented These Breaches

Architectural Gaps That Gave Attackers Room to Move

Across all five incidents, the entry points differed—VPN credentials at a global technology distributor, a zero‑day at a major enterprise software and cloud provider, integration abuse at a Cloud CRM, and identity‑driven compromise at a healthcare company specializing in kidney care. But once inside, attackers succeeded for the same reasons:

  • Too much implicit trust between systems
  • Backup paths that could be reached or tampered with
  • Data stores that could be modified or exfiltrated
  • Environments where lateral movement was possible long before detection

These weaknesses turned footholds into full‑scale breaches.

Elements That Would Have Limited the Blast Radius

A different architectural approach would have changed the trajectory of each attack.

  • Zero Access principles would have shut down the credential misuse and integration‑layer entry points that gave attackers their foothold.
  • Segmentation between backup software and backup storage would have cut off the control paths attackers rely on, preventing them from reaching or altering the backups even after breaching primary systems.
  • Zero‑trust data resilience would have restricted lateral movement and contained the intrusion to its initial entry point.
  • Absolute Immutability would have ensured that even if attackers reached core systems, they couldn’t alter or encrypt the data that organizations rely on to recover.
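Two of the points above, and two of the architectural gaps listed earlier ("backup paths that could be reached or tampered with" and "data stores that could be modified or exfiltrated"), come down to concrete permissions: the identity the backup software runs as should be able to write new backup objects and nothing else, and the storage layer, not the backup software, should enforce retention. The checker below is an added example for this article, not this vendor's product or any cloud provider's API. It audits a backup writer's storage‑role policy and the vault's lock configuration against those properties; the policy shape mimics cloud IAM JSON, but the `storage:` action names, the `arn:example:` resource prefix and both sample policies are constructed assumptions.

```python
"""Audit a backup writer's storage policy for segmentation and immutability.

Added example for this article. The policy format imitates cloud IAM JSON,
but every action name, resource ARN and lock setting here is an assumption.
"""
import fnmatch

# Actions that let the backup software destroy or rewrite existing backups.
DELETE_ACTIONS = {"storage:DeleteObject", "storage:DeleteObjectVersion",
                  "storage:DeleteBucket", "storage:PutObject"}
# Actions that let it weaken or bypass the retention lock.
LOCK_ADMIN_ACTIONS = {"storage:PutObjectLockConfiguration",
                      "storage:PutObjectRetention",
                      "storage:BypassGovernanceRetention"}
# PutObject is only "destructive" on a vault that is not version-locked, so we
# treat it as allowed when object lock is in COMPLIANCE mode.
OVERWRITE_ACTION = "storage:PutObject"


def _granted(patterns, action):
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def audit_backup_policy(policy, lock_config,
                        vault_prefix="arn:example:storage:::backup-vault",
                        min_retention_days=30):
    """Return a list of issues; an empty list means the setup passes."""
    issues = []
    compliance = lock_config.get("mode") == "COMPLIANCE"
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources

        destructive = {a for a in DELETE_ACTIONS if _granted(actions, a)}
        if compliance:
            destructive.discard(OVERWRITE_ACTION)  # lock makes overwrite a new version
        if destructive:
            issues.append(f"statement {i} lets the backup writer alter or delete "
                          f"backups ({', '.join(sorted(destructive))})")
        lock_admin = sorted(a for a in LOCK_ADMIN_ACTIONS if _granted(actions, a))
        if lock_admin:
            issues.append(f"statement {i} lets the backup writer weaken retention "
                          f"({', '.join(lock_admin)})")
        unscoped = [r for r in resources if not r.startswith(vault_prefix)]
        if unscoped:
            issues.append(f"statement {i} resource {unscoped} is not scoped to the backup vault")

    if not compliance:
        issues.append(f"object lock mode {lock_config.get('mode')!r} can be bypassed by "
                      "privileged users; COMPLIANCE mode is required")
    days = lock_config.get("retention_days", 0)
    if days < min_retention_days:
        issues.append(f"retention of {days} days is below the required {min_retention_days}")
    return issues


# Constructed "before" and "after" configurations.
WEAK_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["storage:*"],
                              "Resource": ["*"]}]}
WEAK_LOCK = {"mode": "GOVERNANCE", "retention_days": 7}

HARDENED_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["storage:PutObject", "storage:GetObject", "storage:ListBucket"],
    "Resource": ["arn:example:storage:::backup-vault",
                 "arn:example:storage:::backup-vault/*"]}]}
HARDENED_LOCK = {"mode": "COMPLIANCE", "retention_days": 30}

if __name__ == "__main__":
    for label, pol, lock in (("weak", WEAK_POLICY, WEAK_LOCK),
                             ("hardened", HARDENED_POLICY, HARDENED_LOCK)):
        print(label, audit_backup_policy(pol, lock) or "OK")
```

The weak configuration fails on every count: a wildcard grant on every resource, a lock mode that a privileged user can bypass, and a retention window shorter than a typical dwell time. The hardened one confines the backup writer to putting and reading objects in one vault while the vault itself refuses early deletion, which is the separation between backup software and backup storage the list above calls for.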

These strategies are the difference between a breach that becomes a months‑long, multi‑million‑dollar operational crisis and one that ends at the point of entry. To understand what a ransomware attack looks like and how to prepare for it, download our Ransomware Survival Guide.

Interested in making your company ransomware-proof? Speak with one of our Sales Engineers and book a demo today.
