In February 2026, a ransomware attack left the University of Mississippi Medical Center (UMMC) without access to its Epic electronic health record system in 35 clinics and more than 200 telemedicine points, forcing it to switch to paper processes, cancel chemotherapy sessions and postpone non-urgent surgeries. That image - personal, concrete and painful - sums up how a cyber attack stops being a purely IT problem and becomes a real operational risk that affects lives, bank accounts and production lines. The incident was covered by specialized media such as HIPAA Journal and reflects a broader trend: in 2025, the public counts of incidents and measurements of their effects showed a significant increase in attacks and, above all, in disruptions of critical services.
The phenomenon is no longer just "encrypting files": over the years, criminal gangs have evolved their business model. If at first it was enough to encrypt a server and demand a ransom for the decryption key, today the extortion usually combines encryption with the theft of sensitive information in order to pressure the victim with the threat of disclosure. When malicious actors exfiltrate medical records, payroll data or industrial design files, the potential damage goes beyond the temporary loss of access: there is a risk of regulatory sanctions, litigation and reputational damage that traditional backups never mitigated on their own. Sector research and analysis, such as that published by Coveware, document how double extortion became standard practice and how some groups later added a third layer of pressure by contacting customers or suppliers directly.

The numbers help to size the problem: in 2025 the number of attacks that became public increased significantly, and researchers who track groups and campaigns detected more than 100 active groups, many of them newly formed. A count by a specialized outlet found 124 active ransomware groups, a substantial share of which emerged in the last period; this complicates the task of traditional defenses and increases the "supply" of criminal services available on the criminal market (Infosecurity). At the same time, platforms that monitor public incidents provide data on the magnitude of reported cases and their year-on-year growth (Emsisoft).
It is no surprise, then, that sectors as different as health, banking and manufacturing are on the front line of impact. Beyond hospitals whose treatments are interrupted, attacks against payment providers have shown that a single incident can leave transactions paralyzed and shops unable to charge their customers. The risk is systemic: the interdependence between suppliers, cloud services and third parties turns a localized breach into a crisis with knock-on effects.
In the face of this reality, two conclusions need to be made clear. The first is that solutions based only on perimeter defenses or restoration from backup are no longer enough. The second is that there are tools and practices that reduce an attacker's ability to turn an intrusion into a profitable extortion: encryption of data at rest, access controls that prevent unauthorized processes from reading or modifying critical files, network segmentation and independently managed recovery plans.
The technical and human challenge is no smaller: protecting critical data requires policies that ensure that, even if an adversary manages to extract files, the data is neither readable nor useful. This means applying effective encryption and tying it to controls that determine which processes and users can decrypt at runtime. It also means recording and auditing access in order to detect abnormal activity as early as possible, and having recovery strategies that reduce the need to negotiate with criminals.
Technical and management recommendations have also been strengthened at the public level: CISA and health regulators such as HHS publish practical guides on how to prevent and respond to incidents, and they emphasize the importance of multifactor authentication, segmentation, telemetry visibility and recovery procedures that include periodic testing. The major players in the technology industry also warn that the adoption of artificial intelligence changes the dynamics: the same technology that powers defenses also makes it easier for less sophisticated attackers to automate their work, build more effective attack tools or improve their social engineering (Microsoft Digital Defense Report).
On the market there are solutions built around the idea of "neutralizing" the value of exfiltrated data by applying encryption so that, even outside the organization's network, the stolen information cannot be read without the appropriate keys. Some vendors combine this with process-level controls that block unauthorized software and with recovery systems that seek to shorten the outage window. A visible commercial example in the sector is Penta Security's D.AMO platform, which proposes a combination of folder-level encryption, process control and recovery mechanisms; its own documentation explains how these parts fit into an integrated approach (Penta Security).
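As an added illustration of the approach described above (encryption at rest whose decryption is gated per process and audited), here is a small Go vault; it is example code written for this article, not the original text's code and not any vendor's implementation. The Vault and AuditEvent types, the AES-256-GCM choice and the process names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// AuditEvent is one access-log entry: which process asked to read which file, and the outcome.
type AuditEvent struct{ Process, File string; Allowed bool }
// Vault keeps the data-encryption key outside the files it protects and gates its use per process (assumed design, not any vendor's product).
type Vault struct {
	key     []byte          // 32 bytes -> AES-256
	allowed map[string]bool // process names permitted to decrypt
	Audit   []AuditEvent    // every decrypt attempt, allowed or refused
}
func NewVault(key []byte, allowedProcesses ...string) *Vault {
	v := &Vault{key: key, allowed: map[string]bool{}}
	for _, p := range allowedProcesses {
		v.allowed[p] = true
	}
	return v
}
func (v *Vault) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// Seal encrypts a file's contents with AES-256-GCM and binds the file name as
// associated data, so an exfiltrated or renamed copy is nothing but opaque bytes.
func (v *Vault) Seal(file string, plaintext []byte) ([]byte, error) {
	g, err := v.aead()
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, []byte(file)), nil // nonce || ciphertext || tag
}
// Open decrypts only for an allow-listed process and logs every attempt, so an
// unexpected caller is both refused and visible in the audit trail.
func (v *Vault) Open(process, file string, sealed []byte) ([]byte, error) {
	ok := v.allowed[process]
	v.Audit = append(v.Audit, AuditEvent{process, file, ok})
	if !ok { return nil, errors.New("process " + process + " may not decrypt " + file) }
	g, err := v.aead()
	if err != nil { return nil, err }
	n := g.NonceSize()
	if len(sealed) < n { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, sealed[:n], sealed[n:], []byte(file)) // fails on tampering or wrong file name
}
```

In a real deployment the key would live in an HSM or key-management service rather than in process memory, and the audit entries would be shipped to the SIEM that the guidance above calls "telemetry visibility".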

However, no technology works in isolation or replaces sound governance: prevention requires ongoing staff training, simulation exercises, vendor assessment and clear policies on incident management and communication. Technical resources become effective only when applied within a framework that also covers the legal, insurance and business continuity aspects.
For organizations that are still designing their defence strategy, the experts' practical recommendation is twofold: strengthen the prevention layers and, at the same time, reduce the profitability of the attack. This means hardening access, encrypting sensitive information at rest and in transit, monitoring unusual activity and ensuring isolated and tested backups. In parallel, having response agreements, forensic teams and a public and regulatory communication plan in place reduces the total cost of an incident.
The public and technological conversation about ransomware will continue to evolve. In the meantime, the essential point does not change: organisations must assume that an attack is a question of when, not whether, and design defenses that mitigate both the operational disruption and the exploitation and reputational damage resulting from data leakage. Those who internalize this and act accordingly will be in a better position to protect their users, customers and patients when the next incident hits.