Cyber Attacks Spiked in Summer 2025

By admin 10 Min Read

Summer 2025 wasn’t just hot; it was relentless.

Ransomware hammered hospitals, retail giants suffered data breaches, insurance firms were hit by phishing, and nation-state actors launched disruptive campaigns.

From stealthy PowerShell loaders to zero-day SharePoint exploits, attackers kept defenders on their heels.

This report breaks down the season’s most high-impact incidents and what security teams need to do before the next wave hits.

Summer Exposes Healthcare’s Growing Ransomware Risk

Hospitals can’t afford downtime, and attackers know it. 

This summer, ransomware groups targeted healthcare, exploiting both the value of patient data and the urgency of care.

Interlock rises as a major threat to US healthcare

A July 22, 2025, joint advisory by CISA, FBI, and HHS highlighted Interlock as a major threat to the Healthcare and Public Health (HPH) sector. The group is linked to around 14 incidents in 2025 alone, with a third affecting only healthcare providers.

What sets Interlock apart is its use of “FileFix,” a PowerShell launcher that hides malicious scripts behind decoy file paths. It tricks users into running payloads through File Explorer, bypassing typical security detections.

Rhysida ransomware targeted another US healthcare center

On July 8, 2025, the Rhysida ransomware group allegedly leaked sensitive data from Florida Hand Center, including medical images, driver’s licenses, and insurance forms. 

The clinic, which serves patients in Punta Gorda, Port Charlotte, and Fort Myers, was given just seven days to respond before the release.

Rhysida data leak site

Qilin recycles Scattered Spider playbook in wave of healthcare breaches

In June 2025, Qilin became the most active ransomware group, recording 81 victims, 52 of them in the healthcare sector.

The group exploited unpatched Fortinet vulnerabilities (CVE-2024-21762 and CVE-2024-55591) to gain access, deploy ransomware, and exfiltrate sensitive data such as EHRs and insurance records.

To maximize pressure, Qilin went beyond encryption, leveraging legal-themed extortion tactics like a “Call Lawyer” feature and automated negotiation tools to drive faster payouts.

Proactively test and validate your security controls against Summer 2025’s most impactful threats—including Interlock, Qilin, DragonForce, Scattered Spider, and ToolShell—with the Picus Security Validation Platform.

Start your 14-day free trial now and discover your readiness in minutes.

Major Brands Breached in Retail Cybercrime Wave

The retail sector couldn’t escape the wave of cyberattacks sweeping through Summer 2025.

Louis Vuitton breach marks third in a quarter

On July 2, 2025, Louis Vuitton UK suffered a data breach exposing customer contact info and purchase history, the third LVMH brand breach in three months after Dior and LV Korea.

Days later, on July 10, UK police arrested four suspects tied to high-profile attacks on M&S, Co-op, and Harrods. 

The group is allegedly linked to Scattered Spider, a domestic threat actor known for social engineering and collaboration with ransomware operators like DragonForce, signaling the growing impact of homegrown cybercriminals on major retailers.

DragonForce hits US retail chain Belk

Between May 7 and 11, 2025, on the other side of the Atlantic, North Carolina-based retailer Belk suffered a data breach.

DragonForce claimed responsibility, stating it exfiltrated 156 GB of customer and employee data, including names, Social Security numbers, emails, order histories, and HR files, which were later posted on its leak site after ransom negotiations stalled.

DragonForce, which first emerged in late 2023, operates as a ransomware-as-a-service cartel and had listed approximately 136 victims by March 2025, many of them US and UK retail organizations.

Scattered Spider’s tactics have shifted from retail to insurance 

Scattered Spider (UNC3944), a native English-speaking cybercriminal collective, used identity-centric social engineering, voice phishing, MFA fatigue, help-desk impersonation, and typosquatted domains to breach UK retailers (M&S, Co-op, Harrods) in April–May 2025. 

In mid-June 2025, researchers flagged that Scattered Spider (UNC3944) had shifted from retail to targeting US insurance firms.

  • Aflac detected and contained unauthorized access on June 12, 2025; customer and employee personal data (including SSNs, health claims) may have been compromised. 

  • Erie Insurance and Philadelphia Insurance Companies also reported similar cyber disruptions in early to mid-June, resulting in operational downtime.

The intrusions matched Scattered Spider’s known tactical profile, though no ransomware was deployed, and systems remained operational.

State-Sponsored and Geopolitical Cyber Activity

Not all cyber threats this summer were about money. 

Nation-state hackers and hacktivists also made their mark, using the turbulent geopolitical climate to launch attacks.

  • June 14–17, 2025: Pro-Israel hacktivist group Predatory Sparrow hit Iran’s Bank Sepah, disrupting banking services, then destroyed ~$90M in crypto by breaching Nobitex and sending tokens to burn wallets.

  • June 30, 2025: The US Department of Homeland Security and CISA issued a joint alert warning of impending Iranian cyber retaliation targeting critical infrastructure in the US and Europe. 

These incidents serve as a stark reminder that cyber conflict is now a frontline extension of geopolitical tension, one that can ripple far beyond borders and sectors.

Key Vulnerabilities Gaining Public Attention 

Multiple Microsoft SharePoint vulnerabilities were exploited this summer in a widespread cyber espionage campaign known as ToolShell.

  • CVE-2025-53770 is a critical remote code execution flaw allowing unauthenticated attackers to run arbitrary code on vulnerable on-prem SharePoint servers. Threat actors used it to deploy web shells, steal credentials, and move laterally through enterprise networks. CISA added the bug to its KEV catalog on July 20, 2025.

  • CVE-2025-49704 and CVE-2025-49706 were also added to the KEV on July 22 after being abused in chained attacks. The pair enables authentication bypass and code injection, allowing attackers to exploit unpatched SharePoint systems even if earlier fixes were applied.

The ToolShell campaign targeted organizations across the US, Europe, and the Middle East, including government agencies, energy firms, and telecom providers. 

Security researchers say the attackers likely reverse-engineered Microsoft’s July Patch Tuesday fixes to develop the bypass used in CVE-2025-53770.

What to Take from the Summer Wildfires in Cybersecurity?

From hospitals to retail giants and insurance providers to nation-states, the season exposed cracks in even the most fortified environments. 

Here’s what security teams should do next.

Patch like your life depends on it, because in critical sectors it does.

Start with CISA KEV entries and high-severity CVEs, but don’t stop there. Ask the harder question: are you the kind of target that attackers go after?

Validate whether each CVE is actually exploitable in your environment.

Focus on exploit chains, not just the scores. That’s what adversaries are doing.
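The triage order described above, as an added example that is not part of the original article or any vendor tooling: it ranks scanner findings by complete exploit chain first, KEV membership second, and severity score last. The host names, scores and the placeholder CVE ID are constructed; the KEV excerpt follows the field names of CISA's JSON feed and uses only the dates reported in this article.

```python
from collections import defaultdict

# Constructed excerpt in the shape of CISA's KEV JSON feed ("cveID", "dateAdded").
# The dates are the ones reported in this article.
KEV_EXCERPT = [
    {"cveID": "CVE-2025-53770", "dateAdded": "2025-07-20"},
    {"cveID": "CVE-2025-49704", "dateAdded": "2025-07-22"},
    {"cveID": "CVE-2025-49706", "dateAdded": "2025-07-22"},
]

# The pair the article describes as abused in chained attacks.
EXPLOIT_CHAINS = {"sharepoint-pair": {"CVE-2025-49704", "CVE-2025-49706"}}

# Constructed scanner output: hosts and scores are illustrative only.
FINDINGS = [
    {"host": "sp-onprem-01", "cve": "CVE-2025-49706", "score": 6.0},
    {"host": "sp-onprem-01", "cve": "CVE-2025-49704", "score": 8.0},
    {"host": "sp-onprem-02", "cve": "CVE-2025-49706", "score": 6.0},
    {"host": "hr-app-03", "cve": "CVE-0000-00001", "score": 9.5},  # placeholder ID
]

def triage(findings, kev, chains):
    """Rank findings: complete chain on the host, then KEV-listed, then score."""
    kev_ids = {entry["cveID"] for entry in kev}
    cves_by_host = defaultdict(set)
    for f in findings:
        cves_by_host[f["host"]].add(f["cve"])

    ranked = []
    for f in findings:
        # A chain counts only when every member is present on the same host.
        complete = sorted(
            name for name, members in chains.items()
            if f["cve"] in members and members <= cves_by_host[f["host"]]
        )
        ranked.append({**f, "in_kev": f["cve"] in kev_ids, "chains": complete})

    ranked.sort(key=lambda r: (not r["chains"], not r["in_kev"],
                               -r["score"], r["host"], r["cve"]))
    return ranked

if __name__ == "__main__":
    for r in triage(FINDINGS, KEV_EXCERPT, EXPLOIT_CHAINS):
        print(r["host"], r["cve"], r["score"], r["in_kev"], r["chains"])
```

The highest-scoring finding lands last here because it is neither KEV-listed nor part of a complete chain, while a lower-scoring CVE that completes a chain on one host moves to the top.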

Harden identity as your new perimeter.

Social engineering worked better than malware this summer. Stop MFA fatigue attacks, reinforce help-desk verification, and limit privileged access. 

Train your humans, because they were the breach point.

Scattered Spider and others didn’t exploit a CVE; they exploited a person. Run regular simulations, update phishing scenarios, and prepare high-risk roles for real-world lures.

Watch for what happens after initial access.

Threat actors like Interlock and Qilin didn’t just drop ransomware; they moved laterally, staged data, and evaded detection. Implement behavioral monitoring for techniques such as PowerShell abuse, credential theft, and stealthy exfiltration.

Don’t ignore legacy systems and overlooked infrastructure.

The ToolShell campaign exploited unpatched on-prem SharePoint servers, many running unsupported or outdated versions.

Whether it’s aging on-prem SharePoint, appliances, or unmonitored legacy gear, isolate what you can’t upgrade, monitor what you can’t patch, and replace what you’ve ignored.

We strongly suggest simulating the mentioned attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform.

You can also test your defenses against hundreds of other malware and exploitation campaigns, such as Medusa, Rhysida, and Black Basta, within minutes with a 14-day free trial of the Picus Platform.

Sponsored and written by Picus Security.
