South Carolina healthcare provider Sandhills Medical Foundation disclosed a ransomware attack affecting nearly 170,000 individuals — nearly one year after discovering the breach on May 8, 2025. According to Sandhills Medical’s data security notice, the Inc Ransom group obtained sensitive patient data including Social Security numbers, financial information, and personal health records.
The healthcare organization worked with law enforcement, cybersecurity experts, and forensics firms to investigate the intrusion before publicly disclosing the incident. SecurityWeek reported that compromised information includes names, dates of birth, taxpayer identification numbers, driver’s licenses, government-issued identification, passports, and complete medical records.
Ransomware Gang Published Stolen Data
The Inc Ransom ransomware group listed Sandhills Medical on its leak website in early June 2025, making allegedly stolen files available for download. This followed a pattern of healthcare-targeted attacks that have plagued the industry throughout 2025.
Healthcare organizations remain prime targets for ransomware groups due to their critical operations and valuable personal data. The delayed disclosure highlights ongoing challenges healthcare providers face in balancing investigation needs with notification requirements.
The attack represents one of dozens of healthcare breaches affecting hundreds of thousands of patients across multiple states this year. Previous incidents in Illinois and Texas affected over 600,000 individuals combined, according to breach notification filings.
Karakurt Member Gets 8.5 Years for $56M in Damages
A Latvian member of the notorious Karakurt ransomware gang received an 8.5-year prison sentence for his role in extorting victims across 53 organizations. Deniss Zolotarjovs, 35, pleaded guilty in July 2025 after being extradited from Georgia where he was arrested in December 2023.
Court documents show Zolotarjovs operated as a negotiator and data analyst for Karakurt between June 2021 and March 2023. The group, also known as TommyLeaks and associated with the infamous Conti operation, caused $56 million in total losses during his tenure.
Zolotarjovs received 10% of negotiated ransom payments in cryptocurrency, which he converted to Russian rubles through multiple wallet transfers. In one case involving a pediatric healthcare company, he recommended publishing children’s patient data online when the victim delayed payment.
Karakurt targeted organizations across multiple industries, stealing personally identifiable information including names, addresses, Social Security numbers, and healthcare data. The group also disrupted a 911 emergency system during its operations.
Rival Ransomware Groups Attack Each Other
Two emerging ransomware operations, 0APT and KryBit, engaged in a public feud that exposed both groups’ infrastructure and operational data. According to Halcyon’s Ransomware Research Center, the conflict provided defenders with rare insight into ransomware operations.
0APT emerged in late January with nearly 200 fabricated victims before going quiet for months. The group reemerged in mid-April, claiming attacks against established ransomware operators including KryBit, Everest, and RansomHouse.
KryBit launched in late March offering ransomware-as-a-service kits targeting Windows, Linux, ESXi, and network-attached storage devices. The group used an 80/20 affiliate model and published 10 legitimate victims in its first two weeks of operation.
The feud appears to have damaged both organizations significantly. When ransomware groups attack each other, the resulting data leaks often reveal operational details, payment structures, and technical capabilities that benefit cybersecurity defenders.
cPanel Zero-Day Compromises 40,000+ Servers
More than 40,000 servers have been compromised in ongoing exploitation of CVE-2026-41940, a critical authentication-bypass vulnerability in cPanel & WebHost Manager. The Shadowserver Foundation reported the massive compromise campaign targeting the popular server management platform.
https://x.com/Shadowserver/status/2050208472386396568
Disclosed on April 28, the vulnerability allows unauthenticated attackers to gain administrative access to cPanel through special characters in authorization headers. Attackers can write parameters to session files and trigger reloads to authenticate using injected administrative credentials.
The security flaw affects all cPanel versions after 11.40, with roughly 1.5 million instances accessible from the internet according to Rapid7. Exploitation likely began as a zero-day in late February, with activity spiking after public disclosure and the publication of technical details by watchTowr.
Most compromised systems are located in the United States, followed by France and the Netherlands. cPanel has released patch versions 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.124.0.35, 11.126.0.54, and 11.130.0.19 to address the vulnerability.
Vect 2.0 Ransomware Acts as Accidental Wiper
The Vect 2.0 ransomware variant contains a critical design flaw that permanently destroys files larger than 128KB instead of encrypting them for recovery. Check Point Software’s analysis revealed the bug affects Windows, Linux, and VMware ESXi versions.
The flaw occurs because Vect’s ChaCha20-IETF encryption scheme generates four random 12-byte nonces for large files but only saves the final nonce to disk. The first three nonces, required to decrypt their respective chunks, are permanently lost.
This effectively makes Vect a wiper for enterprise assets including VM disks, databases, documents, and backups. The ransomware-as-a-service operation first appeared in December 2025 and has been deployed against victims of TeamPCP supply chain attacks.
Organizations hit by Vect 2.0 cannot recover their data even if they pay ransom demands, since the decryption keys for large files no longer exist. The flaw complicates the attackers’ business model while making recovery impossible for victims.
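To make the failure mode concrete, the following is an added illustration (not Check Point's analysis code and not the malware's own code) of a ChaCha20-IETF chunked scheme that draws a fresh 12-byte nonce per chunk but stores only the last one. The equal four-way chunk split and the in-memory key are assumptions for the demonstration; the point it shows is that even a decryptor holding the correct key recovers only the final chunk, so payment cannot restore the file and offline backups are the only recovery path.

```python
import os
import struct
MASK = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK
def _quarter(s, a, b, c, d):
    # RFC 8439 quarter round on four words of the working state
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)
def _block(key, counter, nonce):
    # ChaCha20-IETF block function: 32-byte key, 32-bit block counter, 12-byte nonce
    state = (list(struct.unpack("<4L", b"expand 32-byte k")) + list(struct.unpack("<8L", key))
             + [counter] + list(struct.unpack("<3L", nonce)))
    w = state[:]
    for _ in range(10):
        _quarter(w, 0, 4, 8, 12); _quarter(w, 1, 5, 9, 13); _quarter(w, 2, 6, 10, 14); _quarter(w, 3, 7, 11, 15)
        _quarter(w, 0, 5, 10, 15); _quarter(w, 1, 6, 11, 12); _quarter(w, 2, 7, 8, 13); _quarter(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(w[i] + state[i]) & MASK for i in range(16)])
def chacha20_xor(key, nonce, data):
    # Stream cipher: XOR data with successive keystream blocks (encryption and decryption are identical)
    out = bytearray()
    for off in range(0, len(data), 64):
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], _block(key, off // 64, nonce)))
    return bytes(out)

CHUNKS = 4  # the report describes four nonces per large file

def encrypt_large_file(key, plaintext):
    # Model of the flawed scheme (chunk layout assumed): fresh nonce per chunk, only the last one is kept
    size = -(-len(plaintext) // CHUNKS)
    nonces = [os.urandom(12) for _ in range(CHUNKS)]
    ct = b"".join(chacha20_xor(key, nonces[k], plaintext[k * size:(k + 1) * size]) for k in range(CHUNKS))
    return ct + nonces[-1]  # footer carries the final nonce; the first three are gone for good
def recover_with_footer(key, blob):
    # All a decryptor with the correct key can do: apply the single surviving nonce to every chunk
    ct, stored_nonce = blob[:-12], blob[-12:]
    size = -(-len(ct) // CHUNKS)
    return [chacha20_xor(key, stored_nonce, ct[k * size:(k + 1) * size]) for k in range(CHUNKS)]
def recoverable_chunks(key, plaintext):
    # Per-chunk outcome of that recovery attempt; only the chunk whose nonce survived decrypts correctly
    size = -(-len(plaintext) // CHUNKS)
    chunks = recover_with_footer(key, encrypt_large_file(key, plaintext))
    return [chunks[k] == plaintext[k * size:(k + 1) * size] for k in range(CHUNKS)]
```

Running `recoverable_chunks` on a constructed input yields `[False, False, False, True]`: three quarters of the file are irrecoverable ciphertext under any key, which is exactly the wiper behaviour described above.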
What This Means
The healthcare sector continues facing disproportionate ransomware targeting, with attackers exploiting critical infrastructure dependencies and valuable personal data. Sandhills Medical’s year-long disclosure delay highlights the complex balance between thorough investigation and timely victim notification.
Successful prosecutions like Zolotarjovs’ case demonstrate international law enforcement cooperation against ransomware operations. However, the $56 million in damages from just one operator across 53 organizations shows the massive scale of financial impact.
The cPanel vulnerability exploitation affecting 40,000+ servers underscores how quickly threat actors can weaponize disclosed vulnerabilities. Organizations running internet-facing cPanel instances face immediate risk without emergency patching.
Ransomware groups attacking each other and flawed encryption implementations like Vect 2.0 reveal the often chaotic nature of cybercriminal operations. These incidents provide defenders with valuable intelligence while sometimes accidentally protecting victims through operational failures.
FAQ
How can healthcare organizations better protect against ransomware attacks?
Implement network segmentation, maintain offline backups, deploy endpoint detection and response tools, and establish incident response plans with legal notification requirements. Regular security assessments and employee training are essential.
What should cPanel users do immediately about CVE-2026-41940?
Update to the latest patched version immediately, follow cPanel’s compromise identification guidelines, and monitor for unauthorized administrative access. Consider temporarily restricting internet access to cPanel instances during patching.
Why do ransomware groups sometimes attack each other?
Competition for victims, territorial disputes, revenge for perceived slights, or attempts to steal operational data and cryptocurrency. These feuds often expose valuable intelligence about ransomware operations to cybersecurity researchers.
Sources
- Sandhills Medical Says Ransomware Breach Affects 170,000 – SecurityWeek
- Karakurt Ransomware Negotiator Sentenced to Prison – SecurityWeek
- Feuding Ransomware Groups Leak Each Other’s Data – Dark Reading
- Vect 2.0 Ransomware Acts as Wiper, Thanks to Design Error – Dark Reading