Sandhills Medical Foundation disclosed a ransomware attack affecting nearly 170,000 patients, nearly one year after discovering the May 8, 2025 breach. According to the healthcare provider’s security notice, the South Carolina-based organization worked with law enforcement and cybersecurity experts to investigate the incident before publicly disclosing it.
The Inc Ransom ransomware group listed Sandhills Medical on its leak website in early June 2025 and has since made stolen files available for download. The breach compromised names, dates of birth, Social Security numbers, taxpayer identification numbers, driver’s licenses, government-issued identification, passports, financial information, and personal health records.
Ransomware Groups Turn on Each Other
Two newer ransomware operations, 0APT and KryBit, recently attacked each other in a feud that exposed their infrastructure and operational data. Halcyon Ransomware Research Center reported that 0APT emerged in late January with nearly 200 fabricated victim claims before going quiet for months.
0APT reemerged in mid-April, deleting its fake victim list while claiming attacks against established ransomware operators including KryBit, Everest, and RansomHouse. KryBit had launched in late March with an 80/20 affiliate model targeting Windows, Linux, ESXi, and network-attached storage devices.
The infighting between criminal groups provided defenders with rare insight into ransomware operations, including infrastructure details and operational methods typically hidden from security researchers.
Vect 2.0 Ransomware Contains Fatal Design Flaw
The Vect 2.0 ransomware variant contains a critical design error that makes it function as a wiper rather than traditional ransomware. Check Point Software discovered that the malware permanently destroys files larger than 128KB instead of encrypting them for ransom.
The flaw affects Vect 2.0’s ChaCha20-IETF encryption scheme across the Windows, Linux, and VMware ESXi versions. For large files the ransomware encrypts the data in chunks and generates a fresh random 12-byte nonce for each of four chunks, but it writes only the final nonce to disk. Because a ChaCha20 keystream cannot be regenerated without its nonce, the first three chunks are permanently unrecoverable even for someone holding the correct key.
“This effectively makes Vect a wiper for virtually any file containing meaningful data, enterprise assets such as VM disks, databases, documents and backups included,” Check Point stated. The ransomware-as-a-service operation first appeared in December 2025 and has been deployed against victims of TeamPCP supply chain attacks.
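The script below is an added illustration of the failure mode just described; it is not Vect 2.0's code and not Check Point's analysis. It uses a small pure-Python ChaCha20 (RFC 8439, 12-byte IETF nonce) and a constructed file layout: the file is split into four chunks, each chunk gets its own random nonce, and in the flawed variant a 12-byte footer holds only the last nonce. The chunk count, the footer and header layouts, and the sample inputs are assumptions for illustration, since the page does not describe the real on-disk format. The RFC 8439 "sunscreen" vector is included as a self-check of the cipher.

```python
# Added example, not Vect 2.0's or Check Point's code. Pure-Python ChaCha20
# (RFC 8439, 12-byte IETF nonce) plus a constructed file layout used to show
# why losing per-chunk nonces turns an encryptor into a wiper.
import os
import struct

MASK32 = 0xFFFFFFFF
CHUNKS = 4      # assumption: four nonces in the article, so four chunks per file
NONCE_LEN = 12  # ChaCha20-IETF nonce size


def _rotl(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 section 2.3)."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8I", key)
    state += [counter & MASK32] + list(struct.unpack("<3I", nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds as 10 column+diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & MASK32 for i in range(16)])


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = _chacha20_block(key, counter + off // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


def rfc8439_selfcheck():
    """Sanity check against the RFC 8439 section 2.4.2 'sunscreen' vector."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    msg = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
           b"only one tip for the future, sunscreen would be it.")
    return chacha20_xor(key, nonce, msg)[:16].hex() == "6e2e359a2568f98041ba0728dd0d6981"


def _split(data, n):
    """Exactly n contiguous pieces; same boundaries for plaintext and ciphertext."""
    bounds = [len(data) * i // n for i in range(n + 1)]
    return [data[bounds[i]:bounds[i + 1]] for i in range(n)]


def vect_style_encrypt(key, plaintext):
    """Flawed scheme as the article describes it: a fresh nonce per chunk, but
    each new nonce overwrites the previous one, so only the last survives in
    the on-disk footer (footer layout is an assumption of this example)."""
    ct, saved_nonce = bytearray(), None
    for chunk in _split(plaintext, CHUNKS):
        saved_nonce = os.urandom(NONCE_LEN)  # the previous chunk's nonce is lost here
        ct += chacha20_xor(key, saved_nonce, chunk)
    return bytes(ct) + saved_nonce


def vect_style_decrypt(key, blob):
    """Best a decryptor holding the key can do: apply the one stored nonce to
    every chunk. Only the last chunk comes back; the others decrypt to noise."""
    ct, nonce = blob[:-NONCE_LEN], blob[-NONCE_LEN:]
    return [chacha20_xor(key, nonce, c) for c in _split(ct, CHUNKS)]


def fixed_encrypt(key, plaintext):
    """Corrected scheme: every nonce is persisted in a header ahead of the data."""
    nonces, ct = [], bytearray()
    for chunk in _split(plaintext, CHUNKS):
        nonces.append(os.urandom(NONCE_LEN))
        ct += chacha20_xor(key, nonces[-1], chunk)
    return b"".join(nonces) + bytes(ct)


def fixed_decrypt(key, blob):
    hdr, ct = blob[:CHUNKS * NONCE_LEN], blob[CHUNKS * NONCE_LEN:]
    nonces = [hdr[i * NONCE_LEN:(i + 1) * NONCE_LEN] for i in range(CHUNKS)]
    return b"".join(chacha20_xor(key, n, c) for n, c in zip(nonces, _split(ct, CHUNKS)))


if __name__ == "__main__":
    key, pt = os.urandom(32), os.urandom(4096)  # constructed sample input
    assert rfc8439_selfcheck()
    partial = vect_style_decrypt(key, vect_style_encrypt(key, pt))
    print("flawed scheme recovers each chunk:",
          [partial[i] == _split(pt, CHUNKS)[i] for i in range(CHUNKS)])
    print("fixed scheme round-trips:", fixed_decrypt(key, fixed_encrypt(key, pt)) == pt)
```

Running it shows the practical shape of the bug: the flawed decryptor does not fail, it produces bytes for every chunk, but only the last chunk matches the plaintext and the other three are the ciphertext XORed with the wrong keystream. The corrected variant simply persists all four nonces; an equally sound alternative is one nonce per file with the block counter continuing across chunks, which is how a single ChaCha20 stream is normally driven.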
Security Experts Sentenced for BlackCat Ransomware Scheme
Two U.S. cybersecurity professionals received four-year prison sentences for participating in BlackCat ransomware attacks while working as security consultants. Ryan Goldberg of Georgia and Kevin Martin of Texas pleaded guilty to conspiracy to obstruct interstate commerce by extortion.
The defendants worked at cybersecurity firms as ransomware negotiators when they decided to conduct attacks of their own using BlackCat (also known as ALPHV) ransomware. They paid 20% of ransom proceeds to the criminal operation’s administrators while keeping 80% for themselves.
Authorities said Goldberg, Martin, and a third conspirator, Angelo Martino of Florida, received approximately $1.2 million from one victim and laundered the proceeds through various methods. Martino also pleaded guilty and awaits sentencing on July 9.
The BlackCat operation targeted more than 1,000 organizations between November 2021 and December 2023 before authorities disrupted it. The BlackCat operators later received a $22 million ransom payment and executed an exit scam.
Checkmarx Confirms Data Theft in TeamPCP Supply Chain Attack
Checkmarx confirmed that hackers stole source code, employee databases, API keys, and database credentials during last month’s supply chain attack on its KICS open source project. The security company stated that the compromise originated from the Trivy supply chain attack attributed to TeamPCP.
The initial March 23, 2026 attack allowed hackers to hijack dozens of GitHub Action version tags and poison OpenVSX plugins and GitHub Actions workflows. Despite Checkmarx’s remediation efforts, attackers retained or regained access and launched a second wave on April 22.
The second incident compromised the Bitwarden command-line interface NPM package and poisoned a DockerHub KICS image, GitHub action, VS Code extension, and Developer Assist extension. Lapsus$ added Checkmarx to its leak site over the weekend, claiming theft of sensitive corporate data.
Messages posted by TeamPCP and Lapsus$ suggested the two threat groups may have partnered for monetization purposes during the campaign targeting multiple open source software ecosystems.
What This Means
The healthcare sector continues facing disproportionate ransomware targeting, with Sandhills Medical’s delayed disclosure highlighting the complex investigation and notification processes following major breaches. The Inc Ransom group’s public leak of patient data demonstrates how ransomware operators increasingly use data exposure as leverage beyond encryption.
Infighting between ransomware groups like 0APT and KryBit provides security researchers valuable intelligence about criminal operations typically hidden from view. However, the Vect 2.0 design flaw shows how technical incompetence among newer ransomware developers can create destructive wipers that eliminate recovery options for both victims and attackers.
The sentencing of cybersecurity professionals for BlackCat ransomware participation underscores how insider threats remain a critical attack vector. Meanwhile, sophisticated supply chain attacks like those targeting Checkmarx demonstrate how threat actors exploit open source ecosystems to compromise multiple downstream targets simultaneously.
FAQ
How long did Sandhills Medical take to disclose its ransomware attack?
Sandhills Medical discovered the ransomware attack on May 8, 2025, but didn’t publicly disclose it until nearly one year later. The healthcare organization spent this time working with law enforcement and cybersecurity experts to investigate the incident’s scope and impact.
What makes Vect 2.0 ransomware particularly dangerous?
Vect 2.0 contains a design flaw that permanently destroys files larger than 128KB instead of encrypting them recoverably: those files are encrypted in chunks, but only the last of the four per-chunk nonces is saved, so the other chunks cannot be decrypted by anyone. This makes it function as a wiper rather than traditional ransomware, eliminating any possibility of recovering those files even if victims pay the ransom.
Why were cybersecurity experts sentenced for ransomware attacks?
Ryan Goldberg and Kevin Martin worked as ransomware negotiators at cybersecurity firms but used their positions to conduct BlackCat ransomware attacks. They received four-year prison sentences for conspiracy to obstruct interstate commerce by extortion after keeping 80% of ransom proceeds.
Sources
- Sandhills Medical Says Ransomware Breach Affects 170,000 – SecurityWeek
- Feuding Ransomware Groups Leak Each Other’s Data – Dark Reading
- Vect 2.0 Ransomware Acts as Wiper, Thanks to Design Error – Dark Reading
- Two US Security Experts Sentenced to Prison for Helping Ransomware Gang – SecurityWeek