South Carolina-based Sandhills Medical Foundation disclosed a ransomware attack affecting nearly 170,000 individuals on April 28, 2025 — nearly one year after discovering the breach on May 8, 2024. According to Sandhills Medical’s data security incident notice, the healthcare provider has been working with law enforcement, cybersecurity experts, and forensics firms to investigate the intrusion.
The Inc Ransom ransomware group listed Sandhills Medical on its leak website in early June 2024 and has since made the allegedly stolen files available for download. The compromised data includes names, dates of birth, Social Security numbers, taxpayer identification numbers, driver’s licenses, government-issued identification, passports, financial information, and personal health information.
Ransomware Groups Turn on Each Other
While established healthcare breaches continue to surface, newer ransomware operations are facing internal conflicts that may benefit defenders. The Halcyon Ransomware Research Center reported on a feud between two emerging ransomware-as-a-service (RaaS) actors: 0APT and KryBit.
0APT emerged in late January 2025 with a fabricated victim list of nearly 200 organizations posted over one week. The group went quiet for months before reemerging in mid-April, claiming attacks against established ransomware operators including KryBit, Everest (active since 2020), and RansomHouse (active since 2021).
KryBit launched in late March 2025, offering RaaS kits targeting Windows, Linux, ESXi, and network-attached storage devices using an 80/20 affiliate model. The group published 10 legitimate victims in its first two weeks before becoming embroiled in the 0APT conflict.
Flawed Ransomware Acts as Data Wiper
The Vect 2.0 ransomware variant contains a critical flaw that leaves files larger than 128KB permanently unrecoverable instead of merely encrypted, according to Check Point Software’s analysis. The design error effectively makes Vect a wiper for virtually any file containing meaningful data, including VM disks, databases, documents, and backups.
The flaw lies in how Vect’s ChaCha20-IETF (12-byte nonce) encryption scheme handles nonces, and it is present in the Windows, Linux, and VMware ESXi variants. For files above 131,072 bytes, the malware encrypts four independent chunks, each under its own randomly generated 12-byte nonce, but appends only the final nonce to the encrypted file on disk. Because a ChaCha20 keystream depends on both the key and the nonce, the three chunks whose nonces were never written cannot be decrypted even by an attacker who holds the correct key, so recovery is impossible even with the gang’s own decryptor.
Vect 2.0 first appeared in December 2025 and has been deployed against victims of TeamPCP supply chain attacks. Organizations hit by this variant face total data loss regardless of ransom payment.
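The following is an added example that models the nonce-loss flaw described above; it is not Vect’s code and is not from Check Point’s report. ChaCha20 is implemented per RFC 8439 (IETF variant: 32-byte key, 12-byte nonce, 32-bit block counter) and self-checked against the RFC test vector. The four-quarter chunk layout, the per-chunk counter start of 1, and the "nonce as trailer" file format are assumptions made for illustration; the reported behaviour is only that four nonces are used and one is stored. The block contrasts the flawed layout with the obvious fix (every nonce travels with its ciphertext).

```python
"""Model of the Vect 2.0 nonce-loss flaw (added example, not Vect's code)."""
import os
import struct

MASK32 = 0xFFFFFFFF
CHUNK_THRESHOLD = 131_072   # files above 128 KiB get the four-chunk treatment
NONCE_LEN = 12


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    # RFC 8439 state: 4 constant words, 8 key words, 1 counter word, 3 nonce words.
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(w, state)))


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (same operation) data under key/nonce. Keystream = f(key, nonce, counter)."""
    if len(key) != 32 or len(nonce) != NONCE_LEN:
        raise ValueError("ChaCha20-IETF needs a 32-byte key and a 12-byte nonce")
    out = bytearray()
    for i in range(0, len(data), 64):
        block = data[i:i + 64]
        ks = _chacha20_block(key, counter + i // 64, nonce)[:len(block)]
        out += (int.from_bytes(block, "little") ^ int.from_bytes(ks, "little")).to_bytes(len(block), "little")
    return bytes(out)


def rfc8439_self_check():
    """Compare the first 16 ciphertext bytes with the RFC 8439 section 2.4.2 test vector."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    msg = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
           b"only one tip for the future, sunscreen would be it.")
    return chacha20_xor(key, nonce, msg, counter=1)[:16].hex() == "6e2e359a2568f98041ba0728dd0d6981"


def _chunk_bounds(n):
    # Assumed layout: four contiguous quarters of the file (not documented for Vect).
    return [0, n // 4, n // 2, (3 * n) // 4, n]


def encrypt_file(key, plaintext, keep_all_nonces):
    """Four chunks, four fresh nonces. Flawed mode stores only the last nonce, fixed mode all four."""
    if len(plaintext) <= CHUNK_THRESHOLD:
        raise ValueError("model only covers files above the 128 KiB threshold")
    b = _chunk_bounds(len(plaintext))
    nonces = [os.urandom(NONCE_LEN) for _ in range(4)]
    body = b"".join(chacha20_xor(key, nonces[i], plaintext[b[i]:b[i + 1]]) for i in range(4))
    trailer = b"".join(nonces) if keep_all_nonces else nonces[3]  # flawed: nonces[0..2] die with the process
    return body + trailer


def vect_decrypt(key, blob):
    """Best a decryptor can do with the flawed format: reuse the single stored nonce for every chunk."""
    body, stored = blob[:-NONCE_LEN], blob[-NONCE_LEN:]
    b = _chunk_bounds(len(body))
    return [chacha20_xor(key, stored, body[b[i]:b[i + 1]]) for i in range(4)]


def fixed_decrypt(key, blob):
    """Fixed format: each chunk is decrypted under the nonce that was actually used for it."""
    body, trailer = blob[:-4 * NONCE_LEN], blob[-4 * NONCE_LEN:]
    nonces = [trailer[i * NONCE_LEN:(i + 1) * NONCE_LEN] for i in range(4)]
    b = _chunk_bounds(len(body))
    return b"".join(chacha20_xor(key, nonces[i], body[b[i]:b[i + 1]]) for i in range(4))


def demo(size=CHUNK_THRESHOLD + 1):
    """Return (per-chunk recovery flags under the flawed scheme, fixed-scheme round trip ok)."""
    key = os.urandom(32)
    plaintext = os.urandom(size)  # constructed stand-in for a VM disk or database file
    b = _chunk_bounds(size)
    chunks = [plaintext[b[i]:b[i + 1]] for i in range(4)]
    flawed = vect_decrypt(key, encrypt_file(key, plaintext, keep_all_nonces=False))
    recovered = [got == want for got, want in zip(flawed, chunks)]
    return recovered, fixed_decrypt(key, encrypt_file(key, plaintext, keep_all_nonces=True)) == plaintext


if __name__ == "__main__":
    flags, fixed_ok = demo()
    print("RFC 8439 self-check:", rfc8439_self_check())
    print("chunks recoverable with the one stored nonce:", flags)   # only the last chunk
    print("fixed scheme round-trips:", fixed_ok)
```

The point the model makes concrete: with the correct key in hand, the decryptor still recovers exactly one of the four chunks, because the other three keystreams cannot be regenerated without their nonces. No key handling on the attacker side changes that, which is why paying does not help.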
Security Experts Sentenced for Ransomware Scheme
Two cybersecurity professionals received 4-year prison sentences for their roles in BlackCat/Alphv ransomware attacks. Ryan Goldberg of Georgia and Kevin Martin of Texas pleaded guilty to conspiracy to obstruct interstate commerce by extortion.
A third conspirator, Angelo Martino from Florida, also pleaded guilty and awaits sentencing on July 9, 2025. All three worked at cybersecurity firms — two as ransomware negotiators — when they decided to conduct attacks using BlackCat ransomware.
The group received roughly $1.2 million from one victim and kept 80% after paying 20% to BlackCat administrators. They laundered their proceeds through various methods before authorities disrupted the operation.
BlackCat targeted more than 1,000 organizations between November 2021 and December 2023. The cybercriminals received a $22 million ransom from one victim before pulling an exit scam. The US government offers a $10 million reward for information on key BlackCat members.
Supply Chain Attacks Hit Security Vendors
Checkmarx confirmed that hackers stole data during last month’s supply chain attack targeting its KICS open source project. The compromise resulted from the Trivy supply chain attack attributed to the TeamPCP hacking group, which hijacked dozens of GitHub Action version tags to reference malware.
Lapsus$ added Checkmarx to its Tor-based leak site over the weekend, claiming theft of source code, employee databases, API keys, and MongoDB and MySQL credentials. According to Checkmarx, the data originated from GitHub repositories accessed through credentials compromised in the March 23, 2025 Trivy hack.
Despite remediation efforts, the attackers retained or regained access and on April 22 published fresh malicious code by poisoning a KICS image on DockerHub, the KICS GitHub Action, the KICS VS Code extension, and the Developer Assist extension. That second incident also compromised the Bitwarden command-line interface NPM package, affecting one of the most popular open source password management platforms.
Messages posted by TeamPCP and Lapsus$ suggest the two threat actors may have partnered for monetization purposes, representing a concerning collaboration between supply chain attackers and extortion groups.
What This Means
The healthcare sector continues facing prolonged disclosure timelines, with Sandhills Medical taking nearly a year to publicly report its breach despite early ransomware group publication. This delay pattern undermines patient notification requirements and suggests insufficient incident response coordination.
Ransomware ecosystem instability, demonstrated by the 0APT-KryBit feud and Vect 2.0’s destructive flaws, may temporarily benefit defenders but also creates unpredictable threat landscapes. Organizations should not rely on criminal incompetence for protection.
The sentencing of cybersecurity professionals for ransomware operations highlights insider threat risks within the security industry itself. Companies must implement stronger vetting and monitoring procedures for personnel with privileged access to negotiation processes and victim data.
Supply chain attacks targeting security vendors like Checkmarx represent a sophisticated threat multiplication strategy. When security tool providers are compromised, the ripple effects can impact thousands of downstream organizations relying on those tools for protection.
FAQ
How long do healthcare organizations typically take to disclose breaches?
Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach, and must report breaches affecting 500 or more people to HHS within the same window. Sandhills Medical’s roughly one-year delay falls far outside that window and suggests enforcement gaps; the HHS Office for Civil Rights may investigate prolonged disclosure timelines.
Can ransomware victims recover data encrypted by Vect 2.0?
No. For every file larger than 128KB, Vect 2.0 discards three of the four ChaCha20 nonces it used, so those portions cannot be decrypted even with the correct key and the attackers’ own decryptor; paying the ransom does not change that. Organizations should treat Vect 2.0 infections as total data loss events and restore from offline or immutable backups that the malware could not reach.
What should organizations do about supply chain security after the Checkmarx incident?
Pin every third-party GitHub Action and container image to an immutable reference (a full commit SHA or image digest) rather than a mutable version tag, since the Trivy compromise worked by repointing existing tags at malicious code. Track dependencies with a software bill of materials (SBOM), monitor dependency repositories and registries for unauthorized changes, rotate any credentials a compromised tool could have read from CI, and establish incident response procedures for compromised third-party tools. Consider air-gapped build environments for critical applications.
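As an added example (not Checkmarx, Trivy or GitHub tooling), the script below audits GitHub Actions workflow files for the weakness the Trivy incident exploited: `uses:` references that resolve through a tag or branch, which the repository owner or anyone with tag-push rights can move, as opposed to a full 40-hex commit SHA, which names exactly one tree. It deliberately parses with a regex rather than PyYAML so it runs anywhere Python does. The sample workflow is constructed; the `example-org` actions do not exist and the SHA is a placeholder.

```python
"""Audit GitHub Actions workflows for mutable action references (added example)."""
import re
import sys

# Matches "- uses: owner/repo@ref", "uses: 'owner/repo@ref'" and reusable-workflow uses lines.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?""")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def classify_ref(uses):
    """Classify one uses: value as local, docker, sha, unpinned or malformed."""
    if uses.startswith("./"):
        return "local"      # action in the same repository, versioned with the workflow itself
    if uses.startswith("docker://"):
        return "docker"     # image references need digest pinning; separate check, out of scope here
    if "@" not in uses:
        return "malformed"
    ref = uses.rsplit("@", 1)[1]
    # Tags (v4), branches (master) and abbreviated SHAs can all be moved or reassigned;
    # only a full commit SHA is immutable.
    return "sha" if FULL_SHA_RE.match(ref) else "unpinned"


def audit_workflow(text):
    """Return [(line_no, uses_value, verdict)] for every uses: line in a workflow."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            findings.append((no, m.group(1), classify_ref(m.group(1))))
    return findings


def unpinned_refs(text):
    """Only the references an attacker who can repoint tags could redirect."""
    return [(no, uses) for no, uses, verdict in audit_workflow(text) if verdict == "unpinned"]


# Constructed sample workflow: example-org actions are fictitious, the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567  # v2.1.0
      - name: Run scanner
        uses: example-org/scanner-action@master
      - uses: ./.github/actions/local-helper
      - uses: docker://example.invalid/image:latest
      - uses: "example-org/quoted-action@v3"
"""


def main(paths):
    """Print findings per file; return 1 if any reference is unpinned, else 0."""
    texts = [open(p, encoding="utf-8").read() for p in paths] if paths else [SAMPLE_WORKFLOW]
    bad = 0
    for text in texts:
        for no, uses, verdict in audit_workflow(text):
            print(f"{no:4d}  {verdict:9s} {uses}")
            bad += verdict == "unpinned"
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))   # e.g. python audit_actions.py .github/workflows/*.yml
```

Run it against `.github/workflows/*.yml` in CI and fail the build on a non-zero exit; a trailing `# v2.1.0` comment next to the SHA, as in the sample, keeps the pinned reference readable for humans and for tools that bump it.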
Sources
- Sandhills Medical Says Ransomware Breach Affects 170,000 – SecurityWeek
- Feuding Ransomware Groups Leak Each Other’s Data – Dark Reading
- Vect 2.0 Ransomware Acts as Wiper, Thanks to Design Error – Dark Reading
- Two US Security Experts Sentenced to Prison for Helping Ransomware Gang – SecurityWeek
- Checkmarx Confirms Data Stolen in Supply Chain Attack – SecurityWeek