South Carolina healthcare provider Sandhills Medical Foundation disclosed a ransomware attack affecting nearly 170,000 individuals, with hackers maintaining access for nearly one year before public disclosure. The organization discovered the breach on May 8, 2025, but only notified affected patients and regulators in April 2026, according to SecurityWeek.
The Inc Ransom ransomware group listed Sandhills Medical on its leak website in early June 2025 and has since made stolen patient files available for download. Compromised data includes names, Social Security numbers, dates of birth, driver’s licenses, passports, financial information, and protected health records.
Healthcare Sector Under Siege
The Sandhills Medical incident represents the latest in a series of devastating healthcare breaches that have exposed millions of patient records in 2026. Healthcare organizations face particular vulnerability due to legacy systems, extensive data repositories, and operational pressures that often delay security updates.
Ransomware groups specifically target healthcare providers because hospitals cannot afford extended downtime during patient care emergencies. The Inc Ransom group’s decision to publish stolen medical records demonstrates how cybercriminals monetize healthcare data through both ransom demands and dark web sales.
The nearly year-long delay between discovery and disclosure raises questions about notification requirements. While Sandhills Medical worked with law enforcement and cybersecurity experts during the investigation, affected patients remained unaware their sensitive medical and financial data had been compromised.
Cybersecurity Professionals Turn Criminal
In a separate development, two U.S. cybersecurity experts received four-year prison sentences for conducting ransomware attacks using their professional expertise. Ryan Goldberg of Georgia and Kevin Martin of Texas pleaded guilty to conspiracy charges related to BlackCat and AlphV ransomware operations, according to SecurityWeek.
The defendants worked as ransomware negotiators at cybersecurity firms while secretly orchestrating attacks against multiple companies. They received approximately $1.2 million from one victim and laundered their 80% share through various methods, paying 20% to the ransomware operation’s administrators.
A third conspirator, Angelo Martino from Florida, also pleaded guilty and awaits sentencing scheduled for July 9, 2026. The BlackCat operation targeted more than 1,000 organizations between November 2021 and December 2023 before authorities disrupted the network. The U.S. government offers a $10 million reward for information leading to key members of the ransomware group.
Ransomware Groups Attack Each Other
The ransomware ecosystem experienced internal warfare when two newer groups, 0APT and KryBit, launched attacks against each other and against established ransomware operators. The feud exposed infrastructure and operational data that provided rare insight into ransomware business models, according to Dark Reading.
0APT emerged in late January 2026 with a fabricated list of nearly 200 victims before going dormant for months. The group reemerged in mid-April, claiming attacks against established ransomware operators including KryBit, Everest, and RansomHouse.
KryBit launched in late March 2026 with ransomware-as-a-service kits targeting Windows, Linux, ESXi, and network-attached storage devices. The group used an 80/20 affiliate model and published 10 legitimate victims in its first two weeks of operation.
When ransomware groups attack each other, they inadvertently provide defenders with valuable intelligence about their operations, infrastructure, and business relationships. The 0APT versus KryBit conflict revealed internal communications, payment structures, and technical capabilities typically hidden from security researchers.
Flawed Ransomware Acts as Data Wiper
The Vect 2.0 ransomware contains a critical design flaw that turns it into a data wiper: files larger than 128KB are permanently destroyed rather than encrypted in a way that can be reversed after payment. Check Point Software discovered that the flaw affects the Windows, Linux, and VMware ESXi variants of the ransomware-as-a-service operation, according to Dark Reading.
The malware encrypts four independent chunks of large files using randomly generated nonces but only saves the final nonce to disk. The first three nonces required for decryption are permanently lost, making recovery impossible even with payment.
Affected file types include:
- Virtual machine disk images
- Database files
- Enterprise documents
- Backup archives
- Any file exceeding 131,072 bytes
This flaw effectively eliminates the ransomware’s core value proposition—the ability to restore encrypted data upon payment. Organizations hit by Vect 2.0 face permanent data loss regardless of ransom payment, while attackers lose leverage for extortion demands.
Supply Chain Attacks Escalate
Checkmarx confirmed that hackers stole sensitive data during last month’s supply chain attack targeting its KICS open source project. The breach resulted from the broader Trivy supply chain compromise attributed to the TeamPCP hacking group, according to SecurityWeek.
Attackers accessed Checkmarx’s GitHub repositories using credentials compromised in the March 23, 2026 Trivy hack. Despite initial remediation efforts, hackers retained or regained access and launched a second wave of attacks on April 22, poisoning multiple software packages including a DockerHub KICS image and VS Code extensions.
The Lapsus$ extortion group added Checkmarx to its leak site, claiming theft of source code, employee databases, API keys, and database credentials. The incident demonstrates how supply chain compromises can provide persistent access to target environments even after initial detection and response efforts.
Messages posted by TeamPCP and Lapsus$ suggest potential collaboration between the groups for monetizing stolen data and access. The partnership combines TeamPCP’s technical capabilities with Lapsus$’s extortion expertise and established leak platforms.
What This Means
The healthcare sector’s continued vulnerability to ransomware attacks reflects systemic challenges in balancing patient care operations with cybersecurity requirements. The Sandhills Medical incident’s year-long timeline from discovery to disclosure highlights gaps in incident response and regulatory oversight.
The criminal prosecution of cybersecurity professionals who leveraged their expertise for ransomware operations sends a clear message about accountability within the security industry. These cases demonstrate how insider knowledge of ransomware negotiation processes can be weaponized against the very organizations these professionals were hired to protect.
Ransomware group infighting provides unexpected benefits to defenders by exposing operational details typically hidden from security researchers. However, the emergence of technically flawed ransomware like Vect 2.0 creates new risks where victims face permanent data loss regardless of payment decisions.
Supply chain attacks continue evolving in sophistication and persistence, with threat actors maintaining access across multiple compromise waves. Organizations must assume that initial breach remediation may not eliminate all attacker presence and implement continuous monitoring for secondary compromise indicators.
FAQ
How long did Sandhills Medical wait to disclose the ransomware attack?
Sandhills Medical discovered the ransomware attack on May 8, 2025, but didn’t publicly disclose the incident until April 2026—nearly one year later. The organization said it was working with law enforcement and cybersecurity experts during the investigation period.
What makes the Vect 2.0 ransomware particularly dangerous?
Vect 2.0 contains a design flaw that permanently destroys files larger than 128KB instead of encrypting them recoverably. This makes recovery impossible even if victims pay the ransom, because the malware discards three of the four nonces needed to decrypt large files.
Why are cybersecurity professionals being prosecuted for ransomware attacks?
Ryan Goldberg, Kevin Martin, and Angelo Martino worked as ransomware negotiators while secretly conducting their own attacks using BlackCat and AlphV ransomware. They received approximately $1.2 million from victims. Goldberg and Martin were sentenced to four years in prison for conspiracy to obstruct commerce by extortion, while Martino awaits sentencing.
Sources
- Sandhills Medical Says Ransomware Breach Affects 170,000 – SecurityWeek
- Feuding Ransomware Groups Leak Each Other’s Data – Dark Reading
- Vect 2.0 Ransomware Acts as Wiper, Thanks to Design Error – Dark Reading
- Two US Security Experts Sentenced to Prison for Helping Ransomware Gang – SecurityWeek
- Checkmarx Confirms Data Stolen in Supply Chain Attack – SecurityWeek