
Sandhills Medical Breach Hits 170K After Year-Long Delay

South Carolina healthcare provider Sandhills Medical Foundation disclosed a ransomware attack affecting nearly 170,000 individuals — nearly one year after discovering the breach on May 8, 2025. According to SecurityWeek, the Inc Ransom group listed Sandhills Medical on its leak website in early June 2025 and has since made allegedly stolen files available for download.

The compromised data includes names, dates of birth, Social Security numbers, taxpayer identification numbers, driver’s licenses, government-issued identification, passports, financial information, and personal health information. Sandhills Medical told the Maine Attorney General’s Office that nearly 170,000 people are affected, though the company described the impact as affecting “select patients.”

Ransomware Groups Turn on Each Other

Two emerging ransomware operations, 0APT and KryBit, recently attacked each other in a feud that exposed both groups’ infrastructure and operational data. According to Dark Reading, the Halcyon Ransomware Research Center documented how this internecine warfare provided defenders with rare insight into ransomware operations.

0APT emerged in late January with a fabricated list of nearly 200 victims before going quiet for months. The group reemerged in mid-April, claiming attacks against established ransomware operators including KryBit, Everest, and RansomHouse. KryBit, which launched in late March with an 80/20 affiliate model targeting Windows, Linux, ESXi, and network-attached storage devices, published 10 legitimate victims in its first two weeks before the conflict erupted.

The mutual attacks left both operations in shambles, with each group leaking the other’s sensitive operational data and infrastructure details.

Vect 2.0 Ransomware Contains Fatal Flaw

The Vect 2.0 ransomware variant contains a critical design error that causes it to act as a wiper rather than an encryption tool for files larger than 128KB. Check Point Software reported that the flaw affects all platform variants — Windows, Linux, and VMware ESXi — making recovery impossible even if victims pay ransom demands.

The ransomware-as-a-service operation, which first appeared in December, uses a ChaCha20-IETF encryption scheme that generates four random 12-byte nonces for large files but appends only the final nonce to the encrypted file on disk. Three of the four nonces required for decryption are therefore discarded, so the data cannot be recovered by anyone, effectively destroying enterprise assets including VM disks, databases, documents, and backups.

Vect 2.0 has been deployed against victims of TeamPCP supply chain attacks, but the encryption flaw makes paying for decryption futile since the files cannot be recovered.

US Security Experts Sentenced for BlackCat Scheme

Two American cybersecurity professionals received 4-year prison sentences for their roles in BlackCat ransomware attacks. Ryan Goldberg of Georgia and Kevin Martin of Texas pleaded guilty to conspiracy to obstruct interstate commerce by extortion, according to SecurityWeek.

The pair worked as ransomware negotiators at cybersecurity firms while secretly conducting attacks using BlackCat and Alphv ransomware. They paid 20% of ransom proceeds to the cybercrime operation’s administrators and kept 80% for themselves, receiving roughly $1.2 million from one victim. A third conspirator, Angelo Martino from Florida, also pleaded guilty and awaits sentencing on July 9.

More than 1,000 organizations were targeted in BlackCat attacks between November 2021 and December 2023, when authorities disrupted the operation. The cybercriminals later received a $22 million ransom and executed an exit scam.

Checkmarx Confirms Data Theft in Supply Chain Attack

Application security company Checkmarx confirmed that hackers stole source code, employee databases, API keys, and database credentials during a March supply chain attack. The company stated that the breach originated from its GitHub repositories, accessed through credentials compromised in the Trivy supply chain attack on March 23, 2026.

The attack, attributed to the TeamPCP hacking group, targeted Checkmarx’s KICS open source project and allowed attackers to hijack dozens of GitHub Action version tags. Despite initial remediation efforts, the attackers retained or regained access and published additional malicious code on April 22, poisoning a DockerHub KICS image, GitHub action, VS Code extension, and Developer Assist extension.

Lapsus$ added Checkmarx to its Tor-based leak site over the weekend, suggesting potential collaboration between TeamPCP and the notorious extortion group for monetization purposes.

What This Means

The healthcare sector continues to face disproportionate ransomware targeting, and Sandhills Medical’s year-long disclosure delay highlights how long the fallout from a successful attack can persist. The Inc Ransom group’s public data leak demonstrates how threat actors increasingly use double extortion tactics to pressure victims.

The 0APT versus KryBit feud reveals the chaotic nature of the ransomware ecosystem, where groups frequently attack competitors and expose operational details. This internecine warfare provides cybersecurity researchers with valuable intelligence about threat actor tactics and infrastructure.

Vect 2.0’s encryption flaw underscores the technical incompetence of some ransomware operations, though the wiper effect makes attacks more destructive for victims. Organizations should prioritize robust backup strategies since paying ransoms may not guarantee file recovery.

The sentencing of US-based ransomware negotiators signals law enforcement’s focus on insider threats within the cybersecurity industry. The BlackCat case demonstrates how legitimate security professionals can exploit their positions and expertise for criminal gain.

FAQ

How long did Sandhills Medical take to disclose their breach?
Sandhills Medical discovered the ransomware attack on May 8, 2025, but only publicly disclosed the incident affecting 170,000 individuals nearly one year later. The Inc Ransom group had already listed the organization on its leak website in June 2025.

What makes Vect 2.0 ransomware different from typical ransomware?
Vect 2.0 contains a critical flaw that irrecoverably destroys files larger than 128KB: the data is encrypted, but three of the four nonces needed to decrypt it are never written to disk. This makes the malware function as a wiper rather than ransomware, leaving file recovery impossible even if victims pay the ransom.

Why were the US cybersecurity experts able to conduct ransomware attacks?
Ryan Goldberg and Kevin Martin worked as ransomware negotiators at cybersecurity firms, giving them insider knowledge of attack methods and victim responses. They exploited their positions to conduct BlackCat ransomware attacks while maintaining their legitimate security roles.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.