DKC A.I CyberSecurity Scoring
DKC
Company Information
Website: https://www.davita.com
Employees number: 38,795
Number of followers: 325,653
NAICS: 62
Industry Type: Hospitals and Health Care
Homepage: davita.com
DKC Risk Score (AI oriented)
Between 0 and 549
DKC, Hospitals and Health Care
Updated: 24/04/2026
100/1000
Critical
C

Current Score: 100/1000, C (CRITICAL)
12 incidents
0 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
100
MAY 2026
100
APRIL 2026
100
MARCH 2026
100
Ransomware
12 Mar 2026 • DKC
DaVita and Texas Tech University System: AI-generated Slopoly malware used in Interlock ransomware attack
New AI-Generated Malware 'Slopoly' Used in Interlock Ransomware Attacks
100
CRITICAL (impact: 0)
TEXDAV1773347117
A recently discovered malware strain, Slopoly, has been linked to a financially motivated threat group tracked as Hive0163, which deployed it in an Interlock ransomware attack. The backdoor, likely generated using generative AI tools, allowed attackers to maintain persistence on a compromised server for over a week while exfiltrating data.
The attack began with a ClickFix social engineering tactic, followed by the deployment of Slopoly, a PowerShell-based C2 (command-and-control) client. IBM X-Force researchers identified strong indicators of AI-assisted development, including unusually structured code, detailed comments, and well-organized error handling, features uncommon in traditional malware. While the exact LLM used remains unclear, the script’s design suggests automation in its creation.
Despite its name, Slopoly lacks true polymorphic capabilities, meaning it cannot modify its own code during execution. However, its builder can generate new variants with randomized configurations, such as beaconing intervals and C2 addresses. The malware operates from C:\ProgramData\Microsoft\Windows\Runtime\ and performs the following functions:
- Collects system information
- Sends heartbeat beacons every 30 seconds
- Polls for commands every 50 seconds
- Executes commands via cmd.exe and returns output
- Maintains persistence via a scheduled task (Runtime Broker)
Slopoly supports commands for downloading and executing payloads (EXE, DLL, JavaScript), adjusting beacon intervals, self-updating, or terminating its process.
The attack chain also included NodeSnake and InterlockRAT backdoors. Interlock ransomware, active since 2024, has targeted high-profile entities, including the Texas Tech University System, DaVita, Kettering Health, and the city of Saint Paul, Minnesota. The ransomware uses the JunkFiction loader, runs as a SYSTEM-level scheduled task, and employs Windows Restart Manager to unlock files before encryption, appending extensions like ‘.!NT3RLOCK’ or ‘.int3R1Ock’.
IBM X-Force notes potential ties between Hive0163 and other malware families, including Broomstick, SocksShell, PortStarter, SystemBC, and the Rhysida ransomware operators. The incident underscores the growing use of AI in malware development, enabling faster customization and evasion of detection.
FEBRUARY 2026
100
JANUARY 2026
100
Ransomware
15 Jan 2026 • DKC
Conduent, DaVita, Sanrio, Oracle and Asahi Group: Global ransomware attacks rose 32% in 2025, as manufacturers emerged as top target
Global Ransomware Attacks Surge 32% in 2025, With Manufacturing and U.S. Organizations Hit Hardest
100
CRITICAL (impact: 0)
CONDAVORASANASA1770645741
In 2025, global ransomware attacks reached 7,419 incidents, marking a 32% increase from the 5,631 recorded in 2024, according to a report by Comparitech. Of these, 1,173 attacks were confirmed by targeted organizations, while the remainder were claimed by ransomware groups via data leak sites. Collectively, the confirmed attacks breached 59.2 million records, though this figure is expected to rise as delayed reports emerge.
### Key Trends and Sector Impacts
- Manufacturing saw the sharpest rise in attacks, surging 56% to 1,466 incidents, with average ransom demands more than doubling from $523,000 in 2024 to $1.2 million in 2025.
- Legal firms experienced a 54% increase in attacks, alongside a 60% jump in ransom demands, averaging $610,000.
- Healthcare and education saw stable attack volumes, with only 2% increases in incidents, suggesting a potential shift in attacker focus or improved defenses in these sectors.
### Geographic Breakdown
The U.S. remained the most targeted country, accounting for 3,810 attacks (51% of the global total), a 33% increase from 2024. Other heavily affected nations included:
- Canada: 392 attacks (31% increase)
- Germany: 303 attacks (62% increase)
- U.K.: 251 attacks (5% decrease)
- France: 178 attacks (39% increase)
- South Korea: 64 attacks (540% increase), driven largely by attacks on asset management firms following Qilin’s breach of a third-party provider.
### Ransomware Groups and Data Theft
- Qilin was the most active group, responsible for 1,034 attacks (14% of the total), including 172 confirmed incidents. The group claimed to have stolen 31.2 petabytes of data, primarily from a single U.S. manufacturer.
- Akira ranked second with 765 attacks, while SafePay was linked to the largest number of breached records (16.15 million), nearly all from its attack on Conduent.
- DragonForce exposed 6.5 million records, mostly from its attack on the U.K.’s Co-operative Group, which resulted in £206 million ($276 million) in lost revenue.
### Notable Breaches in 2025
- Conduent (U.S.): 15.9 million records exposed in a SafePay attack, with 8.5 terabytes of data allegedly stolen.
- Episource (U.S.): 5.4 million records compromised in an unidentified ransomware attack.
- University of Phoenix (U.S.): 3.49 million records breached via a Clop attack exploiting an Oracle zero-day vulnerability.
- DaVita (U.S.): 2.69 million records exposed in an Interlock attack, with 1.5 terabytes of data stolen.
- Sanrio (Japan): 2 million records affected.
- Asahi Group (Japan): 1.9 million records compromised.
### Sector-Specific Trends
- Businesses bore the brunt of attacks (6,292 incidents, 35% increase), with 43 million records exposed in confirmed cases. Average ransom demands held steady at $1.09 million.
- Government entities faced 374 attacks (27% increase), with 2.19 million records compromised. Ransom demands fell 15% to $1.55 million.
- Healthcare saw 444 attacks (2% increase), with 10.1 million records exposed. Ransom demands plummeted 84% to $615,000.
- Education recorded 252 attacks (2% increase), with 3.9 million records breached. Ransom demands dropped 34% to $457,200.
The data underscores a strategic shift in ransomware targeting, with attackers prioritizing high-value commercial and public-sector entities while maintaining pressure on traditionally vulnerable sectors. Despite the surge in attacks, average ransom demands declined overall, dropping 26% to $1.04 million. However, select industries, particularly manufacturing and legal services, saw significant increases in both attack frequency and ransom demands.
DECEMBER 2025
100
NOVEMBER 2025
100
OCTOBER 2025
100
Ransomware
20 Oct 2025 • DKC
Kettering Health
ClickFix (Fake CAPTCHA) Social Engineering Attacks
100
CRITICAL (impact: 0)
KET5232452102025
Kettering Health, a major healthcare provider, fell victim to a ClickFix attack linked to the Interlock ransomware group, resulting in a significant data breach. The attack exploited social engineering tactics, tricking employees into executing malicious scripts via browser-based lures (e.g., fake CAPTCHAs or error-fixing prompts). The malicious payload was copied to the clipboard via obfuscated JavaScript and executed locally, bypassing traditional email security and endpoint detection. The breach compromised sensitive patient and employee data, including medical records, financial details, and personally identifiable information (PII). The attack leveraged SEO poisoning and malvertising via Google Search, evading conventional phishing defenses. Despite EDR (Endpoint Detection and Response) being the last line of defense, the obfuscated, user-initiated commands delayed detection, allowing the ransomware to encrypt critical systems. The incident disrupted healthcare operations, risked patient safety due to delayed treatments, and exposed Kettering Health to reputational damage, financial penalties, and potential legal liabilities. The breach underscored vulnerabilities in both technical controls and user awareness, particularly against browser-based, fileless attacks.
OCTOBER 2025
100
Ransomware
13 Oct 2025 • DKC
DaVita, Synnovis, BianLian, Compumedics Limited, Ocuco Limited and Ascension: Healthcare ransomware attacks surge 30% in 2025, as cybercriminals shift focus to vendors and service partners
Ransomware Attacks on Healthcare Sector in 2025
100
CRITICAL (impact: 0)
CYBSYNCOMASCDAVOCU1777037189
Ransomware Attacks on Healthcare Sector Remain High in 2025, with Shifts in Targets and Tactics
In the first nine months of 2025, Comparitech recorded 293 ransomware attacks on hospitals, clinics, and other direct healthcare providers, matching 2024’s figures for the same period. However, attacks on healthcare businesses, including pharmaceutical manufacturers, medical billing firms, and tech vendors, surged by 30%, rising from 100 in 2024 to 130 in 2025.
Rebecca Moody, Comparitech’s head of data research, attributed the increase in attacks on healthcare businesses to heightened awareness following high-profile breaches in 2024, such as the Ascension attack (5.6 million records breached) and the Synnovis ransomware incident ($50 million ransom demand). While providers have bolstered defenses through updates, employee training, and backups, hackers have pivoted to third-party vendors, exploiting shared systems and data-processing networks to access multiple organizations at once.
### Geographic Breakdown
The U.S. remained the hardest-hit country, accounting for 257 attacks (63 on providers, 11 on businesses). Australia, Germany, and the U.K. followed, though their totals were significantly lower. For healthcare businesses, the U.S. led with 65 attacks, trailed by Italy (7) and India (6).
Australia defied the global trend, seeing a 67% increase in attacks, from nine in 2024 to 15 in 2025, with healthcare providers bearing the brunt (an 83% rise).
### Ransomware Strains and Impact
- Healthcare Providers (293 attacks, 94 confirmed):
  - Top strains: INC (39 attacks), Qilin (34), SafePay (21), RansomHub (13), Medusa (13).
  - Confirmed breaches: 7.4 million records exposed, average ransom demand of $514,000.
  - Largest breaches by records: Interlock (2.7M+ from DaVita), Nova (941K+ from Clinical Diagnostics), BianLian (multiple U.S. providers).
- Healthcare Businesses (130 attacks, 23 confirmed):
  - Top strains: Qilin (19 attacks), KillSec (12), Akira (10), INC (9), SafePay (7).
  - Confirmed breaches: 6 million records exposed, average ransom demand of $532,000.
  - Largest breaches by data volume: Qilin (11.1TB stolen, including 8TB from Israel’s Shamir Medical Center), INC (20.1TB claimed, unconfirmed).
Notably, Van Helsing caused the largest single breach by records, affecting 320,000 individuals in an attack on Australia’s Compumedics Limited. KillSec followed with 241,000 records compromised via Ireland’s Ocuco Limited.
### Broader Trends
While global ransomware attacks rose 36% year-over-year in 2025, healthcare saw a 2% decline, though this masks the shift toward supply-chain attacks targeting vendors. The education sector, by contrast, saw only a 5% increase, highlighting healthcare’s persistent vulnerability.
SEPTEMBER 2025
100
AUGUST 2025
100
JULY 2025
100
Ransomware
22 Jul 2025 • DKC
DaVita
Increased Interlock Ransomware Activity
100
CRITICAL (impact: 0)
DAV946072325
DaVita, a Fortune 500 company specializing in kidney care, experienced a significant data breach resulting in the theft and leak of 1.5 terabytes of data from their systems. The attack was carried out by the Interlock ransomware group, which has been actively targeting businesses and critical infrastructure organizations with double extortion attacks. The stolen data included sensitive information, impacting the company's operations and potentially compromising patient data.
APRIL 2025
112
Ransomware
01 Apr 2025 • DKC
DaVita Healthcare
Interlock Ransomware Group Targets Universities with NodeSnake RAT
100
CRITICAL (impact: -12)
DAV747053125
The Interlock ransomware group targeted DaVita Healthcare, a major healthcare provider specializing in kidney dialysis treatment. In April 2025, the group stole a staggering 20 terabytes (TB) of sensitive patient data. This attack highlights a significant shift in targets for the Interlock ransomware group, which is known for its double-extortion tactics. The theft of such a large amount of sensitive data raises concerns about the security of healthcare information and the potential for further attacks on critical sectors.
MARCH 2025
339
Ransomware
01 Mar 2025 • DKC
DaVita
Ransomware Attacks on Healthcare Sector in Q1-Q3 2025
101
CRITICAL (impact: -238)
DAV5192551100925
DaVita, a leading US-based kidney dialysis provider, suffered a severe ransomware attack in March 2025, orchestrated by the Interlock gang. The breach compromised 2,689,826 patient records, with hackers allegedly exfiltrating 1.51 TB of sensitive data, including medical histories, treatment details, and personally identifiable information (PII). The attack disrupted critical healthcare operations, raising concerns over patient safety and data privacy compliance (e.g., HIPAA violations). While DaVita did not confirm whether a ransom was paid, the incident underscored vulnerabilities in third-party vendor integrations and legacy system protections. The breach’s scale—ranked among the top 5 largest healthcare ransomware attacks of Q1-Q3 2025—highlighted the escalating targeting of healthcare providers by cybercriminals exploiting high-value patient data for extortion. The prolonged recovery period further strained resources, with potential long-term reputational damage and regulatory penalties looming.
JANUARY 2025
623
Ransomware
01 Jan 2025 • DKC
Co-operative Group, Ingram Micro, Salesforce, Jaguar Land Rover, Oracle, Synnovis and DaVita: Top 10 Ransomware Attacks Over The Past Year
Ransomware in 2025: A Systemic Threat Disrupting Global Supply Chains and Critical Services
322
CRITICAL (impact: -301)
THEINGSALJAGORASYNDAV1769095448
In 2025, ransomware evolved from isolated IT disruptions into a systemic risk, threatening national supply chains, essential services, and entire industries. Cybersecurity Ventures projects the global cost of ransomware will surge to $275 billion annually by 2031, driven by downtime, data loss, recovery efforts, and lost productivity, not just ransom payments.
A recent SOCRadar analysis highlighted the top 10 ransomware attacks of 2025, each exposing vulnerabilities across sectors:
1. Salesforce Ecosystem – A SaaS supply chain blind spot exploited for widespread disruption.
2. Oracle E-Business Suite – A zero-day attack leveraging supply chain extortion.
3. Jaguar Land Rover – Britain’s costliest cyberattack, crippling automotive operations.
4. Ingram Micro – A ransomware strike paralyzing global IT distribution.
5. Co-operative Group – A sustained siege on the UK retail sector.
6. PowerSchool – Large-scale extortion targeting the education sector.
7. Synnovis – Healthcare disruption with confirmed patient harm.
8. DaVita – Ransomware striking critical healthcare infrastructure.
9. Asahi Group – Manufacturing halts exposing IT-OT convergence risks.
10. Collins Aerospace – Ransomware grounding European airports.
Key patterns emerged across these incidents:
- Initial access frequently relied on stolen credentials or social engineering rather than sophisticated exploits.
- Supply chain vulnerabilities amplified impact, turning single breaches into cascading failures.
- Data theft and operational paralysis often outweighed encryption as the primary damage driver.
- Delayed consequences, such as regulatory penalties or confirmed human harm, surfaced months after the attacks.
The incidents underscore ransomware’s growing role as a strategic threat, with far-reaching consequences beyond financial losses.
DECEMBER 2024
654
Cyber Attack
25 Dec 2024 • DKC
SolarWinds, Kaseya, MoveIt Transfer, PowerSchool, DaVita, NASCAR, Marks & Spencer, Caesars Entertainment and Change Healthcare: Ransomware trends, statistics and facts in 2026
Ransomware Trends and High-Profile Attacks (2024-2025)
623
CRITICAL (impact: -31)
DAVCAECHAPOWKASFILMARSOLNAS1770898846
Ransomware in 2025–2026: Evolving Threats, Rising Costs, and High-Profile Attacks
Ransomware remains a critical threat to governments, businesses, and critical infrastructure, disrupting healthcare, fuel distribution, retail, and identity security. Financial and operational impacts have intensified, with attackers refining tactics to maximize damage and extortion.
### Key Ransomware Trends
1. Supply Chain Attacks – Threat actors increasingly target software vendors to compromise multiple downstream victims. Notable incidents include:
   - 2023 MoveIt Transfer breach (Clop ransomware gang)
   - 2021 Kaseya attack (1,500+ MSP customers affected)
   - 2020 SolarWinds hack
2. Triple Extortion – Beyond encrypting data and threatening leaks, attackers now demand payment to prevent additional attacks. The Vice Society group used this tactic in its 2023 attack on San Francisco’s BART system. Leading ransomware groups like LockBit 5.0 now use private negotiation portals for targeted extortion.
3. Ransomware-as-a-Service (RaaS) – Cybercriminals lease pre-built ransomware tools and infrastructure, lowering the barrier to entry for attacks.
4. Exploiting Unpatched Systems – While zero-day vulnerabilities draw attention, most ransomware exploits known flaws in outdated software.
5. Phishing & AI-Driven Attacks – Phishing remains a primary infection vector, while generative AI enhances social engineering lures, reconnaissance, and attack automation.
### Ransomware by the Numbers (2025)
- 44% of breaches involved ransomware (Verizon 2025 DBIR), a 37% increase from 2024.
- 88% of SMB breaches included ransomware, compared to 39% in large enterprises.
- 34% rise in attacks in the first three quarters of 2025 (Total Assure).
- 5,010 U.S. incidents in the first 10 months of 2025, a 50% increase from 2024 (Cyble).
- 85% of attacks go unreported (BlackFog).
- Median ransom payment: $267,500 (Palo Alto Networks 2025).
- Average ransom payment: $1 million (Sophos 2025), down from $2 million in 2024.
- Average insurance claim: $292,000 (Coalition 2025), a 7% decrease from 2024.
### Notable 2024–2025 Ransomware Attacks
- PowerSchool (Dec. 2024) – Exposed data of 62M students and 9.5M teachers across North America.
- Yale New Haven Health (Mar. 2025) – Compromised 5.6M patient records; settled a class-action lawsuit for $18M.
- NASCAR (Apr. 2025) – Medusa ransomware gang stole 1TB of data and demanded $4M.
- DaVita (Apr. 2025) – 2.7M patients’ health data exposed by Interlock ransomware.
- Marks & Spencer (May 2025) – Pay2Key ransomware disrupted operations, contributing to a 90% profit drop.
- Ingram Micro (Jul. 2025) – SafePay ransomware caused service disruptions and revenue losses.
- Change Healthcare (2024) – Initially reported 100M+ victims; revised to 193M by mid-2025.
- LoanDepot (2024) – Attack disrupted loan services for 16.6M customers.
- MGM Resorts & Caesars Entertainment (2023) – High-profile attacks crippled Las Vegas casino operations.
### Future Ransomware Predictions
- AI-Powered Automation – Attacks will become faster, more persistent, and harder to detect (Trend Micro).
- Voice-Based Vishing – AI-generated calls will rise as a social engineering tactic (Zscaler).
- Encryption-Free Extortion – More groups will skip encryption, relying solely on data theft threats (SentinelOne).
- GenAI-Enhanced Phishing – AI will enable more convincing, large-scale phishing campaigns.
Ransomware shows no signs of slowing, with attackers leveraging AI, supply chain vulnerabilities, and multi-layered extortion to escalate both frequency and impact.
DECEMBER 2023
667
Breach
01 Dec 2023 • DKC
DaVita Inc.
DaVita Inc. Data Breach via Online Tracking Technologies
618
LOW (impact: -49)
DAV1013090725
On June 17, 2024, DaVita Inc. suffered a data breach involving unauthorized transmission of personal information via online tracking technologies to third-party vendors. The exposed data included IP addresses, usernames, and demographic details, but no highly sensitive information such as Social Security numbers, financial account details, or medical records was compromised. The incident was disclosed by the California Office of the Attorney General on July 3, 2024. The breach primarily affected non-critical personal data, meaning the impact was limited to potential privacy concerns rather than financial fraud or identity theft. While the exposure of IP addresses and usernames could lead to targeted phishing attempts or reputational harm, there was no evidence of malicious exploitation of the leaked data. The company likely faced regulatory scrutiny under data protection laws (e.g., CCPA) but avoided severe operational or financial disruptions. No ransomware, direct cyberattack, or systemic vulnerability exploitation was reported in this case.
JUNE 2023
737
Ransomware
16 Jun 2023 • DKC
DaVita
Ransomware Attack on DaVita Disrupts Operations
654
CRITICAL (impact: -83)
DAV816090225
DaVita, a major U.S. dialysis service provider operating nearly 3,000 outpatient clinics and serving ~200,000 patients annually, suffered a ransomware attack that encrypted parts of its IT network. The incident, discovered on Saturday, caused operational disruptions, forcing the company to isolate affected systems while continuing patient care. DaVita could not estimate the duration or full extent of the disruption, which impacted its ability to restore critical functions. The attack follows a broader trend of cyber threats in healthcare, including a 2023 breach at rival Fresenius Medical Care (500,000 patient records stolen) and a 2023 ransomware attack on UnitedHealth Group’s tech unit (100 million records exposed). DaVita engaged third-party cybersecurity experts and notified law enforcement. Given its role in life-sustaining dialysis services, the attack poses risks to patient safety and operational continuity, with potential cascading effects on healthcare delivery.
SEPTEMBER 2022
790
Breach
01 Sep 2022 • DKC
DaVita Kidney Care
DaVita Inc. Data Breach
728
CRITICAL (impact: -62)
DAV2343151122
DaVita Inc. experienced a data breach after an unauthorized party accessed sensitive consumer data entrusted to the company.
The breach compromised the names, addresses, Social Security numbers, medical information and health insurance information of certain individuals, including 1,072 Texas residents.