What the Dickens! Did that really just happen?

As far as cybersecurity goes, this week has been one that’ll go down in history…and not in a good way. Not only has it seen the biggest crypto hack of all time ($1.46bn lost to Dubai-based Bybit) but Clop decided to release the remaining 220+ companies caught up in its Cleo vulnerability exploit, creating over 370 victims in total).

So, as we approach the end of February, our ransomware figures look like this:

• 899 unconfirmed attacks
• 32 confirmed attacks

And, for what it's worth, we're tracking the biggest crypto hacks​

Here for network monitoring tips? Scroll to the bottom!

Grow your skills for free! Check out these other top newsletters for IT professionals

A tale of two ransomware attacks…

Having previously fallen victim to Maze in May 2020, we revealed this week that IT giant Conduent had fallen victim to another ransomware gang – SafePay. It uploaded the company to its data leak site after allegedly stealing 8.5 TB of data.

Conduent shared a statement with Comparitech which confirmed it had “experienced an operational disruption due to a compromise of one of our technology operating systems” in January 2025. The incident has been contained but investigations continue.

Conduent's operating systems were a conduit for SafePay

Hard times for healthcare

One sector that’s taken a particular hit recently is healthcare. Throughout February so far we’ve seen six confirmed attacks–up from four in January.

Of note this week are:

• HCRG Care Group, UK - It was added to Medusa’s data leak site with a $2 million ransom demand for 2.275 TB of alleged stolen data. The group, which operates hundreds of facilities for the NHS and local authorities, confirmed an incident had been contained and it was investigating the data leak claims.
• Genea, Australia - As the fertility clinic continued to grapple with a cybersecurity incident, it was added to Termite’s site. Genea sought a court-ordered injunction to prohibit the threat actor and third parties from accessing, using, sharing, or publicizing the stolen data. How effective this will be against cybercriminals remains to be seen…
• Pound Road Medical Centre, Australia - This clinic found itself part of a batch of claims from new ransomware group, Anubis. PRMC had previously confirmed a cyber attack in November 2024, stating that data may have been taken from its systems.

The healthcare industry needs a vulnerability check-up

One ‘el of a twist

Over the last couple of months, Clop has taunted its Cleo victims with partial leaks and alphabetical reveals. With its batch in mid-February just entering into companies named with E, those at the other end of the alphabet likely felt like they had a good few weeks (if not months) until their names were drawn out of the hat.

But, in one final twist, Clop decided to list all of its remaining 220+ victims in one go. Of these were:

• 🇺🇸 - 164 US organizations
• 🇨🇦 - 18 Canadian organizations
• 🏭 - 84 manufacturers
• 🧑‍🍳 - 32 food & beverage companies
• 🚒 - 31 transport companies
• 💻 - 22 technology companies

Are you overlooking these three network monitoring techniques?

There are many, many reasons why we are seeing so many ransomware attacks. Chief among these are overstretched IT professionals, a continued disregard from leadership for the importance of network security, and amateur net admins missing some critical network monitoring techniques.

Many network monitoring strategies focus on the obvious, but here are three often-overlooked tips that can make a significant difference in your network’s performance and security:

1. Deep Packet Inspection (DPI) for anomaly detection: While traditional traffic analysis might flag obvious issues, DPI allows for the inspection of packet-level data to identify hidden threats like malware or data exfiltration attempts. Regularly analyzing packet content, including headers and payloads, can uncover malicious activity that would otherwise evade detection.
2. Monitor MAC address changes: In a well-secured network (like yours...right?), the MAC addresses of devices should remain static. Unexpected changes in MAC addresses can indicate a spoofing attack or unauthorized device attempting to connect. Set up alerts for any unregistered or changed MAC addresses to prevent rogue device access.
3. Watch for privilege escalation attempts: Attackers often try to escalate privileges to gain access to sensitive data. Use granular monitoring to track the use of sudo or other privilege escalation commands in real-time. Correlate this data with login locations and times to detect suspicious behavior before it leads to a breach.

Here you're probably thinking: Great in theory, but what if I have no way to put that into practice? We've got you covered. PRTG lets anyone waltz right in, download its networking monitoring tool for free and without a credit card, just to give it a whirl. And yes, that means anyone. Whether you're a CTO, a new professional, or a student still getting your feet wet in cybersec, this is a great chance to poke around and explore how to implement these and other security strategies.

Until next week. Let’s keep that zero-day count hardened at zero!