Third-party attack casts a cloud over dozens of schools
Last week, new ransomware group, Skira, claimed responsibility for a recent attack on Carruth Compliance Consulting. Carruth, which administers the retirement savings plans for a large number of school districts, started notifying victims of a data breach in January 2025. Since then, at least 40 schools have reported attacks with over 155,000 people affected as a result.
New gangs cause a rumble with hefty ransom demands
Alongside Skira, three other gangs started posting victims to data leak sites this week – Weyhro, Crazy Hunter, and NightSpire. The first two added five victims each, and NightSpire added six. While none of Weyhro’s or NightSpire's are confirmed, Skira claimed Carruth (as seen above) and Crazy Hunter claimed recent cyber attacks on three Taiwanese entities.
Among Crazy Hunter’s victims are Asia University and Mackay Memorial Hospital (both hit with attacks in February and ransom demands of $1.5 million each) and Changhua Christian Hospital (hit this month with a ransom demand of $800,000).
A flood of big data breaches from US healthcare ransomware attacks
This week has also seen two big breach notifications from US healthcare organizations – both of which were claimed by Rhyisda with considerable ransoms. These are:
- Community Care Alliance - breached in July 2024. 114,975 affected and a $1.5 million ransom demanded.
- Sunflower Medical Group, P.A. - breached in December 2024. 220,968 affected and a $1.02 million ransom demanded.
Throughout 2024, we recorded 145 attacks on US healthcare companies, with nearly 24.7 million records breached across these attacks.
Fog descends on a number of schools
One thing’s become increasingly clear this week: the ransomware group Fog has a thing for the education sector. Of its seven confirmed attacks this year, six are on the education sector. These are:
- University of Oklahoma, US
- Aurora Public Schools, US
- The University of Notre Dame Australia
- Saint George's College, Chile
- Williamsburg-James City County Schools, US
- University of Applied Sciences and Arts Northwestern FHNW, Switzerland
This week, Asbury Theological Seminary also started notifying people of a data breach following its June 2024 breach. Fog claimed this one, too.
Lateral movement detection: The hot data monitoring strategy you need to implement right now
Once attackers gain initial access to a network—often through phishing or credential theft—they don’t strike immediately. Instead, they move laterally, probing for sensitive systems, escalating privileges, and expanding their foothold before launching an attack. It makes sense. Attackers move strategically by quickly going through your system, finding the vulnerabilities that exist, and taking advantage of weaknesses that will give them access to sensitive data they can steal.
How to detect lateral movement:
✅ Monitor internal traffic between endpoints
- Most workstations don’t typically talk to each other—if one suddenly starts making SMB, RDP, or RPC requests to others, it’s a red flag.
- Look for traffic between unrelated systems that normally wouldn’t communicate.
✅ Flag unusual authentication attempts
- Multiple failed login attempts across different devices often indicate brute-force activity.
- Unexpected use of admin accounts—especially outside business hours—can signal privilege escalation.
✅ Track access to high-value systems
- If a standard user account suddenly queries domain controllers, file shares, or backup servers, it may be compromised.
- Sudden spikes in access to sensitive resources (like databases or critical apps) are worth investigating.
✅ Correlate network & host activity
- A workstation scanning IP ranges or making large volumes of outbound requests could be an attacker mapping the network.
- Combine network flow data with endpoint logs to detect stealthy movements.
Doing this type of thing manually is...near impossible. Data monitoring solutions like Datadog, Splunk, Graylog, and Solarwinds exist. Sometimes, we call them SIEM tools. Sometimes, we call them network monitoring tools. Whatever you call them, we recommend you call them, investigate what they offer, and demo, demo, demo, to find out which one best protects your network.
Until next week. Let’s keep that zero-day count hardened at zero!