Zero-Day Newsletter: Cybersecurity reports, news, and insights for IT professionals
The cheekiest cybersecurity newsletter on the planet.
Cybersecurity news doesn't have to be boring. Comparitech's Zero-Day Newsletter is focused on giving IT professionals weekly updates on cybersecurity alerts, ransomware news, industry insights, and IT product recommendations.
We’re four days in, and the race for the top spot this month is already on. KillSec is off to a head start with 19 victims added to its data leak site (all unconfirmed as it stands). Akira follows close behind with 15, while Play takes the third spot with six claims so far.
RansomHub was last month’s “winner” with over 80 claims, including a safe bet: Jackpot Junction Casino Hotel.
RansomHub added Jackpot Junction Casino Hotel to its data leak site this week. The hotel had noted various disruptions to its systems from March 27, with bingo, continuity programs, promotional drawings, and a restaurant being impacted.
Then, in a further twist, the hotel’s operator, the Lower Sioux Indian Community, confirmed the incident had also impacted its government and healthcare centers.
Here to learn more about navigating Bitcoin payments for ransomware? Skip to the last section!
Raising (or lowering) the bar…
The State Bar of Texas has started issuing data breach notifications to 2,700 Texans following a cyber attack that was discovered in February but started in January 2025. INC claimed this attack in March.
Data affected includes names, Social Security numbers, financial account info (including account numbers, credit and debit card numbers), driver’s licenses or other government-issued ID, medical info, and health insurance info.
Forrest City School District in Arkansas has a day left to decide whether or not to meet the 5 bitcoin (around $420,000) ransom demand of Rhysida. The gang added the school district to its data leak site over the weekend and uploaded samples of the alleged stolen data. The proof pack appears to include student transcripts, internal memos, and financial documents.
The school district had previously announced it suffered a cyber attack on or around December 12, 2024. Internet services were suspended as a result.
Legal ransomware compliance with Bitcoin: One do, and one BIG don't
Putting aside the "how in the world did we get into this mess" for a moment, there may come a time when your organization is compelled to make a ransomware payment. Look, you'll get no judgement from us. Cyber insurance, which covers ransomware, exists because hackers gunna hack. There's only so much you can do about it, especially since nearly 90% of ransomware attacks succeed due to human error and not the security software and systems you have in place. So maybe you're now staring down the barrel of a ransomware demand. And, as these gangs tend to do, that demand is for payment in Bitcoin. Hackers love Bitcoin because it's untraceable, but that raises some serious questions about legal compliance. Particularly for those SMBs in the house, proceed with caution. You don't want to simply snag some Bitcoin off Coinbase, send it to the ransomware gang's wallet, and hope for the best.
Compliance here is a minefield, but here's one action you absolutely must take, and one that you absolutely should avoid.
DO: Consult with legal counsel and law enforcement (e.g., call your lawyer and possibly the appropriate law enforcement branch)
Before you take any action on a ransomware demand, and before making any Bitcoin payment, contact legal counsel and (if appropriate) law enforcement. As best you can, you will need to verify that you aren't making a payment to a sanctioned state actor or violating anti-money laundering rules.
The US Cybersecurity and Infrastructure Security Agency (CISA) noted as much in a 2022 memorandum following Korean state-sponsored ransomware attacks against healthcare companies:
"The FBI, CISA, and Treasury highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks. Note: in September 2021, Treasury issued an updated advisory highlighting the sanctions risks associated with ransomware payments and the proactive steps companies can take to mitigate such risks. Specifically, the updated advisory encourages U.S. entities to adopt and improve cybersecurity practices and report ransomware attacks to, and fully cooperate with, law enforcement. The updated advisory states that when affected parties take these proactive steps, Treasury’s Office of Foreign Assets Control (OFAC) would be more likely to resolve apparent sanctions violations involving ransomware attacks with a non-public enforcement response."
DON'T: Assume that a ransomware payment is going to fix your problem.
Sorry to burst your bubble here, but making a ransomware payment to a criminal is no guarantee of data recovery. They're criminals, after all. They're far from honorable. A 2021 study on ransomware from Cybereason found that just 46% of companies that paid a ransom got their data recovered -- and quite often, it was corrupted, anyway.
There's also the risk of double extortion, where criminals, seeing that you're willing to pay, will make you pay not just for the recovery key, but also for the "guarantee" that they won't continue offering your data on the dark web for the highest bidder.
It comes down to this: Being a victim of ransomware is every business' nightmare. But it does happen, with increasing frequency. If this does happen to you, as Douglas Adams memorably put it in his magnum opus, The Hitchhiker's Guide to the Galaxy, "Don't Panic." Neither a towel nor a babel fish will help you here, but a level head sure will.
Until next week. Let’s keep that zero-day count hardened at zero!
Suite 3 Falcon Court Business Centre, College Road, Maidstone, Kent ME15 6TF