Zero-Day Newsletter: Cybersecurity reports, news, and insights for IT professionals

Cybersecurity news doesn't have to be boring. Comparitech's Zero-Day Newsletter is focused on giving IT professionals weekly updates on cybersecurity alerts, ransomware news, industry insights, and IT product recommendations.

Apr 17 • 4 min read

Spotting Ransomware Signals Before It's Too Late


Ransomware: a recipe for disaster

This week, the world of ransomware served up a three-course meal that would turn even the most steely of stomachs.

  • To start: a meaty ransom demand on a school district
  • The main event: another government ransomware attack, the ingredients of which remain dubious
  • Dessert: a distasteful breach on a renowned plastic surgeon
  • Side: a third-party breach that’s going to repeat on customers for months (if not years) to come

To drink: the fizz of another finance company falling victim to an attack

Here to learn more about spotting network intrusion warning signs? Scroll to the bottom!

$400K could dry out this River…

Last week, Fall River Public Schools in Bristol County, Massachusetts, said it was investigating a cyber attack that had taken down various systems. Ransomware gang Medusa claimed the attack this week, giving the school district seven days to meet its $400K ransom demand before data was leaked.

A quality example of how not to jump to assumptions…

On April 9, 2025, Oregon’s Department of Environmental Quality said it had suffered a cyber attack on its systems. In subsequent notifications, it said there was no evidence of a data breach (yet) and that a ransom demand hadn’t been received, so it was unlikely this was a ransomware attack.

Then, Rhysida flipped the tables on DEQ’s statements this week as it came forward to claim the attack. Not only did it allege that it had stolen over 2.5 TB of data (including Social Security cards and passport documents), but it also put a sizable ransom demand on said data: 30 BTC ($2.7M).

The stark reality of healthcare data breaches…

Vitenas Cosmetic Surgery started notifying 31,852 people of a February 2025 data breach that exposed Social Security numbers and health information. This attack was claimed by ransomware Kairos, with nude patient photos uploaded as part of its proof pack.

This is going to Hertz…

This week, it was the turn of Hertz (on behalf of Hertz, Dollar, and Thrifty brands) to announce itself as the latest Clop Cleo vulnerability victim. So far, over 139,000 people in the US have been caught up in this breach on Hertz, including over 34,000 in Massachusetts, 3,400 in Maine, 4,700 in New Hampshire, and more than 96,600 in Texas.

Where there’s a blame, there’s a claim…

Legal financial services company USClaims issued data breach letters to 25,722 people this week following an attack in January 2025. LeakedData put its name to the attack and appeared to leak the alleged stolen data.

3 common ransomware attack smoke signals—and one that’s usually missed

Last week, we talked about compliance reasons why reporting a data breach is important. But sometimes, those breaches are missed, and reporting the breach in a timely manner doesn't happen because...well...you don't even know there's a breach.

A few years ago, we reported on how many companies openly admit to a breach. We track breaches every day, and because many organizations claim they never received a ransom, we typically send a notice to those organizations who are impacted. Back then, 58% never acknowledged our notification.

This doesn't mean they ignored the breach, of course. Companies often don't want to put anything in writing, especially to a news organization (even one like ours that has no ulterior motives). Nevertheless, the reason why we send those reports is because many companies don't even know that they've been breached until they receive a ransom. Then the investigation begins.

To help further our mission of helping companies stay ahead of attacks, here are 3 common signs that an attack may be happening, and one that usually gets missed.

1. Unusual system access patterns

Sudden spikes in data access—especially large file reads from shared folders—can be a telltale sign of staging before encryption. Fall River Schools, which we mentioned earlier, had various systems taken offline before the $400K Medusa ransom demand surfaced. These early disruptions were likely the result of pre-encryption staging.

2. Security tools going dark or failing to catch unauthorized access

If endpoint detection, antivirus, or backup systems suddenly go offline or become unresponsive, assume it’s not an accident. Disabling defenses is often step one for ransomware actors. That's possibly what happened to Vitenas Cosmetic Surgery, mentioned above, which was hit with a ransomware attack that leaked sensitive medical images. The level of system access required suggests defenders may have been blindsided—often the result of neutralized security tools.

3. New or altered user accounts

Watch for unexpected admin account creation, privilege escalations, or lateral movement—especially after-hours or from odd locations. That's possibly what happened to PowerSchool, whose executive admitted that a lack of proper multi-factor authentication allowed bad actors to log into an account belonging to a team member whose name and password were already available on the dark web. At that point, hackers just need to figure out that individual's email address and, if the password was reused in multiple locations, they're right in. Most often, they'll change account details while they work to steal data.

But here’s one signal that often flies under the radar.

4. Outbound traffic to suspicious IPs or locations, particularly during off-hours

This is one of the first moves attackers make: establishing a command-and-control channel to exfiltrate data or prepare for detonation. Yet, because it happens before anything “breaks,” it’s often missed. Make sure your team has alerts for abnormal outbound traffic volume, foreign geolocations, and DNS anomalies.

In the case of Oregon DEQ, Rhysida surfaced claiming it had stolen 2.5 TB which included passport and SSN details. Outbound activity almost certainly occurred, but wasn’t flagged in time.
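Here is what alerting on all four of those signals can look like in practice, as a toy detector run over a handful of constructed log lines. This is an added example for this newsletter, not Comparitech's own tooling or any vendor's product: the key=value log format, the thresholds, the 08:00–18:00 weekday business hours, the allow-listed egress address, and the host and user names are all assumptions, and the sample log is invented to show one night's worth of staging (a privilege grant, an EDR stop, a burst of file reads, then a large outbound transfer).

```python
"""Toy detector for the four ransomware smoke signals, run over constructed log lines.
Added example; log format, thresholds, business hours and names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 18)          # assumed: 08:00-17:59 on weekdays
READ_SPIKE = 50                         # file reads by one user in one 10-minute bucket
HEARTBEAT_GAP = timedelta(minutes=15)   # EDR silent longer than this counts as "gone dark"
KNOWN_EGRESS = {"203.0.113.10"}         # assumed allow-listed destination (RFC 5737 test range)
BIG_TRANSFER = 100 * 1024 * 1024        # 100 MiB out in a single flow


def parse(line):
    """Turn 'ts=... key=value ...' into a dict with a datetime timestamp."""
    ev = dict(tok.split("=", 1) for tok in line.split())
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect(lines):
    """Return (signal, subject, detail) tuples for the four smoke signals."""
    events = [parse(l) for l in lines if l.strip()]
    alerts = []

    # 1. Unusual access: burst of file reads by one user (pre-encryption staging)
    reads = defaultdict(int)
    for ev in events:
        if ev["event"] == "file_read":
            bucket = ev["ts"].replace(minute=ev["ts"].minute // 10 * 10, second=0)
            reads[(ev["user"], bucket)] += 1
    for (user, bucket), n in reads.items():
        if n >= READ_SPIKE:
            alerts.append(("access_spike", user, f"{n} file reads from {bucket:%H:%M}"))

    # 2. Security tools going dark: an explicit service stop, or heartbeat silence
    last_beat = {}
    for ev in events:
        if ev["event"] == "edr_heartbeat":
            last_beat[ev["host"]] = max(ev["ts"], last_beat.get(ev["host"], ev["ts"]))
        elif ev["event"] == "service_state" and ev["service"] == "edr" and ev["state"] == "stopped":
            alerts.append(("defense_down", ev["host"], "EDR service stopped"))
    log_end = max(ev["ts"] for ev in events)
    for host, ts in last_beat.items():
        if log_end - ts > HEARTBEAT_GAP:
            alerts.append(("defense_down", host, f"no EDR heartbeat since {ts:%H:%M}"))

    # 3. New or altered privileged accounts, flagged louder when after hours
    for ev in events:
        is_admin = (ev["event"] == "account_created" and ev.get("admin") == "yes") or \
                   (ev["event"] == "group_add" and ev.get("group") == "Administrators")
        if is_admin:
            when = "off-hours" if off_hours(ev["ts"]) else "business hours"
            alerts.append(("admin_change", ev["user"], f"{ev['event']} by {ev['actor']} ({when})"))

    # 4. Outbound traffic to a destination we don't know, when it is large or off-hours
    for ev in events:
        if ev["event"] == "net_conn" and ev["direction"] == "outbound":
            unknown = ev["dst"] not in KNOWN_EGRESS
            big = int(ev["bytes_out"]) >= BIG_TRANSFER
            if unknown and (big or off_hours(ev["ts"])):
                alerts.append(("outbound_anomaly", ev["host"],
                               f"{int(ev['bytes_out']) // 2**20} MiB to {ev['dst']} at {ev['ts']:%H:%M}"))
    return alerts


# Constructed sample log: one night of staging on hosts fs01/ws07, then a normal morning.
SAMPLE_LOG = [
    "ts=2025-04-15T02:00:00 event=edr_heartbeat host=fs01",
    "ts=2025-04-15T02:00:00 event=edr_heartbeat host=ws07",
    "ts=2025-04-15T02:03:00 event=group_add user=svc_backup group=Administrators actor=jdoe src=198.51.100.44",
    "ts=2025-04-15T02:05:00 event=service_state host=ws07 service=edr state=stopped",
] + [
    f"ts=2025-04-15T02:1{i // 6}:{i % 6 * 10:02d} event=file_read user=bob host=fs01 path=/shares/hr/file{i}.docx"
    for i in range(60)
] + [
    "ts=2025-04-15T02:25:00 event=net_conn direction=outbound host=fs01 dst=198.51.100.77 bytes_out=2684354560",
    "ts=2025-04-15T09:05:00 event=edr_heartbeat host=fs01",
    "ts=2025-04-15T09:12:00 event=file_read user=alice host=fs01 path=/shares/finance/q1.xlsx",
    "ts=2025-04-15T09:15:00 event=net_conn direction=outbound host=ws07 dst=203.0.113.10 bytes_out=40960",
    "ts=2025-04-15T10:30:00 event=account_created user=newhire admin=no actor=helpdesk",
    "ts=2025-04-15T10:40:00 event=edr_heartbeat host=fs01",
]

if __name__ == "__main__":
    for signal, subject, detail in detect(SAMPLE_LOG):
        print(f"{signal:17} {subject:12} {detail}")
```

Running it prints five alerts: bob's 60 reads in ten minutes, ws07 flagged twice (the stopped service and the missing heartbeats), the off-hours Administrators grant to svc_backup, and the 2.5 GiB transfer from fs01 to an address nobody allow-listed. Alice's normal reads, the helpdesk's non-admin account creation, and the small daytime flow to the known egress address are ignored. The point of the fourth rule is the one the article makes: the outbound flow at 02:25 fires on its own, before anything is encrypted, so a team watching egress would have had hours of warning rather than a ransom note.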

Ransomware doesn’t erupt out of nowhere. It smolders first. The teams that learn to spot smoke instead of waiting until there's an inferno have the best shot at stopping an attack before the damage is done. And those that actively utilize better network monitoring tools (or any at all!) are the ones that actually succeed at catching threats before they're too late.

Until next week. Let’s keep that zero-day count hardened at zero!

Suite 3 Falcon Court Business Centre, College Road, Maidstone, Kent ME15 6TF