Top news stories this week
- All rise. Rise in proportion of companies paying ransoms.
- Stryker struck. Iran-aligned group claims attack on US medical device manufacturer.
- Phishy business. Threat actors use social engineering techniques to distribute backdoor malware.
- Guests welcome. ShinyHunters continues to target Salesforce Experience Cloud platforms.
- Juvenile jammers. Polish teens arrested running DDoS scheme.
- Copilot crack. Zero-click Microsoft vulnerability can be exploited to cause Copilot to leak sensitive data.
1. Rise in proportion of companies paying ransoms
A key finding in the S-RM and FGS 2026 Cyber Incident Insights Report is a rise in ransom payments in 2025, following two years of significant decline. Based on analysis of over 800 incidents, the report also shows that companies in the industrial and manufacturing sector are more likely to pay a ransom due to the high impact of operational disruption caused by a ransomware attack.
So what?
Deciding whether or not to pay a ransom is a complex process with potential legal and reputational consequences. Organizations should prepare through workshops with specialist cyber advisers ahead of any incident occurring.
[Researcher: James Tytler]
2. Pro-Iran group wipes data of US medical device manufacturer Stryker
On 11 March the Iran-aligned hacking group Handala claimed responsibility for an attack on Stryker, a US-headquartered global manufacturer of surgical and orthopedic devices. The group is reported to have gained access to Stryker’s Microsoft Intune portal and wiped data on thousands of company devices. Stryker has confirmed that the incident was limited to its Microsoft environment and did not impact medical devices.
So what?
The attack shows that even less sophisticated attack vectors can cause major disruption. Organizations should ensure that privileged accounts are well secured.
[Researcher: James Tytler]
3. Threat actors use social engineering techniques to distribute backdoor malware
For over a year, Human Resources (HR) departments have been targeted by a Russian-speaking threat actor using a new security-disabling tool called BlackSanta. The backdoor malware is likely delivered through spear-phishing emails disguised as resumes and is designed to steal sensitive information from infected systems.
Separately, criminals targeted financial and healthcare organizations with social engineering attacks by flooding employees’ inboxes with spam, then contacting them on Microsoft Teams while posing as IT staff offering assistance.
So what?
Organizations should use email filtering tools and remind their employees to stay vigilant for the changing social engineering techniques of threat actors.
[Researcher: Milda Petraityte]
4. ShinyHunters targets Salesforce Experience Cloud for data theft attacks
Threat actor group ShinyHunters claimed to have stolen data from several hundred organizations by exploiting a misconfiguration in Salesforce Experience Cloud websites. The group used a modified version of AuraInspector, a legitimate third-party tool used to identify misconfigurations, in order to find vulnerable instances with overly permissive guest user profiles.
So what?
Organizations running Salesforce Experience Cloud should follow guidance from Salesforce and review configuration for guest profiles, reduce permissions, and disable guest access to public APIs.
[Researcher: Adelaide Parker]
5. Polish teens arrested over DDoS scheme
Seven Polish teenagers have been arrested by authorities in Poland for selling Distributed Denial-of-Service (DDoS) tools online. The group is alleged to have used its tooling infrastructure to attack a range of targets, from e-commerce websites to IT hosting services.
So what?
Organizations should ensure they implement effective defences and processes against both volumetric and application-layer DDoS attacks, including always-on traffic filtering, rate-limiting, and incident response planning.
[Researcher: Jack Woods]
6. Zero-click Microsoft vulnerability can be exploited to cause Copilot to leak sensitive data
As part of the latest Patch Tuesday, Microsoft disclosed a critical-severity vulnerability which weaponizes an Excel spreadsheet and the Copilot Agent to steal data. The flaw abuses Copilot's legitimate network privileges, creating an AI-enabled data-exfiltration pathway. It requires network access to exploit, but no user interaction or privilege escalation.
So what?
AI agents risk exposing organizations in new and unpredictable ways. It is important to stay up to date with critical patches.
[Researcher: Tlhalefo Dikolomela]