$74 billion annually. That’s the prediction for the annual ransomware cost for this year by Cybersecurity Ventures. Ransomware is still the fastest growing form of cybercrime, with the predicted annual cost to reach $275 billion by 2031. That would average an attack every two seconds.
Ransomware is continually listed among the top enterprise cybersecurity concerns year-after-year. It was the top cyber risk concern for global CEOs in 2025 (replaced this year by cyber-enabled fraud and phishing) and for CISOs in 2025 and 2026, per a World Economic Forum and Accenture study released in January.
Today we’re back for the PTP Report’s bi-monthly roundup, this time covering cybersecurity news from mid-December to mid-February 2026.
But before our ransomware and data breach coverage, we’ll review some of the top breaches and events from 2025, look at vulnerabilities in the recent news, profile AI cybersecurity updates, and look at some recently disclosed insider threats.
The Year in Cybercrime: Major Data Breaches and Attacks from 2025
At year’s end, numerous outlets released their top cybersecurity events from the past year, and here are some of the biggest:
- Salesforce Integrations Breached: We wrote two PTP Reports on these attacks (the second on the shift to OAuth token abuse). Rather than attacking Salesforce directly, these targeted third-party integrations (like Gainsight and Salesloft), as well as going after company instances. Most of the attacks were attributed to the Scattered Lapsus$ Hunters (SLSH) group and started with highly effective social engineering. A number of large companies were impacted, including Google, Cloudflare, Verizon, Workday, Cisco, LinkedIn, Bugcrowd, Proofpoint, GitLab, SonicWall, Adidas, Louis Vuitton, Chanel, and the TransUnion credit bureau (reportedly leaking some 4.4 million names tied to Social Security numbers).
- Oracle E-Business Suite Zero-Day: Cl0p is associated with these attacks, which exploited a vulnerability in the software to steal the data from numerous companies and institutions. While patches came in October, data had already leaked from organizations across industries, including healthcare, the media, and education. Stolen data included employee records, but also the personal information of executives, many of whom have been targeted for ransoms directly as a result (see below).
- Universities Breached: While education-targeting ransomware attacks were down overall in 2025 (see below), a number of high-profile colleges made news from significant cybersecurity incidents, including the University of Pennsylvania, Harvard, Princeton, NYU, Columbia, and the for-profit University of Pheonix (a breach which may have leaked info for 3.5 million people).
- Specific Industries Targeted: There was advanced warning about an insurance company hacking spree by the Scattered Spider group, following on their successful attacks on UK retailers (including Marks & Spencer and Co-op) which then broadened worldwide (hitting Dior, The North Face, Cartier, Victoria’s Secret, Adidas, Coca-Cola, and United Natural Foods). Aside from focusing on specific industries at a time and using fake helpdesk scams, the attacks seemed otherwise unrelated. Aflac’s breach resulted in 22.65 million people being notified that extensive personal information (including health and medical records) may have leaked.
- Cloud Shutdowns and Outages: While not caused by cyberattacks, the web’s dependence on a few companies and chokepoints once again drew global attention after massive outages occurred at AWS, Cloudflare, and Azure last fall. These incidents shut down large sections of the internet for lengthy periods of time and again pulled digital resilience into the spotlight.
- AI Chatbots Hacked: While prompt-injection is an ongoing issue, a number of larger-profile incidents occurred last year around poisoned LLM memory. These included the open-source framework ElizaOS (with researchers demonstrating the same attacks on Gemini and GitLabs’ Duo), and the Gemini CLI coding tool. As vibe coding systems grew at record pace, these solutions were also increasingly targeted by things like malicious fake packages which turned up in hallucinated code.
2025’s Surge in Supply Chain Security Breaches
As Ars Technica’s Dan Goodin describes them, supply chain attacks are, for criminals, “the gift that keeps on giving—or, if you will, the hack that keeps on hacking.”
By breaching an upstream company like a service provider with numerous clients, attackers can turn one win into access to potentially millions of accounts. Some of the leading newsmakers from last year:
- Solana-Related Software: By adding a backdoor to the code library (which may have started through accounts at Web3.js), updates spread it at scale, enabling the theft of private keys and other credentials.
- The NPM Repository: There were several attacks around NPM in 2025, with the repository flooded with malicious packages that then got repeatedly downloaded, and the breaching of developer accounts. The latter enabled backdoors to be added to existing, commonly downloaded packages. A self-replicating worm used NPM to run rampant last year (numerous times), in what researcher Nicholas Weaver called “a supply chain attack that conducts a supply chain attack.”
- E-Commerce Backdoors:The compromise of three software providers based on open-source Magento led to backdoors being installed that enabled the execution of malicious code on the browsers of people visiting e-commerce sites. At least 500 sites rely on the software that was impacted.
Botnet Attacks and Ongoing Issues Started in 2025
DDoS attacks of record-breaking scale made news repeatedly last year, surging by more than 121% and reaching an average of 5,376 attacks automatically handled per hour, according to the Hacker News.
Cloudflare blocked a record-setting 7.3 Tbps attack in May (lasting just 45 seconds), and Azure mitigated a 15.72 Tbps attack in November. The latter was initially associated with the Aisuru botnet and believed to come from compromised home routers in residential ISPs. It was the largest ever seen in the cloud at the time and attacked just a single endpoint.
Another, even larger DDosS attack (31.4 Tbps) was then stopped by Cloudflare later in November, linked with another called The Night Before Christmas in December.
This has continued into 2026, with a botnet called Kimwolf continuing to surge in scale and reach. It has infected more than two million devices by getting through residential proxy networks and into local networks. It then uses devices largely believed to be protected by local firewalls and internet routers.
Profiled in a series of articles by Brian Krebs, Kimwolf is infecting things like digital photo frames and Android TV boxes (some which come with malware pre-installed).
By the end of January, it was also found to include university addresses and devices in nearly 300 government networks, at 318 utility companies, 166 healthcare companies or hospitals, and 141 banking and finance companies.
A recent review of customer traffic by Infoblox found that nearly 25% of customers made a query to a Kimwolf domain since October 2025. These infected devices are located all over the world and all across industries.
It’s believed Kimwolf is being monetized by selling residential bandwidth and app installs, as well as utilized for DDoS attacks on hire. It also shares actors and infrastructure with the Aisuru botnet.
The Latest Cybersecurity Threats from Vulnerabilities
Notepad++ has long been popular with developers, but last year, its updater was selectively redirected to download malware automatically onto user machines. While the attacker’s access was terminated in December, the incident shows that updates can’t be trusted just because they’re coming from a legitimate source.
Analysis by Forrester added, “Attackers prize distribution points that touch a large population.”
Other vulnerabilities in the news in this period:
- KrebsonSecurity reported in December that Infoblox found 90% of parked domains (expired or dormant names or common misspellings of popular websites) now redirect to malicious sites. This is a sharp reversal from 2014, when that number was just 5%.
- Microsoft Office zero-day vulnerabilities were revealed in late January and already were being actively exploited. The company released an emergency, unscheduled update, with CISA warning that it was of high risk (CVSS 7.8/10) and giving federal agencies only until February 16 to patch or mitigate. Microsoft said attacks would have to begin from a malicious file with users convinced to open it.
- CISA added a critical security flaw from SolarWinds Web Help Desk (WHD) to its known exploited catalog (KEV) in February. With a CVSS score of 9.8/10 and a three-day deadline to remediate, this update is about as urgent as they get. It allows unauthenticated users to gain admin-level access. Per Huntress researchers, it is also being actively exploited.
- OpenClaw (the open-source AI assistant agent formerly known as Moltbot) and Moltbook (the associated social media site for agents) have been all over the tech news for a variety of reasons. This includes numerous serious security issues. These range from exposing user emails and API credentials to unvetted third-party access to machine files to exposed control panels giving full system access. Researchers also caution that uninstalling may not resolve all risks, as credentials and configuration files can get left behind.
AI: Agents, Defenses, and AI Security Vulnerabilities
Microsoft’s Cyber Pulse AI Security Report was dropped in February, finding that over 80% of Fortune 500 companies have active AI agents built using low-code or no-code tools (like OpenClaw).
As you’d expect, some of these are sanctioned and/or secure, but many are not. The report finds only 47% of organizations are using security controls on their GenAI platforms, and 29% of employees were found to be using unsanctioned agents at work.
CrowdStrike acquired a pair of cybersecurity startups in January aimed at helping them better manage risks with AI agents. Their co-founder and CEO George Kurtz discussed the AI agent cybersecurity risk with Yahoo Finance’s Brian Sozzi:
“The challenge that you have with some of these AI agents, it’s like giving full access to a drunken intern. I mean, who knows what they’re going to do, right?
“So you have to put a lot of guardrails around the agents. AI and AI agents are going to change the world, there’s no doubt about that. But that has to be done in a secure way that minimizes risk to the business and provides a level of compliance.”
Beyond agents, multimodal AI models being used for physical AI applications will soon be a prime targetfor hackers over the next year, according to SentinelOne CEO Tomer Weingarten.
He remains concerned that there isn’t enough attention to being paid to things like Waymos. He gave the example of an attacker outside the vehicle using a sign that means nothing to the car’s passengers but targets an underlying AI model.
With far more kinds of inputs being processed (text, video, audio, and images), safeguarding novel approaches will be more complex than ever.
Weingarten told Axios’s Sam Sabin that real world impacts from such attacks are coming, adding: “that’s one vector I would really like people to pay more attention to.”
On the defensive side, AI agents are enjoying a large step-up in capacity in recent months, and that includes finding bugs. In the Anthropic Claude Opus 4.6 sandboxed red teaming before release, the model reportedly found more than 500 bugs which were all previously unknown open-source zero-day vulnerabilities. Each was also validated by their human team.
While these capabilities can be used by attackers, Anthropic says it has added new security controls to Claude Opus and is also working with the security community to accelerate the implementation of these advances.
News on Insider Threats to Cybersecurity
While ransomware attacks come in numerous shapes and sizes, they often require some kind of social engineering to open the front door or plant malware.
With two US cybersecurity professionals pleading guilty to aiding the Blackcat/ALPHV group early in January (joining a third charged), it’s clear that sometimes there are even cybersecurity pros greasing the wheels.
These insiders reportedly paid 20% of their take to the ransomware administrators for the malware and extortion-management platform.
A former Google engineer was also found guilty of stealing confidential AI tech for two Chinese tech firms in this period. He had reportedly been in talks to become the CTO of a Chinese AI startup at the time, copying and modifying proprietary Google tech.
December-to-February: The Data Breach Roundup
While ransomware attacks across sectors jumped 32% from 2024 to 2025, one positive is that education-related ransomware attacks were down in 2025 by 9% from the prior year. This is welcome news, as 82% of K-12 schools experienced a cyber incident between July 2023 and December 2024, per the nonprofit Center for Internet Security.
Other attacks in this period:
- Instagram was in the news in January for what antivirus company Malwarebytes initially called a breach of some 17.5 million accounts. The breached accounts were found on the dark web paired with a surge in password email reset emails. But the data may date to a 2024 API exposure, with the emails being triggered by a vulnerability that Instagram claimed to have fixed on January 10. And while the company wrote that those emails should be disregarded, resetting one’s password in this situation seems like a good idea.
- Fintech company Betterment said hackers used social engineering (involving a marketing and operations third-party platform) to break into their systems. The attack included a broadcast request for crypto on official channels, and stolen data analyzed by HaveIBeenPwned found personal information for more than 1.4 million accounts (yet to be acknowledged by the company). Betterment also suffered a DDoS attack over this period causing sporadic outages.
- Wired reported on security analyst Jeremiah Fowler’s discovery of an exposed database containing 149 millionaccount usernames and passwords. These were for accounts including Gmail, Outlook, iCloud, Facebook, TikTok, institutional and government accounts, and crypto platforms which he suspects were assembled by infostealer malware. As he observed the database, it continued to grow in size and its contents were self-organizing. It has since been taken down though the owner was never identified.
- Hackers claimed in January that they’d stolen 14 million records from Panera Bread, though the unique records appear closer to 5.1 million. Like other attacks recently that used vishing to target SSO authentication accounts at Okta, Microsoft, and Google, they gained access to Panera’s cloud-based SaaS system.
- Security firm Silent Push linked the Panera attack to a broader surge by the Scattered Lapsus$ Hunters (SLSH) group hitting at least 100 organizations since the start of 2026, including: Atlassian, Adyen, Canva, Epic Games, HubSpot, Moderna, ZoomInfo, GameStop, WeWork, Halliburton, Sonos, and Telstra. The ShinyHunters leak site also listed Betterment (see above), Crunchbase, and SoundCloud, who have all confirmed breaches as well.
- Meanwhile, in yet another attack that may also be connected to this wave, ShinyHunters has claimed 10 million records were stolen from the Match Group (owner of Tinder, Match, Meetic, OkCupid, and Hinge). They have confirmed a hack but not the number of records, and have also disputed claims that Google Drive and Dropbox storages were also accessed.
Conclusion
While there’s evidence to show that fewer companies are paying ransoms today (down from 50% to around a third of disclosed cases last year), the SLSH group has been directly targeting executives in recent months. Some of these even with swatting attacks where fake threats are called in using a person’s address. The goal is to get a large police presence to turn up and rachet up the extortion pressure.
As one threatened himself, Brian Krebs gave added reason for not paying ransoms or negotiating with the SLSH group: In contrast to traditional ransomware groups, these criminals are showing less consistent behavior and have proven less likely to follow through on promises like deleting stolen data.
And of course, paying ransoms also feeds the beast, encouraging ever more sophisticated and well-funded forms of ransomware to continue to scale with advances like AI.
This concludes our roundup covering from the middle of December to today.
If your company is in need of experienced cybersecurity experts with the most in-demand security or AI skills, talk to PTP.
We are also proudly AI-first, and love helping companies implement safe, effective AI solutions that can help you get and stay ahead of the curve.
For more detail on many of the cybersecurity events touched on in this article, check out our last three roundups covering the end of 2025:
References
Ransomware Damage To Cost The World $74B In 2026, Cybercrime Magazine
Global Cybersecurity Outlook 2026, World Economic Forum with Accenture
AI Bots Are Now a Significant Source of Web Traffic and The Worst Hacks of 2025 and 149 Million Usernames and Passwords Exposed by Unsecured Database, Wired
3 key takeaways from the Scattered Spider attacks on insurance firms, Data breach at fintech firm Betterment exposes 1.4 million accounts, and Match Group breach exposes data from Hinge, Tinder, OkCupid, and Match, Bleeping Computer
Supply chains, AI, and the cloud: The biggest failures (and one success) of 2025, Ars Technica
Defending the cloud: Azure neutralized a record-breaking 15 Tbps DDoS attack, Azure Infrastructure Blog
The Kimwolf Botnet is Stalking Your Local Network, Who Benefited from the Aisuru and Kimwolf Botnets?, Kimwolf Botnet Lurking in Corporate, Govt. Networks, and Please Don’t Feed the Scattered Lapsus ShinyHunters, KrebsonSecurity
Weekly Recap: AI Skill Malware, 31Tbps DDoS, Notepad++ Hack, LLM Backdoors and More, and CISA Adds Actively Exploited SolarWinds Web Help Desk RCE to KEV Catalog, The Hacker News
Thousands of exposed Moltbot control panels may be vulnerable to takeover, New Microsoft Office zero-day under active attack, patch now, and Another active exploitation of SolarWinds Web Help Desk detected, Cybernews
Two US Cybersecurity Pros Plead Guilty Over Ransomware Attacks and Over 100 Organizations Targeted in ShinyHunters Phishing Campaign, Security Week
Axios Future of Cybersecurity and Ex-Google engineer found guilty of stealing AI secrets for China, Axios
CrowdStrike CEO says AI agents are unpredictable as company snaps up more cybersecurity startups, Yahoo Finance
Ransomware attacks against education sector slow worldwide, Cybersecurity Dive
Instagram says accounts ‘are secure’ after wave of suspicious password reset requests, Engadget
