Port of Seattle Ransomware Breach Affects 90,000 Individuals
The Port of Seattle confirmed a ransomware attack that had compromised personal data of approximately 90,000 individuals. This breach occurred in late August 2024 but was only recently disclosed following an internal investigation. According to a notification submitted to the Maine Attorney General’s Office, the exposed data include names, birth dates, Social Security numbers, driver’s license numbers, and state identification numbers.
The Rhysida ransomware group claimed responsibility for the attack and has already leaked some of the stolen data. The port stated that while systems were encrypted, operations were restored with help from third-party cybersecurity experts. Free credit monitoring and identity protection services were also offered to the impacted victims.
The Port of Seattle oversees key public infrastructure, including the Seattle-Tacoma International Airport. The breach raises concerns about the vulnerability of critical infrastructure to ransomware attacks and the potential impact on public trust and operational continuity.
Governments Warn: Ransomware Gangs Using "Fast Flux" to Evade Detection
Cybersecurity agencies from the United States, Canada, and Australia have issued a joint advisory warning of ransomware groups increasingly using a technique known as “fast flux” to obscure their infrastructure. Fast flux involves rapidly rotating IP addresses associated with malicious domains, making it more difficult for defenders to block or take down ransomware infrastructure such as command-and-control servers, leak sites, and extortion portals.
The advisory does not name specific threat actors but notes that Russian-speaking ransomware gangs have adopted this method to enhance their operational resilience. Fast flux was originally used in phishing and botnet activities, but now supports ransomware campaigns by complicating detection and takedown efforts.
The agencies recommend monitoring DNS activity, blocking suspicious domains, and using threat intelligence to detect infrastructure-level indicators. The advisory is part of a broader effort to improve global response to evolving ransomware tactics that go beyond traditional malware payloads.
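One way to act on the advisory's DNS-monitoring recommendation is to score domains by answer churn. The heuristic below is an added example, not code from the advisory or any agency; it runs over constructed passive-DNS style records (documentation IP ranges, made-up hostnames) and flags a domain when, inside a sliding window, it resolves to many distinct IPs spread across several /24 prefixes with short TTLs. The /24 spread requirement is an assumption used to keep a legitimately load-balanced host from firing.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample records: (timestamp, queried domain, answer IP, TTL seconds).
# Documentation address ranges and made-up hostnames; nothing here is a real indicator.
SAMPLE_DNS_LOG = [
    ("2025-04-03T10:00:00", "leak-portal.example", "203.0.113.10", 60),
    ("2025-04-03T10:02:00", "leak-portal.example", "198.51.100.22", 60),
    ("2025-04-03T10:05:00", "leak-portal.example", "192.0.2.77", 120),
    ("2025-04-03T10:09:00", "leak-portal.example", "203.0.113.200", 60),
    ("2025-04-03T10:14:00", "leak-portal.example", "198.51.100.9", 60),
    ("2025-04-03T10:00:00", "cdn.example", "203.0.113.50", 60),
    ("2025-04-03T10:10:00", "cdn.example", "203.0.113.51", 60),
    ("2025-04-03T10:20:00", "cdn.example", "203.0.113.52", 60),
    ("2025-04-03T10:30:00", "cdn.example", "203.0.113.53", 60),
    ("2025-04-03T10:00:00", "intranet.example", "192.0.2.5", 3600),
    ("2025-04-03T10:30:00", "intranet.example", "192.0.2.5", 3600),
]

def slash24(ip):
    """Return the /24 prefix of a dotted-quad IPv4 address."""
    return ".".join(ip.split(".")[:3])

def fast_flux_candidates(records, window_hours=1, min_ips=4, min_prefixes=3, max_ttl=300):
    """Return {domain: summary} for domains whose answers churn across many networks.

    Heuristic (an assumption, not the advisory's logic): a fast-flux domain hands out
    many distinct IPs over several /24s with short TTLs within one window. A CDN also
    rotates addresses but usually inside a few prefixes, so it should not fire here.
    """
    by_domain = defaultdict(list)
    for ts, domain, ip, ttl in records:
        by_domain[domain].append((datetime.fromisoformat(ts), ip, ttl))
    flagged = {}
    window = timedelta(hours=window_hours)
    for domain, answers in by_domain.items():
        answers.sort()  # chronological order so each window starts at an answer
        for i, (start, _, _) in enumerate(answers):
            in_window = [a for a in answers[i:] if a[0] - start <= window]
            ips = {ip for _, ip, _ in in_window}
            prefixes = {slash24(ip) for ip in ips}
            ttl_med = median(ttl for _, _, ttl in in_window)
            if len(ips) >= min_ips and len(prefixes) >= min_prefixes and ttl_med <= max_ttl:
                flagged[domain] = {"ips": len(ips), "prefixes": len(prefixes), "median_ttl": ttl_med}
                break  # one qualifying window is enough to flag the domain
    return flagged

if __name__ == "__main__":
    print(fast_flux_candidates(SAMPLE_DNS_LOG))
```

Flagged domains are candidates for review against threat intelligence, not automatic block decisions; tune the thresholds against your own resolver logs before alerting on them.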
Hunters International Rebrands as "World Leaks"
Hunters International has officially rebranded as “World Leaks,” marking a strategic shift away from ransomware encryption toward a pure data extortion model. The group announced the change through a new dark web leak site, which now hosts data from both past and current victims under the new identity.
According to the group’s statement, they will no longer encrypt victims’ files. Instead, they will focus solely on stealing sensitive data and using the threat of public exposure to pressure victims into paying. They mentioned that encryption lacks value, and that exposure alone is often enough to compel payment.
This move reflects a broader trend among cybercriminal operations that favour data exfiltration and public leaks over traditional ransomware tactics. By eliminating file encryption, the group aims to reduce detection by security tools and simplify their extortion process. World Leaks is expected to continue targeting sectors where confidentiality is critical, including healthcare, law, and education.
Texas State Bar Breached by INC Ransomware Group
The State Bar of Texas has disclosed a data breach following claims by the INC ransomware group that it compromised the organization’s systems. INC listed the Bar on its leak site and posted samples of allegedly stolen data, including legal and administrative documents. The Bar confirmed the breach on March 29, 2025, and stated it is working with external cybersecurity experts to investigate the incident and secure its network.
While the Bar has not verified the authenticity of the leaked files or confirmed whether ransomware was deployed, the attack seems to be part of a double extortion scheme. As of now, there is no public confirmation of a ransom demand. The State Bar has begun notifying individuals whose information may have been impacted. This incident highlights ongoing risks faced by legal institutions, particularly those handling sensitive or confidential data.
Ransomware Attack Disrupts Operations of the Sault Tribe in Michigan
The White Earth Nation, a federally recognized Native American tribe in Minnesota, has confirmed a cyber incident that disrupted multiple services. The breach was detected on March 12, 2025, when the tribe’s IT team identified suspicious activity and took systems offline to contain the threat.
The incident affected both government functions and business operations, including the White Earth Health Center and the Shooting Star Casino. The tribe is working with cybersecurity experts and federal law enforcement to investigate and recover from the attack.
Officials have not disclosed the nature of the cyberattack, whether ransomware was involved, or if any data was stolen. Recovery efforts are ongoing, and affected systems are being restored in phases. This is the second reported attack on a Native American tribe in recent weeks, underscoring growing concerns about cyber risks facing tribal governments with limited IT resources.
RedCurl Espionage Group Shifts to Ransomware—Targets Hyper-V Servers
RedCurl, a cyber-espionage group known for data theft and surveillance, has recently developed its own ransomware that targets Microsoft Hyper-V virtual machines. According to a report from Positive Technologies, the group now uses encryption in its operations to increase leverage in data extortion campaigns.
The custom ransomware is designed to encrypt virtual disk files (VHD and VHDX) on Hyper-V servers, allowing RedCurl to disrupt key infrastructure. Attacks typically occur after months of covert access, during which the group conducts reconnaissance and steals data.
Victims have been identified across Russia, Germany, the U.K., Canada, and the U.S., mainly in sectors like finance, retail, and construction. The ransomware does not include ransom notes, indicating its primary purpose could be operational disruption rather than financial extortion. This shift marks a notable convergence of espionage and ransomware tactics, with RedCurl leveraging encryption to apply additional pressure on its targets.
VanhelSING Ransomware Targets Windows, ARM, and ESXi Systems
A new ransomware strain named VanhelSING is targeting a wide range of systems, including Windows, ARM-based devices, and VMware ESXi servers. The ransomware, discovered by researcher Will Thomas, is written in Go, which allows it to be built for multiple platforms. It uses ChaCha20 and RSA-4096 encryption algorithms and drops a ransom note titled HOW_RETURN_YOUR_DATA.txt, directing victims to contact the attackers via TOX.
VanhelSING is capable of terminating processes linked to ESXi virtual machines, enabling it to encrypt VM files, and includes specific functionality to attack ARM64 systems, highlighting a rare focus on embedded and IoT platforms. The ransomware performs system architecture checks before encryption and includes obfuscation techniques to hinder analysis.
No affiliations with known ransomware-as-a-service groups have been found, and the malware currently lacks a payment infrastructure, indicating it may still be in early development. The emergence of VanhelSING reflects a growing trend of ransomware adapting to broader and more diverse environments.
