July 2025 was another reminder that ransomware is not slowing down. From global construction firms to healthcare networks and SaaS giants, attackers showed once again that no industry is safe.
China Harbour Engineering Company was the first major victim of the month. The Devman group breached its systems on July 5, stealing sensitive engineering documents and threatening to leak them.
Just days later, Tyree Oil in the U.S. suffered a massive breach. The Play group exfiltrated over 530 GB of financial and personal data, ranging from tax details to payroll files.
Rezayat Group in Saudi Arabia faced a different adversary, Everest, which claimed 10 GB of stolen engineering plans and financial records.
The luxury watch market wasn’t spared either: Richard Mille Asia & D’League were hit by Lynx, which exposed contracts and transactions worth billions of dollars.
In Turkey, Anadolu Hastaneleri became the latest healthcare victim. Direwolf ransomware actors took 240 GB of patient records, raising serious concerns about privacy in critical services.
Finally, Mailchimp closed out the month with a major breach. Everest leaked a database of nearly one million lines of customer data, shaking trust in a leading SaaS provider.
Devman: a new player, but already aggressive, often stealing credentials with infostealers before encrypting files.
Play: veteran operators known for targeting VPNs and moving laterally via stolen RDP credentials.
Everest: persistent and well-equipped, using tools like Cobalt Strike and Metasploit for intrusions.
Lynx: a successor to the INC ransomware, expanding rapidly with dozens of confirmed victims.
Direwolf: 2025’s rising star in the ransomware world, combining phishing with zero-day exploits and advanced encryption.
The July incidents highlight three critical realities:
Double extortion is the norm: stealing and leaking data to force ransom payments.
Healthcare and energy remain prime targets, with life-and-death consequences.
Attackers are refining their techniques, blending phishing, credential theft, and VPN exploitation into powerful attack chains.
Defending against ransomware requires more than just firewalls. Organizations must:
Patch systems promptly.
Train employees to recognize phishing campaigns.
Implement zero trust architectures.
Share intelligence across industries to stay ahead of evolving threats.
Ransomware in July 2025 was not just a collection of isolated incidents. It was a coordinated demonstration of how cybercriminals can disrupt economies, industries, and even healthcare systems. The message is clear: resilience is no longer optional; it’s essential.