The cost of ransomware and what happens when an insurer declines cover

August 7, 2025

The city of Hamilton in the United States was hit by a ransomware attack in February 2025. The cost of the ransomware attack is $18.3 million. The attack disabled nearly 80% of the city’s network. So far, not so unusual. Where this story falls into the category of salutary lesson is that Hamilton’s insurer declined cover. The reason was that Hamilton had failed to implement multi-factor authentication for online services at the time of the attack. A separate data breach report, On the Rise: Ransomware Victims, Breaches, Infostealers, shows that ransomware is a growing problem.

Cyber insurance has become an important part of the protections organisations use to deal with the consequences of a data breach. Insurance policies almost always have terms requiring implementation of processes, provision of hardware and other measures related to providing protection against threats. Hamilton didn’t have a basic level of protection.
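The policy condition that sank Hamilton’s claim was that multi-factor authentication had to be fully implemented for online services. The check an organisation can run against itself is a coverage audit: every account that can reach an internet-facing service must have MFA enrolled, with privileged accounts flagged separately. The script below is an added example, not Hamilton’s tooling or any insurer’s checklist; it reads a constructed CSV export whose column names (`internet_facing`, `mfa_enrolled`, `privileged`) are assumptions, since real identity providers each export their own schema.

```python
"""MFA coverage audit over an identity export (added example, constructed data)."""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample export. The columns and every row are assumptions made for
# this example; they are not Hamilton's data or any real IdP export format.
SAMPLE_EXPORT = """username,service,internet_facing,mfa_enrolled,privileged
alice,vpn,yes,yes,no
bob,webmail,yes,no,no
carol,remote-desktop,yes,no,yes
dave,intranet-wiki,no,no,no
erin,vpn,yes,yes,yes
frank,citizen-portal-admin,yes,no,yes
"""

TRUTHY = {"yes", "y", "true", "1"}


def _flag(value: str) -> bool:
    """Normalise the loose yes/no spellings exports tend to contain."""
    return value.strip().lower() in TRUTHY


@dataclass
class MfaReport:
    exposed: int = 0  # accounts that can sign in to an internet-facing service
    exposed_without_mfa: list = field(default_factory=list)
    privileged_without_mfa: list = field(default_factory=list)

    @property
    def coverage(self) -> float:
        """Fraction of internet-facing accounts with MFA enrolled (1.0 = full)."""
        if self.exposed == 0:
            return 1.0
        return 1 - len(self.exposed_without_mfa) / self.exposed


def audit_mfa(export_text: str) -> MfaReport:
    """Walk the export once and collect the two gap lists an auditor asks for."""
    report = MfaReport()
    for row in csv.DictReader(io.StringIO(export_text)):
        exposed = _flag(row["internet_facing"])
        mfa = _flag(row["mfa_enrolled"])
        privileged = _flag(row["privileged"])
        if exposed:
            report.exposed += 1
            if not mfa:
                report.exposed_without_mfa.append((row["username"], row["service"]))
        # A privileged account without MFA is a gap even on an internal-only service.
        if privileged and not mfa:
            report.privileged_without_mfa.append((row["username"], row["service"]))
    return report


def meets_full_mfa_condition(report: MfaReport) -> bool:
    """True only when MFA is fully implemented: no exposed or privileged gaps at all."""
    return report.coverage == 1.0 and not report.privileged_without_mfa


if __name__ == "__main__":
    r = audit_mfa(SAMPLE_EXPORT)
    print(f"internet-facing accounts: {r.exposed}, MFA coverage: {r.coverage:.0%}")
    for user, svc in r.exposed_without_mfa:
        print(f"  GAP  {user} on {svc}")
    for user, svc in r.privileged_without_mfa:
        print(f"  HIGH privileged account without MFA: {user} on {svc}")
    print("policy condition met" if meets_full_mfa_condition(r) else "policy condition NOT met")
```

The point of `meets_full_mfa_condition` is that it is all-or-nothing: a 95% enrolment figure reads well in a status report, but the Hamilton denial turned on "fully implemented", so the audit should return a single pass/fail on top of the percentage, and the gap lists are what the remediation ticket gets filed against.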

The article provides:

The City of Hamilton will be on the hook for the more than $18 million it has cost to recover from a ransomware attack after their insurance claim was denied.

In an update presented to a city committee on Wednesday, staff said that its insurer denied the claim for reimbursement of costs related to the February cyberattack because multi-factor authentication had not been fully implemented for online services when the attack happened.

Staff said Hamilton obtained a third party to review the coverage denial, but the review found the denial aligned with the policy.

The total cost incurred to recover from the attack so far is $18.3 million, according to a staff report. The city says more than $14 million of that amount has been paid to external experts while more than $1 million each has been put towards infrastructure, staffing, and other related costs.

“I understand why Hamiltonians are frustrated – this was a serious and costly breach,” said Mayor Andrea Horwath in a news release on Wednesday.

“We expect our public systems to be strong, secure, and dependable. This incident highlights that the city fell short of that standard – and we’re not okay with that.”

The attackers disabled nearly 80 per cent of the city’s network and demanded a ransom of roughly $18.5 million in exchange for a decryption tool to unscramble the data, the update revealed.

The ransom was never paid because the city said doing so would have increased “risk and financial exposure.”

“This was in the best interests of Hamiltonians, aligned with guidance from third-party experts and law enforcement, and is consistent with industry best practices,” City Manager Marnie Cluckie said in the release.

“We are rebuilding our IT systems and infrastructure in a financially responsible way, applying what we’ve learned to strengthen cybersecurity and improve service.”

Additionally, the city said no one’s personal or health data was impacted or accessed during the breach.

Most of the affected systems have been successfully recovered or rebuilt, according to the city.

However, they say a limited number of services, including the finance business management application suite, development and permit applications and licensing, fire department records management, public health inspection application, traffic signal systems management, museum collections management solution and the utility locates application, were unrecoverable.

The Data Breach article provides:

Cybercrime so far this year can be summarized as featuring “more of everything,” with researchers tracking increases in the number of ransomware and data breach victims, credentials stolen by infostealers, and new vulnerability disclosures with exploits coming to light.

The year so far has been a story of “an alarming acceleration in cyber threats,” said Ian Gray, vice president of cyber threat intelligence operations at Flashpoint. “We’ve seen an 800% increase in credential theft via information-stealing malware, making ‘identity’ a dominant attack vector,” he said. “With ransomware up 179% and data breaches surging 235%, the sheer scale of malicious activity is undeniable.”

The firm’s research, based on the first half of this year, also counted more than 20,000 new vulnerabilities coming to light, of which nearly 7,000 have publicly available exploits. “These trends combined pose a significant challenge to security teams, who must triage growing volumes of vulnerabilities, while attackers meticulously seek to weaponize exploit code,” says a Thursday report from Flashpoint.

The firm’s findings aren’t an outlier, including on the data breach front. The Identity Theft Resource Center, a U.S. non-profit organization that assists breach victims, recently counted 1,732 total data breach incidents, affecting nearly 166 million individuals, in the first half of this year. Comparing that timeframe to the first half of 2024, the quantity of reported U.S. data breaches has increased by 10%. If that trend holds until year’s end, 2025 will set a record for the number of known-breached organizations.

Infostealers Surge

Experts said at least some of those breaches trace to the rising success of infostealers. A new report from threat intelligence firm Kela says that in the first half of this year, 2.7 million systems were infected by infostealers, leading to 204 million compromised credentials flooding the market. If those levels continue, 2025 is set to surpass the scale of infostealers seen in 2024, which involved more than 4.3 million systems being infected and 330 million credentials compromised.

Attackers continue to refine their tactics for tricking victims into installing infostealers, lately including via AI-generated videos posted to TikTok, using “paste and run” tactics, aka ClickFix or ClearFake attacks, which purport to identify both a problem and a solution, which oftentimes involves pasting attacker-provided code into a Windows terminal session (see: Infostealer Attackers Deploy AI-Generated Videos on TikTok).

One challenge with infostealer infections is that they’re designed to harvest whatever sensitive data they might find on a system – cryptocurrency wallet addresses, access credentials for corporate systems and bank accounts, credit card data, cookies, passwords and more.

A thriving ecosystem exists to connect sellers of this stolen information with buyers. Data from each system typically gets batched up as a “log” and sold on automated “clouds of logs” marketplaces, forums and Telegram channels. Because this malware harvests in part corporate credentials, “infostealers serve as precursors to advanced attacks, including ransomware and espionage,” Kela said. In other words, log buyers include nation-state hackers and extortionists.

Notable incidents this year involving attackers using credentials harvested by infostealers to gain initial access to a network affected the likes of Spanish telecommunications giant Telefónica and French telecom giant Orange, both of which were hit by HellCat in January and February respectively, Kela said.

“At Telefónica, HellCat compromised 15 Jira accounts, exfiltrating 24,000 employee records, 500,000 Jira tickets and over 2 GB of internal documents,” Kela said. “Six weeks later, HellCat gained month-long access to Orange via Raccoon-Stealer credentials, stealing 12,000 files (6.5 gigabytes) including financial, HR and network data. They also altered RIPE entries through an MFA-lacking ‘ripeadmin’ account, leaking thousands of documents,” it said, referring to the RIPE NCC not-for-profit regional internet registry for Europe, the Middle East and parts of Central Asia.

In March, brand-new Arkana ransomware group claimed to breach Colorado-based internet service provider WideOpenWest, aka WOW, and threatened to leak stolen information pertaining to over 400,000 subscribers unless WOW paid a ransom. “This attack stemmed from an infostealer compromising a WOW workstation in September 2024, which siphoned browser credentials,” Kela said.

Infostealer infections are a global problem. In the first half of this year, the top 10 countries from which victims hail, based on the quantity of uploaded logs, are India, the United States, Brazil, Indonesia and Pakistan, Flashpoint said.

Many infostealer users rent the software for $400 or less per month from one of at least 30 different service providers. In the first half of this year, Flashpoint said the most used infostealer was Lumma, which it tied to 5 million infected hosts and devices, distantly followed by RedLine, StealC, Vidar and Agent Tesla, each with 329,000 or fewer infected hosts.

Infostealer-as-a-service providers’ terms and conditions often give them the right to keep any especially lucrative data, such as access credentials for cryptocurrency wallets or accounts.

Ransomware Counts More Victims

Ransomware attacks also appear to be trending upwards. That comes despite ongoing law enforcement disruptions of top groups and overall trust and stability issues. “Q2 has seen plenty of infighting between prominent and up-and-coming threat actors, claims of rivals uniting and major players hit by arrests,” said Chris Boyd, a threat researcher at Rapid7, in a recent report. “It makes sense, then, that affiliates would be in a state of flux, moving from one RaaS group to another, or even holding off altogether until the dust settles.”

Major players in recent months include Scattered Spider, which has socially engineered many name brands, including retailers and insurers, as well as Dragonforce, and healthcare-hacking-happy Qilin, Boyd said (see: Ransomware Thrives in Shook-Up Criminal Underworld).

In the first half of 2025, Kela counted 3,662 ransomware victims either via public reports or claims posted to ransomware groups’ data-leak blogs. Of those victims, more than half are U.S.-based. The six-month total is already 70% of the count of 5,230 ransomware victims claimed by groups in 2024, meaning the number of known ransomware victims looks set to exceed previous infection levels.

Flashpoint likewise found that the United States remains far and away the country most targeted by ransomware, based on known victims, accounting for what it said were 2,160 claimed victims in the first half of this year, followed by Canada with 249, Germany with 154, the United Kingdom with 148 and Italy with 96.

The ransomware victim count and demographics aren’t definitive, as groups only list a subset of nonpaying victims, sometimes list victims months later and repeatedly lie.

Security experts do keep track of their claims, to help measure the extent to which organizations have been hit by ransomware, which remains very difficult to fully quantify.

Based on what security experts can glean, “the scale of hidden activity remains significant,” with perhaps only one-fifth of all such attacks ever getting reported, said cybersecurity firm BlackFog in a Tuesday report.

Attacks that have come from Jan. 1 through July 31 reveal the damage each one can do to victims. “Among attacks where data theft details were available, the average volume of data exfiltrated was 858 gigabytes,” Flashpoint said. “This figure is based on 609 incidents where leak site posts included specific volume information. Ransom demands were disclosed in 44 cases, with the average demand exceeding $676,000.”