Ransomware/nation-state: Iran Rockwell PLCs/APT28 router AiTM/Storm-1175 Medusa healthcare zero-days/Signature Healthcare/Silent Ransom/REvil/Qilin/Nissan + Handala/NK + FBI

Key Questions

What Iranian-linked attacks targeted US critical infrastructure?

Iranian actors exploited Rockwell PLCs like Studio 5000, CompactLogix, and Micro850, disrupting US energy and water sites. CISA, FBI, NSA, DOE, and EPA issued alerts with IOCs.

What ransomware hit Signature Healthcare?

Signature Healthcare's Brockton hospital faced ransomware, shutting down EMR systems and causing diversions. It created chaos similar to emergency scenarios.

How did Storm-1175 target healthcare?

Storm-1175 used Medusa ransomware in 24-hour chains exploiting Ivanti, JetBrains, and Exchange zero-days against healthcare. This rapid attack chain highlights sector vulnerabilities.

What did APT28 do with routers?

APT28 (GRU-linked) compromised over 18,000 routers for AiTM attacks to steal Microsoft Office tokens. They turned home routers into global spy networks.

What ransomware groups were active recently?

REvil demanded €35M, Qilin hit Die Linke party, and Silent Ransom emerged. Nissan and Handala (pro-Palestinian) also conducted attacks, including 12PB Stryker data theft.

What impacts did the Signature Healthcare ransomware have?

The attack disrupted hospital operations at Brockton, forcing emergency diversions and EMR downtime. It exemplifies rising ransomware threats to healthcare.

How has AI influenced ransomware?

AI boosts ransomware operations by 22%, enhancing attack efficiency. Groups leverage it for faster exploitation chains.

What is the Handala group's activity?

Handala, linked to pro-Palestinian hackers, stole 12PB from Stryker. They represent nation-state aligned ransomware trends.

Iran-linked Rockwell Studio 5000/CompactLogix/Micro850 exploits disrupt US energy/water CI (CISA/FBI/NSA/DOE/EPA alerts IOCs); Signature Healthcare Brockton hospital ransomware (EMR down/diversions); Storm-1175 Medusa 24hr chains Ivanti/JetBrains/Exchange healthcare; APT28/GRU 18k+ routers; Handala Stryker 12PB; REvil €35M; Qilin Die Linke; AI boosts 22%.

Sources (49)

Updated Apr 8, 2026

Ransomware/nation-state: Iran Rockwell PLCs/APT28 router AiTM/Storm-1175 Medusa healthcare zero-days/Signature Healthcare/Silent Ransom/REvil/Qilin/Nissan + Handala/NK + FBI

Key Questions

What Iranian-linked attacks targeted US critical infrastructure?

What ransomware hit Signature Healthcare?

How did Storm-1175 target healthcare?

What did APT28 do with routers?

What ransomware groups were active recently?

What impacts did the Signature Healthcare ransomware have?

How has AI influenced ransomware?

What is the Handala group's activity?

FBI slams cybercriminals for attacking schools, hospitals, as crypto fraud soars

Iran attempting cyberattacks against critical U.S. infrastructure, officials say

Iran-linked hackers have disrupted multiple US industrial sites

US Warns That Iranian Hackers Are Targeting Water, Energy Sectors

Chaos at Massachusetts hospital as it faces emergency straight out of The Pitt

Iran-Linked Hackers Are Sabotaging US Energy and Water Infrastructure

Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure | CISA

Iranian hackers are breaking into U.S. industrial systems, agencies warn

Jones Day Claims Hackers Accessed Client Files

Russian Hackers Turned Your Home Router Into a Global Spy Network

Russia Hacked Routers to Steal Microsoft Office Tokens

German political party Die Linke targeted in ransomware attack | DigitalShield

Iran Threatens “Annihilation” of OpenAI’s $30B Abu Dhabi AI Data Center

Iran IRGC Warns It Will Destroy OpenAI’s Stargate Facility in UAE Video Threat

Iran-Linked Password-Spraying Campaign Targets 300+ Israeli Microsoft 365 Organizations

Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations | Microsoft Security Blog

Check Point tracks Iranian password-spraying waves targeting government and energy sectors in Israel and UAE - Industrial Cyber

Medusa ransomware group using zero-days to launch attacks within 24 hours of breach, Microsoft says | The Record from Recorded Future News

Ransomware Group anubis Hits: Tesla Systems

Toy giant Hasbro hit by cyberattack, considers delivery delays

Backups won’t save you from this version of ransomware

Healthcare hacker ransom demands average $18.2M: Report

AI-Enabled Ransomware Demands AI-Enabled Defense — Not Just Better Recovery | Morphisec Blog

BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks

Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab

FBI Calls Breach of Sensitive Agency Networks a ‘Major Incident’

Crypto attorney says Drift incident may qualify as 'civil negligence'

UAE foils massive AI cyber attack targeting government digital systems

Nissan's Fourth Breach in Four Years Exposed 910GB of Customer and Loan Data

Don't glamorize cybercrims, roast them instead • The Register

837 victims for United Kingdom

Iranian missile blitz takes down AWS data centers in Bahrain and Dubai — Amazon reportedly declares “hard down” status for multiple zones

Absolute Domination (.domination) ransomware removal.

FBI Warns iPhone And Android Users—Do Not Install These Apps

FBI Director's Emails Leaked: Here's What Got Exposed

In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by Ransomware - SecurityWeek

ELECQ Data Breach May Have Exposed EV Charger Users' Private Information

Minot Water Treatment Plant Hit by Ransomware Attack

How Iranian hackers pose a threat to US critical infrastructure

Bourbon & Breaches: Sweepstakes, Steel, and Surge

Ransomware and Other Cyberattacks on Cities: What to Do Before, During, and After

Threat actor UAC-0255 impersonate CERT-UA to spread AGEWHEEZE malware via phishing

Velvet Tempest Utilizes ClickFix and Windows Tools for Ransomware Deployment

Salt Typhoon Strikes: The FBI Breach You Weren’t Supposed to Know About

Middlesex County town impacted by cyber attack

UAC-0255 Attack Detection: Threat Actors Impersonate CERT-UA to Infect Ukrainian Public and Private Sector Organizations With AGEWHEEZE RAT | SOC Prime

Iran-Linked Campaign Targets M365 in Middle East

The Week in Breach News: April 01, 2026 | Kaseya

Cyberattack Hits 'Carecloud' Network; Investigation Ongoing To Identify Data Impacted | WION News