Ransomware attacks in 2025 continued the double extortion trend – hackers not only encrypt files to disrupt operations, but also steal data to pressure victims into paying. From hospitals to seaports, no sector has been spared. Below we examine three significant cyber incidents in 2025 and how they unfolded, with insights into the attackers’ techniques and official sources for each breach.

DaVita Ransomware Attack: Healthcare Provider Disrupted in April 2025
DaVita – a Fortune 500 provider of kidney dialysis with roughly 3,000 outpatient clinics worldwide – fell victim to a ransomware attack in April 2025 (securityweek.com, bleepingcomputer.com). On April 12, DaVita detected that hackers had encrypted parts of its network, leading to portions of the system being locked down and some operations being disrupted (bleepingcomputer.com). The incident forced DaVita to activate emergency response protocols: affected servers were isolated, backups were engaged, and some functions switched to manual processes to ensure continuity of care (securityweek.com). Despite the IT outage, DaVita stressed that patient treatments continued without interruption – a critical point for a company serving over 200,000 patients with life-sustaining dialysis (securityweek.com).
The attack had no immediate known culprit, as DaVita did not name a ransomware group or disclose any ransom demands in its initial SEC filing (securityweek.com). An investigation was launched with law enforcement involved, but early on the full scope of damage was unclear (sec.gov). DaVita could not estimate how long systems would be down, indicating the recovery might take time (sec.gov). Notably, DaVita acknowledged the possibility that sensitive data – including patient information – may have been compromised, though no concrete evidence of theft was confirmed at first (bleepingcomputer.com). This reflects the common ransomware tactic of data exfiltration (stealing confidential files) before encryption, to later extort the victim by threatening leaks (bleepingcomputer.com). In DaVita’s case, the company said it was still determining if any patient or employee records were accessed. The combination of network encryption (locking up systems) and potential data theft aligns with the modern double-extortion model used by many ransomware gangs, and maps to two MITRE ATT&CK tactics (Impact – encrypt data; Exfiltration – steal data) (bleepingcomputer.com).
While DaVita has not publicized the exact attack vector, ransomware incidents of this type often begin with a phishing email or compromised remote access (MITRE ATT&CK initial access techniques) that allows intruders to plant malware. Cybersecurity experts noted that the attack struck over a weekend – a period when IT staff might be slower to respond – which is a deliberate strategy by ransomware operators to maximize damage (bleepingcomputer.com). By Monday April 14, DaVita had disclosed the breach in an 8-K report and was working with third-party cybersecurity firms to remediate (bleepingcomputer.com). This case underscored the healthcare sector’s vulnerability: large providers like DaVita hold vast amounts of Protected Health Information (PHI), making them prime targets. (In fact, DaVita’s rival Fresenius Medical had suffered a 2023 hack exposing data on 500,000 patients (reuters.com).) The DaVita attack of 2025 highlights how ransomware can threaten patient services and sensitive data on a massive scale.
Sensata Technologies Breach: Ransomware and Data Theft in Tech Manufacturing
In early April 2025, industrial tech manufacturer Sensata Technologies – a $4 billion firm supplying sensors and electrical components globally – was hit by a major cyberattack. According to a regulatory disclosure to the SEC, on April 6 the company detected a ransomware incident that encrypted files on certain devices in its network (securityweek.com). Sensata immediately took drastic containment measures: it proactively shut down portions of its network to stop the spread, and brought in third-party cybersecurity experts to investigate (markets.businessinsider.com). Law enforcement was notified as well (markets.businessinsider.com). Despite these efforts, the attack caused significant business disruption. Sensata reported that the breach temporarily paralyzed operations including product manufacturing, shipping and receiving, and other support functions critical to its supply chain (securityweek.com). By April 10, many systems were still being restored, and the company warned it had no firm timeline for full recovery (securityweek.com).
Crucially, Sensata confirmed evidence that the attackers stole sensitive files from its network (not just encrypting them) (securityweek.com). A preliminary investigation found data had been exfiltrated, though the exact files and scope were still being determined. The company indicated it would notify any individuals or customers affected once it learns what was taken (securityweek.com). This admission means the attack was a data breach as well as a ransomware event – the intruders likely obtained proprietary business data or personal information, raising the stakes. Stealing data is now a standard tactic by ransomware gangs to gain leverage (the “double extortion” model), a fact noted by security experts observing the case (bleepingcomputer.com). By exfiltrating files, attackers can threaten to publish or sell the information if the victim refuses to pay, adding compliance and privacy headaches to the victim’s crisis (bleepingcomputer.com).
As of mid-April, Sensata did not know which ransomware gang was behind the breach – no group had openly claimed responsibility on darknet leak sites (securityweek.com). Often, there is a delay before gangs list victims, as they may be negotiating privately. Sensata stated that it did not expect immediate material impact on its Q2 financial results from the incident (securityweek.com). However, it cautioned that if ongoing investigation finds more severe damage, the impact could ultimately become “material” (significant) to the business (securityweek.com). The lack of an immediate financial hit suggests the company’s contingency plans (and perhaps cyber insurance) were activated to keep core operations running in some capacity.
From a MITRE ATT&CK standpoint, the Sensata breach likely involved threat actors gaining Initial Access through either a phishing campaign or exploiting a vulnerability in the company’s extensive IT infrastructure. Once inside, they deployed ransomware to encrypt data (Impact tactic) and quietly exfiltrated files (Collection and Exfiltration tactics) before detection (bleepingcomputer.com). Sensata’s response – taking systems offline and containing infected segments – limited further spread. Still, the incident shows how a ransomware attack on a technology/manufacturing firm can disrupt physical production lines. It also exemplifies the rising threat of intellectual property theft and supply chain delays when hackers strike critical tech providers.
Port of Seattle Ransomware Breach Exposes Personal Data of 90,000
Critical infrastructure was not immune to 2025’s cyber onslaught. The Port of Seattle, which operates Seattle-Tacoma International Airport (SEA) and maritime facilities, suffered a ransomware attack that culminated in a major data breach. The incident actually began in late August 2024, when the Port’s IT team noticed system outages on August 24 consistent with a cyberattack (portseattle.org). Immediate actions were taken: critical systems were isolated and some services taken offline to contain the threat (portseattle.org). This response kept essential operations safe – officials reported that airport travel and port facility safety were never compromised during the incident (portseattle.org). However, the attackers had already infiltrated the network. By mid-September 2024, investigators confirmed that the disruption was caused by Rhysida ransomware, a relatively new ransomware group, and that the Port’s data had been accessed by the hackers (securityweek.com).
The Rhysida gang demanded a hefty ransom of $6 million for the Port to regain access to its files (securityweek.com). The Port of Seattle, a public agency, refused to pay the ransom (securityweek.com) – a stance many organizations take, especially government entities, to avoid funding criminals. In retaliation, Rhysida listed the Port on its dark web leak site just days later and claimed to have stolen over 3 terabytes of data, which it even put up for auction (securityweek.com). Over time, the ransomware group leaked portions of the stolen data publicly, exposing some of the information as proof (securityweek.com). This escalation confirmed that large amounts of sensitive data had indeed been exfiltrated from the Port’s servers.
Fast forward to April 3, 2025 – after a lengthy forensic investigation – the Port of Seattle notified approximately 90,000 individuals that their personal information was compromised in the breach (securityweek.com). According to an official notice, the attackers accessed data from certain legacy systems containing employee, contractor, and parking records (securityweek.com). The stolen personal data included names, dates of birth, Social Security numbers (in some cases), driver’s license or ID numbers, and even some medical information (securityweek.com). Fortunately, systems handling passenger data or payment processing were not affected, and the Port holds very little customer travel data anyway (securityweek.com). The majority of impacted individuals were current or former Port employees and contractors (about 71,000 of those affected reside in Washington state) (securityweek.com). The Port offered one year of free credit monitoring and identity protection services to everyone affected as a remediation step (securityweek.com).
This Port of Seattle incident highlights the dire consequences of ransomware on critical infrastructure. The attack not only disrupted operational technology (forcing the temporary closure of some services like fuel pier operations and vehicle emissions testing in the immediate aftermath (securityweek.com, industrialcyber.co)), but it also led to a major data breach of personal information. The involvement of Rhysida, a known cybercrime gang, shows that even transportation hubs are on the radar of sophisticated attackers. Using MITRE ATT&CK analysis, the Port of Seattle attack likely started with Initial Access via phishing or exploiting an unpatched system in the Port’s network (the exact entry point is undisclosed). The adversaries then conducted Lateral Movement to reach servers holding sensitive archives (legacy data), performed Data Collection on 3 TB of files, and Exfiltrated that data (Exfiltration tactic) before deploying the ransomware payload (Impact tactic) to encrypt systems. The Port’s robust incident response – isolating systems quickly – limited any threat to public safety, but the data theft impact was significant (securityweek.com). This case underscores that government and infrastructure entities must secure not only their active systems but also legacy data repositories against modern ransomware threats.
Other Notable Cyberattacks in 2025
Beyond the headline incidents above, several other cyberattacks in 2025 hit the healthcare, infrastructure, and tech sectors:
- Laboratory Services Cooperative (LSC) Breach: LSC, a medical lab services provider (serving Planned Parenthood clinics in 31 states), announced that hackers exfiltrated data on 1.6 million individuals in a breach first detected in October 2024 (scworld.com). Attackers infiltrated LSC’s network and stole extensive patient information – names, contact details, Social Security numbers, medical lab results, health insurance info, and billing records were pilfered (scworld.com). The breach did not affect all Planned Parenthood centers (only those using LSC), but it exposed a vast trove of sensitive health data. LSC offered affected patients credit monitoring and reported no evidence (so far) of misuse of the stolen data (scworld.com). This incident, disclosed in 2025, is one of the largest healthcare data breaches of the year by volume of records.
- Attacks on State and Local Agencies: Several U.S. state government agencies suffered ransomware attacks in 2025, demonstrating that local infrastructure is squarely in attackers’ sights. For example, in April 2025 Oregon’s Department of Environmental Quality was hit by a cyberattack that forced the agency to take its network offline, shutting down all vehicle emissions testing stations for days (industrialcyber.co). Around the same time, a ransomware attack on Arizona’s Federal Public Defender’s Office knocked its systems offline, resulting in court case delays until systems could be restored (industrialcyber.co). Smaller counties were targeted too – in Idaho, Gooding County was struck by ransomware on March 25, 2025, and officials reported it likely compromised county residents’ personal data (industrialcyber.co). In Nebraska, the Qilin ransomware group claimed an attack on a Natural Resources District (a public utility organization) that occurred in late 2024, stealing data and disrupting services (industrialcyber.co). These examples show that ransomware isn’t just a big-city or corporate problem; it’s affecting regional governments, potentially impacting services like environmental monitoring, legal defense, and utilities. The common thread is attackers seeking out vulnerable public-sector systems, often for financial gain, and sometimes leaking stolen government data when ransoms go unpaid.
- MOVEit/Cleo File Transfer Exploits – Private Sector Impact: In 2025, fallout continued from earlier supply-chain cyberattacks involving managed file transfer (MFT) software vulnerabilities. One high-profile victim disclosure was Hertz Corporation, the rental car giant, which confirmed that customer data was compromised via the Clop ransomware gang’s exploitation of a Cleo file transfer software flaw (scworld.com). Between October and December 2024, Clop attackers leveraged this vulnerability to steal personal data from multiple companies; Hertz announced the breach in April 2025, indicating U.S. and international customers’ info was involved (scworld.com). This incident is part of a larger wave of attacks where criminals target third-party software (like file transfer tools) used by enterprises, illustrating the risks in software supply chains. Organizations such as banks, tech firms, and universities were also affected by the MOVEit Transfer zero-day exploits in 2023-2024, and those repercussions extended into 2025 as victims gradually disclosed data losses. The key lesson is that even without being directly targeted, companies can suffer breaches if a widely-used vendor product is compromised – reinforcing the need for vigilant third-party risk management.
Ransomware Attack Techniques and MITRE ATT&CK Analysis (2025 Trends)
The 2025 incidents above follow familiar patterns seen in today’s ransomware playbook. Using the MITRE ATT&CK framework to analyze these attacks, we can identify common tactics and techniques employed by the threat actors:
- Initial Access: Most ransomware intrusions start with an initial foothold via social engineering or exploitation. Phishing emails with malicious attachments or links remain a top initial access technique (MITRE tactic: Initial Access) (rapid7.com). Attackers trick employees into running malware or giving up their credentials. In other cases, hackers exploit unpatched Internet-facing vulnerabilities on servers or VPN devices to break in (e.g., MITRE technique T1190: Exploit Public-Facing Application). Weak or stolen remote login credentials (for RDP/VPN) are another entry vector. In the DaVita and Sensata cases, while the exact vectors weren’t disclosed, security analysts suspect phishing or similar methods could have opened the door for the attackers.
- Persistence and Lateral Movement: Once inside a network, ransomware operators often establish persistence – installing backdoor malware or creating new admin accounts to maintain access (MITRE tactic: Persistence). They may use tools like Cobalt Strike beacons or scheduled tasks to survive reboots and avoid detection. The attackers then perform privilege escalation (gaining higher user rights) and move laterally through the IT environment (MITRE tactics: Privilege Escalation and Lateral Movement), searching for high-value systems and data stores. For example, in the Port of Seattle incident, the intruders likely traversed from an initial beachhead to the servers housing legacy employee data, indicating lateral movement to reach sensitive systems.
- Data Collection and Exfiltration: Before deploying ransomware, virtually all modern ransomware gangs now engage in data exfiltration (MITRE tactic: Exfiltration) (rapid7.com). They quietly gather sensitive files – databases, document shares, email archives – and transfer them out of the network, usually to cloud storage or dark web servers under their control. In 2025, this “steal then encrypt” approach was evident in each major incident: DaVita suspected patient records might have been taken (bleepingcomputer.com), Sensata confirmed hackers stole corporate files (securityweek.com), and the Port of Seattle attackers exfiltrated a huge 3 TB trove of personal data (securityweek.com). This stolen data is used as leverage for extortion: the attackers threaten to leak it publicly if the victim refuses to pay. According to cybersecurity reports, data exfiltration and blackmail via leak sites have become the name of the game for ransomware crews (rapid7.com). This tactic increases pressure on victims (who face regulatory fines and customer lawsuits if data leaks) and has been effective in extracting payments.
- Impact – Ransomware Deployment: Finally comes the impact phase (MITRE tactic: Impact), where the attackers execute file-encrypting malware across the network to lock the victim out of their systems. They often schedule the ransomware deployment for off-hours (nights or weekends) to avoid immediate detection (bleepingcomputer.com). The malware (ransomware binary) encrypts servers, databases, and workstations, displaying ransom notes with instructions for payment. This is exactly what hit DaVita’s network on that Saturday in April, and what forced the Port of Seattle to shut down systems in August. The encryption (MITRE technique T1486: Data Encrypted for Impact) typically halts operations – DaVita had to revert to manual processes for some treatments, and Sensata’s production line was interrupted (securityweek.com). Even after restoring from backups, victims often face days or weeks of downtime as they rebuild IT systems and ensure the malware is eradicated.
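The stages listed above can be turned into concrete detection logic. The following is an added example written for this article; it is not code from the article, from any of the cited sources, or from any of the organizations named. It runs simple rules over a constructed key=value log: creation of an administrator account or a scheduled task (Persistence), a burst of outbound bytes to a non-internal address within a short window (Exfiltration), and a burst of files renamed to a ransomware-style extension on one host (Impact), tagging each finding with whether it happened off-hours, the window the article notes attackers prefer. The log format, hostnames, thresholds and the list of internal address ranges are assumptions made for the example.

```python
"""Added example (not from the article): map constructed log events onto the
ransomware stages the article lists (Persistence, Exfiltration, Impact).
The key=value log format, thresholds and hostnames are assumptions."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample log, not real telemetry. 2025-04-12 is a Saturday.
SAMPLE_LOG = "\n".join(
    [
        "2025-04-12T02:01:10 host=ws17 user=jdoe event=account_created account=svc_maint group=Administrators",
        "2025-04-12T02:03:25 host=ws17 user=svc_maint event=schtask_created task=Updater cmd=C:/ProgramData/u.exe",
        "2025-04-12T02:10:00 host=fs01 user=svc_maint event=net_out dst=203.0.113.7 bytes=400000000",
        "2025-04-12T02:12:30 host=fs01 user=svc_maint event=net_out dst=203.0.113.7 bytes=350000000",
        # Monday, business hours: a large copy to an internal server and an
        # ordinary rename. Neither should trigger a finding.
        "2025-04-14T10:15:00 host=ws03 user=asmith event=net_out dst=10.0.5.20 bytes=900000000",
        "2025-04-14T10:16:00 host=ws03 user=asmith event=file_rename old=draft.docx new=final.docx",
    ]
    # Burst of renames to a ransomware-style extension: 25 files in 25 seconds.
    + [f"2025-04-12T03:00:{i:02d} host=fs01 user=svc_maint event=file_rename "
       f"old=doc{i}.docx new=doc{i}.docx.locked" for i in range(25)]
)

# Assumed thresholds and internal ranges; tune to your own baseline.
EXFIL_BYTES = 500_000_000      # >= 500 MB to one external host within EXFIL_WINDOW_S
EXFIL_WINDOW_S = 600
RENAME_BURST = 20              # >= 20 suspicious renames on one host within RENAME_WINDOW_S
RENAME_WINDOW_S = 60
SUSPICIOUS_EXT = (".locked", ".encrypted", ".crypt")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Parse 'ISO-timestamp k=v k=v ...' into a dict; 'ts' becomes a datetime."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": datetime.fromisoformat(ts)}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def off_hours(ts):
    """Weekend, or outside 07:00-19:00 on a weekday."""
    return ts.weekday() >= 5 or not 7 <= ts.hour < 19


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def window_trigger(items, window_s, threshold):
    """items: sorted (ts, value) pairs. Return the start time of the first
    sliding window of window_s seconds whose values sum to >= threshold."""
    start = 0
    for end in range(len(items)):
        while (items[end][0] - items[start][0]).total_seconds() > window_s:
            start += 1
        if sum(v for _, v in items[start:end + 1]) >= threshold:
            return items[start][0]
    return None


def finding(tactic, technique, host, when):
    return {"tactic": tactic, "technique": technique, "host": host,
            "when": when.isoformat(), "off_hours": off_hours(when)}


def detect(log_text):
    """Return a list of findings, one dict per matched rule."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    findings = []
    outbound = defaultdict(list)   # (host, dst) -> [(ts, bytes)]
    renames = defaultdict(list)    # host -> [(ts, 1)]

    for e in events:
        kind = e.get("event")
        if kind == "account_created" and e.get("group") == "Administrators":
            findings.append(finding("Persistence", "T1136 Create Account", e["host"], e["ts"]))
        elif kind == "schtask_created":
            findings.append(finding("Persistence", "T1053 Scheduled Task/Job", e["host"], e["ts"]))
        elif kind == "net_out" and is_external(e["dst"]):
            outbound[(e["host"], e["dst"])].append((e["ts"], int(e["bytes"])))
        elif kind == "file_rename" and e["new"].endswith(SUSPICIOUS_EXT):
            renames[e["host"]].append((e["ts"], 1))

    for (host, dst), xfers in outbound.items():
        when = window_trigger(sorted(xfers), EXFIL_WINDOW_S, EXFIL_BYTES)
        if when:
            findings.append(finding("Exfiltration", f"bulk transfer to {dst}", host, when))

    for host, burst in renames.items():
        when = window_trigger(sorted(burst), RENAME_WINDOW_S, RENAME_BURST)
        if when:
            findings.append(finding("Impact", "T1486 Data Encrypted for Impact", host, when))

    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        flag = " (off-hours)" if f["off_hours"] else ""
        print(f"{f['when']} {f['host']:5} {f['tactic']:13} {f['technique']}{flag}")
```

Run as a script it prints four findings, all on the Saturday: two Persistence events on ws17, one Exfiltration window on fs01 starting at 02:10, and one Impact burst on fs01 at 03:00; the Monday traffic from ws03 produces nothing. The thresholds are deliberately simple so the rule logic is visible; in production they come from a measured baseline, and the three rules correspond to the controls named in the summary (alerting on new admin accounts and scheduled tasks, egress volume monitoring, and file-activity monitoring on file servers).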
In summary, the 2025 cyberattacks on DaVita, Sensata, the Port of Seattle and others show a consistent pattern of sophisticated ransomware operations. These threat actors combine multiple tactics – stealthy infiltration (Initial Access), persistence, data theft (Exfiltration), and destructive encryption (Impact) – to maximize their leverage. MITRE ATT&CK provides a useful lens to understand these steps. By studying this framework and the tactics used, defenders can implement security controls at each stage (e.g. phishing training for Initial Access, network segmentation to hinder Lateral Movement, robust backups and encryption to mitigate Impact). The events of 2025 serve as a stark reminder that organizations in healthcare, tech, and infrastructure must stay vigilant, as cybercriminals continue to refine their methods to exploit any weakness.