In partnership with
Welcome back to The CyberSignal — your weekly digest of what’s shifting in the cybersecurity landscape, with a focus on the United States and Canada.
This week, attackers leaned heavily into healthcare, education, manufacturing, and community organizations, exploiting seasonal staffing gaps and slower response cycles. Ransomware groups continued publishing victims at a steady pace, while global incidents reinforced how logistics, retail, and higher education remain structurally exposed.
Whether you’re a CISO, IT leader, or security practitioner, this edition breaks down what happened, why it matters, and what to prioritize heading into the end of the year.
Let’s dive in.
✨ Our Partner
Get Content Workflows Right - Best Practices from Media Execs
The explosion of visual content is almost unbelievable, and creative, marketing, and ad teams are struggling to keep up.
The question is: How can you find, use, and monetize your content to the fullest?
Find out on January 14th as industry pioneers from Forrester Research and media executives reveal how the industry can better manage and monetize their content in the era of AI.
Save your spot to learn:
What is reshaping content operations
Where current systems fall short
How leading orgs are using multimodal AI to extend their platforms
What deeper image and video understanding unlocks
Get your content right in 2026 with actionable insights from the researchers and practitioners on the cutting edge of content operations.
Join VP Principal Analyst Phyllis Davidson (Forrester Research) and media innovation leader Oke Okaro (ex-Reuters, Disney, ESPN) for a spirited discussion moderated by Coactive’s GM of Media and Entertainment, Kevin Hill.
🔎 Overview: What Shifted in Cyber Since Last Thursday
Ransomware activity stayed steady through the holiday window, with consistent victim disclosures despite slower public reporting.
U.S. healthcare and education remained the most targeted sectors, continuing a long-running trend.
Mid-market organizations dominated victim lists, reflecting attacker preference for limited security staffing and slower response.
Manufacturing and service providers faced ongoing operational risk, with potential downstream supply-chain impact.
Nonprofits and community organizations continued to be targeted, often holding sensitive personal and donor data.
Globally, attacks extended across logistics, retail, higher education, and sports, showing ransomware’s continued expansion beyond traditional enterprise targets.
🔥 Key Incidents & Analysis
The Iowa-based hospital was listed on ransomware leak sites, signaling potential exposure of patient and operational data. Healthcare continues to be one of the most consistent ransomware targets, especially during holiday periods when staffing levels are reduced.
Sector: Healthcare
Threat Actor: LockBit
Why it matters: Healthcare incidents increasingly trigger regulatory scrutiny, patient trust erosion, and extended recovery timelines well beyond initial containment.
A Texas school district appeared on leak sites, continuing the trend of K–12 institutions being targeted for both operational disruption and data theft.
Sector: K–12 Education
Threat Actor: Qilin
Why it matters: Education environments often lack strong segmentation and modern identity controls, making them repeat ransomware targets with long-tail recovery costs.
A manufacturing firm disclosed on ransomware sites, consistent with Akira’s ongoing focus on industrial and production-focused organizations.
Sector: Manufacturing
Threat Actor: Akira
Why it matters: Manufacturing attacks increasingly impact physical operations, not just IT systems, amplifying downtime and financial loss.
The breach highlights continued pressure on small and mid-sized service providers that support larger enterprises.
Sector: SMB / Print Services
Threat Actor: TridenLocker
Why it matters: SMBs remain a supply-chain risk multiplier, often serving as indirect access points to larger organizations.
A nonprofit community organization was listed on ransomware leak sites, reinforcing that attackers increasingly view nonprofits as low-resistance targets.
Sector: Nonprofit / Community Services
Threat Actor: Sinobi
Why it matters: Nonprofits often hold donor data, membership records, and payment information, yet lack enterprise-grade security budgets.
A logistics provider appeared on leak sites, raising concerns around shipment data and supply-chain visibility.
Sector: Logistics
Threat Actor: Devman
Why it matters: Logistics breaches can cascade across partners, customers, and national supply chains.
A European retail platform disclosed a breach affecting customer data.
Sector: Retail / E-commerce
Threat Actor: SafePay
Why it matters: Retail attacks continue to scale quickly due to high transaction volumes and customer PII concentration.
A public university was listed on ransomware leak sites, consistent with global higher-education targeting trends.
Sector: Higher Education
Threat Actor: Qilin
Why it matters: Universities combine open access environments with valuable research and personal data, making them persistent targets worldwide.
A major international sports organization appeared on ransomware leak sites, reflecting the continued expansion of ransomware beyond traditional enterprise targets.
Sector: Sports / Entertainment
Threat Actor: Qilin
Why it matters: High-profile brands face reputational damage, fan trust loss, and commercial disruption following breaches.
✨ AI Tool Spotlight:
A Framework for Smarter Voice AI Decisions
Deploying Voice AI doesn’t have to rely on guesswork.
This guide introduces the BELL Framework — a structured approach used by enterprises to reduce risk, validate logic, optimize latency, and ensure reliable performance across every call flow.
Learn how a lifecycle approach helps teams deploy faster, improve accuracy, and maintain predictable operations at scale.
📈 Data & Research Corner
9 ransomware victims were disclosed on leak sites between Dec 18–25, per BreachSense tracking.
56% of victims were U.S.-based, keeping North America the primary ransomware target this week.
Healthcare and education represented ~33% of U.S. disclosures, continuing to lead all sectors.
Mid-market organizations accounted for ~75% of victims, reflecting attacker focus on limited security staffing.
LockBit, Qilin, and Akira drove over 65% of disclosures, remaining the most active ransomware groups.
Incidents spanned 4 global regions, showing ransomware’s continued geographic expansion.
🛡️ Actionable Playbook for CISOs & IT Leaders
Re-evaluate email security posture for executive, government-facing, and healthcare-linked systems, with a focus on MFA enforcement, privileged access review, and logging coverage.
Assume persistence in advanced intrusions, especially those tied to state-aligned actors; prioritize behavioral detection and anomaly monitoring over perimeter-only controls.
Map and validate third-party access paths, particularly for healthcare, education, and public-sector vendors operating in shared or legacy environments.
Prepare for service disruption, not just data exposure — ensure incident response plans account for operational downtime, continuity, and recovery scenarios.
🏛️ Regulatory, Legislative & Structural Shifts
European governments are accelerating public attribution of state-backed cyber activity, signaling reduced tolerance for quiet remediation.
Healthcare oversight is expanding upstream, with regulators increasingly scrutinizing technology vendors and service providers, not just data owners.
Critical infrastructure sectors are facing renewed pressure to demonstrate cyber resilience, recovery capability, and visibility — not just baseline compliance.
Long-dwell espionage campaigns are driving policy emphasis on detection, logging, and incident transparency requirements.
📊 Poll of the Week
Where does your organization face the greatest hidden cyber risk today?
🔭 Looking Ahead
Additional government attributions are likely following recent European disclosures.
Healthcare and public-sector vendors may face new breach notifications, audits, or enforcement actions.
Expect further reporting on long-running intrusions uncovered during end-of-year reviews.
Energy, transport, and logistics systems remain high-probability targets amid ongoing geopolitical pressure.
💡 Pro Tip of the Week
Optimize for detection, not just prevention.
This week’s incidents reinforce a familiar reality: the most damaging attacks aren’t always loud — they’re persistent.
If your team can’t quickly answer who accessed what, when, and for how long, your exposure is already higher than it appears.
🔒 Conclusion
This week’s activity reinforces a clear shift: cyber incidents are increasingly operational, persistent, and national in scope.
From hospitals and school districts to logistics providers and global brands, attackers are exploiting trusted access paths — often without triggering immediate alarms.
For security leaders, the priority is clear:
Shorten dwell time. Harden vendor access. Plan for disruption — not just disclosure.
Stay sharp. Stay ahead.
The CyberSignal Team
📩 Found this roundup useful? Share The CyberSignal with a colleague who needs to stay ahead of cyber threats.
Can you scale without chaos?
It's peak season, so volume's about to spike. Most teams either hire temps (expensive) or burn out their people (worse). See what smarter teams do: let AI handle predictable volume so your humans stay great.