18.08.25 Threat Report

Written by Craig Pepper | Aug 18, 2025 9:00:00 AM

Here's your weekly roundup of the cybersecurity threats. This week brings a mixed bag of supply chain disruptions, critical patches, law enforcement wins, and policy changes that will reshape how we handle ransomware.

1. Stock in the Channel Suffers Zero-Day Ransomware Attack

A UK-based multinational providing technology stock availability tools was hit by a sophisticated ransomware attack that exploited a zero-day vulnerability in a third-party application. Stock in the Channel (STIC), which serves over 60,000 registered users across 22 countries, including many healthcare technology suppliers, had its website taken offline for 24 hours. The company claims no customer data was compromised and that all critical data was recovered. The attack demonstrates how cybercriminals are increasingly targeting supply chain partners to maximise disruption across multiple sectors.

Healthcare organisations rely heavily on technology distributors like STIC for procuring medical devices, IT equipment, and essential hardware. Supply chain disruptions can delay critical equipment deliveries and force healthcare providers to source from unfamiliar suppliers, potentially compromising security vetting processes.

Recommendations:

  • Review and diversify your technology supplier relationships to avoid single points of failure
  • Ensure backup procurement channels are established for critical medical devices
  • Verify that suppliers have robust cybersecurity measures and incident response plans
  • Consider supply chain risk assessments as part of your vendor management programme

2. Patch Tuesday Addresses 107 CVEs, Including Critical RCE Flaw

Microsoft's August Patch Tuesday release addressed 107 vulnerabilities, with 13 rated as critical. The standout threat is CVE-2025-53766, a critical remote code execution vulnerability in Windows GDI+ with a CVSS score of 9.8. This heap-based buffer overflow allows unauthenticated attackers to execute arbitrary code through malicious documents or web services without user interaction. CVE-2025-53779 is a publicly disclosed zero-day affecting Windows Kerberos authentication, with functional exploit code already available. Of this month's fixes, 39% are elevation-of-privilege flaws and 33% are remote code execution flaws, highlighting the ongoing risks to Windows-based systems.

Windows systems are ubiquitous in healthcare environments, powering everything from administrative workstations to medical device controllers. The critical GDI+ vulnerability could be exploited through seemingly innocent documents, whilst the Kerberos flaw threatens network authentication security.

Recommendations:

  • Prioritise patching CVE-2025-53766 and CVE-2025-53779 immediately across all Windows systems
  • Test patches in non-production environments first, especially for medical device systems
  • Review document handling processes and consider additional scanning for malicious files
  • Audit Kerberos authentication configurations and monitor for unusual privilege escalation attempts

3. DOJ Takes Down BlackSuit Ransomware Group Targeting Hospitals

The US Department of Justice announced a coordinated international operation that dismantled key infrastructure belonging to the BlackSuit (formerly Royal) ransomware group. Authorities seized four servers, nine domains, and $1.1 million in cryptocurrency. BlackSuit has been particularly aggressive in targeting critical infrastructure, with hospitals and healthcare organisations being primary victims. The group's tactics included deploying ransomware, extorting victims, and laundering proceeds through sophisticated cryptocurrency operations. This takedown represents a significant victory against one of the most healthcare-focused ransomware operations currently active.

BlackSuit has specifically targeted hospitals and healthcare organisations, making this takedown directly relevant to the sector. Whilst the infrastructure has been disrupted, the criminal operators may regroup under different names or join other ransomware-as-a-service operations.

Recommendations:

  • Don't assume the threat has disappeared—maintain vigilance against ransomware attacks
  • Implement CISA's recommended protections: prioritise patching known exploited vulnerabilities
  • Enhance user training to recognise and report phishing attempts, which remain the primary attack vector
  • Enable and enforce multifactor authentication across all systems, especially administrative accounts
  • Review and test incident response plans, including communication protocols during outages

4. New UK Policy Prohibits NHS and Public Sector Ransom Payments

The UK government announced plans to ban public sector organisations—including NHS trusts, local councils, and schools—from paying ransomware demands. The policy also requires private businesses to notify authorities before making ransom payments, enabling legal vetting and support. Whilst 96% of UK business leaders support the ban, a striking 75% admit they would still pay ransoms to save their businesses, highlighting the tension between policy and practical reality. The ban aims to disrupt ransomware profitability but raises concerns about potential underreporting and the need for stronger defensive capabilities.

This directly impacts all NHS trusts and public healthcare organisations, fundamentally changing how they must approach ransomware incidents. The policy shifts the burden from reactive recovery to proactive prevention and resilience.

Recommendations:

  • Invest in backup and recovery systems that can restore operations quickly without paying ransoms
  • Strengthen network segmentation to limit the spread of ransomware infections
  • Develop comprehensive business continuity plans that don't rely on ransom payments
  • Consider cyber insurance policies that align with the new legal requirements
  • Focus on detection and prevention technologies rather than post-incident recovery strategies
