
Ransoms, or Revenue: The 7 Cybercrime Cases That Defined 2025


Ransomware is a type of attack where criminals lock up systems (or data), then demand money to restore access, often while threatening to leak stolen files.

Below is a clear recap of seven widely discussed 2025 cybercrime cases: what’s confirmed, what remains unclear in public reporting, and the simple lessons that carry into 2026. The 2025 ransomware attacks set the tone for serious discussion because their impact was real and damaging to many.

The 7 cybercrimes that shook the world in 2025 (what happened and why it mattered)

1. Ingram Micro (July 2025): global tech supply chains stalled after SafePay data theft

In early July 2025, IT distributor Ingram Micro confirmed a ransomware attack tied to the SafePay group, after employees reportedly saw ransom notes. The company took systems offline to contain the incident.

The outage hit key tools worldwide, including online ordering and portals used by resellers and partners. When a distributor goes down, lots of smaller businesses don’t have a backup plan.

SafePay also claimed it stole about 3.5 TB of data, and threatened to leak it. Reported stolen data included business and customer information, legal documents, and financial materials.

Ransom payment details were not made public, but the pressure was still obvious: public leak threats plus an outage that analysts estimated at about $136 million per day in lost revenue. For regular businesses, the pain showed up as delayed hardware, delayed projects, and missed delivery windows.

2. DaVita (reported March to April 2025): why dialysis and “always-on” care became prime extortion targets

Public reporting available at publication time did not provide reliable, consistent details confirming a March to April 2025 ransomware incident at DaVita (including attacker attribution, patient counts, or cost figures). That gap matters because it shows another 2025 problem: the story often breaks before facts are stable.

What is clear is the broader pattern: dialysis providers sit under extreme time pressure. Even short disruptions can mean rerouted care, delayed scheduling, and exhausted staff.

For patients, the fear isn’t only “Will treatment happen today?” It’s also “Will my medical and identity data show up in a leak next month?” To some parents, this kind of worry cannot easily be comprehended, but of course, it could lead to fatalities.

3. Sunflower Medical Group (reported January 2025): early-year alarms about stolen identity data

Public details confirming a specific January 2025 ransomware event at Sunflower Medical Group (including an attacker name and a verified ransom amount) were not consistently available in widely accessible reporting at publication time.

Still, smaller medical groups were a repeated theme in 2025 breach reporting across the health sector. Attackers don’t need a giant hospital when a clinic has years of billing, insurance, and patient intake data.

The lasting damage often comes after systems come back, when stolen data is used for account takeovers, tax fraud, or medical identity misuse.

4. DEphoto (UK, 2025): when photo services turn private memories into pressure

Public reporting available at publication time did not provide enough verified information to confirm key facts around a 2025 breach at DEphoto (including attacker identity, the scope of records, and whether ransom was paid).

But 2025 showed why consumer services can be brutally effective targets: personal images and order details are emotional ammunition. A leak isn’t just “data,” it can be wedding photos, baby photos, and family addresses.

That’s why these incidents can feel like digital hostage-taking, even without system encryption. The threat is exposure, embarrassment, and doxxing-style harassment.

5. Sault Ste. Marie Tribe of Chippewa (Michigan, reported January 2025): the unique risk to community services

Public details confirming a January 2025 ransomware event against the Sault Ste. Marie Tribe of Chippewa (including a verified ransom figure and stolen data volume) were not consistently available in widely accessible reporting at publication time.

Even so, tribal governments and smaller public entities remained high-pressure targets in 2025 for a simple reason: many connected services, limited IT staffing, and intense urgency to restore daily operations.

When phones, payment systems, or scheduling tools go down, the impact is immediate. It can hit clinics, benefits offices, and local commerce in the same week.

6. Richmond University Medical Center (2025): hospital disruption fears, even when details are incomplete

Public reporting available at publication time did not provide consistent, verifiable detail for a 2025 cyber incident at Richmond University Medical Center (including an exact affected-person count and confirmed data types exposed).

Hospitals stayed in the crosshairs across 2025 because the stakes are high and the environment is complex. A hospital relies on vendors, connected devices, labs, scheduling systems, and patient portals.

For patients, the “cyber” part becomes real when appointments shift, lab results are delayed, or staff revert to paper. Trust takes longer to restore than servers do.

7. Excelsior Orthopaedics (2025): how specialty clinics fit the medical data black market

Public reporting available at publication time did not provide enough verified, consistent detail confirming a 2025 incident at Excelsior Orthopaedics (including attacker attribution, affected-patient totals, and ransom specifics).

Specialty practices still carry high-value data: insurance details, imaging references, billing histories, and personal identifiers. Criminals like records that can support fraud for years, not days.

Even if care continues, the privacy harm can linger. A stolen medical record can be reused, resold, and mixed with other leaks to strengthen scams.

What made 2025 different: ransoms, pressure tactics, and revenue at scale

Across 2025, many attacks followed the same playbook: steal data, disrupt operations, then threaten exposure to force payment. In the confirmed Ingram Micro case, the leak threat was part of the pressure, not an afterthought.

The word “torture” fits here only as a description of psychological pressure: the stress of deadlines, leak countdowns, and the fear that private data will be published. It’s pressure designed to make leaders act before they can fully assess options.

Three patterns showed up again and again:

Why hospitals and clinics kept getting hit

Healthcare runs on time. A missed appointment can become a missed diagnosis, and that clock makes threats more effective. The uncertainty around several 2025 healthcare incidents, including the reported DaVita and Richmond cases, also shows how fast fear spreads when care is involved.

Clinics also store dense identity data in one place, and they often rely on many third parties. That mix gives attackers multiple paths in.

Why supply chain attacks created global shockwaves

Supply chain targets multiply the impact. Ingram Micro is a clear example: one outage can delay orders for thousands of downstream companies at once.

Attackers like that math because it boosts urgency. Each hour of downtime doesn’t just hurt one firm, it creates a backlog across many.

A simple 2026 defense checklist for people and organizations

No checklist stops every attack, but basic discipline blocks a lot of them.

For organizations

For individuals

If your data was in a breach, change passwords, watch accounts, set fraud alerts, and ask your provider for access logs or a record history if they offer it.

Conclusion

2025 proved cybercrime can disrupt care, trade, and private lives, not just IT systems. The biggest themes were data theft used as pressure, nonstop risk for healthcare, and supply chain outages that spread damage far past the first victim.

The response doesn’t need panic. It needs basics done well: tested backups, MFA everywhere, tighter vendor access, and a plan people can follow under stress. Treat privacy as part of safety, because for patients, workers, and families, that’s what it is.
