Ransomware Attacks Are Evolving—Is Your Organization Resilient Enough to Respond?


At Blackswan Cybersecurity, we’ve seen firsthand how ransomware has transformed—from noisy, opportunistic malware into coordinated, multi-stage attacks that strike fast and cause deep disruption. And while some organizations are getting better at preparing for these threats, the reality is still sobering: ransomware remains one of the most damaging and persistent threats to modern businesses.

Recent industry research confirms what we’ve long known—ransomware isn’t going away. In fact, while the percentage of organizations hit by ransomware dropped slightly from 75% to 69%, a staggering number are still falling victim. And when those attacks hit, the ability to bounce back remains limited. Only 1 in 10 organizations recovered more than 90% of their data, while over half recovered less than 50%.

This isn’t just a technical problem—it’s an operational and reputational one. And as a 24/7 Cyber Fusion Center with deep expertise across verticals, Blackswan Cybersecurity helps our clients close that gap with right-sized, proactive defense strategies that go beyond alerts and automation. We partner with your team to build lasting resilience, ensuring you’re prepared not just to detect and contain threats, but to recover from them—fast.


Exfiltration-Only and Double Extortion Attacks Are on the Rise

One of the most concerning trends we’ve observed in the field is the shift toward data exfiltration-only attacks. Instead of locking down systems, attackers quietly steal sensitive data—patient information, student records, intellectual property—and use it as ransom leverage. In many cases, this is paired with double extortion, where encryption and data leaks are both used to coerce payment.

Making matters worse, attackers are moving faster than ever. The dwell time—how long they remain in your network before striking—has dropped from weeks to just hours. Without round-the-clock detection and response, many organizations don’t even realize they’ve been breached until the ransom note arrives.

Blackswan’s Texas-based, always-on Cyber Fusion Center monitors for these threats in real time. Our advanced multi-signal MDR and Open XDR platform reduces attacker dwell time and accelerates containment—often within minutes, not hours or days.


The Landscape is Shifting: Ransom Payments Are Down, But the Stakes Are Higher

Interestingly, the overall value of ransom payments fell in 2024. Roughly 36% of victims chose not to pay, and among those that did, the majority paid far less than originally demanded. Why? Because organizations are learning that attackers can’t be trusted to keep their word—and are instead investing in robust, independent recovery strategies.

This shift is being reinforced by new legal and regulatory frameworks that discourage ransom payments. At the same time, entities like the International Counter Ransomware Initiative are encouraging organizations to boost their defenses, not their payouts.

At Blackswan, we support that philosophy 100%. Our vCISO and incident response services help clients build robust recovery playbooks, implement immutable backups, and maintain business continuity without ever having to negotiate with criminals.


Recovery Starts with Resilience

Organizations that emphasize proactive data resilience are recovering from ransomware attacks up to 7x faster than their peers. What separates them? A strategic mix of:

  • Frequent and verified backups

  • Immutable backup storage

  • Clear incident response protocols

  • 24/7 threat detection and containment

  • Executive alignment across IT, security, and leadership

Unfortunately, many organizations overestimate their preparedness. While 98% claim to have a ransomware response plan, fewer than half include crucial components like backup frequency or defined chains of command. Confidence plummets after an attack—especially among CIOs, whose perceived readiness often drops by 30%.

That’s where Blackswan comes in. Our vCISO advisory program works hand-in-hand with your team to build cyber resilience from the ground up—establishing baselines, identifying blind spots, and ensuring technical, operational, and strategic alignment before a crisis strikes.


Partner with Blackswan to Build a Stronger, Safer Future

At Blackswan Cybersecurity, we believe prevention, detection, and recovery must be seamlessly integrated. Our Cyber Fusion Center delivers enterprise-grade protection to organizations of all sizes—without the bloat or complexity of traditional vendors.

Ransomware isn’t going away. But with Blackswan at your side, neither is your peace of mind.

→ Ready to build your ransomware resilience?
Schedule a 15-minute discovery call and learn how our 24/7 Cyber Fusion Center and vCISO services can right-size your cybersecurity program.

THREAT ADVISORY: Targeted Extortion of School Districts Following PowerSchool Breach

Executive Summary

Blackswan Cybersecurity is actively monitoring the evolving threat landscape following the PowerSchool breach initially detected in December 2024. Recent developments indicate that the threat actor responsible for the incident is now individually extorting K12 school districts, leveraging data exfiltrated during the original breach. Despite PowerSchool’s efforts—including the payment of a ransom and collaboration with law enforcement—affected school systems continue to face re-victimization. This report outlines the sequence of events, threat actor tactics, implications for the education sector, and critical guidance for prevention and response.

Incident Overview

In December 2024, PowerSchool detected unauthorized access to its PowerSource customer support portal. The breach, traced back to compromised credentials, enabled the attacker to use a remote maintenance tool to exfiltrate sensitive school district data from across the U.S., Canada, and other regions. According to threat actor claims, the data set includes information on over 62 million students and 9.5 million teachers across 6,505 school districts.

PowerSchool later confirmed the breach originated months earlier, in August and September 2024. Despite responding by paying a ransom and receiving a purported deletion video from the attacker, the threat actor has now resumed extortion attempts—this time targeting individual school districts directly.

Current Threat Activity: Targeted Extortion

PowerSchool has issued a statement acknowledging that multiple school district customers are receiving direct extortion threats. The threat actor is demanding separate ransoms under the threat of publishing sensitive student and staff data.

The Toronto District School Board (TDSB)—Canada’s largest school board—is among the entities receiving extortion communications. A letter to parents from TDSB confirmed that the attacker has retained the stolen data despite previous assurances, indicating a betrayal of the ransom agreement originally made with PowerSchool.

Data Compromised

The breached databases contain varying levels of sensitive information depending on the school district. The following categories of data are confirmed to be at risk:

  • Full names of students and staff
  • Physical addresses and phone numbers
  • Passwords and login credentials
  • Parent/guardian contact details
  • Social Security Numbers (SSNs)
  • Medical and health-related information
  • Academic records and grades

This type of data poses substantial identity theft, social engineering, and fraud risks, especially within vulnerable populations like students and minors.

PowerSchool’s Response

PowerSchool has reiterated its regret for the continued victimization of its clients and is collaborating with law enforcement agencies in both the United States and Canada. The company has offered two years of complimentary credit monitoring and identity protection services to affected users.

The firm justified its original ransom payment as a difficult but necessary action to protect the students and communities it serves. However, the incident underscores the inherent risk in trusting ransomware actors to uphold their commitments after payment is rendered.

Implications for the Education Sector

This incident highlights several persistent challenges in the K12 cybersecurity ecosystem:

  • High-Value Targets: Education systems remain lucrative for cybercriminals due to the breadth and sensitivity of personal data they store.
  • Credential Abuse: The initial compromise through stolen credentials reinforces the need for robust identity and access management (IAM) protocols.
  • Inefficacy of Ransom Payments: Paying ransom does not guarantee that data will be deleted or withheld from public release. This case mirrors broader industry trends, such as the Change Healthcare and UnitedHealth incidents, where paid ransoms failed to prevent continued extortion.

Blackswan’s Recommendations

Blackswan Cybersecurity urges school districts, education service providers, and technology vendors to take immediate action:

  1. Zero Trust Architecture

Adopt a zero-trust framework to limit lateral movement and restrict access based on verified identity and device posture.

  2. Credential Hygiene and MFA

Enforce multi-factor authentication (MFA) across all privileged accounts and conduct routine credential audits.

  3. Threat Detection and Response

Implement Managed Detection and Response (MDR) services to monitor and neutralize threats before data can be exfiltrated.

  4. Data Minimization and Segmentation

Reduce unnecessary data retention and apply strict network segmentation to isolate sensitive records.

  5. Incident Response Preparedness

Maintain a tested incident response plan, inclusive of extortion scenarios, communications strategies, and legal considerations.

Blackswan Cybersecurity: Trusted Protection for K12

With over a decade of experience defending educational institutions, Blackswan Cybersecurity remains a frontline partner to schools nationwide. Our 24/7 Cyber Fusion Center, Open XDR platform, and expert vCISO services have helped districts mitigate attacks like this before they escalate. We remain committed to safeguarding the digital trust of students, educators, and their communities.

To schedule a threat briefing or discuss hardening your district’s security posture, contact us at: contact@blackswancybersecurity.com or blackswan-cybersecurity.com.

Why Healthcare Organizations Turn to Blackswan Cybersecurity for 24/7 Protection and Peace of Mind

Cybercriminals are relentlessly targeting healthcare organizations—and they’re not slowing down. In fact, the healthcare sector saw a 60% increase in ransomware attacks in the last year alone, making it the most targeted industry for cybercrime. From large hospital systems to regional clinics and outpatient facilities, no healthcare delivery organization is immune.

The reason? Healthcare organizations are rich with valuable patient data, operate under tight regulatory scrutiny (HIPAA, HITECH, PCI-DSS), and often rely on legacy systems that weren’t built for today’s cyberthreat landscape. Add to that the high-pressure, always-on nature of care delivery, and it’s no surprise that even a short system outage can mean more than just financial damage—it can impact lives.

The Challenge: Complex Threats, Limited Resources

Despite being high-value targets, many healthcare providers operate with limited IT staff, outdated security tools, and growing compliance demands. Managing cybersecurity in this environment can feel overwhelming—especially for teams trying to balance patient care with risk management.

That’s where Blackswan Cybersecurity comes in.

Why Healthcare Chooses Blackswan

With years of experience working alongside hospitals, clinics, and healthcare systems, Blackswan understands the unique needs of healthcare providers. Our approach goes beyond basic protection—we deliver enterprise-grade security that’s scaled, simplified, and affordable for healthcare environments of all sizes.

Here’s how we help:

✅ 24/7/365 Monitoring, Detection, and Response from Our Texas-Based Cyber Fusion Center

Healthcare doesn’t stop, and neither do we. Our U.S.-based team of cybersecurity analysts monitors your environment around the clock—ready to detect and stop threats before they can disrupt patient care or compromise sensitive data.

✅ Multi-Signal MDR + Open XDR: No Alert Fatigue, Just Results

Our managed detection and response (MDR) service combines machine learning, behavioral analytics, and threat intelligence across multiple data streams (network, endpoint, cloud, identity). With Stellar Cyber’s Open XDR platform, we correlate and analyze everything—so you’re not flooded with false positives. You only hear from us when it matters.

✅ Compliance-Ready: Supporting HIPAA, HITECH & More

From logging and reporting to breach detection and incident response, our solutions help healthcare organizations stay aligned with compliance frameworks. We also offer vCISO services to help you build and maintain a strategic security program with clear documentation, policies, and executive support.

✅ Rapid Containment = Operational Resilience

Our mean time to contain threats is under 15 minutes. That means ransomware, phishing attempts, or insider threats are stopped before they become system-wide failures or compliance headaches.

✅ Expert-Led Cyber Strategy with a Human Touch

We don’t just install tools—we act as an extension of your team. From onboarding through incident response, you’ll have direct access to cybersecurity experts who understand your business and communicate in terms that make sense to clinicians and executives alike.


One Partner. One Call. All-Inclusive Protection.

Healthcare providers don’t have the luxury of ignoring cybersecurity. From ensuring uptime of critical systems to protecting the privacy of patients, every second matters. That’s why so many healthcare organizations are turning to Blackswan for help.

Whether you’re a rural clinic with limited IT staff or a growing health system seeking greater visibility and control, Blackswan delivers the protection, expertise, and peace of mind you need—without the enterprise price tag.

Let’s protect your patients, your data, and your mission—together.

📞 Book a 15-minute call today to see how Blackswan Cybersecurity can support your healthcare organization.


GitHub Supply Chain Attack Underscores Growing Threat—How Blackswan Cybersecurity Helps You Stay Ahead

A recent GitHub supply chain compromise sent shockwaves through the developer community, reinforcing the urgent need for stronger cybersecurity hygiene, especially around third-party automation tools. The attack targeted a widely used GitHub Action known as tj-actions/changed-files, which was compromised to leak sensitive credentials from over 23,000 repositories.

The breach, first detected by StepSecurity on March 14, involved an attacker gaining access to a GitHub automation account. By modifying the code within the Action, the attacker exposed developer “secrets” like API tokens, encryption keys, and passwords to public logs—a severe threat to both security and trust across software supply chains.

Although GitHub has since removed and restored the tool after eliminating the malicious code, the incident highlights a fundamental vulnerability in the open-source ecosystem: reliance on unaudited third-party tools. As Varun Sharma of StepSecurity noted, this incident could open the floodgates to a rise in credential-based supply chain attacks.

This is where Blackswan Cybersecurity steps in. With over 30 years of experience and a proven record of protecting both public and private organizations, we specialize in supply chain risk management, threat detection, and continuous monitoring. Our 24/7 Cyber Fusion Center, powered by Managed Detection and Response (MDR), actively monitors for suspicious activity and enables real-time responses to credential misuse and code injection threats.

From public education and municipalities to automotive, legal, and other SMBs that are targeted because of limited internal security teams, our right-sized, cost-effective solutions offer enterprise-grade protection without the complexity. Maintaining secure software development pipelines is crucial to operational continuity and customer trust.

Key Takeaways:

  • Always vet third-party Actions or Packages before integrating them into your workflow.
  • Regularly rotate and audit exposed credentials.
  • Implement real-time monitoring and automated detection systems.
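One concrete way to act on the first and third takeaways is to audit your workflow files for third-party Actions that are referenced by a mutable tag or branch rather than a full commit SHA. A tag such as `v45` can be moved to point at different code after you adopted it, whereas a 40-character commit SHA cannot, which is why GitHub's own hardening guidance recommends SHA pinning. The script below is an added example written for this post, not code from Blackswan or from the projects mentioned; the workflow text, the version tags and the commit SHA it contains are constructed placeholders, and the `parse_action_refs` / `audit_workflow` function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample workflow (not taken from any real repository). It mixes the
# reference styles an auditor will meet: mutable tags, a full commit SHA, a local
# action, and a Docker image referenced by tag. Versions and the SHA are made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - run: npm test
"""

# A 'uses:' step line; the captured group stops at whitespace or a YAML comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Only a full 40-hex commit SHA counts as an immutable pin for a repository action.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class ActionRef:
    line: int
    action: str
    ref: Optional[str]
    kind: str  # "sha", "mutable", "local", "docker-digest", "docker-tag"


def parse_action_refs(text: str) -> list:
    """Extract every 'uses:' reference from a workflow file and classify its pin."""
    refs = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./"):
            # Local actions live in the same repo; they are reviewed with the code.
            refs.append(ActionRef(n, target, None, "local"))
        elif target.startswith("docker://"):
            # Docker images are immutable only when referenced by digest.
            kind = "docker-digest" if "@sha256:" in target else "docker-tag"
            refs.append(ActionRef(n, target, None, kind))
        else:
            action, _, ref = target.partition("@")
            kind = "sha" if FULL_SHA_RE.match(ref) else "mutable"
            refs.append(ActionRef(n, action, ref or None, kind))
    return refs


def audit_workflow(text: str) -> list:
    """Return one human-readable finding per reference that is not immutably pinned."""
    findings = []
    for r in parse_action_refs(text):
        if r.kind == "mutable":
            findings.append(
                f"line {r.line}: {r.action}@{r.ref} uses a mutable ref; "
                f"pin to a full commit SHA and keep the tag in a comment"
            )
        elif r.kind == "docker-tag":
            findings.append(
                f"line {r.line}: {r.action} is referenced by tag; "
                f"pin by digest (image@sha256:...)"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Run it against the files under `.github/workflows/` in each repository; anything it reports is a dependency whose code can change underneath you without a commit on your side, which is exactly the property the changed-files incident abused. Pair the audit with the second takeaway: rotate any secret that a mutable-pinned Action had access to, since the log exposure described above happens inside the runner and leaves no trace in your source tree.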

Let Blackswan help you safeguard your software supply chain. Our proactive, AI-enhanced defenses ensure that your repositories, cloud services, and infrastructure stay protected against the next wave of sophisticated attacks.


Identity is the New Front Line — Infographic

Cybercriminals are no longer wasting time breaking through firewalls. Instead, they’re exploiting the weakest point in most environments: identity.

From compromised email credentials to lateral movement in cloud platforms, identity-based attacks are now the go-to tactic—and they’re growing fast.

At Blackswan Cybersecurity, our Endpoint Detection and Response (EDR) solution powered by Huntress is built to stop these attacks before they escalate. We provide real-time detection, rapid containment, and deep visibility into suspicious behavior—because identity is no longer just a user account. It’s your new attack surface.

Over 600 IT security professionals were surveyed to learn how identity threats are impacting their organizations, what defenses they’re deploying, and what they’re planning next.

Download the infographic to see the trends, insights, and strategies shaping the future of identity protection.