Episodes

  • Cyber Claims Doubled, Sheriff's Office Wiped, Texas School District Offline
    Mar 31 2026

    A ransomware attack walked in through one email, sat silent for two days, then destroyed every computer in an Indiana sheriff's office — and the FBI is still investigating. That's just one of three cybersecurity stories that every business owner needs to hear this week. On this episode of Security Squawk, Bryan Hornung, Randy Bryan, and Reginald Andre cover:

    CHUBB'S 2026 CYBER CLAIMS REPORT — The average cyber insurance claim for large businesses nearly DOUBLED in one year, jumping from $2.2 million to $4.4 million. That's a 586% increase since 2021. And with premiums projected to rise 15-20% in 2026, the cyber insurance market is about to get expensive — even for small and mid-size businesses.

    ALAMO HEIGHTS ISD CYBERATTACK — A San Antonio-area school district serving 5,400 students went completely offline. Wi-Fi down. Gmail down. Third-party forensic investigators brought in. 27 Texas school districts hit in two years — and $55 million in state grants existed to prevent this. Only one-third applied.

    JACKSON COUNTY SHERIFF'S OFFICE RANSOMWARE ATTACK — A dormant ransomware payload entered through a phishing email, waited 48 hours, then activated and spread across every connected system. "Anything that it touched, it corrupted so bad, it won't be able to be used again." The sex offender registry may be permanently lost.

    Support the show: buymeacoffee.com/securitysquawk

    45 m
  • 4.8M Cybersecurity Jobs Unfilled + 31% of Businesses w/ Backups Still Lost Their Data. Are You Next?
    Mar 24 2026

    31% of businesses that had backup solutions still failed to restore their data during a ransomware attack, according to At-Bay's analysis of 186 real insurance claims. And if you think your business is safe because someone "set up backups," you need to watch this.

    Meanwhile, there are 4.8 million unfilled cybersecurity jobs globally right now, and 61% of midsize businesses have zero dedicated security staff on payroll. Bryan Hornung and Reginald Andre break down exactly how bad the staffing gap has gotten (ISC2's 2025 Cybersecurity Workforce Study shows the pipeline shrank from 31% growth in 2022 to just 12% in 2024), why your IT person is being set up to fail, and how much a single mid-level security analyst actually costs vs. what an MSSP can deliver at the same price.

    Then they go straight at the backup crisis: the 25-point confidence gap between what IT teams believe about recovery and what At-Bay, Sophos, and Spiceworks data actually show. Ransomware attackers are targeting your backup repositories first, before they trigger the main attack. The average business is down 24 days after a ransomware hit, with average recovery costs of $1.53 million. For a business under 500 employees, that can be existential.

    This episode is for every business owner who has ever said "we have backups" or "IT handles security" and hasn't verified either of those statements.

    Support the show: buymeacoffee.com/securitysquawk

    47 m
  • DigitalMint Negotiator Was the Attacker | Stryker Wiper | OT Crisis
    Mar 17 2026

    A ransomware negotiator at DigitalMint secretly ran the attacks he was being paid to stop, and then negotiated ransoms on behalf of the companies he'd just hit. This week on Security Squawk, we break down $75 million in extorted ransoms, an Iranian hacker group that destroyed 80,000 Stryker devices in three hours without using any malware, and a new Ponemon Institute survey showing 77% of industrial companies got breached in the past year.

    DigitalMint: Angelo Martino, a ransomware negotiator at Chicago-based cybersecurity firm DigitalMint, has been charged with running at least 10 ransomware attacks using the BlackCat/ALPHV gang while simultaneously negotiating ransoms for his own victims. Five companies he attacked then hired DigitalMint and were assigned Martino as their negotiator. Ransoms totaled $75.25 million. Two co-conspirators, including another DigitalMint negotiator and an employee at rival firm Sygnia, already pleaded guilty in December.

    Stryker: On March 11, the Iran-linked hacktivist group Handala wiped approximately 80,000 employee devices at medical device giant Stryker using Microsoft Intune, the same device management tool your IT team uses every day. No malware. No ransomware. Just a compromised admin account and a "remote wipe" command.

    OT Security Survey: A new Ponemon Institute survey commissioned by Siemens Energy found 77% of organizations running operational technology (factories, pipelines, utilities, industrial control systems) were breached in the last 12 months. 41% of attacks go completely undetected. Recovery takes seven months on average.

    Support the show: buymeacoffee.com/securitysquawk

    47 m
  • Cognizant TriZetto 3.4M Patient Breach, AkzoNobel Ransomware & AI Hacked Mexico's Government
    Mar 10 2026

    A hacker used an AI chatbot to break into 10 government agencies and steal records on 195 million people — without writing a single line of code. Meanwhile, Cognizant's TriZetto healthcare billing platform sat silently compromised for over a year while 3.4 million patients' data walked out the door. This week on Security Squawk, Bryan Hornung, Randy Bryan, and Reginald Andre break down four stories that will change how you think about cybersecurity risk in 2026.

    COGNIZANT TRIZETTO + UMMC
    TriZetto Provider Solutions — a Cognizant company that processes medical billing for thousands of doctors and hospitals — was breached in November 2024. The company didn't discover it until November 2025. One full year. In that time, 3,433,965 patients had their Social Security numbers, Medicare IDs, birth dates, and health insurance details exposed. And in parallel: UMMC was hit by ransomware in February 2026 — shutting down all 35 of its statewide clinics for nine days, canceling surgeries, and sending doctors back to pen and paper.

    AKZONOBEL
    AkzoNobel — the $12 billion paint giant behind Dulux — confirmed that the Anubis ransomware gang stole 170GB of data from one of its U.S. sites. Passport scans, private emails, confidential client agreements. They called it "contained." The data is already public.

    AI AND THE MEXICO GOVERNMENT HACK
    Fewer than five people used Claude Code AI to breach 10 Mexican government agencies. 150 GB stolen. 195 million identities exposed. The AI initially said no. The attacker talked it into cooperating anyway. The cost of entry for a sophisticated cyberattack just became the price of an AI subscription.

    [00:00] Intro
    [02:30] Cognizant TriZetto: 3.4M Patients, 1 Year of Silence
    [11:00] UMMC: 9-Day Clinic Shutdown Update
    [15:30] AkzoNobel: "Contained" Means Nothing When the Data Is Already Gone
    [21:00] Claude Code and the Mexico Hack: AI Just Became a Weapon Anyone Can Afford
    [27:00] Wrap-Up

    Support the show: buymeacoffee.com/securitysquawk

    42 m
  • Vendor Failures, Ransomware Leverage, and Legacy Data Risk
    Mar 3 2026

    This week's Security Squawk episode isn't about phishing. It's about structural weakness. Three separate incidents. Three different industries. One uncomfortable pattern: the systems organizations trust most are expanding risk quietly — and in some cases, architecturally.

    First, a lawsuit that should make every board member pay attention. Marquis Software Solutions, a fintech serving 74 U.S. banks, is suing SonicWall. The allegation centers on SonicWall's cloud backup system, where firewall configuration backups were allegedly accessible and contained credentials — including MFA scratch codes. Those backups were reportedly used to compromise Marquis, leading to a ransomware incident and downstream exposure. What began as a scoped 5% customer exposure was later reported as potentially impacting all customers. This is not a misconfigured endpoint. This is a control-plane failure.

    For CEOs, this reframes vendor risk. It's no longer a questionnaire exercise. It's a litigation vector. If a security provider's design exposes authentication artifacts, your internal diligence may not matter. The liability chain now includes vendors and MSPs in a very direct way.

    For IT Directors, the operational question is simple: what exactly is inside your firewall backups? Are reusable authentication artifacts stored? Who can access vendor-hosted exports? If attackers obtain your configuration backups, can they replay your defenses?

    For MSPs, the exposure is real. If you manage firewall exports or MFA deployments, you are part of the architecture. And potentially part of the courtroom.

    Then we shift to UFP Technologies, a medical device manufacturer. Intrusion detected. Billing and shipping label systems disrupted. Data stolen or destroyed. Insurance expected to offset financial impact. But this isn't primarily a data story. Attackers disrupted order-to-cash and fulfillment velocity. In healthcare supply chains, slowing billing and labeling can create immediate executive escalation without touching the factory floor. Modern ransomware groups increasingly target business process choke points — ERP, labeling, scheduling — because leverage doesn't require full encryption anymore.

    For CEOs, “no material impact expected” is accounting language. Customers measure impact in delayed shipments. For IT leaders, the question becomes operational: can billing, labeling, and fulfillment functions recover independently? Are those systems segmented? Tested? Immutable? For risk managers and insurers, this represents a shift in underwriting focus — from endpoints to process resilience.

    Finally, the University of Hawaiʻi Cancer Center ransomware incident. Roughly 87,000 study participants were directly impacted. But historical datasets, including Social Security numbers collected from driver's license and voter registration data dating back to 1998, expanded potential exposure to nearly 1.2 million individuals. They engaged the threat actors. They received a decryptor. They received “assurances” that data was destroyed. That's not verification. That's negotiation.

    The uncomfortable truth: legacy identity data becomes modern ransom currency. Research environments often have weaker governance than clinical systems, yet they can contain decades of sensitive identifiers. For boards, the issue isn't just security posture. It's data retention discipline. What obsolete identity data are you still holding? Why? For how long? And who owns the risk?

    Across these stories, three themes emerge: Control-plane trust is fragile. Operational choke points are the new leverage strategy. Data retention is compounded liability. Cybersecurity is no longer just about stopping intrusion. It's about architectural accountability and governance maturity.

    If you value independent, executive-level analysis without vendor spin, support the show at: buymeacoffee.com/securitysquawk

    The real question is this: Are your greatest cyber risks coming from external attackers — or from design decisions you haven't revisited in years?

    31 m
  • Hospital Shutdown, Ransomware Surge, Fortinet Failures
    Feb 24 2026

    A hospital doesn't cancel chemotherapy appointments because of a “technical issue.” They cancel them because they've lost operational control. This week, the University of Mississippi Medical Center shut down its entire network after a ransomware attack disrupted systems — including Epic. Clinics closed. Elective procedures paused. Outpatient services halted. Emergency operations activated. Leadership described the shutdown as precautionary.

    But here's the real question executives should be asking: Why was a full network shutdown necessary? If segmentation is validated… If identity governance is enforced… If lateral movement detection is operationalized… Why does the only safe option become “turn it all off”?

    In this episode of Security Squawk, we break down what this incident signals about containment confidence, governance maturity, and operational resilience — not just in healthcare, but across every industry that depends on uptime.

    And we zoom out. Because UMMC isn't happening in isolation. According to TechRadar, ransomware groups have reached an all-time high in 2025. The victim growth rate has doubled. Qilin and other affiliate-driven operators are scaling aggressively. This isn't random chaos. It's industrialization. More fragmentation. More specialization. More execution discipline on the criminal side. Healthcare, public sector, and critical infrastructure are being economically targeted because downtime equals leverage. When systems go dark, negotiation pressure spikes.

    Then we connect it to something many leaders are still underestimating: Fortinet exploitation patterns. Edge vulnerabilities. VPN credential harvesting. Reinfection cycles months after patches were released. The vulnerability itself isn't the story. The response maturity is.

    Attackers are repeatedly probing whether organizations:
    – Patch fast enough
    – Rotate exposed credentials
    – Reset trust boundaries after compromise
    – Validate segmentation integrity
    – Rebuild identity confidence

    When those governance steps are skipped, attackers come back. That's not a tooling failure. That's a leadership failure. This episode translates three headlines into one hard truth: Ransomware is no longer just a malware problem. It's a containment confidence problem.

    For CEOs: If you cannot isolate an intrusion without shutting down revenue operations, your resilience model is fragile.
    For IT Directors: Active Directory recovery is not a restore-from-backup event. It's a trust re-establishment event.
    For MSPs: Client environments are operating in a denser criminal ecosystem. Tool stacking without maturity validation will not scale.
    For Risk Leaders: Financial exposure is no longer limited to ransom. Revenue interruption, regulatory scrutiny, and reputational damage compound quickly — especially in healthcare.

    We also discuss:
    • Why attacker communication often signals a second phase
    • Why affiliate ransomware models are accelerating
    • Why segmentation validation will become a board-level metric
    • Why detection speed does not equal governance strength

    Security Squawk exists to translate cybersecurity chaos into business reality — without vendor spin and without hype. If you value that kind of analysis and want to support independent, executive-focused cybersecurity conversations, you can back the show at: buymeacoffee.com/securitysquawk Your support helps us keep this live, timely, and unfiltered.

    Because criminals are already running maturity audits. And they invoice in operational shutdown. The question is simple: If it happened to you tomorrow, could you contain it — or would you turn the lights off?

    42 m
  • From FanDuel Fraud to Google AI Abuse: The Real Risk in 2026
    Feb 17 2026

    Google has confirmed that state-backed threat actors are operationally using Gemini across the intrusion lifecycle — not experimentally, but strategically. In this episode of Security Squawk, we break down how AI is being integrated into reconnaissance, phishing refinement, vulnerability research, and even dynamic malware generation.

    According to Google's Threat Intelligence Group, multiple clusters — including DPRK-linked actors — are using Gemini to synthesize OSINT, map organizational structures, refine recruiter impersonation campaigns, and research exploit paths. In one case, malware known as HONESTCUE leveraged Gemini's API to dynamically generate C# code for stage-two payload behavior, compile it in memory using legitimate .NET tooling, and execute filelessly. This isn't a zero-day story. It's a friction story.

    At the same time, two individuals in Connecticut were charged for allegedly using thousands of stolen identities to exploit FanDuel's onboarding and promotional systems. No exotic exploit. No advanced intrusion chain. Just automated workflow abuse at scale. The pattern is clear: AI is compressing attacker timelines, and identity-driven fraud is industrializing predictable processes.

    We examine:
    • How AI-enhanced phishing eliminates traditional grammar-based red flags
    • Why trusted SaaS domains (Gemini share links, Discord CDNs, Cloudflare fronting, Supabase backends) are weakening reputation-based defenses
    • What model distillation attempts (100,000+ structured prompts) signal about API abuse and intellectual property risk
    • How fileless malware compiled with legitimate developer tooling challenges signature-based detection
    • Why onboarding workflows and recruiting processes are now primary attack surfaces

    For CEOs, this is about erosion of trust anchors and shifting insurability expectations. For IT Directors and SOC leaders, this means reevaluating fileless execution visibility, API anomaly detection, and the reliability of reputation filtering models. For MSPs and risk managers, breaches will increasingly originate from workflow exploitation rather than perimeter misconfiguration.

    AI didn't invent new attack types. It removed friction from existing ones. And when friction disappears, scale compounds. If your recruiting, onboarding, verification, or AI product interfaces can be scripted — they can be weaponized. This episode is about operational clarity in a rapidly compressing threat landscape.

    Keywords: Google Gemini, HONESTCUE malware, AI phishing, state-backed threat actors, DPRK cyber operations, model distillation attacks, API abuse detection, fileless malware, .NET in-memory compilation, identity fraud, FanDuel fraud case, workflow exploitation, SaaS infrastructure abuse, Cloudflare phishing, Discord CDN payloads, Supabase backend abuse.

    Support the show: https://buymeacoffee.com/securitysquawk

    36 m
  • SolarWinds, BridgePay, and the Ransomware Shift No One’s Ready For
    Feb 10 2026

    In this episode of Security Squawk, Bryan Hornung, Reginald Andre, and Randy Bryan break down three stories that should change how executives think about cyber risk. This is not about tools, alerts, or vendor promises. It is about operational dependency, leadership accountability, and financial exposure when systems fail.

    Story one focuses on active exploitation of SolarWinds Web Help Desk vulnerabilities being used as an entry point for ransomware staging. Researchers are seeing attackers move fast after initial access, blending in by using legitimate remote management and incident response tools. That is the point. When attackers use normal-looking admin utilities, many organizations do not detect the intrusion until the business impact is already locked in. If you run Web Help Desk or you have not verified your patch posture, this is a governance issue, not an IT debate. Patch timelines and exposure management are leadership decisions because they directly affect business interruption risk.

    Story two is a warning about the ransomware market adapting. As more organizations refuse to pay for data-theft-only extortion, threat actors are expected to pivot back toward encryption. Encryption creates urgency because it disrupts operations. The financial exposure shifts toward downtime, recovery labor, lost revenue, and customer churn. Executives should treat restore capability like a business continuity requirement. If your recovery plan has not been tested under pressure, it is not a plan.

    Story three covers the BridgePay ransomware incident and the downstream impact on merchants and local government services. Even when payment card data is not confirmed compromised, availability failures still create real harm. Customers do not care which vendor was hit. They only see that your business cannot process transactions. This is a clear reminder to revisit vendor criticality, SLAs, outage communications, and contingency processing options.

    Security Squawk is built for business owners, executives, board members, and IT leaders who want the real-world impact without the fear marketing. Subscribe, share, and support the show at https://buymeacoffee.com/securitysquawk

    44 m