Paragon Refuses to Cooperate With Italian Authorities in Spyware Probe, Report Alleges

New allegations suggest that Paragon Solutions, the Israeli-American surveillance technology firm, is stonewalling Italian prosecutors investigating a massive spyware scandal. According to a report from Wired Italy, the company has failed to respond to a formal request for information sent via the Israeli government—more than a year after the investigation began. This development marks a significant turn in the ongoing Paragon spyware scandal, which has shaken Italy’s political and journalistic communities.

Last year, both WhatsApp and Apple alerted several Italian citizens—including journalists and activists—that they had been targeted with government-grade spyware. WhatsApp specifically identified Paragon as the supplier of the “Graphite” spyware used in a global hacking campaign that affected roughly 90 individuals. The notifications triggered a wave of criminal complaints and a formal investigation by Italian prosecutors.

The Alleged Refusal to Cooperate in the Italian Spyware Investigation

Building on the initial scandal, the latest twist involves Paragon’s apparent unwillingness to assist authorities. Wired Italy reports that prosecutors in Rome and Naples jointly sent a formal request for information to Paragon through diplomatic channels. However, the company has not replied. This silence contradicts earlier public statements from Paragon, in which the firm claimed it had offered to help investigate the hacking of a journalist—an offer it says the Italian government rejected.

As a result, Paragon even canceled its contracts with Italy’s two main intelligence agencies, AISE and AISI. The company argued that the Italian government turned down its proposal to probe whether a journalist was actually spied on using Graphite. This public feud between a spyware vendor and a former client is highly unusual in the secretive surveillance industry.

Possible Reasons for Paragon’s Silence

Observers speculate that the Israeli government may have intervened to block Paragon’s cooperation. In 2024, The Guardian reported that Israeli authorities seized documents from NSO Group to prevent the company from complying with legal demands in a lawsuit brought by WhatsApp. Israeli human rights lawyer Eitay Mack told Wired Italy that while the Israeli government has the legal power to force local companies to cooperate with foreign judicial requests, it has never done so. This context raises questions about whether Paragon is acting on its own or under state pressure.

Meanwhile, Spain’s High Court closed its own investigation into NSO spyware targeting Spanish politicians earlier this year, citing a lack of cooperation from Israeli authorities. This pattern suggests a broader reluctance among Israeli surveillance firms to engage with foreign probes.

Paragon’s Attempt to Position Itself as an Ethical Alternative

In the history of government spyware, it is extremely rare for a company to engage in a public dispute with a former customer. Paragon’s aggressive stance appears to be part of a strategic effort to differentiate itself from rivals like NSO Group and Intellexa, which have been mired in numerous scandals worldwide. The company’s now-defunct official website once claimed it provides customers “with ethically based tools, teams, and insights.”

However, the Paragon spyware scandal is its first major public controversy. The firm currently holds an active contract with U.S. Immigration and Customs Enforcement (ICE), which has been using Paragon’s technology to arrest and deport tens of thousands of immigrants. ICE told lawmakers that its law enforcement arm, Homeland Security Investigations (HSI), deploys Paragon’s spyware to counter terrorism and drug trafficking.

Italy’s Government Denies Involvement in Journalist Hacking

Italy’s government, led by Prime Minister Giorgia Meloni, has consistently denied authorizing the hacking of journalists Francesco Cancellato and Ciro Pellegrino, both of whom work for the online news outlet Fanpage. The Citizen Lab, a leading research organization that has investigated spyware abuses for over a decade, confirmed that both journalists were compromised using Graphite. Other victims include activists from Mediterranea Saving Humans, an Italian nonprofit dedicated to rescuing migrants crossing the Mediterranean Sea.

In June of last year, the Italian parliamentary committee overseeing intelligence agencies concluded that the targeting of activists was lawful. However, the committee stated it could not find evidence that Cancellato was targeted, and it did not examine Pellegrino’s case at all. Then, in March, the same prosecutors who requested information from Paragon announced that a forensic analysis of Cancellato’s device confirmed he was hacked, though the results for Pellegrino’s phone were inconclusive.

What Comes Next for the Italian Spyware Probe?

The prosecutors’ investigation remains open. Without Paragon’s cooperation, Italian authorities face significant hurdles in uncovering the full scope of the spyware campaign. This situation underscores the challenges that national governments encounter when trying to hold foreign surveillance companies accountable. For now, the Paragon spyware scandal continues to unfold, leaving journalists, activists, and legal experts watching closely for any signs of progress—or further obstruction.

For more insights into similar cases, read about how spyware targets journalists globally and explore the ethics of government surveillance.

Do you have more information about Paragon Solutions and the spyware scandal in Italy? Contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.

Cookeville Regional Medical Center Discloses Rhysida Ransomware Attack Affecting 337,917 Patients

A major Rhysida ransomware breach has hit Cookeville Regional Medical Center (CRMC) in Tennessee, exposing the personal and medical data of 337,917 individuals. The hospital confirmed the incident this week, sending breach notification letters to affected patients nearly nine months after the attack was first detected.

This healthcare ransomware attack, which occurred in July 2025, ranks among the largest in the United States for that year. The 309-bed facility serves about 250,000 patients annually across 14 counties in the Upper Cumberland region, making the scale of the data compromise particularly concerning for the local community.

How the Rhysida Ransomware Breach Unfolded at CRMC

According to a filing with the Maine Attorney General’s Office, an unauthorized party accessed or acquired files between July 11 and July 14, 2025. The Rhysida ransomware group, a Russia-linked ransomware-as-a-service operation active since May 2023, claimed responsibility on August 2, 2025. The gang demanded a ransom of 10 Bitcoin—worth roughly $1.15 million at the time—and posted sample files on its dark web leak site. It remains unclear whether any ransom was paid.

The hospital began mailing notification letters on April 14, 2026, roughly nine months after the intrusion. This delay, while typical for complex investigations, left patients in a prolonged state of uncertainty about their data security.

Data Exposed in the Attack

The compromised information may include names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial account details, medical record numbers, treatment information, and health insurance data. CRMC is offering 12 months of free identity theft protection through Experian to those affected.

Given the sensitive nature of medical records, this Rhysida ransomware breach poses significant risks for identity theft and medical fraud. Patients are advised to monitor their accounts closely and take advantage of the offered protection services.

The Growing Threat of Rhysida Ransomware in Healthcare

The CRMC incident is not an isolated case. According to Comparitech, which tracks healthcare breaches, this ranks as the eighth-largest US healthcare ransomware breach of 2025 by records compromised. Last year, there were 134 confirmed attacks on US healthcare providers, exposing 11.7 million records in total.

Rhysida alone claimed 91 attacks across all sectors in 2025, with 23 confirmed. The average ransom demand from the group was $1.2 million. Other recent healthcare victims of Rhysida include Florida Lung, Asthma & Sleep Specialists (May 2025, $639,000 demand), MedStar Health in Maryland (September 2025, $3.09 million demand), and Spindletop Center in Texas (September 2025, $1.65 million demand).

These incidents highlight the persistent targeting of the healthcare sector by ransomware groups. For more on Rhysida’s tactics, see our analysis on Rhysida Ransomware Analysis Reveals Vice Society Connection.

Why Breach Notifications Take So Long

Rebecca Moody, head of data research at Comparitech, explained that the lengthy investigation timeline reflects the scale of forensic work required after a hospital ransomware hit. “It can take a considerable amount of time for organizations to investigate what data has been impacted in these breaches,” she said.

“While some organizations avoid using the word ‘ransomware’ and don’t issue any form of data breach notification for months,” Moody added, “this lack of clarity and confirmation can leave those affected open to identity theft and phishing campaigns.” CRMC, however, has been transparent about the nature of the attack, which helps patients understand the risks they face.

Impact on Patient Care and Hospital Operations

Ransomware incidents at US hospitals routinely force extended downtime, canceled appointments, and patient diversions, even when clinical systems remain operational. In CRMC’s case, the hospital stated it has put additional security measures in place since the attack to prevent future incidents.

For patients, the immediate concern is the potential misuse of their data. Social Security numbers and medical records are particularly valuable on the black market, often fetching higher prices than credit card numbers. This means that even if no direct financial loss occurs, victims may face long-term risks such as fraudulent medical claims or identity theft.

Healthcare organizations across the country are increasingly investing in cybersecurity defenses, but as the CRMC case shows, the threat from groups like Rhysida remains potent. For more insights on protecting patient data, read our guide on Healthcare Cybersecurity Best Practices.

In conclusion, the Rhysida ransomware breach at Cookeville Regional Medical Center underscores the urgent need for robust cybersecurity in healthcare. With 337,917 patients affected and sensitive data exposed, this incident serves as a stark reminder of the vulnerabilities in our medical infrastructure. Patients are urged to remain vigilant and take advantage of identity protection services offered by the hospital.

APK Malformation Found in Thousands of Android Malware Samples: A New Evasion Frontier

APK Malformation: How Attackers Are Bypassing Android Security Checks

When it comes to APK malformation, the numbers are staggering. Researchers from Cleafy’s Threat Intelligence and Incident Response team have identified this evasion technique in over 3,000 malicious Android samples. Families like Teabot, TrickMo, Godfather, and SpyNote are all leveraging broken APK structures to slip past static analysis tools.

At its core, APK malformation is a deliberate act: attackers craft non-standard or corrupted Android Package files that still install and run on devices. The trick lies in the Android installer’s leniency. It tolerates inconsistencies that strict parsers cannot, allowing malicious apps to function normally while frustrating reverse engineering efforts.

How APK Malformation Bypasses Static Analysis

An APK is essentially a ZIP archive containing code, resources, and a manifest. Each file sits behind a Local File Header, and a Central Directory acts as a table of contents. Attackers introduce conflicts between these structures. Tools like JADX crash on the inconsistency, but the Android installer quietly proceeds.

Cleafy’s team catalogued several active techniques:

  • Directory-file name collisions that confuse parsers about which entry to load
  • Unsupported compression methods that Android treats as uncompressed, but analysis tools fail on
  • False password protection flags placed inconsistently across headers
  • Mismatched checksums, file sizes, and offset references between header structures
  • AndroidManifest.xml corruption through magic header changes, string pool manipulation, and malicious offset injection

Another method abuses the assets/ directory by storing payloads under filenames with non-ASCII or control characters. This triggers path traversal errors during decompilation, forcing analysts to manually extract and inspect archive contents.
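The header conflicts and naming tricks listed above can be checked for directly, without trusting a strict decompiler to survive the archive. The following script is an added example for this article and is not Cleafy's Malfixer: it reads the central directory with Python's zipfile module, parses each local file header by hand, and reports any field that disagrees between the two (name, method, CRC-32, sizes, encryption flag), any unsupported compression method, and any directory/file collision or non-ASCII entry name. The two-entry sample ZIP and the corrupted method field are constructed here as a test fixture.

```python
import io
import struct
import zipfile

# Fixed 30-byte part of a ZIP local file header: signature, version, flags, method,
# mod time, mod date, CRC-32, compressed size, uncompressed size, name len, extra len
LFH_FMT = "<4sHHHHHIIIHH"
LFH_LEN = struct.calcsize(LFH_FMT)
ALLOWED_METHODS = {0, 8}  # stored / deflate: what strict parsers expect


def find_apk_anomalies(apk: bytes) -> list:
    """Cross-check every central-directory record against the local file header
    it points at; return human-readable findings (empty list = consistent)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:  # parses only the central directory
        infos = zf.infolist()
    names = [i.filename for i in infos]
    for info in infos:
        off = info.header_offset
        hdr = apk[off:off + LFH_LEN]
        if len(hdr) < LFH_LEN or hdr[:4] != b"PK\x03\x04":
            findings.append(f"{info.filename}: offset {off} is not a local file header")
            continue
        _, _, lflags, lmethod, _, _, lcrc, lcsize, lusize, nlen, _ = struct.unpack(LFH_FMT, hdr)
        lname = apk[off + LFH_LEN:off + LFH_LEN + nlen]
        # zipfile decodes names as UTF-8 only when flag bit 11 is set, else as cp437
        cname = info.filename.encode("utf-8" if info.flag_bits & 0x800 else "cp437")
        checks = [("file name", lname, cname),
                  ("compression method", lmethod, info.compress_type),
                  ("CRC-32", lcrc, info.CRC),
                  ("compressed size", lcsize, info.compress_size),
                  ("uncompressed size", lusize, info.file_size),
                  ("encryption flag", lflags & 1, info.flag_bits & 1)]
        for label, local, central in checks:
            if local != central:
                findings.append(f"{info.filename}: {label} differs between local header "
                                f"({local!r}) and central directory ({central!r})")
        for where, method in (("local header", lmethod), ("central directory", info.compress_type)):
            if method not in ALLOWED_METHODS:
                findings.append(f"{info.filename}: unsupported compression method {method} in {where}")
    for n in names:  # name-level tricks: directory/file collisions and odd characters
        if not n.endswith("/") and any(o.startswith(n + "/") for o in names):
            findings.append(f"{n}: used both as a file and as a directory")
        if any(not 0x20 <= ord(c) <= 0x7E for c in n):
            findings.append(f"{n!r}: non-ASCII or control character in entry name")
    return findings


def build_sample_apk(malformed: bool = False) -> bytes:
    """Constructed two-entry ZIP standing in for an APK; with malformed=True the first
    local header's method field is changed while the central directory still says deflate."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='x'/>" * 8)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"A" * 64)
    data = bytearray(buf.getvalue())
    if malformed:
        struct.pack_into("<H", data, 8, 0x63)  # method field sits at LFH offset 8
    return bytes(data)
```

Running `find_apk_anomalies` on a real sample only needs the file's bytes; a non-empty result is a signal to route the APK through a repair step before static analysis rather than assuming the decompiler crash was a tooling fault.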

Defenders Push Back With Open-Source Tooling

In response, Cleafy released Malfixer, a Python utility that detects and repairs malformed APKs. It rebuilds them into a form conventional reverse engineering tools can parse. The project, published on GitHub, was developed after analyzing more than 70 malformed samples from the TrickMo, Teabot, Godfather, and SpyNote families.

This release reflects a wider arms race. Cleafy noted that earlier incidents failed to classify samples later linked to TrickMo precisely because malformation techniques prevented standard static analysis. “As defenders, we must evolve our tools and techniques to counter these evasive tactics,” the researchers wrote, urging the community to contribute new samples and methods.

Practical Implications for Android Security

For security teams, this means that static analysis alone is no longer sufficient. Combining it with dynamic analysis and behavior monitoring is essential. Organizations should also consider integrating tools like Malfixer into their malware analysis pipelines to catch malformed APKs early.

As malware authors refine their techniques, defenders must keep pace. The battle over APK malformation is just one front in a larger war for mobile security. Staying informed and updating toolkits is critical.

For more on Android malware evasion, check out our guide on Android Malware Evasion Techniques and learn about Static Analysis Limitations.

Sri Lanka Faces New Financial Scandal: Another Missing Payment Surfaces After $2.5 Million Hack

Sri Lanka is grappling with yet another financial security breach. Just days after hackers siphoned $2.5 million from the country’s finance ministry, authorities have disclosed a second missing payment. This time, approximately $625,000 (around 199.7 million Sri Lankan rupees) intended for the U.S. Postal Service has vanished. The revelation came after American officials alerted Colombo that the funds never arrived.

The Unfolding Sri Lanka Missing Payment Hack Saga

Local media reports confirm that Sri Lankan authorities detected the irregularity following a separate attempt to divert a payment meant for India. This pattern suggests a coordinated effort targeting the nation’s financial systems. The Sri Lanka missing payment hack appears to be part of a broader scheme, as Australian officials have also flagged irregularities in payments owed to their country. This indicates that the thefts could extend far beyond initial estimates.

How Business Email Compromise Works

These incidents bear the hallmarks of business email compromise (BEC) attacks. In such schemes, cybercriminals infiltrate email inboxes or accounting systems. They then manipulate bank account details and routing numbers during invoice processing. This allows them to redirect legitimate payments to fraudulent accounts. The Sri Lanka missing payment hack follows this exact playbook, with hackers allegedly diverting funds from the country’s postal authority to unauthorized destinations.

Treasury Secretary Harshana Suriyapperuma confirmed at a press conference that the stolen $2.5 million payment was redirected “to other bank accounts, instead of the intended recipient.” He did not provide further details on the investigation.

The Scale of Business Email Compromise Threats

BEC scams remain a top source of profit for cybercriminals globally. According to recent FBI data, these attacks resulted in billions of dollars in losses last year alone. A single breach can yield vast sums, making them highly attractive to hackers. The Sri Lanka missing payment hack underscores how vulnerable even government institutions are to such threats.

This means that organizations must adopt stronger verification protocols. Multi-factor authentication and manual confirmation of payment details can help prevent these attacks. However, as the Sri Lanka case shows, gaps in security can still be exploited.

Political and Economic Fallout

News of these successive security lapses has placed immense pressure on the Sri Lankan government. The nation is still recovering from a severe economic crisis that led to a debt default in 2022. That crisis sparked months of protests, ultimately forcing then-President Gotabaya Rajapaksa to resign. Now, the Sri Lanka missing payment hack raises fresh questions about governance and financial oversight.

Member of Parliament Nalinda Jayatissa stated that the government is investigating whether the two thefts are connected. Currently, it remains unclear if the same group is responsible. However, the timing and methodology suggest a coordinated campaign.

Broader Implications for Sri Lanka

Building on these developments, the country’s financial stability faces new tests. International partners may now demand stricter controls before processing payments. For more on how cyber attacks impact developing economies, read our guide on cyber risks in emerging economies. Additionally, businesses can learn from this case by reviewing BEC prevention strategies.

As a result, Sri Lanka must act swiftly to restore confidence. The government has launched a full investigation, but the damage to its reputation may take years to repair.

What This Means for Global Cybersecurity

This incident serves as a stark reminder that no institution is immune. Governments, corporations, and individuals must remain vigilant. The Sri Lanka missing payment hack demonstrates how a single breach can trigger a cascade of financial and political consequences.

To stay protected, experts recommend regular security audits, employee training, and advanced threat detection systems. For further reading, check out our analysis on lessons from government cyber attacks. Ultimately, proactive measures are the best defense against these evolving threats.
