#CyberWeekly

January 13, 6:32 AM: AZ Monica hospital in Antwerp disconnected all servers after detecting a cyberattack. The incident forced Belgium's largest private hospital to cancel 70 operations, postpone chemotherapy treatments, and transfer seven critical patients to other facilities with Red Cross assistance.

The impact was immediate and severe:

• 70 planned operations cancelled on day one — zero operations on day two
• 7 critical patients transferred to nearby hospitals via Red Cross
• Ambulances redirected — emergency services in Antwerp stopped transporting patients to AZ Monica
• Electronic patient files inaccessible — staff reverted to paper-based registration
• Radiology, imaging, and chemotherapy all postponed

Ransomware is suspected, though no group has claimed responsibility and no ransom demand has been publicly confirmed. Belgian police and federal cybercrime investigators are on site.

This isn't abstract. AZ Monica is in Antwerp — two campuses, serving hundreds of thousands of Belgians. When a hospital goes dark, people don't get their chemotherapy. Surgeries don't happen. Ambulances drive past. This is what a cyberattack looks like when it hits critical infrastructure close to home.

For every Belgian organization: if a hospital with dedicated IT staff can be taken down, no one is too big — or too small — to be a target. The CyberFundamentals framework exists precisely for this: structured protection before the attack, not scrambling after.

Big week for the platform. We shipped a complete activity tracking system — so you always know what changed, when, and by whom.

• Activity log for controls & tasks — every checklist update, every status change, every remark is recorded. Open any control or task and see its full history.
• Incident log — a dedicated space to track security incidents with a chat-style timeline. Log what happened, add updates as the situation develops, close it when resolved.
• Search in activity — find any change across your entire activity history. Filter by what matters.
• Partner dashboard — partners can now see all their clients at a glance with an improved management view.
• Accessibility improvements — better keyboard navigation, screen reader labels, and focus management across the entire platform.
• Security hardening — added role checks and defense-in-depth to every API route. Your data has an extra layer of protection.

The timing couldn't be better. AZ Monica's attack shows why incident tracking matters. When something goes wrong, you need a clear record of what happened and what you did about it. That's exactly what the incident log gives you — and it's part of your incident response readiness.

January 15: German and Ukrainian police raided homes of BlackBasta ransomware suspects, and Germany named the group's alleged leader. Oleg Nefedov, a 35-year-old Russian national, was placed on both the EU Most Wanted list and INTERPOL's Red Notice.

What we know about Nefedov:

• Founder and leader of BlackBasta — selected targets, recruited members, assigned tasks, negotiated ransoms
• Uses aliases including "Tramp," "Trump," "GG," and "AA"
• Previously arrested in Armenia in June 2024 but somehow "secured his freedom"
• Alleged ties to Russian intelligence agencies (FSB, GRU)
• Believed to be in Russia — exact whereabouts unknown

The numbers are staggering: BlackBasta extorted €20 million from ~100 German companies alone, and hundreds of millions from ~600 victims worldwide between 2022 and 2025.

The raids in Ukraine's Lviv and Ivano-Frankivsk seized digital storage devices and cryptocurrency. But the alleged boss? Still free, likely protected by Russian officials. It's a reminder that even when law enforcement identifies the attackers, geopolitics can keep them out of reach. Prevention remains your best defense.

January 18: The Everest ransomware group dumped data from 72.7 million Under Armour customer accounts on a cybercrime forum. Have I Been Pwned confirmed the breach — making it one of the largest retail data exposures in recent memory.

What was leaked:

• Names, email addresses, dates of birth
• Physical addresses and phone numbers
• Purchase history and loyalty program details
• No passwords or financial data — according to Under Armour

The breach happened back in November 2025. Everest added Under Armour to their leak site with a seven-day ransom deadline. When no payment came, they published everything. Under Armour's response? "Any implication that sensitive personal information of tens of millions of customers has been compromised is unfounded."

Troy Hunt, the creator of Have I Been Pwned, called the lack of official disclosure "unusual, especially given the size of the organisation." A class action lawsuit has already been filed.

The lesson for SMEs: you don't need to be the one breached to be affected. If your employees used Under Armour accounts with their work email, that data is now in criminal hands. It's the same supply chain risk we saw with Ledger last week — except at a much larger scale.