This week brought a stark reminder that ransomware doesn’t just hit data centers, but it also hits the supply chains that keep people alive, the platforms students rely on to graduate, and the remote access points most of us use to work. From Canvas to West Pharmaceutical Services, from Patch Tuesday’s 120 monthly updates to Scattered Spider’s targeting of remote workers, the threat landscape moved faster and struck harder than usual. Here’s what happened, why it matters, and what you need to do about it.
1. Ransomware Is Shutting Down Medicine
West Pharmaceutical Services, one of the world’s largest makers of drug delivery systems (syringes, vials, inhalers, auto-injectors), was hit by a ransomware attack that shut down manufacturing and shipping. This isn’t a data breach affecting passwords or credit cards. This is an attack on the physical supply chain that keeps people alive. Patients waiting for insulin. Hospitals running low on vaccine supplies. Emergency care disrupted because the tools to deliver it aren’t available.
BET-R Actions: If you operate in healthcare, manufacturing, or any supply-chain-critical industry, ransomware is now an existential threat, not just an operational headache. Start with network segmentation and access controls. Your most critical systems should be isolated from general company networks. Implement real incident response planning: not a binder on a shelf, but a tested process that includes backup restoration procedures, communication protocols, and decision trees for when attackers come knocking. Most importantly, get your patch management program in place immediately. West Pharma likely had patch windows, system dependencies, and unpatched vulnerabilities that attackers exploited to gain entry.
2. Patch Tuesday: 120 Vulnerabilities in One Day
On May 13, Microsoft released patches for 120 vulnerabilities, with 17 of them classified as Critical. The dangerous ones? Flaws in Microsoft Office and Word that activate when you *open* an email attachment. A Windows DNS flaw that lets a rogue server hijack your machine remotely. A SharePoint vulnerability allowing attackers to run code on your servers without ever entering your building. And that was just Microsoft. Adobe, Apple, Cisco, Fortinet, SAP, Ivanti, and Palo Alto Networks all released critical patches the same day. Palo Alto is still warning about an active zero-day with no patch available yet.
BET-R Actions: For most small businesses, patches don’t get applied for weeks—if ever. That’s the window attackers exploit. Start documenting your patch schedule: which systems get patched when, and how you’ll prioritize Critical vulnerabilities. Set a 48-hour window for Critical patches on systems exposed to the internet. For internal systems, work within your change management process, but don’t let bureaucracy become an excuse for delay. If you don’t have a change management process, that’s your next conversation. Also: audit who’s using Microsoft Office, Excel, and Word. If your team is opening email attachments from unknown senders, that’s a training moment.
3. Scattered Spider Is Hunting Your Remote Access Credentials
A new ransomware gang called Scattered Spider is targeting small businesses and self-employed people, not enterprise data centers. They’re hunting remote access credentials. Once inside, they lock everything: files, clients’ data, your ability to work. Then they ask for money. The FBI issued a warning because it’s happening now.
BET-R Actions: If your team is working remotely, they should be using multi-factor authentication on every remote connection (VPN, RDP, cloud applications). Not “if you can,” but always. Audit who has remote access and why. Are former contractors still on the VPN? Are there shared accounts? Do you know what time last night someone logged in from an IP address outside the country? Set up alerts for unusual login patterns. And test your incident response plan with a tabletop exercise: “What do we do if someone calls at 2am saying the network is locked up and attackers are asking for $500K?”
4. Canvas Ransomware Canceled Finals
Canvas, the online learning platform used by universities and K-12 schools across the country, was hit by a ransomware attack mid-week. The University of Illinois postponed all final exams. Schools nationwide scrambled. The attackers didn’t care that it was finals week, and instead they probably knew exactly when to hit for maximum pressure.
BET-R Actions: If your business relies on third-party platforms (and which doesn’t?), you’re now dependent on *their* security posture. Start asking vendors: How do you test your backup restoration? What’s your incident response time? Do you have cyber insurance? Have you been audited? This doesn’t mean switching platforms—it means understanding your risk and having a contingency plan. If Canvas or your email provider or your payment processor goes down, what happens to your business? That’s the conversation worth having now, not during the breach.
5. Mythos AI Alarmed the White House
Anthropic released a new AI model called Mythos that raised serious national security concerns, and we’re serious enough that VP JD Vance was alarmed. The government is now scrambling to regulate AI capabilities. This isn’t science fiction. This is this week.
BET-R Actions: If your team is using AI tools (ChatGPT, Claude, Gemini, etc.), you need a data governance policy. What’s safe to share? What’s confidential? What would happen if a prompt you sent today ended up in someone else’s training data? Start there. Then ask your vendors: How do you handle user data in your AI models? Do you have opt-out provisions? This isn’t paranoia; it’s basic security hygiene for the AI era.
Recent Incidents This Week
The following organizations and systems were impacted by security incidents this week:
- Canvas LMS– Ransomware attack disrupted online learning platforms at universities and K-12 schools nationwide. The University of Illinois postponed final exams. The platform was restored, but the incident raised questions about vendor resilience and backup restoration protocols.
What this means for you: Third-party platform outages aren’t theoretical. They happen. Have a contingency plan and test it. - West Pharmaceutical Services- Ransomware attack shut down manufacturing and shipping of critical drug delivery systems (syringes, vials, inhalers). Supply chain disruption affected healthcare providers and patients relying on those supplies.
What this means for you: If you operate in healthcare, manufacturing, or supply chain, ransomware is now an existential threat. Your security directly impacts whether hospitals can deliver care. - NVIDIA GeForce NOW– Breach exposed personal information of GeForce NOW users after unauthorized access to internal databases. Data exposure included user account information and usage patterns.
What this means for you: If you use cloud gaming or streaming platforms, assume your personal data has been exposed. Use unique passwords and monitor your accounts for unauthorized activity. - Patch Tuesday (May 13)– Microsoft released 120 patches (17 Critical), including remote code execution flaws in Office, Word, Excel, and SharePoint. Adobe, Apple, Cisco, Fortinet, SAP, Ivanti, and Palo Alto Networks also released critical patches. Palo Alto warned of an active zero-day in PAN-OS with no patch available yet.
What this means for you: The window between patch release and patch deployment is the window attackers exploit. Don’t let yours be measured in weeks. - Scattered Spider Ransomware– FBI warning issued for a new ransomware gang actively targeting small businesses and remote workers. The gang hunts remote access credentials and deploys ransomware to lock down operations.
What this means for you: Multi-factor authentication on every remote connection isn’t optional anymore. Deploy this now, everywhere.
How Individuals and Small Businesses Can Respond
Here’s what you can do this week to strengthen your security posture:
- Patch management: Set a 48-hour window for Critical patches on internet-facing systems. Document your patch schedule and stick to it. Don’t let “we’ll get to it eventually” become “attackers got to it first.”
- Multi-factor authentication everywhere: Your email, VPN, cloud applications, backup systems; if it holds business data, it needs MFA. No exceptions. No “we’ll do it next quarter.”
- Remote access audit: Document who has remote access, when they use it, and from where. Set up alerts for unusual login patterns (new countries, odd hours, multiple failed attempts). Test your response plan.
- Backup restoration testing: Can you actually restore from your backups? When was the last time you tested it? Not just “we have backups,” but “we tested restoration in the last 30 days.” Ransomware gangs know if your backups are tested or fake.
- Third-party risk assessment: Ask your vendors about their security posture, backup procedures, and incident response capabilities. Have a contingency plan for when (not if) they go down.
- Incident response planning: Create a real plan: Who do you call? What’s the decision-making process for ransom payment? How do you communicate with customers? Who contacts law enforcement? Write it down. Test it. Update it quarterly.
- Ransomware-specific preparation: Know the difference between encrypted files and locked systems. Have offline backups. Have a communication strategy for when your systems go down. Know which vendor or consultant you’d call at 2am.
Citations:
West Pharmaceutical Services Ransomware Attack
Microsoft Patch Tuesday May 13 – 120 Vulnerabilities