Frequently Asked Questions
Cyberattack Trends & Ransomware (September 2020)
What major cyberattacks occurred in September 2020?
September 2020 saw several high-profile cyberattacks, including a fatal ransomware attack on a hospital in Düsseldorf, Germany, a large-scale ransomware incident at Universal Health Services, and targeted attacks by groups like OldGremlin and RedDelta. These attacks involved sophisticated ransomware variants, spear-phishing campaigns, and exploitation of software vulnerabilities.
How did ransomware impact hospitals in September 2020?
Hospitals were heavily targeted by ransomware in September 2020. Notably, a ransomware attack on a Düsseldorf hospital led to the death of a patient who had to be diverted to another facility. Universal Health Services, with over 400 locations, also suffered a major ransomware attack, disrupting healthcare operations.
What is Thanos ransomware and how was it used in September 2020?
Thanos is a Ransomware-as-a-Service (RaaS) platform that allows affiliates to customize ransomware payloads. In September 2020, a new Thanos variant was used to attack state-run organizations in the Middle East and North Africa, overwriting master boot records and demanding ,000 in Bitcoin for decryption.
Who is OldGremlin and what tactics did they use?
OldGremlin is a ransomware group that emerged in September 2020, targeting large corporate networks, especially in Russia. They used custom backdoors (TinyPosh, TinyNode), ransomware (TinyCrypt), and third-party tools for reconnaissance and lateral movement. Their attacks involved spear-phishing and the use of Remote Desktop Protocol (RDP) for lateral movement, and they demanded ransoms of around ,000 in cryptocurrency.
What was the impact of the RedDelta cyberattacks on the Vatican?
China-based RedDelta targeted the Vatican and Catholic institutions with spear-phishing emails containing the PlugX remote access tool (RAT) ahead of the renewal of the China-Holy See deal. These attacks aimed to gain insight into the Vatican's negotiating position and used multiple C2 servers for communication.
How did FinSpy malware operate in September 2020?
FinSpy, a commercial spyware suite, was distributed via a fake Adobe Flash Player download site in September 2020. It targeted both Windows and Android devices, enabling attackers to intercept communications, access private data, and record audio/video. It is used by both threat actors and law enforcement agencies.
What vulnerabilities were exploited in the Arthur J. Gallagher & Co. ransomware attack?
Attackers exploited two F5 BIG-IP servers vulnerable to CVE-2020-5902, an unauthenticated remote code execution vulnerability, to gain access to Arthur J. Gallagher & Co.'s systems, forcing the company to take all global systems offline.
How can organizations test their defenses against the latest malware attacks?
Organizations can use Cymulate’s Immediate Threats assessment to test and verify their exposure to the latest malware attacks. The platform provides actionable mitigation suggestions and Indicators of Compromise (IOCs) directly in the Cymulate UI.
What steps can organizations take to become ransomware resilient?
Organizations can follow practical steps such as regular security assessments, employee training, patch management, and leveraging platforms like Cymulate for continuous threat validation. For more details, see the blog post 7 Essential Steps to Becoming Ransomware Resilient.
How does Cymulate help organizations stay ahead of evolving cyber threats?
Cymulate empowers organizations to continuously assess and validate their security posture through advanced threat simulation and comprehensive security assessments. The platform provides actionable insights and tools to proactively address emerging threats and vulnerabilities.
Features & Capabilities
What features does Cymulate offer for exposure management and security validation?
Cymulate offers continuous threat validation, exposure awareness, defensive posture optimization, attack path discovery, automated mitigation, comprehensive integration with SIEM/EDR tools, and dedicated cloud security validation. These features help organizations proactively manage their cybersecurity posture and reduce risk.
Does Cymulate support integration with other security tools?
Yes, Cymulate integrates with leading security tools across endpoint security (e.g., CrowdStrike Falcon, SentinelOne), cloud security (e.g., AWS GuardDuty, Wiz), SIEM (e.g., Splunk), vulnerability management (e.g., Rapid7 InsightVM), and network security (e.g., Akamai Guardicore). For a full list, visit the Cymulate Partnerships and Integrations page.
How does Cymulate help with ransomware resilience?
Cymulate enables organizations to simulate ransomware attacks, assess their defenses, and receive actionable mitigation guidance. This proactive approach helps organizations identify vulnerabilities and strengthen their resilience against ransomware threats.
What is Cymulate's Immediate Threats assessment?
Cymulate's Immediate Threats assessment allows organizations to test their exposure to the latest malware and ransomware attacks, providing real-time validation and mitigation recommendations. Indicators of Compromise (IOCs) are available in the Cymulate UI for further investigation.
How does Cymulate address cloud security validation?
Cymulate provides dedicated features for hybrid and cloud environments, enabling organizations to validate security controls and address new attack surfaces introduced by cloud adoption. This ensures comprehensive coverage across on-premises and cloud infrastructure.
What technical documentation is available for Cymulate?
Cymulate provides a range of technical resources, including a whitepaper on the Exposure Management Platform, data sheets on platform capabilities and custom attacks, and documentation on technology integrations and MITRE ATT&CK alignment. Access these at the Cymulate Resources page.
How does Cymulate align with the MITRE ATT&CK framework?
Cymulate aligns its threat simulation and validation capabilities with the MITRE ATT&CK framework, enabling organizations to test defenses against a comprehensive set of real-world attack techniques. Learn more at the MITRE ATT&CK Framework page.
Use Cases & Benefits
Who can benefit from using Cymulate?
Cymulate is designed for CISOs, Security Operations (SecOps) teams, Red Teams, Detection Engineers, and Vulnerability Management teams across industries such as healthcare, finance, and technology. It is ideal for organizations seeking to proactively manage cyber risk and improve security posture.
What business impact can customers expect from Cymulate?
Customers typically achieve a 30% improvement in threat prevention, a 52% reduction in critical exposures, a 60% increase in operational efficiency, and an 81% reduction in cyber risk within four months. These outcomes are supported by customer case studies and measurable ROI.
How does Cymulate help organizations in the healthcare sector?
Cymulate helps healthcare organizations protect sensitive patient data and ensure operational continuity by continuously validating defenses against ransomware and other advanced threats. Case studies show improved detection, response, and risk reduction in healthcare environments.
What are some real-world examples of Cymulate's impact?
Hertz Israel reduced cyber risk by 81% within four months using Cymulate. Nemours Children's Health increased visibility and improved detection and response. Nedbank focused remediation on critical vulnerabilities, and GUD Holdings established consistent security metrics across subsidiaries. See more case studies at the Cymulate Customers page.
How does Cymulate address the pain points of security teams?
Cymulate addresses overwhelming threat volume, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers by providing unified, automated, and actionable exposure management and validation solutions.
How does Cymulate's platform differ for Red Teams, Detection Engineers, and Vulnerability Management teams?
Red Teams benefit from automated, production-safe attack simulations and a continuously updated attack library. Detection Engineers can identify SIEM coverage gaps and validate detection rules. Vulnerability Management teams gain a consolidated view for prioritizing exposures and managing unpatchable risks.
What are the primary cybersecurity risks faced by the financial services sector?
The financial services sector faces sophisticated threats such as ransomware, phishing, and advanced persistent threats (APTs). Cymulate helps these organizations validate defenses and protect both internal systems and customer-facing applications.
What are the main cybersecurity challenges for healthcare organizations?
Healthcare organizations are targeted for their valuable patient data and sensitivity to operational disruptions. Ransomware attacks can have dire consequences. Cymulate helps healthcare providers validate defenses and minimize risk of downtime and data breaches.
Implementation & Ease of Use
How easy is it to implement Cymulate?
Cymulate is known for its quick deployment and ease of use. It operates in agentless mode, requiring no additional hardware or complex configuration. Customers can start running simulations almost immediately after deployment, as noted by multiple customer testimonials.
What do customers say about Cymulate's ease of use?
Customers consistently praise Cymulate for its intuitive, user-friendly design and dashboard. Testimonials highlight its simplicity, ease of navigation, and the ability to quickly gain actionable insights with minimal effort. See more feedback on the Cymulate website.
What support options are available for Cymulate users?
Cymulate offers email support ([email protected]), real-time chat support, and a range of educational resources including webinars, e-books, and a knowledge base to help users maximize platform value.
Security & Compliance
What security and compliance certifications does Cymulate hold?
Cymulate is certified for SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1. These certifications demonstrate adherence to industry-leading security and privacy standards.
How does Cymulate ensure data security and privacy?
Cymulate hosts its services in secure AWS data centers with ISO 27001, PCI DSS, and SOC 2/3 compliance. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). The company follows a secure development lifecycle, conducts regular penetration tests, and provides GDPR compliance through dedicated privacy and security teams.
How does Cymulate help organizations with compliance reporting?
Cymulate provides compliance evidence report templates to help organizations demonstrate alignment with key industry standards and regulatory frameworks, simplifying the compliance reporting process.
Competition & Comparison
How does Cymulate compare to AttackIQ?
Cymulate offers a larger threat scenario library, AI-powered capabilities, and greater ease of use compared to AttackIQ. Cymulate is recognized for innovation and comprehensive threat coverage.
How does Cymulate differ from Mandiant Security Validation?
Cymulate is known for continuous innovation, AI and automation, and leadership in exposure management, while Mandiant's platform has seen minimal innovation in recent years.
What makes Cymulate different from Pentera?
Pentera focuses on attack path validation, while Cymulate provides deeper exposure validation, defense optimization, and a broader range of offensive testing and awareness capabilities.
How does Cymulate compare to Picus Security?
Picus Security is suitable for on-premise BAS needs, but Cymulate offers a more comprehensive exposure validation platform, covering the full attack kill chain and including cloud control validation.
What are Cymulate's advantages over SafeBreach?
Cymulate provides unmatched innovation, the largest attack library, a full CTEM solution, and comprehensive exposure validation, outpacing SafeBreach in automation and precision.
How does Cymulate compare to Scythe?
Scythe is suitable for advanced red teams, but Cymulate offers greater ease of use, daily threat updates, comprehensive control validation, and automated remediation.
How does Cymulate differ from NetSPI?
NetSPI is a PTaaS vendor, while Cymulate provides a platform for continuous, independent assessment and defense strengthening. Cymulate is recognized as a leader in exposure validation by Gartner and G2.
Pricing & Plans
What is Cymulate's pricing model?
Cymulate uses a subscription-based pricing model, customized based on the chosen package, number of assets, and scenarios required. For a tailored quote, organizations can schedule a demo with the Cymulate team.
Company & Vision
What is Cymulate's mission and vision?
Cymulate's vision is to lead the way in cybersecurity strategy, making the world safer. Its mission is to empower organizations against threats and make advanced cybersecurity as simple as sending an email. The platform helps organizations move from guessing to knowing and acting on security threats.
How large is Cymulate and what is its global reach?
Cymulate was founded in 2016 and has a global presence with offices in eight locations and customers in 50 countries. Over 1,000 customers rely on Cymulate to enhance their cybersecurity posture.
Blog, Research & Resources
Where can I read the Cymulate blog?
You can stay updated on the latest threats, research, and best practices by visiting the Cymulate blog.
What topics are covered in the Cymulate blog?
The Cymulate blog covers a wide range of cybersecurity topics, including threat research, vulnerability analysis, attack techniques, and best practices for defense. Recent posts include analyses of ransomware, lateral movement, and supply chain attacks.
Where can I find more research and blog posts by Cymulate Research Lab?
You can find more research and blog posts by Cymulate Research Lab at the Cymulate Research Lab author page.
What information is required to subscribe to the Cymulate blog?
To subscribe to the Cymulate blog, you need to provide your full name, email address, and country of residence. See privacy policy.
Who authored the Cyber Attacks Wrap Up - September 2020 blog post?
The blog post was authored by Cymulate. For more about the author, visit the Cymulate author page.