Good morning. This week, a ransomware gang shut down a non-profit's cash registers across an entire city. A different gang is quietly building a business model around targeting small companies with old software. And Business Email Compromise — the scam that tricks your team into wiring money to criminals — targeted 7 in 10 businesses last year.
Let's get into it.
STORY OF THE WEEK
Ransomware walked into a Goodwill store and took the tills offline
On Thursday morning, shoppers walking into any Goodwill store in Greater Grand Rapids, Michigan found a sign at the counter: cash only. No card payments. No tap. No Apple Pay. The non-profit's entire point-of-sale network had been knocked offline by a ransomware attack, confirmed publicly by Goodwill on March 27.
The culprit, according to claims on dark web leak sites, is a group called Interlock ransomware. They say they have Goodwill's data. Goodwill says it doesn't store card data on its systems (a small mercy), but the organisation's ability to serve customers and process donations was disrupted across every location in the region while cybersecurity investigators worked to restore systems.
What makes this story worth your attention isn't just the technical details. It's the image of it: a non-profit serving vulnerable communities, suddenly reduced to cash-only, unable to process the everyday transactions that keep its doors open. A cyberattack didn't just cost money; it disrupted the mission.
WHY IT MATTERS TO YOU
If you run a non-profit, a retail business, or any organisation where customers pay in-store, your payment processing is your lifeline. Ransomware doesn't need to steal your data to hurt you; it just needs to lock your systems long enough to cost you customers, revenue, and trust. The question to ask yourself this week: if your payment system went offline tomorrow morning, what would happen to your business?
WHAT YOU CAN DO RIGHT NOW
Check whether your point-of-sale system is on a separate network from the rest of your business computers. If ransomware hits your back-office machine, it shouldn't automatically reach your payment terminals. Your IT provider can confirm this in a ten-minute conversation.
THE RIPPLE EFFECT
Three stories, and what they actually mean for your business
1. There's a ransomware gang that specifically hunts businesses like yours
CosmicBeetle is a ransomware group with an unusual business model: they deliberately target small and medium businesses that haven't kept their software up to date. Rather than hunting large enterprises, they've built a playbook around exploiting old vulnerabilities in common tools that small businesses set up years ago and never revisited, particularly backup software and Windows systems. They've hit businesses in the healthcare, legal, financial, and technology sectors across Europe, Asia, and beyond.
What it means for you: There are criminal groups that have specifically decided small businesses are their market. Ask your IT provider: what software in our environment hasn't been updated in more than six months?
2. Business Email Compromise is the most expensive threat you've probably never heard of
Business Email Compromise (BEC), where criminals impersonate your boss, your accountant, or your suppliers via email to trick you into transferring money, costs businesses a combined $2.9 billion every year. The average loss per incident is $137,000. Seven in ten businesses were targeted last year, and almost a third of those lost money as a result. The newer variant, Vendor Email Compromise, is rising even faster. Criminals compromise your actual supplier's email account and wait for the perfect moment to swap payment details on a real invoice.
What it means for you: BEC looks completely normal — no malware, no suspicious links, just an email from someone you trust. The money leaves before anyone realises it's gone, and it almost never comes back. If you don't have a verbal confirmation policy for payment detail changes, this week is the week to put one in place.
3. A new ransomware gang is targeting government contractors — and their supply chains
TridentLocker, a ransomware operation that emerged in late 2025, hit Sedgwick Government Solutions — a company that manages insurance claims for the Department of Homeland Security, CISA, and dozens of federal and municipal agencies. The gang stole 3.4GB of data from an isolated file transfer system before being detected.
What it means for you: If your business works with government agencies or with companies that do, you are part of a supply chain that criminal groups are actively mapping. Ask any government-adjacent vendor: have you had any security incidents in the past 12 months?
STAT OF THE WEEK
70%
of businesses were targeted by a Business Email Compromise attack in the past 12 months — and nearly a third of those lost money as a result.
BEC has cost businesses a combined $55 billion over the last decade. With AI now helping criminals write more convincing emails and clone voices on calls, the threat is accelerating.
¹ Arctic Wolf State of Cybersecurity: 2024 Trends Report. Survey of 1,000+ senior IT and security decision-makers globally.
ONE THING YOU CAN DO THIS WEEK
Call your supplier before changing their payment details… every time
Vendor Email Compromise works because it arrives as a normal email from your supplier, sometimes from their actual compromised account, asking you to update their bank details for the next payment. It looks completely legitimate. The new account belongs to criminals.
“Any change to a supplier’s payment details requires a phone call to a known contact at that company before any change is made.”
Not a reply email. A phone call. To a number you already have. Every time. No exceptions.
QUICK BITES
Ransomware attacks on small businesses jumped 34% in 2025 and are accelerating into 2026, driven by criminal services that let low-skill attackers rent professional tools by the month, no technical knowledge required.
US cybersecurity authorities warned this week about a serious flaw in widely used networking equipment that criminals are actively exploiting right now. If your business has an IT provider or managed services company, forward this newsletter to them and ask: are our network devices patched and up to date?
Criminals hid password-stealing software inside a file that looked like a harmless audio clip — published online on March 27. If your business uses developers or IT contractors who install third-party software, ask them: how do you check what you're installing is safe?
Four in five small businesses have experienced a data breach. If you're in the 20% who haven't, that's not a reason to relax — it's a reason to make sure your defences are in place before you join the majority.
PARTING THOUGHT
The Goodwill story this week isn't really about ransomware. It's about what happens when the infrastructure we take for granted (the ability to swipe a card, complete a sale, or serve a customer) disappears without warning on a Thursday morning.
Resilience isn't about being immune to attacks. Goodwill will restore its systems. They'll be back to normal. The organisations that survive cyber incidents are the ones who, when the worst happens, already know what to do next.
That preparation doesn't require a big IT budget. It requires a plan.
See you next Friday
Cyber Resilient Leaders