Tag: ransomware
All items tagged ransomware.
- The Gentlemen — EDR-killer framework documented, OT-adjacent victim claimed, operator named
- Healthcare — third-party exposure and a 16-month notification gap
- Threat actor: INC ransomware's Rust rewrite and BYOVD evolution
- Check Point State of Ransomware Q1 2026 — ecosystem consolidation, with Switzerland and Germany named
- HCRG Care Group first notifies patients of a February 2025 Medusa breach — 16 months on [SINGLE-SOURCE]
- UPDATE: The Gentlemen (Storm-2697) claims OT-adjacent Mackay Sugar attack; operator attributed to a Russian national
- ESET: the Gentlemen RaaS gang centrally builds and maintains its affiliates' EDR-killer framework
- CVE-2026-50751 — Check Point Security Gateway: IKEv1 VPN authentication bypass exploited by a Qilin affiliate [SINGLE-SOURCE]
- Law-enforcement follow-through — Conti loader developer pleads guilty, AudiA6 laundering service dismantled
- Conti loader developer Oleksii Lytvynenko pleads guilty in US federal court after extradition from Ireland
- AudiA6 ransomware crypto-laundering service dismantled — two charged, Switzerland among the participating countries
- The Gentlemen ransomware: 478 claimed leak-site victims, self-propagating Go encryptor, operator publicly named
- CVE-2026-44963 — Veeam Backup & Replication: authenticated domain-user deserialization RCE on the backup server (CVSS 9.4)
- CVE-2026-50751 — Check Point Security Gateway: IKEv1 VPN authentication bypass, actively exploited by a Qilin affiliate
- Sophos 2026 Active Adversary Report — identity the dominant intrusion root cause; Impacket and AnyDesk most-observed post-exploitation [SINGLE-SOURCE]
- UK National Federation of Subpostmasters hit by ransomware via a cPanel flaw; disruption persists into June
- OFAC sanctions Nobitex and three Iranian exchanges as conduits for IRGC-affiliated ransomware proceeds
- Sophos finds an attacker-built, AI-orchestrated EDR-evasion testing lab during incident response
- ANNUAL REPORT — Sophos 2026 Active Adversary Report: identity is the dominant intrusion root cause [SINGLE-SOURCE]
- UPDATE: The Gentlemen ransomware — Microsoft publishes full technical dissection of the Storm-2697 Go-encryptor
- FBI FLASH CSA 260526 — Silent Ransom Group sends operatives physically into US law-firm offices to insert USB exfiltration devices when remote social engineering fails
- SANS ISC — Akira ransomware kill chain reconstructed entirely from SSLVPN syslog and Windows EVTX, no EDR [SINGLE-SOURCE]
- Check Point Q1 2026 State of Ransomware — ecosystem reconsolidates; LockBit returns with a deliberate Europe pivot
- The Gentlemen / Storm-2697 — internal "Rocket" backend leaked by a rival; KELA and Check Point dissect the operator inner circle
- Six German university hospitals lose ~97,600+ patient records to a breach at billing processor Unimed
- Rhysida claims Stuttgart municipal-data theft for 5 BTC; city denies a confirmed incident
- ANNUAL REPORT — Rapid7 Q1 2026 Threat Landscape Report: vulnerability exploitation now top initial-access vector at 38%; KEV median time to listing collapses to 5 days
- Operation Saffron dismantles First VPN — 33+ servers seized, user database captured, Switzerland named JIT participant; Phobos RaaS infrastructure link confirmed
- UPDATE: West Pharmaceutical Services — 8-K/A confirms full operational restoration, data investigation ongoing
- SonicWall Gen6 SSL-VPN incomplete-patching (CVE-2024-12802) — Akira-linked actors brute-force MFA via UPN/SAM account-name split, February–March 2026 intrusions
- Microsoft DCU disrupts Fox Tempest malware-signing-as-a-service feeding Rhysida, INC, Qilin and Akira ransomware operations
- UPDATE: The Gentlemen RaaS lists Czech university and Swiss engineering firm on leak site
- ARWINI (Lower Saxony statutory-prescription audit body) — investigators confirm data exfiltration after 4 May intrusion; Kairos ransomware group claims 2.87 TB; ~70,000 GDPR Art. 9 records in scope
- UPDATE: TeamPCP / Shai-Hulud — first copycat wave (Phantom Bot + SSH/cloud stealers), Checkmarx Jenkins plugin trojanised again, PCPJack rival worm hits exposed cloud services
- SonicWall Gen6 SSL-VPN CVE-2024-12802 — Akira-linked actors bypassing MFA on *officially-patched* firmware
- Healthcare (DACH) — the soft surface is the administrative intermediary, not the hospital
- Six German university hospitals — patient records exfiltrated via billing processor Unimed
- ARWINI (Lower Saxony prescription-audit body) — exfiltration confirmed; Kairos claims 2.87 TB including ~70,000 GDPR Art. 9 records
- Rhysida claims Stuttgart municipal data — city denies a confirmed incident [SINGLE-SOURCE / unconfirmed]
- Verizon 2026 DBIR — vulnerability exploitation is the #1 breach vector for the first time in 19 years; patching cadence regressed
- Rapid7 Q1 2026 Threat Landscape Report — corroborates the structural shift; KEV-to-listing window collapsing
- Fox Tempest — Microsoft DCU disrupts the malware-signing service feeding Rhysida, INC, Qilin and Akira
- The Gentlemen RaaS — Czech university and Swiss engineering firm listed; comms overhaul continues [SINGLE-SOURCE]
- Law-enforcement infrastructure takedowns — Operation Saffron (Switzerland JIT), FIOD/Stark Industries, Kimwolf, INTERPOL Ramz
- Canvas / Instructure extortion — ransom paid, US House investigation, second-intrusion vulnerability re-exploited
- Healthcare
- Manufacturing
- Foxconn — Nitrogen ransomware confirmed against North-American manufacturing sites
- Clinical Diagnostics / NMDL — Dutch IGJ formal NEN 7510 non-conformity ruling
- West Pharmaceutical Services — SEC Form 8-K Item 1.05 [SINGLE-SOURCE-OTHER]
- South Staffordshire Water — ICO £963,900 fine
- Check Point April 2026 ransomware analysis — Qilin leads at 15%, Germany at 5% of global victims
- The Gentlemen RaaS — operations continue post-leak, decryptor published, FortiOS / Erlang SSH initial-access CVEs confirmed
- Qilin / Agenda RaaS — April 2026 lead at 15% of global ransomware activity, Germany 5% of global victims
- Canvas / Instructure — ransom paid to ShinyHunters / WorldLeaks, US House investigation
- Dutch IGJ rules Clinical Diagnostics/NMDL failed NEN 7510 information-security standard at time of July 2025 ransomware breach; ~941,000 patients affected, cervical-cancer screening data exposed
- UPDATE: The Gentlemen RaaS — backend "Rocket" database leaked (16.22 GB), Check Point analysis exposes operator handles, ZeroPulse C2 internals, 1,570+ victims, decryptor published on GitHub
- Foxconn confirms Nitrogen ransomware crippled North-American manufacturing sites; 8 TB / 11M files claimed
- UPDATE: Instructure Canvas — US House Homeland Security Committee opens formal investigation; Instructure paid ransom
- ICO fines South Staffordshire Water £963,900 — water-sector OES with partial SIEM coverage; Cl0p attribution and ZeroLogon kill-chain detail sourced to The Record
- West Pharmaceutical Services files SEC Form 8-K Item 1.05 — data exfiltrated, systems encrypted, global operations partially restarted [SINGLE-SOURCE-OTHER]
- UPDATE: Instructure (Canvas LMS) — ransom paid to ShinyHunters with "shred logs"; second intrusion confirmed; per-institution leak deadline reset to today
- Treat the Instructure Canvas "shred logs" as legally unverifiable; align with EU university IR teams on per-institution deadline today
- Audit SIEM/XDR telemetry coverage as a percentage of host inventory; the South Staffordshire 5%-coverage finding is the operational lesson
- Akira ransomware on Groupe 3R — 20 Swiss medical-imaging centres across seven cantons; second cyberattack on the same operator within twelve months
- Canvas / Instructure breach — five-day arc from first claim to seven Dutch universities executing emergency disconnects
- Healthcare (CH, NL)
- Education (NL, UK, DE)
- Media and political (HU, DE)
- Mandiant M-Trends 2026
- Google Threat Intelligence Group — Europe data-leak landscape 2025
- Kaspersky Q1 2026 Exploits and Vulnerabilities Report
- MuddyWater (Iran / MOIS) Chaos ransomware false-flag + Teams BEC
- Akira ransomware — Swiss healthcare case confirmed; broader European playbook unchanged
- Qilin / Agenda RaaS — Die Linke confirms Q2 2026 German activity continuity
- The Gentlemen RaaS — Europe-skewed operation surged approximately 448% QoQ; 32% of Q1 2026 victims in Europe; FortiGate CVE-2024-55591 initial-access funnel
- Akira playbook quarterly context — Q1 2026 healthcare concentration; Qilin remains the dominant operator on German healthcare victims
- Groupe 3R (Réseau Radiologique Romand) — Akira ransomware claims 48 GB; 20 imaging centres across seven Swiss cantons, second attack in twelve months
- UPDATE: Canvas/Instructure — ShinyHunters claims a *second* intrusion despite May 8 patches; seven Dutch universities executed emergency disconnects on/before May 9
- Validate Akira-targeted edge-device CVE patch state in CH/EU healthcare
- UPDATE: Canvas/Instructure extortion — Oxford, Cambridge, Liverpool issue public statements; 44 Dutch universities confirmed; May 12 deadline active
- MuddyWater (Iran/MOIS) deploys Chaos ransomware as false flag; harvests credentials via Teams
- Qilin ransomware hits Die Linke (Germany): 1.5 TB claimed, DPA notified (~April 2026, first coverage)
- Kaspersky Q1 2026 Exploits and Vulnerabilities Report: document-based exploits resurge; RaaS acquires zero-days
- UPDATE: Instructure/Canvas extortion — 330 institutions across six countries; May 12 extortion deadline; 44 Dutch institutions confirmed