Ransomware

International law enforcement seizes 33 servers and shuts down First VPN, a criminal service used by at least 25 ransomware groups since 2014. 15 nations participated.

Verizon's 2026 Data Breach Investigations Report reveals vulnerability exploitation surpassed credential theft as the leading breach vector for the first time in 19 years. Only 26% of KEV flaws get patched.

Microsoft's Digital Crimes Unit seizes infrastructure behind Fox Tempest, a malware-signing service that helped Rhysida, Akira, and Qilin ransomware gangs disguise malicious code as legitimate software.

Internal database of #2 ransomware group leaked after 4VPS hosting breach exposes chat logs, affiliate rosters, and operational playbooks from 400+ attacks.

Nitrogen ransomware gang claims 8TB of data including Apple, Nvidia, and Intel files from Foxconn's Wisconsin and Texas facilities. Fourth major ransomware incident for the electronics giant.

Pharma supplier West Pharmaceutical Services discloses ransomware attack in SEC filing. Attackers exfiltrated data before encrypting systems. Unit 42 investigating.

A new proof-of-concept tool abuses Windows CreateFileW API to block file access across SMB shares. The technique evades all tested EDR products and requires no elevated privileges.

M-Trends 2026 reveals attackers now outpace patches, with AI accelerating exploitation and ransomware handoffs dropping to 22 seconds. Defenders are losing ground.

Go-based Sorry ransomware exploits cPanel auth bypass CVE-2026-41940, encrypting files with ChaCha20/RSA-2048. 44,000+ IPs compromised as attackers demand Tox ransom.

US Coast Guard Cyber Command issued an alert warning that INC Ransom is actively targeting maritime and logistics networks with double-extortion ransomware.

Former Sygnia and DigitalMint employees Ryan Goldberg and Kevin Martin sentenced for deploying ALPHV BlackCat ransomware while working as incident responders.

Peter Stokes, 19, was detained while boarding a flight to Japan. Federal prosecutors allege he participated in breaches that forced companies to pay millions in ransoms.

New extortion group BlackFile impersonates IT helpdesks via phone calls to steal credentials and demand seven-figure ransoms. Targets include retail chains and hospitality companies.

Check Point researchers gained access to a SystemBC C2 server operated by The Gentlemen ransomware group, uncovering over 1,570 compromised corporate networks that haven't been publicly disclosed.

New Kyber ransomware operation uses NIST-standardized Kyber1024 encryption on Windows while targeting VMware ESXi with a separate variant. Rapid7 analysis reveals the ESXi version's claims are false.

ShinyHunters claims breach of Canada Life Assurance exposing 5.6 million Salesforce records with PII. Ransom deadline passed April 21, 2026—data leak threatened.

New ransomware operation claims Medical Park Hospitals as first victim. 36 Turkish hospitals face data leak threats after 3.3TB exfiltration.

New ransomware operation linked to ex-BlackBasta affiliates runs Alpine Linux VMs on compromised hosts. Endpoint tools can't see inside the VM boundary.

FBI IC3 2025 report reveals record $20.9 billion in cybercrime losses. Investment fraud tops $8.6B, cryptocurrency scams reach $11.4B, and ransomware losses surge 259%.

Ransomware attack on ChipSoft forces 11 Dutch hospitals offline. The vendor manages patient records for most of the Netherlands. Attacker unknown.

Microsoft links China-based Storm-1175 to high-velocity Medusa ransomware attacks exploiting zero-day vulnerabilities. Healthcare, education, and finance sectors hit across Australia, UK, and US.

Sinobi, a suspected Lynx/INC rebrand, has grown from 40 victims to 215 since September 2025. The RaaS operation targets US midmarket companies with hybrid Curve25519/AES encryption.

Die Linke confirms Qilin stole internal data and employee info from party headquarters. Officials suggest attack may be politically motivated hybrid warfare.

New research maps the infostealer lifecycle from infection to dark web sale. Microsoft Entra ID appears in 79% of 2.05 million credential logs analyzed in 2026.

Toy giant Hasbro filed an SEC 8-K disclosing unauthorized network access discovered March 28. Systems remain offline with recovery expected to take weeks.

Bearlyfy has hit 70+ Russian companies since January 2025, now deploying custom GenieLocker ransomware. The group blends financial extortion with politically motivated sabotage.

Aleksei Volkov sentenced to nearly 7 years for selling network access to ransomware gangs. Facilitated dozens of attacks causing over $9 million in losses to US organizations.

Interlock ransomware operators weaponized Cisco Secure Firewall Management Center CVE-2026-20131 as a zero-day since January 26, gaining root access to enterprise networks.

LeakNet ransomware now uses ClickFix social engineering via hacked websites and a Deno-based in-memory loader to evade detection. Here's how the attack chain works.

IBM X-Force discovers Hive0163 using LLM-generated Slopoly malware in Interlock ransomware attacks, marking a shift in how threat actors weaponize AI to accelerate malware development.

Veeam releases emergency patches for five critical RCE vulnerabilities (CVSS 9.9) affecting Backup & Replication. Domain users can fully compromise backup servers.

Ransomware affiliate Velvet Tempest uses ClickFix social engineering to deploy DonutLoader and CastleRAT in 12-day intrusion linked to Termite ransomware staging.

Ryan Goldberg and Kevin Martin pleaded guilty to deploying ALPHV BlackCat ransomware while working in incident response and negotiation roles. Sentencing set for March 12.

Huntress responds to ClickFix intrusion deploying Matanbuchus 3.0 and custom AstarionRAT. Attackers achieved lateral movement within 40 minutes.

Japanese semiconductor test equipment maker Advantest hit by ransomware on Feb 15. Investigation ongoing as company assesses potential data exposure.

ShinyHunters claims 800,000+ Wynn Resorts employee records including SSNs, salaries, and personal details. Group demands 22 Bitcoin by February 23, exploited Oracle PeopleSoft.

University of Mississippi Medical Center shuts 35 clinics statewide after ransomware attack disables Epic EHR access. FBI investigating as doctors resort to pen and paper for patient care.

New ransomware family Reynolds embeds a vulnerable NsecSoft driver directly into its payload to disable CrowdStrike, Sophos, and other EDR tools before encryption begins.

BridgePay confirms ransomware attack crippled its payment processing platform, forcing merchants nationwide to cash-only. FBI and Secret Service are investigating.

Conpet, operator of 3,800km of Romanian oil pipelines, confirms cyberattack. Qilin claims 1TB of stolen data including financial records and passports.

Sophos finds 7,000+ servers with identical hostnames from ISPsystem VMmanager templates. LockBit, Qilin, and Conti all used the same bulletproof hosting VMs.

CVE-2025-22225 sandbox escape now confirmed as a ransomware attack vector. Exploitation toolkit predates Broadcom's patch by a full year.

CVE-2026-24423 lets unauthenticated attackers execute OS commands on SmarterMail servers. CISA confirms active ransomware exploitation and sets a February 26 patch deadline.

GreyNoise reveals CISA silently updated ransomware indicators on 59 vulnerabilities without alerts. New RSS feed tool catches changes within an hour.

Russian-linked gang dumps executive emails, employee IDs, and banking communications in first airline sector attack of 2026.