// #incident-response

22 articles

🌐 Network

Gentlemen Ransomware Worm: Using Network Segmentation to Contain Propagation Before Detection

The confirmed worm capability in the Gentlemen ransomware payload — propagating via SMB exploitation and credential reuse — changes the containment calculus for enterprise incident response. Effective network segmentation stops worm propagation at VLAN boundaries. This guide maps the segmentation controls that constrain Gentlemen's lateral movement.

#gentlemen-ransomware +8
🛡️ SecOps

Why Ransomware Groups Target Veeam First: Backup Infrastructure as the Strategic Priority

CVE-2026-44963 in Veeam Backup & Replication is the third critical Veeam RCE vulnerability in three years, each exploited by ransomware operators to neutralise backup infrastructure before deploying encryption payloads. This article examines why backup systems have become the primary strategic target in ransomware operations and what structural security controls reduce exposure.

#veeam +7
🛡️ SecOps

Gentlemen Ransomware Claims 478 Victims in 66 Countries as Worm-Like Lateral Movement Capability Confirmed

New analysis of the Gentlemen ransomware operation reveals the group has compromised 478 organisations across 66 countries, significantly exceeding initial healthcare-focused estimates. Researchers have confirmed the ransomware includes a worm module that leverages SMB vulnerabilities and credential reuse to spread autonomously across enterprise networks without human operator intervention.

#gentlemen-ransomware +8
⚖️ Risk Mgmt

Healthcare Ransomware Business Continuity: Prioritising Recovery When Clinical Systems Go Down

When ransomware hits a healthcare organisation, the recovery sequence matters as much as the containment response. Clinical systems have dependencies that make naive 'restore in alphabetical order' approaches catastrophic. This guide covers healthcare-specific BCP prioritisation for ransomware recovery, including the clinical dependency chain that drives sequencing decisions.

#ransomware +7
🛡️ SecOps

Gentlemen Ransomware Surges: 9 Healthcare and Professional Services Victims in 72 Hours

The Gentlemen ransomware group (tracked as Storm-2697) claimed 15 victims between 1–3 June with a heavy focus on healthcare providers and professional services firms in North America. The surge appears linked to exploitation of known vulnerabilities in remote management software. Healthcare organisations should review internet-exposed remote access and RMM tool exposure immediately.

#ransomware +7
🛡️ SecOps

ServiceNow Zero-Auth API Exploitation: Customer Instance Data Exposed Through Unauthenticated Endpoint

ServiceNow disclosed an active security incident in which an unauthenticated API endpoint allowed attackers to query customer instance data including IT ticket contents, asset inventories, and stored credentials. Exploitation began 2 June; ServiceNow patched the endpoint by 5 June. No CVE was assigned at time of disclosure. Organisations should review ServiceNow access logs for the incident window.

#servicenow +6
🔑 IAM

Identity Containment After Domain Controller Compromise: IAM Response for CVE-2026-41089 Post-Exploitation

If forensic investigation reveals CVE-2026-41089 exploitation occurred before patching, the identity response is as critical as the technical remediation. All credential material accessible from the domain controller must be treated as compromised. This guide covers the identity containment sequence for a confirmed Active Directory domain controller breach.

#active-directory +6
🛡️ SecOps

Netlogon CVE-2026-41089 Detection and Forensics: Hunting for Domain Controller Compromise

With active exploitation of CVE-2026-41089 confirmed, security teams must run parallel tracks: patching domain controllers and investigating whether exploitation has already occurred. A successful Netlogon exploitation typically leads to Golden Ticket persistence and stealthy domain admin account creation — the forensic indicators are specific and searchable.

#netlogon +7
⚖️ Risk Mgmt

Netlogon CVE-2026-41089: Enterprise Risk Management Framework for Active Directory Compromise Scenarios

A CVSS 9.8 vulnerability with active exploitation and a public PoC against domain controllers requires risk management decisions at the business level, not just patching at the technical level. This guide covers the risk assessment, escalation triggers, and business continuity considerations that security leadership should present to boards and executives.

#risk-management +7
🛡️ SecOps

Citrix NetScaler CVE-2026-3055 Forensics: Post-Exploitation Detection for SAML IDP Compromise

With large-scale exploitation of CVE-2026-3055 confirmed as of 28 May, NetScaler ADC deployments that were internet-accessible while unpatched must be assessed for compromise. The SAML memory overread can leak session tokens and signing key material — understanding the forensic footprint helps determine whether compromise occurred.

#citrix +7
🛡️ SecOps

UniFi OS Bulletin 064 Post-Disclosure Forensics: Detecting Compromise on Ubiquiti Controllers

Two days after Ubiquiti published Security Bulletin 064 with three CVSS 10.0 vulnerabilities, security teams should be confirming that patches have applied and hunting for indicators of pre-patch compromise. This guide covers the specific log sources, indicators, and commands available on UniFi OS devices for detecting exploitation activity.

#ubiquiti +6
🛡️ SecOps

GlobalProtect CVE-2026-0257 Compromise Indicators: Threat Hunting and Forensic Guide for VPN Gateway Authentication Bypass

Organisations running PAN-OS GlobalProtect gateways on versions vulnerable to CVE-2026-0257 must investigate for compromise during the exposure window, not just apply the patch. This guide covers the specific log sources, indicators of compromise, and post-exploitation patterns to hunt for on PAN-OS GlobalProtect gateways after an authentication bypass zero-day.

#palo-alto +7
🔑 IAM

VPN Authentication Bypass: Identity and Access Containment Response After GlobalProtect Compromise

When a VPN authentication bypass like CVE-2026-0257 is exploited, the attacker enters the network without leaving identity provider audit trails. Standard identity-based detection misses the initial access. This creates a specific response challenge: containing a network breach where the entry event did not generate authentication telemetry and the scope of subsequent access is unknown.

#vpn +7
🛡️ SecOps

Exchange CVE-2026-42897 One Week On: Active Exploitation Continues, No Patch Available — Updated Guidance

Microsoft Exchange Server's OWA session hijacking zero-day CVE-2026-42897 entered its second week without a permanent patch. Microsoft's Emergency Mitigation Service (EEMS) rule remains the only automated protection for Exchange Online-connected on-premises environments. Security teams should now focus on identifying whether exploitation occurred during the disclosure week and verifying their mitigation status.

#exchange +5
🌐 Network

Cisco SD-WAN CVE-2026-20182 Post-Compromise Forensics: Identifying Rogue Device Injection in Catalyst SD-WAN Deployments

CVE-2026-20182, the CVSS 10.0 Cisco Catalyst SD-WAN Manager zero-day added to CISA KEV on 14 May, was exploited before Cisco released the patch. Organisations that ran vManage on publicly accessible addresses during the exposure window must now forensically audit their SD-WAN device inventory and API authentication logs for signs of rogue device registration and traffic interception.

#cisco +7
🛡️ SecOps

Exchange CVE-2026-42897 Threat Hunting Guide: Identifying Session Hijacking in OWA Logs

With no patch available for the actively exploited Exchange OWA session hijacking zero-day, security teams must hunt for existing compromise rather than waiting for a fix. This guide covers the specific log sources, KQL queries, and behavioural indicators that reveal CVE-2026-42897 exploitation in on-premises Exchange and Microsoft 365 hybrid environments.

#exchange +6
🛡️ SecOps

'Sorry' Ransomware Deploys en Masse via cPanel CVE-2026-41940 — 44,000 Hosts Compromised Within 48 Hours of Patch

A ransomware group tracked as 'Sorry' has leveraged the recently patched cPanel/WHM authentication bypass (CVE-2026-41940) to compromise at least 44,000 web hosting servers globally, deploying a Go-compiled Linux encryptor within 48 hours of the vulnerability's public patch release. The speed of mass exploitation underscores the extreme urgency of applying the cPanel/WHM hotfix.

#ransomware +5
🛡️ SecOps

VECT 2.0 Ransomware Irreversibly Corrupts Files Over 131KB on Windows, Linux, and ESXi

VECT 2.0 is a new cross-platform ransomware variant that partially corrupts files larger than 131KB rather than encrypting them — rendering files permanently unrecoverable even after ransom payment, as the overwritten data cannot be reconstructed. Active campaigns have targeted manufacturing, logistics, and healthcare. Standard backup-based recovery strategies may fail against VECT 2.0 if backups were mounted or reachable at the time of attack.

#ransomware +6
🛡️ SecOps

April Patch Tuesday Bug Crashes LSASS on PAM-Enabled Domain Controllers — No Fix Yet

KB5082063, Microsoft's April 2026 cumulative update, is causing LSASS to crash on non-Global Catalog domain controllers in Privileged Access Management environments, triggering unrecoverable reboot loops that take down Active Directory authentication. Microsoft has confirmed the issue across all Windows Server versions from 2016 to 2025 and is developing a corrected update, but none is available yet.

#patch-tuesday +5
🗄️ Assets

Standard Bank Breach: 1.2TB of Client Data — Including Credit Card Details — Published Online

A threat actor claiming to have spent three weeks inside Standard Bank's network has published approximately 1.2TB of stolen data online, including client names, national identity numbers, account details, and a subset of credit card numbers. One of Africa's largest banks, Standard Bank operates across more than 20 countries and holds significant international exposure. The double-extortion attack pattern and lessons for database-layer monitoring are directly relevant to financial services defenders globally.

#data-breach +5
🛡️ SecOps

DPRK-Linked Hackers Steal $285 Million from Drift Protocol in Six-Month Social Engineering Operation

North Korean threat actors attributed to UNC4736 (Citrine Sleet/AppleJeus) stole $285 million from Solana-based Drift Protocol after a six-month infiltration campaign combining social engineering of multisig signers with a novel durable nonce pre-signing technique. The incident reveals social engineering tactics directly transferable to enterprise environments.

#north-korea +9
🛡️ SecOps

Anubis Ransomware Hits Signature Healthcare, Brockton Hospital Diverts Ambulances

A ransomware attack on Signature Healthcare's Brockton Hospital in Massachusetts forced the facility to divert ambulances to neighbouring hospitals and cancel chemotherapy treatments. The Anubis ransomware group claimed responsibility on April 9, marking another significant attack on US healthcare infrastructure at a time when the sector remains one of the most targeted by ransomware operators.

#ransomware +5

Commentary tagged #incident-response

Opinion

The Week That Had Everything: June 2026 and What It Reveals About Enterprise Security Capacity

The week of 9–13 June 2026 delivered a record Microsoft Patch Tuesday, a CVSS 10.0 Ivanti exploit, a wormable Linux kernel proof-of-concept, Veeam and SAP critical advisories, and an accelerating ransomware worm across 66 countries. It was not a crisis — it was a normal week in 2026. That is the diagnosis.

CipherWatch Editorial

Security Intelligence Platform

Opinion

Seven Thousand Ransomware Victims in a Year and We're Still Surprised Every Time

Fortinet's 2026 threat landscape report documents 7,831 confirmed ransomware victims last year — nearly five times the 2024 figure. The industry will spend a week discussing what this means. Then a new disclosure will arrive, and the conversation will move on. The problem is not that we lack threat intelligence. The problem is that threat intelligence is not changing behaviour fast enough to matter.

CipherWatch Editorial

Security Intelligence Platform

Opinion

When Ransomware Deploys via Group Policy, You Were Already Owned

The Gentlemen ransomware group's use of Group Policy Objects to distribute encryption payloads domain-wide is not just a clever tactic — it's a forensic signal. GPO deployment requires Domain Admin access. The ransomware event you detected was not the attack. It was the end of an attack that was already over.

CipherWatch Editorial

Security Intelligence Platform

Opinion

Ransomware in Healthcare Is a Patient Safety Crisis, Not an IT Problem

The ransomware attack on ChipSoft paralysing 80% of Dutch hospitals and the Anubis attack on Signature Healthcare this week are not data breach incidents with clinical inconvenience as a side effect. They are patient safety events. The healthcare sector's continued treatment of ransomware as a cybersecurity problem rather than a clinical risk is costing lives.

CipherWatch Editorial

Security Intelligence Platform

Opinion

Ransomware Has Industrialised — Your Response Strategy Probably Has Not

Qilin's 131 confirmed victims in March alone is not a spike — it is what a mature criminal enterprise operating at scale looks like. The ransomware ecosystem has industrialised completely, with dedicated development, HR, and affiliate management functions. Enterprise response strategies built for a different threat model are overdue for review.

CipherWatch Editorial

Security Intelligence Platform