// #ransomware
34 articles — page 1 of 2
iRhythm Cardiac Monitoring Breach Exposes Patient PHI for 12 Million Zio Patch Wearers
iRhythm Holdings disclosed a data breach after social engineering granted attackers access to third-party systems hosting protected health information for approximately 12 million patients. A ransom demand was received on 9 June, and HIPAA breach notification timelines are now active for any covered entity whose patient data iRhythm processes.
Europol Dismantles AudiA6 Cryptocurrency Laundering Service That Processed €336M+ for Ransomware Gangs
Europol, in coordination with German BKA, Dutch FIOD, and Lithuanian law enforcement, has dismantled AudiA6 — a professional cryptocurrency money laundering service that processed more than €336 million in criminal proceeds for ransomware groups including Conti, REvil, and BlackCat/ALPHV. Seven individuals have been arrested across three countries and the service's infrastructure seized.
The Gentlemen Ransomware Hits Mackay Sugar — Mill Operations Shut Down as OT Systems Disrupted
The Gentlemen ransomware group has claimed an attack on Mackay Sugar, Australia's second-largest sugar producer, causing the shutdown of mill crushing operations during the critical harvest season. The attack disrupted operational technology systems controlling sugar processing at two mills in Queensland, representing a significant escalation of The Gentlemen group's targeting of OT-dependent industrial operations.
Why Ransomware Groups Target Veeam First: Backup Infrastructure as the Strategic Priority
CVE-2026-44963 in Veeam Backup & Replication is the third critical Veeam RCE vulnerability in three years, each exploited by ransomware operators to neutralise backup infrastructure before deploying encryption payloads. This article examines why backup systems have become the primary strategic target in ransomware operations and what structural security controls reduce exposure.
Gentlemen Ransomware Claims 478 Victims in 66 Countries as Worm-Like Lateral Movement Capability Confirmed
New analysis of the Gentlemen ransomware operation reveals the group has compromised 478 organisations across 66 countries, significantly exceeding initial healthcare-focused estimates. Researchers have confirmed the ransomware includes a worm module that leverages SMB vulnerabilities and credential reuse to spread autonomously across enterprise networks without human operator intervention.
Veeam Backup & Replication CVE-2026-44963 (CVSS 9.4): Domain Users Can Execute Remote Code on Backup Infrastructure
Veeam has patched CVE-2026-44963, a CVSS 9.4 remote code execution vulnerability in Veeam Backup & Replication that allows any domain user to execute arbitrary code on the Veeam backup server. The vulnerability exploits insufficient authorisation in the Veeam Backup Service API. Organisations using Veeam in Active Directory environments should apply the patch immediately.
CVE-2026-50751: Check Point Security Gateway Authentication Bypass Actively Exploited in Ransomware Campaigns
CISA added CVE-2026-50751 to the Known Exploited Vulnerabilities catalogue on 8 June with a three-day remediation deadline and confirmed ransomware campaign use. The vulnerability is a CVSS 9.3 authentication bypass in Check Point Security Gateway's IKEv1 VPN protocol handling that allows unauthenticated attackers to bypass remote access VPN authentication entirely. An emergency hotfix is available.
Healthcare Ransomware and Identity: The IAM Controls That Limit Gentelman's Blast Radius
The Gentelman ransomware group gains initial access through RMM vulnerabilities, but its ability to encrypt an entire healthcare network depends on how identity and access management is configured. Strong IAM controls — privileged access segmentation, MFA enforcement on administrative accounts, and service account restrictions — significantly limit what a ransomware operator can encrypt once inside the perimeter.
Healthcare Ransomware Business Continuity: Prioritising Recovery When Clinical Systems Go Down
When ransomware hits a healthcare organisation, the recovery sequence matters as much as the containment response. Clinical systems have dependencies that make naive 'restore in alphabetical order' approaches catastrophic. This guide covers healthcare-specific BCP prioritisation for ransomware recovery, including the clinical dependency chain that drives sequencing decisions.
Gentelman Ransomware Surges: 9 Healthcare and Professional Services Victims in 72 Hours
The Gentelman ransomware group (tracked as Storm-2697) claimed 15 victims between 1–3 June with a heavy focus on healthcare providers and professional services firms in North America. The surge appears linked to exploitation of known vulnerabilities in remote management software. Healthcare organisations should review internet-exposed remote access and RMM tool exposure immediately.
Oracle WebLogic CVE-2024-21182 Added to CISA KEV — Federal Deadline June 4 as Ransomware Payloads Observed
CISA added CVE-2024-21182 to the Known Exploited Vulnerabilities catalogue on 1 June, citing confirmed active exploitation of the Oracle WebLogic Server unauthenticated remote attack vulnerability. Honeypot data shows attackers delivering Cobalt Strike beacons and ransomware payloads via the T3/IIOP protocol attack path. Federal civilian agencies must remediate by 4 June.
Food and Beverage Sector Ransomware: Why Critical Infrastructure Classification Has Not Improved Security Outcomes
The US food and agriculture sector was designated critical infrastructure in 2003. In 2026, ransomware attacks against it are rising 80 per cent year on year. The gap between regulatory classification and actual security maturity reflects structural problems in how cybersecurity investment decisions are made in distributed, margin-sensitive industries.
Qilin Claims Sysco on Ransomware Leak Site — World's Largest Food Distributor Faces Deadline
Qilin ransomware operators have listed Sysco Corporation — the world's largest foodservice distribution company — on their dark web extortion site, claiming to hold data extracted from the company's networks. Sysco has not confirmed a breach. The listing appears amid an 80 per cent rise in ransomware pressure against the food and beverage sector in Q2 2026.
SonicWall Gen6 SSL-VPN: Patch for CVE-2024-12802 Fails to Close MFA Bypass — Akira Ransomware in 86% of Compromises
ReliaQuest published research on 19 May confirming that SonicWall's official firmware patch for CVE-2024-12802 on Generation 6 SSL-VPN devices requires six manual reconfiguration steps to fully close the MFA bypass vulnerability. Devices that reached end-of-life on 16 April 2026 will receive no further patches. Akira ransomware is present in 86% of SonicWall-involved intrusion claims reviewed by ReliaQuest.
Foxconn Confirms Nitrogen Ransomware Attack on North American Factories — 8 TB of Customer Data Stolen
Electronics manufacturing giant Foxconn confirmed a Nitrogen ransomware attack on its North American operations that encrypted factory systems and exfiltrated approximately 8 TB of data including Apple, NVIDIA, and Intel supply chain documentation. Production lines at multiple facilities were disrupted before recovery procedures were activated.
West Pharmaceutical Services Files SEC 8-K After Ransomware Encrypts Systems and Exfiltrates Manufacturing Data
West Pharmaceutical Services, an S&P 500 drug delivery component manufacturer, disclosed a ransomware attack via SEC Form 8-K, confirming system encryption and data exfiltration affecting its manufacturing and quality systems. The incident highlights regulatory obligations for publicly listed companies to disclose material cybersecurity incidents and the specific risks facing pharmaceutical supply chain manufacturers.
Fortinet 2026 Global Threat Landscape: Ransomware Victims Up 389% Year-over-Year, AI Crime Industrialising
Fortinet's 2026 Global Threat Landscape Report documents 7,831 confirmed ransomware victims in 2025 — a 389% increase over 2024's approximately 1,600 — alongside the first systematic evidence of AI-enabled cybercrime tooling (WormGPT, FraudGPT, BruteForceAI) being used at scale. Manufacturing, business services, and retail are the hardest-hit sectors. The report reframes the threat environment as fundamentally changed, not merely intensified.
Two Former Cybersecurity Professionals Sentenced to Four Years for BlackCat/ALPHV Ransomware Operations
A US federal court has sentenced two individuals with professional cybersecurity backgrounds to four-year prison terms for their roles in the BlackCat/ALPHV ransomware-as-a-service operation, marking a notable law enforcement outcome that demonstrates insider security knowledge is not a prosecution shield. The sentences follow guilty pleas and cooperation with investigators.
'Sorry' Ransomware Deploys en Masse via cPanel CVE-2026-41940 — 44,000 Hosts Compromised Within 48 Hours of Patch
A ransomware group tracking as 'Sorry' has leveraged the recently-patched cPanel/WHM authentication bypass (CVE-2026-41940) to compromise at least 44,000 web hosting servers globally, deploying a Go-compiled Linux encryptor within 48 hours of the vulnerability's public patch release. The speed of mass exploitation underscores the extreme urgency of applying the cPanel/WHM hotfix.
VECT 2.0 Ransomware Irreversibly Corrupts Files Over 131KB on Windows, Linux, and ESXi
VECT 2.0 is a new cross-platform ransomware variant that partially corrupts files larger than 131KB rather than encrypting them — rendering files permanently unrecoverable even after ransom payment, as the overwritten data cannot be reconstructed. Active campaigns have targeted manufacturing, logistics, and healthcare. Standard backup-based recovery strategies may fail against VECT 2.0 if backups were mounted or reachable at the time of attack.
Germany BKA Identifies REvil and GandCrab Leader 'UNKN' as Russian National Daniil Shchukin
Germany's federal criminal police (BKA) publicly attributed the REvil and GandCrab ransomware-as-a-service platforms to 31-year-old Russian national Daniil Shchukin, holding him responsible for 130+ attacks in Germany causing over €35 million in economic damage. Shchukin operates from Krasnodar and remains beyond extradition reach, but the attribution breaks the historical anonymity of top-tier RaaS operators and may precede US OFAC sanctions.
Seized Gentlemen Ransomware C2 Server Exposes 1,570 Victims — GPO Deployment Reveals Full Domain Compromise
Check Point Research's analysis of a seized SystemBC command-and-control server linked to The Gentlemen ransomware operation exposed 1,570+ victim IP addresses and documented the group's use of Group Policy Objects to deploy ransomware domain-wide. GPO-based distribution is a forensic marker that attackers achieved Domain Admin access days before encryption — defenders should treat it as an indicator of extended dwell time, not a starting point.
Kyber Ransomware Deploys Dual Windows and VMware ESXi Variants — Claims Post-Quantum Encryption
A new ransomware operation named Kyber is targeting enterprise Windows servers and VMware ESXi infrastructure with two distinct variants analysed by Rapid7. The Windows variant written in Rust implements genuine Kyber1024 post-quantum key encapsulation; the ESXi variant falsely markets the same capability while using ChaCha8 and RSA-4096. Both variants share Tor-based ransom infrastructure and have been deployed simultaneously on the same networks.
Everest Ransomware Claims Citizens Bank Breach — 380 GB Including 250,000 SSNs and 3.4 Million Records
The Everest ransomware group claims to have stolen 380 GB of Citizens Bank customer data via a third-party vendor, including 250,000 Social Security Numbers and 3.4 million banking records. Citizens attributes the breach to a vendor, not its core systems — but regulatory notification obligations apply regardless.
Commentary tagged #ransomware
The Week That Had Everything: June 2026 and What It Reveals About Enterprise Security Capacity
The week of 9–13 June 2026 delivered a record Microsoft Patch Tuesday, a CVSS 10.0 Ivanti exploit, a wormable Linux kernel proof-of-concept, Veeam and SAP critical advisories, and an accelerating ransomware worm across 66 countries. It was not a crisis — it was a normal week in 2026. That is the diagnosis.
CipherWatch Editorial
Security Intelligence Platform
Vulnerability Management Is Failing Because the Volume Is Unmanageable. We Need to Admit It.
The June 2026 Patch Tuesday delivered 198 CVEs from one vendor in one day. Security teams also had to process concurrent critical advisories from SAP, Ivanti, Palo Alto, and CISA on the same day. The volume is not a temporary surge — it is the permanent state of software security. The current vulnerability management model is not designed for this scale and the consequences are being measured in ransomware payments.
CipherWatch Editorial
Security Intelligence Platform
VPN Gateways Are Where Ransomware Gets In. CVE-2026-50751 Is Not the Last One.
Check Point CVE-2026-50751 joins a long list of critical authentication bypass and remote code execution vulnerabilities in enterprise VPN gateways that have been exploited in ransomware campaigns. The pattern is consistent enough that it is no longer useful to treat each as a one-off incident — it is a structural category of risk that requires a structural response.
CipherWatch Editorial
Security Intelligence Platform
Healthcare Ransomware Is a Structural Problem. The Gentelman Surge Is Not a Surprise.
The Gentelman ransomware surge hitting healthcare this week follows a pattern that has repeated with near-mechanical regularity for five years. The security industry has correctly diagnosed the problem: legacy infrastructure, high willingness to pay, broad RMM attack surface, and regulatory environments that prioritise availability over security. The diagnosis is correct. The treatment is not happening fast enough.
CipherWatch Editorial
Security Intelligence Platform
Seven Thousand Ransomware Victims in a Year and We're Still Surprised Every Time
Fortinet's 2026 threat landscape report documents 7,831 confirmed ransomware victims last year — nearly five times the 2024 figure. The industry will spend a week discussing what this means. Then a new disclosure will arrive, and the conversation will move on. The problem is not that we lack threat intelligence. The problem is that threat intelligence is not changing behaviour fast enough to matter.
CipherWatch Editorial
Security Intelligence Platform
The Patch-to-Exploit Window Has Collapsed — cPanel in 48 Hours Is Not an Anomaly, It's the New Baseline
The 'Sorry' ransomware group compromised 44,000 cPanel servers within 48 hours of a critical patch release. The industry still plans patch cycles in weeks. These two realities are incompatible, and the gap between them is where organisations keep getting destroyed.
CipherWatch Editorial
Security Intelligence Platform
When Ransomware Deploys via Group Policy, You Were Already Owned
The Gentlemen ransomware group's use of Group Policy Objects to distribute encryption payloads domain-wide is not just a clever tactic — it's a forensic signal. GPO deployment requires Domain Admin access. The ransomware event you detected was not the attack. It was the end of an attack that was already over.
CipherWatch Editorial
Security Intelligence Platform
Ransomware in Healthcare Is a Patient Safety Crisis, Not an IT Problem
The ransomware attack on ChipSoft paralysing 80% of Dutch hospitals and the Anubis attack on Signature Healthcare this week are not data breach incidents with clinical inconvenience as a side effect. They are patient safety events. The healthcare sector's continued treatment of ransomware as a cybersecurity problem rather than a clinical risk is costing lives.
CipherWatch Editorial
Security Intelligence Platform
BYOVD Is a Commodity Technique Now — Your EDR Vendor Knows
Qilin's Warlock toolkit, capable of disabling over 300 security tools using Bring Your Own Vulnerable Driver techniques, is not a nation-state capability — it is an affiliate-accessible ransomware tool. EDR is a necessary control. It is not a sufficient one, and the industry's marketing has outpaced what the technology can actually guarantee.
CipherWatch Editorial
Security Intelligence Platform
Ransomware Has Industrialised — Your Response Strategy Probably Has Not
Qilin's 131 confirmed victims in March alone is not a spike — it is what a mature criminal enterprise operating at scale looks like. The ransomware ecosystem has industrialised completely, with dedicated development, HR, and affiliate management functions. Enterprise response strategies built for a different threat model are overdue for review.
CipherWatch Editorial
Security Intelligence Platform