Ransomware

Stories: 12 | Sources: 24 | Updated: 2026.06.10
KrebsOnSecurity links The Gentlemen ransomware group to a suspected administrator in Izhevsk, Russia
A new report identifies a suspected real-world operator behind The Gentlemen, one of 2026's most active ransomware groups. KrebsOnSecurity, drawing on Check Point, Intel 471, Flashpoint, and Constella data, says the ransomware-as-a-service group has claimed at least 332 victims since mid-2025 and more than 240 in 2026, recruits affiliates with a 90/10 ransom split, and commonly gains entry through internet-facing VPN and firewall devices before rapidly encrypting networks. — This is a major ransomware actor by victim volume, so the attribution and tradecraft details help defenders prioritize monitoring of exposed remote-access and edge devices. Organizations should review exposure of VPNs and firewalls, harden remote access, and watch for intrusion patterns associated with fast-moving affiliate-led ransomware attacks.
Sources: Who Runs the Ransomware Group ‘The Gentlemen?’
Check Point patches exploited VPN authentication-bypass zero-day CVE-2026-50751 tied to Qilin ransomware activity
Check Point says attackers used a zero-day flaw to break into some of its VPN systems, and at least one confirmed follow-on intrusion was linked to the Qilin ransomware operation. The main issue, CVE-2026-50751, is an unauthenticated authentication-bypass bug affecting Remote Access VPN, Mobile Access / SSL VPN, and Spark gateways when configured with deprecated IKEv1, legacy clients, and no mandatory machine certificate; Check Point also disclosed CVE-2026-50752, an IKEv1 certificate-validation flaw that could enable man-in-the-middle attacks on site-to-site VPNs. Exploitation began May 7 and has hit a few dozen organizations globally. — Organizations using affected Check Point VPN setups could be exposed to break-ins without valid credentials, with ransomware risk if attackers get in. This is urgent: apply Check Point's updates immediately or disable IKEv1, require machine certificates, and follow the vendor's mitigations.
Sources: Check Point links VPN zero-day attacks to Qilin ransomware gang, Ransomware crims got a month-long head start on Check Point VPN 0-day that now has a fix, CISA gives feds 3 days to patch Check Point VPN bug exploited as zero-day (+1 more)
Another NHS trust says the Qilin attack on Synnovis exposed patient records two years after the breach
Mid and South Essex NHS Foundation Trust says the 2024 Qilin ransomware attack on pathology provider Synnovis exposed about 2,380 records tied to specialist diagnostic testing, and the total may rise as records are matched to individual patients. The incident is the same long-running data theft and service-disruption event that hit NHS pathology services in southeast London on June 3, 2024; patient data was later published after failed extortion, and affected trusts are still identifying who must be notified. — This shows the fallout from a major healthcare ransomware breach is still growing years later, with more patients and hospitals discovering exposed records. Affected NHS organizations need to keep tracing exposed data and notifying people, while patients contacted about past diagnostic testing should treat breach notices seriously and watch for scams or misuse of their information.
Sources: Qilin NHS breach tally grows as Essex trust confirms stolen records
Ransomware attack shuts Evanston Township High School in Illinois and disrupts summer programs
A ransomware attack forced Evanston Township High School in Illinois to close for at least two days, canceling summer school, sports camps, and other on-campus activities. The school said phone systems are down and staff have limited access to email, Google accounts, and other network systems including eSchool. External forensics specialists and breach counsel were engaged, and the FBI is involved. No ransomware group has publicly claimed responsibility yet. — This is a real-world operational disruption affecting students, families, and staff, not just an IT outage. Schools and local governments should review incident response readiness, offline recovery options, and communications plans, while affected families should watch for follow-up notices about any data exposure.
Sources: Ransomware sends Illinois high school on an early summer vacation
FBI warns Silent Ransom Group is sending fake IT workers in person to law firms to plug in USB drives and steal data
The FBI says Silent Ransom Group is targeting U.S. law firms by pretending to be IT support, then stealing data and extorting victims without encrypting files. In 2026 attacks, the group reportedly used callback phishing emails, phone-based social engineering, remote desktop access, and in some cases sent an operative on site to insert a USB or external drive after a failed remote-access attempt; the attackers then used tools such as WinSCP and Rclone to exfiltrate data. — Law firms and other organizations should treat unsolicited IT calls, emails, and in-person support visits as potential attack vectors, not just remote phishing. The warning is urgent because the attackers use legitimate admin tools and leave few traces, so organizations should verify IT identities, restrict external-drive use, and harden remote-access workflows now.
Sources: FBI: Hackers Sending Operatives in Person to Insert USB Drives and Steal Data, FBI warns of in-person data theft attacks from extortion gang, FBI warns extortion hackers are visiting US law firms to steal data (+4 more)
Sophos says ransomware operator used AI agents from Cursor and Claude to build EDR-evasion and Active Directory attack tools
Sophos says it found a ransomware attack toolkit in a customer environment that was built with help from AI coding agents and used to hide from security software and map a victim's Windows network. The framework included Cobalt Strike traffic-masking profiles, Telegram-based command and control, a Cloudflare Worker redirector, and Python tools that generated Rust and Go payloads for evasion and execution. Sophos found operator logs referencing a ransom note and organizations listed on a ransomware leak site, indicating criminal use rather than legitimate red-team testing. — This shows AI tools are being used to speed up real ransomware tradecraft, especially defense evasion and internal network discovery. Defenders should review detections for Telegram and Cloudflare-backed command channels, unusual payload loaders, and suspicious Active Directory reconnaissance, and treat AI-assisted malware development as an operational threat rather than a theory.
Sources: AI-built ransomware toolkit automates EDR evasion, AD discovery, In Other News: Anthropic Maps AI Threats, Unpatched Comodo Flaw, Palantir Chief Eyed for CISA
U.S. sanctions Iran’s Nobitex crypto exchange over ransomware- and IRGC-linked transactions
The U.S. sanctioned Nobitex, Iran’s largest cryptocurrency exchange, saying it helped process transactions tied to ransomware actors and Iran’s Islamic Revolutionary Guard Corps. The Treasury’s Office of Foreign Assets Control also designated Nobitex executives and targeted other Iranian exchanges including Wallex, Bitpin, and Ramzinex as part of its "Economic Fury" campaign, alleging sanctions evasion and terrorist-financing support rather than a software flaw or CVE-tracked vulnerability. — This matters because ransomware groups and state-linked actors depend on payment channels to move money, and sanctions can disrupt those routes while raising compliance risk for exchanges, companies, and users who interact with them. Organizations handling crypto exposure should review sanctions screening and watch for links to designated wallets and entities.
Sources: The U.S. sanctions Nobitex crypto exchange used by ransomware
IMA Diligence Services says breach of third-party-managed legacy server exposed data of 525,000 people
IMA Diligence Services says attackers stole sensitive personal data from a legacy server managed by a third party, affecting 525,306 people. The company says the intruders accessed the server between December 8 and December 16 and exfiltrated files containing names, addresses, Social Security numbers, driver's license numbers, financial account and credit card data, medical and health insurance information, and in some cases passport and taxpayer ID numbers. SecurityWeek says the Genesis ransomware group previously claimed the attack and said it stole 700 GB of data. — This is a high-impact breach because it exposed the kinds of data that can be used for identity theft, fraud, and medical or financial scams. Affected people should watch for the company's notice, enroll in credit monitoring, and consider fraud alerts or account monitoring, while defenders should review third-party legacy systems and data-retention exposure.
Sources: IMA Diligence Services Data Breach Impacts 525,000 People
Play ransomware gang lists MyPillow as an alleged victim and threatens to leak stolen company and employee data
Play ransomware operators have posted MyPillow to their leak site, claiming they stole sensitive internal data and will publish it if the company does not pay. According to the gang’s dark-web extortion post, the alleged haul includes personal and confidential data, client documents, budgets, payroll records, IDs, tax files, and finance information. The article does not provide technical details on the intrusion method, affected systems, or data volume, and MyPillow had not confirmed the breach at publication time. — If the claim is accurate, employees, customers, and business partners could face privacy risks, fraud, or follow-on phishing using stolen records. Defenders should watch for confirmation, review for signs of Play ransomware activity, and prepare incident-response, notification, and credential-reset steps if exposure is verified.
Sources: MyPillow must decide whether to be firm or soft as ransomware crims demand pay
Europol-led operation seizes First VPN service used by ransomware and cybercrime actors
French and Dutch authorities, with Europol and partners from 16 countries, seized 33 servers and multiple domains tied to the 'First VPN' service, which investigators say was widely used in ransomware, fraud, and data-theft attacks. Authorities arrested or questioned a Ukrainian administrator, infiltrated the service, and said intelligence from the takedown identified thousands of users, with 506 users and 83 intelligence packages shared internationally. — The takedown targets a criminal privacy service that allegedly supported major cybercrime operations and may generate follow-on investigations into ransomware and data-theft cases. Defenders and incident responders should watch for new attribution and victim-notification leads emerging from the seized data.
Sources: Police seize “First VPN” service used in ransomware, data theft attacks, Europe dismantles VPN service used by cybercriminals to hide ransomware attacks, ‘First VPN’ Cybercrime Service Disrupted, Administrator Arrested
Attackers exploit SonicWall Gen6 SSL-VPN MFA bypass CVE-2024-12802 after incomplete remediation
ReliaQuest and SonicWall say attackers exploited CVE-2024-12802 on SonicWall Gen6 SSL-VPN appliances to bypass MFA when admins installed patched firmware but did not complete required LDAP reconfiguration steps. Intrusions observed from February to March involved brute-forced credentials, internal reconnaissance, RDP access, and attempted deployment of Cobalt Strike and a BYOVD tool across multiple sectors and geographies. — Organizations using SonicWall Gen6 SSL-VPN may still be exposed even if they believe they are patched, because firmware updates alone do not fully mitigate the flaw. Defenders should verify the manual remediation, hunt for listed indicators, and treat exposed Gen6 devices as potentially compromised.
Sources: Hackers bypass SonicWall VPN MFA due to incomplete patching
Microsoft disrupts Fox Tempest code-signing service used by ransomware and malware operators
Microsoft said it seized domains and hundreds of VMs tied to Fox Tempest, a criminal service that abused Microsoft Artifact Signing using more than 580 fraudulent accounts created with fake identities. The operation allegedly sold code-signing certificates used to sign malware including Oyster, Lumma, Vidar, and Rhysida, and was linked to ransomware actors including Vanilla Tempest as well as INC, Qilin, and Akira affiliates. — Trusted code-signing helps malware bypass user suspicion and some security controls, so this service likely enabled broader, more effective intrusions. Defenders should review detections and hunting for suspicious signed binaries and malware families named by Microsoft.
Sources: Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware