#ransomware
45 articles
Over the past month, ZCyberNews has tracked 51 ransomware-related articles, with The Gentlemen, LockBit, and ShinyHunters among the most frequently cited threat actors. The coverage spans from April 12 to May 13, 2026, and highlights several critical vulnerabilities, including CVE-2026-1731, CVE-2026-34197, CVE-2024-55591, CVE-2025-32433, and CVE-2025-33073. Affected sectors range across multiple industries, with healthcare, manufacturing, technology, and critical infrastructure prominently featured. Geographically, incidents have been reported globally, with a concentration in North America, the United States, Europe, and Turkey. The severity mix includes 40 high, 6 critical, 1 medium, and 2 informational entries.
[HIGH] Foxconn Confirms Ransomware Attack on North American Factories
Nitrogen ransomware gang claims 8TB of stolen data from Foxconn's North American factories, including technical files from major tech clients.
[CRITICAL] The Gentlemen RaaS Internal Leak Exposes Admin, Affiliates, Tactics
A leaked backend database from The Gentlemen RaaS operation reveals 9 accounts, admin TOX ID, initial access via Fortinet/Cisco edge flaws, and a 190,000 USD ransom payout.
[CRITICAL] Instructure Pays Ransom to ShinyHunters After Canvas Breach
Instructure paid ShinyHunters after two Canvas intrusions stole data from 9,000 institutions. Congress launched an investigation into the ed-tech vendor's incident response.
[HIGH] Instructure Pays ShinyHunters to Halt 3.65TB Canvas Data Leak
ShinyHunters agreed to delete 3.65TB of stolen Canvas data after Instructure paid an undisclosed ransom. The breach affects thousands of schools and universities worldwide.
[HIGH] UK Fines South Staffordshire Water $1.3M for 2022 Breach
ICO fined South Staffordshire Water £963,900 after Cl0p ransomware gang leaked data of 663,887 customers — phishing attack went undetected for 20 months.
[HIGH] West Pharma Hit by Ransomware, Systems Disrupted Globally
West Pharmaceutical Services took systems offline globally after a May 4 ransomware attack with data exfiltration. Unit 42 is investigating; ransom may have been paid.
[HIGH] Pro-Orbán Media Firm Mediaworks Breached by Ransomware Group
Ransomware group claims breach of Mediaworks, a pro-Orbán Hungarian media conglomerate. The firm confirmed unauthorized access and potential data exfiltration on Friday.
[HIGH] Ex-Incident Responders Sentenced to 4 Years for Ransomware Attacks
Two cybersecurity incident responders who abused client access to deploy ransomware were sentenced to 4 years in prison — a rare case of responders turning attackers.
[HIGH] Ex-Ransomware Negotiators Sentenced to 4 Years for BlackCat Attacks
Two former IR firm employees got 4 years each for laundering $18M+ in BlackCat ransom payments and advising attackers on negotiation tactics.
[HIGH] Inc Ransom Breach at Sandhills Medical Exposes 170K Records
Inc Ransom group breached Sandhills Medical in 2025; the South Carolina healthcare provider took nearly a year to disclose the incident, affecting 170,000 patients.
[HIGH] CISA Details Interlock Ransomware TTPs, IOCs in Joint Advisory
CISA and FBI released a joint advisory on Interlock ransomware, detailing TTPs, IOCs, and a shift from double extortion to data-theft-only attacks targeting healthcare and…
[CRITICAL] VECT 2.0 Ransomware Wiper Bug Destroys Files Over 131KB
VECT 2.0 ransomware contains a critical encryption flaw that irreversibly destroys files larger than 131KB on Windows, Linux, and ESXi — no recovery possible even with a…
[HIGH] Rival Ransomware Gangs 0APT, KryBit Leak Each Other's Data
0APT and KryBit ransomware groups leaked each other's infrastructure data after a feud, exposing C2 servers, panel credentials, and victim lists to defenders.
[HIGH] US Charges 19-Year-Old Scattered Spider Hacker Arrested in Finland
A 19-year-old US-Estonian dual citizen arrested in Finland faces federal charges as a prolific Scattered Spider member linked to ransomware attacks on MGM Resorts and Caesars.
[MEDIUM] ESET: March 2026 Cyber Threats Show Resilience Gaps
ESET's Tony Anscombe warns that March 2026 attacks — including ransomware, supply chain compromises, and AI-driven phishing — reveal systemic gaps in organizational…
[CRITICAL] TeamPCP Partners with Vect Ransomware in Supply Chain Attacks
Unit 42 reports TeamPCP has partnered with Vect ransomware group to target security software vendors in multi-stage supply chain attacks, compromising trusted update mechanisms.
[HIGH] Germany Identifies REvil, GandCrab Ransomware Leader 'UNKN'
German authorities name 31-year-old Russian Daniil Maksimovich Shchukin as 'UNKN,' the operator behind REvil and GandCrab ransomware groups linked to 130+ extortion attacks.
[HIGH] Trigona Ransomware Deploys Custom Exfil Tool for Faster Data Theft
Trigona ransomware attacks now use a custom CLI tool to exfiltrate data from compromised networks faster, targeting backups and cloud storage before encryption.
[HIGH] Kyber Ransomware Deploys Post-Quantum Encryption in Attacks
The Kyber ransomware gang is using a variant that implements Kyber1024 post-quantum encryption to target Windows and VMware ESXi systems, according to a BleepingComputer analysis.
[HIGH] The Gentlemen Ransomware Deploys Dual Lockers for Windows, Linux, and VMware
The Gentlemen ransomware-as-a-service operation has infected over 320 victims, deploying separate encryptors for Windows/Linux and VMware ESXi systems to maximize disruption and ransom pressure on enterprise networks.
[HIGH] Ransomware Attackers Operate Like Businesses, ESET Research Reveals
ESET analysis of 100+ ransomware attacks shows threat actors run business operations with defined roles, KPIs, and supply chains, not just technical attacks.
[CRITICAL] Bomgar RMM Exploit Fuels Ransomware and Supply Chain Attacks
CVE-2026-1731, a critical 9.8 CVSS flaw in BeyondTrust's Bomgar RMM, is being actively exploited to deploy ransomware and compromise IT service providers in global supply chain attacks.
[HIGH] Kyber Ransomware Deploys Dual Payloads for Windows and VMware ESXi
Kyber ransomware deploys two distinct payloads to encrypt both Windows systems and VMware ESXi servers, using a custom tool to wipe ESXi snapshots and hinder recovery. The attack chain begins with compromised RDP credentials.
[INFORMATIONAL] Former Ransomware Negotiator Pleads Guilty to BlackCat Attacks
Angelo Martino, a 41-year-old former employee of cybersecurity firm DigitalMint, pleads guilty to conspiring in BlackCat ransomware attacks against U.S. companies while working as a negotiator.
[HIGH] France Titres Data Breach Exposes Citizen Information for Sale
France Titres, the French government agency for ID documents, confirms a data breach after a threat actor offers to sell stolen citizen information, including names, addresses, and passport numbers.
[HIGH] The Gentlemen Ransomware Botnet Infects 1,570+ Systems via SystemBC Proxy
Check Point Research uncovers a 1,570-victim botnet linked to The Gentlemen ransomware, using the SystemBC proxy malware to establish stealthy SOCKS5 tunnels for command and control.
[HIGH] Datto Warns Traditional Backups Fail to Maintain Business Operations During
Datto's 2026 report reveals 43% of businesses with backups still face over 24 hours of downtime after an attack, highlighting the critical gap between data backup and true business continuity and disaster recovery (BCDR).
[HIGH] The Gentlemen Ransomware Deploys SystemBC Proxy for C2 Evasion
The Gentlemen ransomware-as-a-service group uses the SystemBC SOCKS5 proxy tool to hide command-and-control traffic, according to a Check Point DFIR report analyzing a recent affiliate attack.
[HIGH] Seiko USA Website Defaced, Customer Data Stolen in Ransom Attack
Seiko USA's website was defaced by a hacker claiming theft of its Shopify customer database, including names, emails, and order details for 30,000 individuals, with a ransom demand to prevent public leak.
[CRITICAL] Interlock Ransomware Exploits Cisco FMC Zero-Day in Global Attacks
The Interlock ransomware group is actively exploiting a zero-day vulnerability in Cisco Firepower Management Center to breach networks. Recorded Future identified 31 high-impact flaws in March 2026, a 139% monthly increase.
[HIGH] TeamPCP Supply Chain Attack Fuels Payroll Fraud and Ransomware
TeamPCP threat actors compromised trusted software tools to steal credentials from over 100 organizations, enabling $1.5M in payroll fraud, logistics theft, and ransomware extortion.
[INFORMATIONAL] NAKIVO Backup & Replication v11.2 Adds Ransomware Defense and Proxmox Support
NAKIVO Inc. has released version 11.2 of its Backup & Replication platform, introducing a ransomware defense module, support for Proxmox VE 9.0, and performance enhancements for VMware vSphere 9 environments.
[HIGH] Apache ActiveMQ Vulnerability Exploited, Added to CISA KEV Catalog
A high-severity flaw in Apache ActiveMQ Classic, CVE-2026-34197 (CVSS 8.8), is under active exploitation, prompting CISA to add it to its Known Exploited Vulnerabilities catalog and mandate patching for federal agencies.
[HIGH] Payouts King Ransomware Deploys QEMU VMs as Stealthy Reverse SSH Backdoors
The Payouts King ransomware group is deploying the open-source QEMU emulator to create hidden virtual machines on compromised hosts, establishing a persistent reverse SSH backdoor that evades conventional endpoint detection.
[HIGH] DHL-Themed Phishing Campaign Delivers Remote Access Software
A new phishing campaign impersonates DHL to trick recipients into installing legitimate remote access software, which attackers then use as a foothold to deploy additional malware, including ransomware.
[HIGH] Payouts King Ransomware Emerges from BlackBasta's Shadow
The Payouts King ransomware group, linked to former BlackBasta affiliates, has conducted targeted attacks since April 2025, combining data theft with selective encryption to pressure victims.
[HIGH] JanaWare Ransomware Campaign Targets Turkish Homes and SMBs for Six Years
A ransomware campaign dubbed 'JanaWare' has been targeting Turkish homes and small-to-medium businesses since at least 2018, deploying a custom variant of the Adwind RAT to steal credentials before encryption.
[HIGH] Ransomware Attack Disrupts Automotive Data Giant Autovista Group
Autovista Group, a major European automotive data and analytics firm, confirms a ransomware attack disrupting operations. The company is investigating with external experts, but impact on customer data remains unclear.
[HIGH] Researchers Map Over 1,250 Active C2 Servers Across Russian Hosting Providers
A three-month investigation has identified more than 1,250 active command-and-control servers operating across 165 Russian hosting providers, forming a resilient infrastructure for malware and ransomware operations.
[HIGH] Rhysida Ransomware Group Breaches Tennessee Hospital, Exposes 337,000
Cookeville Regional Medical Center confirms a 2025 ransomware attack by the Rhysida group compromised the data of 337,000 individuals after the theft of 500GB of files.
[HIGH] Triad Nexus Cybercrime Operation Evades Sanctions via Major Cloud Providers
The Triad Nexus cybercrime syndicate leverages major cloud and hosting providers to obscure its infrastructure, evade sanctions, and facilitate ransomware, data theft, and financial fraud.
[HIGH] Basic-Fit Data Breach Exposes 1 Million Member Records
Hackers breached European gym chain Basic-Fit, accessing personal data of approximately one million members, including names, birthdates, and email addresses.
[HIGH] ChipSoft Ransomware Attack Disrupts Dutch Healthcare IT Services
Dutch healthcare IT provider ChipSoft was hit by a ransomware attack, forcing it to take patient and provider portals offline, disrupting critical medical administration across the Netherlands.
[HIGH] ShinyHunters Breaches Rockstar Games via Third-Party SaaS Platform
ShinyHunters breached Rockstar Games by exploiting the Anodot SaaS platform, accessing the company's Snowflake data environment and threatening to leak stolen data unless a ransom is paid.
[HIGH] Ransomware Gangs Evolve EDR Evasion, Adopt New Driver-Based Killers
ESET Research reports ransomware operators are expanding their arsenal of EDR-killing tools, moving beyond exploiting vulnerable drivers to using legitimate but maliciously signed drivers for stealth.