Threat Alerts — Ransomware
A live, severity-rated stream of the threats actually hitting small and medium businesses worldwide, each with the one or two actions that matter most.
Active alerts
- New Ransomware Framework Evades Nine Major Security ToolsCritical · Ransomware · 2026-07-06Researchers have found a new modular ransomware framework called Avalon that is built specifically to slip past nine security products many small businesses run day to day, including Microsoft Defender, SentinelOne, and CrowdStrike. It arrives through a spoofed legal document and shows signs of AI-assisted development. By the time its CrownX ransomware component shows a ransom note, it has already stolen credentials and disabled recovery options.
- Ohio County Paid $1 Million to a Gang That Never Encrypted AnythingHigh · Ransomware · 2026-07-06A small Ohio county government paid roughly $1 million in bitcoin to a group calling itself Kairos, even though the attackers never locked a single file. A new case study, built from a leaked negotiation chat and the bitcoin trail the payment left, shows how a month-long negotiation moved from a $3 million opening demand down to seven figures. The case is a reminder that "ransomware" increasingly means stolen data held hostage, not scrambled files.
- AI Agent Runs an Entire Ransomware Attack AloneCritical · Ransomware · 2026-07-02Researchers at Sysdig say they've documented the first ransomware attack carried out end to end by an AI agent, no human at the keyboard. The agent broke into an exposed Langflow server through a year-old bug, stole cloud credentials, and encrypted a production database before leaving a ransom note. The entry point was a flaw that a patch already fixed months ago.
- Mass FortiGate Credential Theft Now Linked to RansomwareCritical · Ransomware · 2026-07-02A threat intelligence firm has tied the FortiBleed credential-harvesting campaign directly to two active ransomware operations, after finding a shared operator working negotiation panels for both groups. The campaign scanned more than 430,000 FortiGate firewalls worldwide and has already produced at least 12 ransomware deployments. If your business runs a FortiGate device, this is the moment to check whether your credentials were part of the haul.
- Fake Interpol Emails Push Ransomware at Small BusinessesHigh · Ransomware · 2026-07-02A ransomware campaign disguised as an Interpol fraud investigation is targeting small businesses across Europe, Asia, the Middle East, and the US. The email links to a password-protected archive that hides an executable disguised as video evidence, and once it runs, it encrypts local files. The one piece of good news: researchers found the decryption password baked into the malware itself.
- World Leaks Hits Tata Electronics, Releasing Apple Manufacturing SchematicsHigh · Ransomware · 2026-06-24Tata Electronics, a key iPhone component supplier in India, confirmed a breach by World Leaks, a data-extortion group that publishes stolen files without encrypting systems. Leaked documents include internal component schematics, PCB designs, and SDK files for Apple products. No customer or employee personal data appeared in the published materials.
- INTERPOL's Asia-Pacific Report: AI Scams and Ransomware Both AcceleratingWatch · Ransomware · 2026-06-22INTERPOL's 2025-2026 Asia-Pacific Cyberthreat Assessment covers 23 member countries and identifies phishing as the most widespread threat in the region, with AI-powered fraud and ransomware both growing faster than defensive adoption. Business email compromise and deepfake-enabled executive impersonation are producing the largest financial losses, hitting smaller businesses hardest. Organisations with any supply-chain or operational exposure to Asia-Pacific should treat this as a forward-looking threat indicator.
- Prinz Eugen Ransomware Targets Files in Active Use, Skips Ransom NotesWatch · Ransomware · 2026-06-21Security analysts at Threatdown have identified a new ransomware group called Prinz Eugen that breaks in via stolen Remote Desktop credentials and deliberately encrypts the files employees were most recently working on. Unlike most ransomware, the group leaves no note on infected systems, delivering demands by email and phone to complicate incident response. Standard Bank in South Africa has confirmed it is among the group's first victims.
- Stolen OAuth Tokens Let Hackers Loot Salesforce Data Through Klue AppHigh · Ransomware · 2026-06-20Salesforce has cut off the Klue Battlecards app after an extortion group called Icarus used stolen OAuth tokens to pull customer records from connected Salesforce accounts. Security firm Huntress and others have confirmed data theft. The case shows how one compromised vendor integration can expose hundreds of companies that never dealt with the attacker directly.
- Police Disrupt SocGholish Malware and Clean 15,000 Hacked SitesHigh · Ransomware · 2026-06-20Law enforcement from four countries seized 106 servers behind SocGholish, a malware operation that turns hacked WordPress sites into fake software-update traps, and cleaned 14,971 infected websites. The malware has fed ransomware crews including Evil Corp and LockBit since 2017. Owners of affected sites have been told to change credentials and update their CMS.
- INC Ransomware Tops 830 Victims as Affiliates Flock to the BrandHigh · Ransomware · 2026-06-19INC, a ransomware-as-a-service operation, has claimed more than 830 victims since August 2023 and now ranks among the busiest ransomware brands of 2026. US organisations make up over 65% of its targets, with legal, manufacturing, construction, technology, and healthcare firms hit hardest. INC grew by sticking to well-known techniques rather than exotic tooling.
- DragonForce Hides Ransomware C2 Traffic Inside Microsoft Teams RelaysHigh · Ransomware · 2026-06-19DragonForce ransomware affiliates used a custom backdoor that tunnels its command-and-control traffic through Microsoft Teams relay servers, leaving defenders blind for one to two months. Symantec and Carbon Black documented the attack against a US services firm. Because the traffic looks like ordinary Teams activity, standard firewall monitoring did not catch it.
- ClickFix Scams Now Deliver Three New Loaders Tied to Ransomware CrewsHigh · Ransomware · 2026-06-16Researchers at Morphisec, BlueVoyant, and Huntress have documented three malware loaders, BabaDeda, Lorem Ipsum, and Potemkin, all delivered through ClickFix scams that trick people into pasting commands into their own computers. The campaigns hit education, legal, financial, and construction firms and end in stealers, RATs, and Rhysida ransomware. Train staff to never paste a command they did not write.
- ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Breach UniversitiesCritical · Ransomware · 2026-06-12The ShinyHunters extortion crew exploited a critical Oracle PeopleSoft zero-day (CVE-2026-35273) to steal data from more than 100 organizations, most of them US universities. The bug scores 9.8, needs no login, and was unpatched while attacks ran. Any business running PeopleSoft with internet-facing management endpoints is exposed. CVEs: CVE-2026-35273.
- Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware GangsWatch · Ransomware · 2026-06-12Europol and the US Justice Department dismantled AudiA6, a cryptocurrency laundering service that washed more than 336 million euros in criminal profits since 2021. Two men were arrested and charged. The takedown cuts a cash-out pipeline ransomware crews relied on, but the gangs that hit small businesses are still operating.
- The Gentlemen: Second Busiest Ransomware Gang Uses 90/10 Splits to RecruitHigh · Ransomware · 2026-06-11Security researchers have identified the operator behind The Gentlemen ransomware as a 36-year-old from Izhevsk, Russia, running the second most active ransomware-as-a-service platform of 2026. The group targets internet-facing VPNs and firewalls and has logged 332 victims since mid-2025.
- Critical Veeam Backup Flaw Gives Domain Users Remote Code ExecutionCritical · Ransomware · 2026-06-09Veeam patched CVE-2026-44963 in Backup and Replication today, a 9.4 CVSS flaw that lets any domain user execute code on backup servers running version 12. No active exploitation yet, but ransomware groups target Veeam backup infrastructure to disable recovery before deploying ransomware. The fixed version is 12.3.2.4854. CVEs: CVE-2026-44963.
- Check Point VPN Zero-Day Exploited by Qilin Ransomware in Active Global CampaignCritical · Ransomware · 2026-06-08A critical authentication bypass in Check Point's Remote Access VPN is under active exploitation, with a confirmed Qilin ransomware affiliate using it to enter networks without credentials. The flaw, CVE-2026-50751, affects Spark firewalls marketed to SMBs and managed service providers. Patches were released June 8. CVEs: CVE-2026-50751.
- Silent Ransom Group Targets US Law Firms with Phone Extortion and DNS Fast FluxHigh · Ransomware · 2026-06-08The Silent Ransom Group is running a phone-based extortion campaign against US law firms, accounting for nearly 25% of all law firm ransomware incidents in Q1 2026. The group steals data without encrypting files, then demands payment under threat of publication. DNS fast flux across 22 ISPs in 18 countries makes their infrastructure difficult to block.
- New Ransomware Group 'Viperwave' Hits Professional Services Firms Across 14 CountriesCritical · Ransomware · 2026-06-06A newly identified ransomware group, Viperwave, has claimed responsibility for attacks on professional services firms across 14 countries. The group skips encryption entirely in favour of data exfiltration and targets businesses with 10–200 employees.