ransomware

Rapid7 links a Chaos ransomware intrusion in early 2026 to Iranian state-linked MuddyWater, finding no encryption deployed — only credential theft and data exfiltration under ransomware cover.

The 2026 DBIR finds 31% of breaches now begin with unpatched vulnerabilities -- surpassing credential abuse for the first time in the report's 19-year history -- as median patch time climbs to 43 days and ransomware reaches 48% of all breaches.

Microsoft's Digital Crimes Unit seized signspace.cloud and revoked more than 1,000 fraudulent code-signing certificates after Fox Tempest sold access to Azure Artifact Signing for $5,000–$9,000 per transaction to ransomware groups including Rhysida, Akira, and Qilin.

World's largest electronics manufacturer acknowledges cyberattack claimed by Nitrogen ransomware group on North American factories; attackers allege 8 TB data theft including confidential schematics for Apple, Nvidia, Google and others, with production now resuming.

CISA's April 24 KEV update flags four actively exploited vulnerabilities tied to ransomware against managed service providers and Mirai DDoS botnets, with a May 8 federal patching deadline.

A researcher's protest disclosure turned Microsoft Defender's remediation engine into an attack vector, with two of three zero-days remaining unpatched as ransomware actors move in.

Flashpoint's 2026 report documents a 1,500 percent spike in AI-related criminal forum activity, 3.3 billion stolen credentials from infostealers, and a 53 percent rise in ransomware incidents.

Qilin ransomware group claims attack on German political party Die Linke, threatening to leak 1.5 terabytes of internal data in what the party calls a hybrid warfare operation.

An incident response manager at Sygnia and a ransomware negotiator at DigitalMint admitted to moonlighting as ALPHV/BlackCat affiliates, targeting five US companies and causing over $9.5 million in losses.

Amazon threat intelligence reveals that the Interlock ransomware group exploited a critical Cisco Secure Firewall Management Center zero-day vulnerability for over five weeks before Cisco disclosed and patched the flaw in early March 2026.

A critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and Privileged Remote Access products, rated CVSS 9.9, is being actively exploited in ransomware attacks across six countries, with thousands of on-premises instances still unpatched.

Telus Digital confirmed a breach after ShinyHunters claimed to have stolen up to one petabyte of data using cloud credentials obtained in a prior third-party compromise.