Ransomware
MuddyWater Wears Chaos Ransomware as a Disguise — Teams Screen-Sharing Funnels Iranian Espionage Through Fake Extortion
Rapid7 attributes a Chaos-branded ransomware intrusion to Iran's MuddyWater. No files were ever encrypted — the ransom note was cover for Stagecomp/Darkcomp espionage delivered via Microsoft Teams screen-share.
SimpleHelp Trio Hits CISA KEV as DragonForce Ransomware Tears Through MSP Fleets
CISA dragged three SimpleHelp RMM bugs into the KEV catalog with a May 8 federal deadline after DragonForce operators chained them to push ransomware across MSP customer fleets in a single shot.
Kyber Ransomware: First Production PQC Deployment — Rust Windows Variant, ESXi Variant, Same Affiliate
Rapid7 recovered two Kyber variants from a single incident: a Rust-based Windows encryptor that actually implements Kyber1024 + X25519 + AES-CTR, and an ESXi encryptor whose 'post-quantum' claim is just ChaCha8 under RSA-4096. Same campaign ID, same Tor infrastructure, same affiliate.
The Gentlemen RaaS: SystemBC Proxy Botnet Reveals 1,570 Corporate Victims
A DFIR engagement against The Gentlemen RaaS exposed a SystemBC C2 server proxying over 1,570 likely corporate victims, with affiliates leaning on a 14,700-device FortiGate inventory for initial access.
The Ransomware Dwell Time Collapse: When the Entire Kill Chain Fits Inside an Hour
Akira is encrypting domains 60 minutes after a VPN login. Storm-1175 is going from zero-day to domain-wide Medusa deployment in under 24 hours. The industry's average detection time is still measured in days. The math no longer works.
Payouts King Runs Hidden QEMU VMs to Bypass EDR — STAC4713 and CitrixBleed 2 Campaigns
Sophos tracks two Payouts King campaigns running Alpine Linux inside QEMU on Windows hosts to tunnel reverse SSH and evade endpoint security. STAC3725 chains in CitrixBleed 2 (CVE-2025-5777) against NetScaler.
Ransomware Hits ChipSoft, the EHR Vendor Behind 80% of Dutch Hospitals
A ransomware attack on Dutch EHR vendor ChipSoft has disrupted hospital systems nationwide and may have exposed millions of patient records.
Anubis Ransomware Gang Claims 2TB Exfiltration from Signature Healthcare as Brockton Hospital Diverts Ambulances
Anubis RaaS group claims theft of 2TB of patient data from Signature Healthcare while Brockton Hospital diverts ambulances, cancels chemo, and operates on paper charts a week after the attack.
Storm-1175 Chains Zero-Days to Deploy Medusa Ransomware in Under 24 Hours
Microsoft exposes Storm-1175 as a primary Medusa ransomware affiliate, weaponizing zero-days in SmarterMail and GoAnywhere MFT with sub-24-hour dwell times.
Akira Ransomware Now Encrypts in Under an Hour: SonicWall VPNs Are the Front Door
Akira ransomware operators are completing full attack chains from initial VPN access to encryption in under 60 minutes, targeting SonicWall SSL VPNs even on patched devices.
Ransomware Hits Minot Water Treatment Plant SCADA System, FBI Investigating
Ransomware compromised the SCADA server at Minot, North Dakota's water treatment plant, forcing 16 hours of manual operations. FBI released a statement today confirming active investigation.
TeamPCP's Supply Chain Cascade: Trivy, KICS, LiteLLM, Telnyx Compromised — Now Pivoting to Ransomware via Vect
TeamPCP poisoned Trivy, KICS, LiteLLM, and Telnyx across GitHub Actions and PyPI in March 2026, harvested ~300 GB of CI/CD secrets, breached Cisco and AstraZeneca, and has now partnered with Vect RaaS to convert stolen credentials into ransomware deployments.
Your Firewall Is the Foothold: Q1 2026's Edge Device Exploitation Epidemic
Three months into 2026, edge devices are the dominant entry point for attackers. A deep dive into the FortiGate SSO bypass and Ivanti EPMM RCE chains, and why this pattern shows no signs of stopping.
Cisco FMC Zero-Day Exploited by Interlock Ransomware for 36 Days Before Disclosure
CVE-2026-20131 scores a perfect CVSS 10.0. Interlock ransomware had 36 days of free rein before Cisco went public.