Ransomware summary week 04, 2026

Week 4 saw the Belgian hospital AZ Monica ransomware attack disrupting patient care across Antwerp, while Qilin continued targeting Asian manufacturing with attacks on Singapore’s Neo Group and Thailand’s Charoenchai Transformer. WorldLeaks claimed 1.4TB from Nike, and two US cybersecurity professionals pleaded guilty to ALPHV ransomware attacks.
Published: January 27, 2026

Executive Summary

Week 4 of 2026 was marked by a significant healthcare incident in Europe as Belgian hospital AZ Monica suffered a ransomware attack that forced the cancellation of 70+ surgeries, transfer of 7 critical patients, and postponement of chemotherapy treatments for 150 oncology patients. The Qilin ransomware group maintained high activity levels, expanding into Southeast Asian manufacturing with attacks on Singapore’s Neo Group and Thailand’s Charoenchai Transformer. WorldLeaks (formerly Hunters International) made headlines by claiming a massive 1.4TB data exfiltration from Nike, allegedly containing product designs and supply chain information. South Korean conglomerate Kyowon confirmed a major breach potentially affecting 9.6 million accounts. In a notable law enforcement development, two US cybersecurity professionals (one from incident response firm Sygnia, another a ransomware negotiator) pleaded guilty to ALPHV/BlackCat ransomware attacks. Black Basta’s alleged leader was added to Europol’s Most Wanted list following raids in Ukraine.

Key Statistics:
  • Global: 285+ victims in first 15 days of January 2026; law enforcement actions against Black Basta, ALPHV affiliates
  • Europe: AZ Monica hospital (Belgium) major healthcare disruption; Endesa (Spain) 20M+ customer data breach; Black Basta leader identified
  • Asia: Kyowon (South Korea) 9.6M accounts compromised; Qilin targeting Singapore, Thailand, Malaysia manufacturers
  • US: Two cybersecurity professionals guilty of ALPHV attacks; Nike investigating 1.4TB WorldLeaks claim; Frederick Health 934K patients affected
  • Other: Venezuela’s PDVSA infrastructure attack; Morocco’s Marjane Group targeted by Stormous


1. EUROPE

1.1 Government

No new government incidents reported this week.

1.2 Health, Municipalities & Non-commercial

AZ Monica Hospital (Belgium) - Ransomware Attack (January 13-19, 2026)
  • Two campuses in Antwerp and Deurne affected
  • 70+ surgeries cancelled; 7 critical care patients transferred to other hospitals via Red Cross
  • 8,000+ appointments cancelled; chemotherapy delayed for 150 oncology patients
  • Emergency, MUG, and Intensive Care services operating at reduced capacity
  • Doctors lost access to electronic medical records
  • Investigation by Federal Police cybercrime unit; Prime Minister convened crisis meeting
  • Flemish Minister pledged €10 million for Antwerp province hospitals
  • Five other Belgian hospitals potentially affected via shared patient registration software
  • Source: The Record, BleepingComputer

Dresden State Art Collections (Germany) - Cyberattack (January 2026)
  • Digital infrastructure disrupted
  • Online ticket sales, visitor services, and museum shop systems disabled
  • No evidence of data theft reported
  • Source: Check Point Research

1.3 Business

Endesa / Energía XXI (Spain) - Data Breach (January 12, 2026)
  • Spain’s largest electric utility (10M+ customers in Spain and Portugal)
  • Unauthorized access to commercial platform
  • Exposed: customer IDs, contact details, DNI numbers, contract info, IBANs
  • Threat actor “Spain” claims 1.05TB database with 20M+ individuals
  • Data samples published on dark web forum January 4
  • No evidence of ransomware deployment
  • Source: BleepingComputer, SecurityWeek

Centrotherm International (Germany) - Qilin Ransomware (January 25, 2026)
  • Industrial equipment manufacturer
  • Listed on Qilin data leak site
  • Source: Ransomware.live

OKIN GROUP (Europe) - Qilin Ransomware (January 25, 2026)
  • Listed on Qilin leak site
  • Source: Ransomware.live

Şemsioğlu Uşak Ev Tarhanası (Turkey) - Qilin Ransomware (January 25, 2026)
  • Turkish food company targeted
  • Source: Ransomware.live

ILCA Targhe s.r.l. (Italy) - Qilin Ransomware (January 2026)
  • Italian manufacturing company
  • Source: Ransomware.live

Schulz GmbH (Germany) - Qilin Ransomware (January 2026)
  • German company listed on leak site
  • Source: Ransomware.live

RLC Transportes / Rau Load Cargo, S.L. (Spain) - Ransomware (January 24, 2026)
  • Spanish logistics company
  • Source: Ransomware.live


2. ASIA

2.1 Government

No government incidents reported this week.

2.2 Health, Municipalities & Non-commercial

No incidents reported this week.

2.3 Business

Kyowon Group (South Korea) - Ransomware Attack (January 10, 2026)
  • Major conglomerate with 8 affiliates (tutoring, appliance rentals, funeral services)
  • ~600 of 800 servers compromised
  • Up to 9.6 million user accounts potentially affected; ~5.54 million unique individuals
  • Korea Internet & Security Agency (KISA) classified the incident as a group-wide ransomware infection
  • Data exfiltration confirmed; customer data impact under investigation
  • No attribution claimed by any ransomware group
  • Source: The Record, BleepingComputer

Neo Group (Singapore) - Qilin Ransomware (January 2026)
  • Food & Beverages industry
  • Confidential and sensitive company information compromised
  • Source: CYFIRMA

Charoenchai Transformer Co., Ltd (Thailand) - Tengu Ransomware (January 2026)
  • Manufacturing sector
  • ~60 GB stolen including personal IDs, financial records, sensitive materials
  • Source: CYFIRMA

Perdana Petroleum Berhad (Malaysia) - Dire Wolf Ransomware (January 2026)
  • Energy, Utilities & Waste sector
  • ~150 GB including financial documents, legal documents, supplier and customer data
  • Source: CYFIRMA

Fujitsu Component (Malaysia) SDN. BHD - Qilin Ransomware (January 2026)
  • Electronics manufacturing
  • Source: Ransomware.live

Sanko Air Conditioning Co., Ltd (Japan) - Qilin Ransomware (January 2026)
  • Manufacturing sector
  • Source: Ransomware.live

Raaga (India) - Data Breach (December 2025, disclosed January 2026)
  • Music streaming platform
  • 10.2 million user records compromised
  • Exposed: names, emails, demographics, locations, passwords (unsalted MD5 hashes)
  • Source: Check Point Research

VietISO (Vietnam) - Data Breach (January 2026)
  • Travel & Tourism technology sector
  • 209,000+ individuals with KYC information exposed (national IDs, addresses, phone numbers)
  • Threat actor “Solonik” responsible
  • Source: CYFIRMA

Mastertech International Co., Ltd (Thailand) - Data Breach (January 2026)
  • Manufacturing sector
  • Personally identifiable information including national IDs exposed
  • Source: CYFIRMA

Sagolink (South Korea) - Data Breach (January 2026)
  • Insurance & Accident Compensation
  • ~12,000 customer and adjuster records with personal data and insurance claim documentation
  • Source: CYFIRMA

Aforeserve (India) - Data Breach (January 2026)
  • IT Services sector
  • Customer service logs and personal contact information exposed
  • Source: CYFIRMA


3. UNITED STATES

3.1 Government

Warren County Sheriff’s Office (Kentucky) - Ransomware Attack (January 14-15, 2026)
  • Local law enforcement agency
  • Discovery date: January 15, 2026
  • Specific ransomware group not disclosed
  • Source: Ransomware.live

3.2 Health, Municipalities & Non-commercial

Frederick Health Medical Group (Maryland) - Ransomware Attack (January 27, 2025, notification ongoing)
  • 934,326 patients affected
  • Exposed: names, addresses, DOB, SSNs, driver’s licenses, medical record numbers, health insurance info
  • Shared drive accessed; EMR system not compromised
  • At least 5 class action lawsuits filed
  • No ransomware group has claimed responsibility (ransom may have been paid)
  • Source: HIPAA Journal, BleepingComputer

HealthBridge Chiropractic (Philadelphia) - Qilin Ransomware (January 6, 2026)
  • Multispecialty healthcare provider (orthopedic, chiropractic, pain management)
  • Systems and data compromised
  • Source: SharkStriker

Cardiovascular Medical Group - Shinobi Ransomware (January 2026)
  • Heart hospital offering specialized cardiovascular services
  • Source: SharkStriker

Artisans’ Bank / VeraBank - Marquis Software Supply Chain Attack (Disclosed January 2026)
  • Two US banks affected by August 2025 ransomware attack on financial software provider
  • Customers notified via Maine regulators
  • Source: The Record

3.3 Business

Nike, Inc. - WorldLeaks Data Exfiltration (January 24-26, 2026)
  • 1.4TB data / 188,000+ files allegedly stolen
  • Claims include: design schematics (Jordan Brand SP27), product tech packs, supply chain details, factory audits, internal documents (2020-2026)
  • Nike investigating; no confirmation of customer/employee data exposure
  • WorldLeaks (formerly Hunters International) uses data theft extortion without encryption
  • Source: The Register, Cybernews

Under Armour - Data Breach (January 2026)
  • 72 million customer records leaked following November ransomware attack
  • Exposed: names, emails, genders, dates of birth, addresses
  • Source: Check Point Research

Luxshare (Apple/Nvidia/Tesla supplier) - RansomHub Claim (January 2026)
  • Electronics manufacturer
  • Group claims access to 3D CAD models, circuit board designs, engineering documentation
  • Breach not confirmed by company
  • Source: Check Point Research

Mills Products - Qilin Ransomware (January 26, 2026)
  • Listed on Qilin data leak site
  • Source: Ransomware.live

Shiffler Equipment Sales - Qilin Ransomware (January 24, 2026)
  • Listed on Qilin leak site
  • Source: Ransomware.live

Herzing - Qilin Ransomware (January 2026)
  • Educational institution
  • Source: Ransomware.live

David M. Schwarz Architects - Qilin Ransomware (January 2026)
  • Architecture firm
  • Source: Ransomware.live

LTS Group Inc. - World Leaks (January 24, 2026)
  • Listed on World Leaks leak site
  • Source: Ransomware.live

Supriya Aesthetic Dermatology - Ransomware (January 24, 2026)
  • Healthcare provider
  • Source: Ransomware.live


4. REST OF WORLD

4.1 Government

PDVSA - Petróleos de Venezuela SA (Venezuela) - Infrastructure Cyberattack (December 2025, impact ongoing)
  • State oil company
  • Complete digital systems shutdown affecting payments, production tracking, SCADA operations
  • Source: CYFIRMA

4.2 Health, Municipalities & Non-commercial

No incidents reported this week.

4.3 Business

Marjane Group (Morocco) - Stormous Ransomware (January 2026)
  • Morocco’s largest retail company
  • Stormous publicly claimed responsibility, threatened full data leak
  • Types of data stolen unknown
  • Source: Check Point Research

CIDEF Argentina S.A. (Argentina) - Qilin Ransomware (January 2026)
  • Listed on Qilin leak site
  • Source: Ransomware.live

Prosura (Australia/New Zealand) - Data Breach (January 2026)
  • Car rental insurance provider
  • Driver licenses and policy documents exposed
  • Online self-service paused
  • Source: Check Point Research


5. THREAT ACTOR ACTIVITY

Law Enforcement Actions

Black Basta Leadership Identified (January 15-17, 2026)
  • Two Ukrainian suspects’ homes raided in Lviv and Ivano-Frankivsk (joint Ukraine/Germany operation)
  • Suspects worked as “hash crackers” for password extraction
  • Alleged leader Oleg Evgenievich Nefedov (35, Russian national) added to EU Most Wanted and INTERPOL Red Notice
  • Nefedov suspected of being responsible for attacks on 100+ German companies and 600+ worldwide
  • Digital storage devices and cryptocurrency seized
  • Source: The Hacker News, The Record

ALPHV/BlackCat Affiliates Plead Guilty (January 2026)
  • Ryan Goldberg (40, Georgia): worked for incident response firm Sygnia
  • Kevin Martin (36, Texas): ransomware negotiator for DigitalMint
  • Both pleaded guilty to conspiracy to commit extortion
  • Face up to 20 years in prison; sentencing March 12, 2026
  • Source: The Record, SecurityWeek

Most Active Groups This Week

Qilin Ransomware
  • Continues as most prolific group globally
  • January W4 targets: Mills Products, Centrotherm International, OKIN GROUP, Neo Group (Singapore), Fujitsu Component (Malaysia), Sanko Air Conditioning (Japan)
  • 1,000+ victims claimed on leak site since inception
  • 700+ attacks in 2025 alone
  • Source: Ransomware.live, CYFIRMA

WorldLeaks (formerly Hunters International)
  • Rebranded in January 2025 from ransomware to pure data theft/extortion
  • Major claim: Nike (1.4TB)
  • Other January victims: LTS Group Inc., Might Electronic Co. LTD
  • No longer encrypts systems; focuses on data exfiltration and leak threats
  • Source: The Register

Tengu Ransomware
  • Active in Southeast Asia targeting manufacturing
  • January victim: Charoenchai Transformer (Thailand), 60GB
  • Source: CYFIRMA

Dire Wolf Ransomware
  • Targeting Asian energy and property sectors
  • January victim: Perdana Petroleum Berhad (Malaysia), 150GB
  • Source: CYFIRMA

RansomHub
  • Claims attack on Luxshare (Apple/Nvidia supplier)
  • Allegedly accessed CAD models and engineering documentation
  • Source: Check Point Research

6. KEY TAKEAWAYS

Defensive Recommendations

  1. Healthcare-Specific Controls: Implement network segmentation for clinical systems; ensure emergency paper-based procedures are current; establish mutual aid agreements with nearby facilities

  2. Third-Party Software Monitoring: Financial institutions should assess exposure to shared vendors like Marquis Software; implement SBOM tracking

  3. Insider Threat Programs: Enhanced vetting for security personnel; limit access to production systems; monitor for anomalous privileged activity

  4. Data Classification: Prioritize protection of design documents, CAD files, and supply chain information given WorldLeaks/RansomHub targeting patterns

  5. Regional Threat Intelligence: Asian organizations should monitor Qilin, Tengu, and Dire Wolf IOCs; implement enhanced monitoring on manufacturing SCADA/OT networks

2026 Outlook

  • Law enforcement pressure on established groups (Black Basta, ALPHV) driving fragmentation into smaller operations
  • Exfiltration-only tactics expected to increase as ransom payment rates decline
  • Healthcare and manufacturing remain highest-risk sectors
  • Supply chain attacks offer multiplier effect for threat actors
