Ransomware summary week 07, 2026

BridgePay payment gateway ransomware attack causes nationwide US payment outages affecting municipalities and utilities, while Qilin ransomware dominates with fresh victims across three continents including Augusta Housing Authority and Tulsa International Airport.
Category: ransomware

Published: February 14, 2026

Executive Summary

Week 7 of 2026 was dominated by the BridgePay ransomware attack, which knocked the US payment gateway offline starting February 6 and caused cascading outages across municipalities, utilities, and businesses nationwide. Qilin continued its prolific campaign with at least eight new victims claimed during the week, spanning the US, UK, Chile, and Mexico. A notable new ransomware strain, Reynolds, emerged with an embedded BYOVD (Bring Your Own Vulnerable Driver) technique to disable EDR security tools — a significant evolution in ransomware evasion. The Warlock ransomware gang’s breach of SmarterTools was publicly disclosed, revealing how a single unpatched SmarterMail instance led to the exfiltration of 1.2 million documents. In Europe, Dutch telecom giant Odido disclosed a breach affecting 6.2 million customers, while Romania’s Conpet confirmed data theft by Qilin. The 0APT group, initially claiming hundreds of victims, was increasingly identified as largely fraudulent by security researchers.

Key Statistics:
- Global: 15+ confirmed new ransomware incidents and claims; Qilin, DragonForce, INC Ransom, and Warlock among the most active groups
- Europe: 3 significant incidents (Odido Netherlands, Anchor Computer Systems UK, Conpet Romania ongoing confirmation)
- Asia: 2 incidents (AOT Japan, A1 Capital Turkey)
- US: 6+ incidents including the BridgePay nationwide outage, Augusta Housing Authority, and multiple Qilin victims
- Rest of World: 3+ Qilin victims in Chile and Mexico; Epworth HealthCare (Australia) targeted by the fraudulent 0APT group


1. EUROPE

1.1 Government

No new European government ransomware incidents reported this week. (Note: Spain’s Ministry of Science shutdown from week 6 remains under investigation.)

1.2 Health, Municipalities & Non-commercial

No new incidents reported this week. (Note: The OLV Pulhof school extortion in Belgium from late January continued to be covered in media this week but the incident itself predates this reporting period.)

1.3 Business

Odido (Netherlands) — Data Breach Disclosed February 12
Dutch telecommunications provider Odido disclosed a cyberattack affecting 6.2 million customers. The breach was detected on the weekend of February 7 when attackers compromised the company’s customer contact system. Exposed data includes names, addresses, email addresses, phone numbers, dates of birth, bank account numbers, and ID document details. No passwords, call logs, or billing information were affected. No ransomware group has claimed responsibility, though the attackers contacted Odido directly. (Bleeping Computer, The Record, TechCrunch)

Anchor Computer Systems (UK) — Qilin, February 12
UK-based technology firm Anchor Computer Systems was listed on Qilin’s dark web leak site on February 12, 2026. The company specializes in IT services. Details of data exfiltration have not been independently confirmed. (RedPacket Security, Ransomware.live)

Conpet S.A. (Romania) — Qilin, Data Theft Confirmed February 12
Romania’s national oil pipeline operator Conpet S.A. confirmed on February 12 that data was stolen in the Qilin ransomware attack first reported on February 3. The Qilin group claims to have exfiltrated nearly 1TB of data including financial records, passport scans, and personal identification information. Security researchers traced the initial compromise to an infostealer infection on an employee’s computer on January 11, weeks before the ransomware deployment. Operational technology systems, including pipeline controls, remained unaffected. (Bleeping Computer, The Record, Industrial Cyber)

Betesan (Bosnia-Herzegovina) — DragonForce, February 13
Betesan, a Tuzla-based engineering company specializing in ship electrical contracting, was listed as a DragonForce ransomware victim on February 13. (RedPacket Security, Ransomware.live)


2. ASIA

2.1 Government

No incidents reported this week.

2.2 Health, Municipalities & Non-commercial

No incidents reported this week.

2.3 Business

AOT Japan Ltd. (Japan) — INC Ransom, February 5
AOT Japan Ltd., a Tokyo-based logistics and freight forwarding company operating since 1986, was listed as a victim of the INC Ransom group on February 5. AOT Japan is a member of JIFFA and holds an NVOCC license for global ocean shipments. The INC ransomware group employs double extortion tactics. (HookPhish, RedPacket Security, CYFIRMA)

A1 Capital Yatırım (Turkey) — DragonForce, February 12
A1 Capital, an Istanbul-based brokerage firm established in 1990 offering equity trading, investment advisory, and portfolio management across 20+ branches, was claimed by the DragonForce ransomware group on February 12. (Ransomware.live)


3. UNITED STATES

3.1 Government

Augusta Housing Authority (Georgia) — Qilin, February 9
The Augusta, Georgia Housing Authority, serving more than 15,000 residents annually, was listed on Qilin’s dark web leak site on February 9. Sample documents posted include personal data from low-income housing applicants and city employees, including names, addresses, payroll data, and utility reimbursement reports. The AHA website displayed a notice about ongoing issues. (Cybernews, SC Media)

3.2 Health, Municipalities & Non-commercial

BridgePay Network Solutions — Ransomware, February 6 (Ongoing)
Florida-based payment gateway provider BridgePay confirmed a ransomware attack on February 6 that caused system-wide service disruption. The outage began at approximately 3:29 a.m. EST with degraded performance, and by 7:08 p.m. the company confirmed ransomware as the cause. The attack crippled core services including the BridgePay Gateway API (BridgeComm), PayGuardian Cloud API, MyBridgePay virtual terminal, hosted payment pages, and PathwayLink portals.

The cascading impact affected municipalities, utilities, and businesses across the US:
- Bryan Texas Utilities (BTU): 70,000 customers lost online billing access
- Grand Traverse County, Michigan: Credit card payment outages
- Palm Bay, Florida: Utility payment disruptions
- Wichita, Kansas: Payment disruptions resolved February 11 via workaround
- Wisconsin: Municipal campground reservation system disrupted

BridgePay stated that initial forensic investigation indicated no payment card data was compromised and any potentially accessed data was encrypted. The FBI and US Secret Service forensic team are investigating. As of February 12, recovery efforts showed positive progress. No ransomware group has claimed responsibility. (Bleeping Computer, Infosecurity Magazine, GovTech, eSecurity Planet)

3.3 Business

SmarterTools (US) — Warlock (Storm-2603), Disclosed February 9-10
SmarterTools confirmed that the Warlock ransomware gang (aka Storm-2603, Gold Salem) breached its network on January 29 by exploiting an unpatched SmarterMail instance. An employee had set up a virtual machine running an outdated SmarterMail server, which the attackers compromised using CVE-2026-23760 to reset the local administrator password. Using Active Directory, the attackers reached over a dozen critical servers and exfiltrated more than 1.2 million sensitive documents. CISA added CVE-2026-24423 (unauthenticated RCE in SmarterMail) to its Known Exploited Vulnerabilities catalog on February 5. (Bleeping Computer, The Hacker News, Help Net Security, Dark Reading)

Sakata Seed America (US) — Qilin, February 12
Sakata Seed America, a subsidiary of the Japanese seed company, was claimed by Qilin on February 12 as part of a batch of six new victims. (Ransomware.live)

On-Point Defense Technologies (US) — Qilin, February 11
US-based defense technology company On-Point Defense Technologies was listed on Qilin’s leak site on February 11. (RedPacket Security, Ransomware.live)

Campbell Rappold & Yurasits (US) — Qilin, February 12
US-based firm Campbell Rappold & Yurasits was listed as a Qilin victim on February 12. (Ransomware.live)


4. REST OF WORLD

4.1 Government

No incidents reported this week.

4.2 Health, Municipalities & Non-commercial

Epworth HealthCare (Australia) — 0APT (Likely Fraudulent), February 2026
Victoria’s largest not-for-profit private hospital group, Epworth HealthCare, was targeted by the 0APT group, which claimed to have exfiltrated 920GB of clinical data including surgical records and patient billing. However, Epworth HealthCare stated that after investigation with independent cybersecurity specialists, there is “no verified evidence of any impact to our systems or data.” Security researchers have concluded 0APT is likely a fake operation using empty files and psychological pressure for extortion. (Cyber Daily, Cyber News Centre)

4.3 Business

Conectados Chile S.A. (Chile) — Qilin, February 12
Chilean telecommunications company Conectados Chile S.A. was listed as a Qilin victim on February 12. (HookPhish, RedPacket Security)

Ducasse Comercial Ltda (Chile) — Qilin, February 12
Chilean commercial company Ducasse Comercial Ltda was listed as a Qilin victim on February 12. (HookPhish, RedPacket Security)

Derbez (Mexico) — Qilin, February 12
Mexican company Derbez was listed as a Qilin victim on February 12. (Ransomware.live)


5. THREAT ACTOR ACTIVITY

Qilin — Most Prolific Group of the Week
Qilin dominated week 7 with at least 8 new claimed victims across the US, UK, Chile, Mexico, and Japan. The group has claimed 150+ victims in 2026 so far, making it the most active ransomware operation. Qilin employs double extortion, supports cross-platform encryption (Windows and Linux/VMware ESXi), and continues to target diverse sectors including government housing, defense technology, agriculture, and telecommunications. (CYFIRMA, Barracuda)

Reynolds Ransomware — New BYOVD Technique
A new ransomware family dubbed Reynolds was disclosed this week, notable for embedding a Bring Your Own Vulnerable Driver (BYOVD) component directly within the ransomware payload. It exploits CVE-2025-68947 in the NsecSoft NSecKrnl driver to terminate EDR processes from CrowdStrike Falcon, Palo Alto Cortex XDR, Sophos, Symantec, and others. By bundling the vulnerable driver with the ransomware itself rather than deploying it separately, Reynolds reduces detection opportunities. (The Hacker News, Dark Reading, SECURITY.COM)

Warlock (Storm-2603 / Gold Salem)
The SmarterTools breach revealed Warlock’s capabilities — exploiting CVE-2026-23760 for initial access, pivoting through Active Directory, and exfiltrating over 1.2 million documents. Warlock primarily targets organizations in North America, Europe, and South America. (ReliaQuest)

DragonForce — Cartel-Like RaaS Expansion
DragonForce listed at least two new victims this week (A1 Capital Turkey, Betesan Bosnia-Herzegovina), continuing its evolution into a cartel-like RaaS ecosystem. The group now offers comprehensive affiliate support including professional file analysis and decryption services, having listed 363+ victim organizations since December 2023. (GBHackers, LevelBlue)

0APT — Exposed as Largely Fraudulent
The 0APT group, which emerged in late January 2026 claiming roughly 200 victims, was increasingly discredited this week. GuidePoint Security confirmed that alleged victims who conducted incident response assessments found no breach or data theft. The group’s data leak site went offline February 8, returning February 9 with a narrower list of 15+ multinational organizations. Researchers concluded 0APT’s leak files are empty shells or random data streams designed to create illusions of compromise. (CyberScoop, GuidePoint Security, BankInfoSecurity)
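The "empty shells or random data streams" finding above is something a responder can check for directly when an extortion claim lands. The script below is an added example written for this summary, not code from GuidePoint Security or any other cited source, and every file name and byte sequence in it is constructed. It gives each purported leak sample a coarse verdict (empty, single-byte filler, an opaque high-entropy stream, a recognised container, or plain text) before anyone treats the claim as a confirmed breach. The verdict is a triage signal for the independent assessment the sources describe, not proof on its own: an encrypted or compressed archive is also high-entropy, which is why recognised file headers are checked before entropy.

```python
import math
import random
from collections import Counter

# File signatures that show a sample has real internal structure.
KNOWN_MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0": "ole2/legacy-office",
    b"{\\rtf": "rtf",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the ceiling for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_magic(data: bytes):
    """Return a label for a recognised file header, or None."""
    for magic, label in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def classify_sample(data: bytes) -> str:
    """Coarse verdict for one purported leak sample."""
    if len(data) == 0:
        return "empty"
    if len(set(data)) == 1:
        return "filler"                 # padded with a single byte value, e.g. all zeros
    label = detect_magic(data)
    if label:
        return f"structured:{label}"    # a real container; inspect its contents next
    if shannon_entropy(data) > 7.5:
        return "opaque-random"          # random stream, or encrypted data with no header
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    if printable / len(data) > 0.95:
        return "text"
    return "unknown-binary"


def triage_samples(samples: dict) -> dict:
    """Map each sample name to its verdict."""
    return {name: classify_sample(data) for name, data in samples.items()}


# Constructed samples (seeded RNG so the run is reproducible). The document-like names
# mimic what a leak site might show; none of this is data from any real incident.
_rng = random.Random(2026)
_random_blob = bytes(_rng.getrandbits(8) for _ in range(4096))
_zip_like = b"PK\x03\x04" + bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLES = {
    "finance_2025.xlsx": b"",                                        # zero-length "document"
    "patient_list.csv": b"\x00" * 4096,                              # all-zero padding
    "surgery_notes.pdf": _random_blob,                               # random bytes, no PDF header
    "archive.zip": _zip_like,                                        # high entropy but a real header
    "memo.txt": b"Internal memo: quarterly figures attached.\n" * 40,
}

if __name__ == "__main__":
    for name, verdict in triage_samples(SAMPLES).items():
        print(f"{name:20s} {verdict}")
```

Run as a script it prints one verdict per constructed sample; "surgery_notes.pdf" comes back as opaque-random because random bytes with a document file name carry no PDF structure, while "archive.zip" is recognised as a container despite its equally high entropy and should be opened and inspected rather than dismissed.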

INC Ransom
INC Ransom continued targeting Asian logistics with the AOT Japan breach, employing its standard double extortion approach. (CYFIRMA)


6. KEY TAKEAWAYS

  1. Supply chain attacks amplify impact: The BridgePay ransomware attack demonstrated how a single payment gateway compromise can cascade across dozens of municipalities, utilities, and businesses nationwide. Third-party vendor risk management remains critical.

  2. Qilin dominance continues: With 150+ victims claimed in 2026 and 8+ new claims this week alone, Qilin remains the most prolific ransomware operation. Organizations across all sectors and geographies should prioritize defenses against Qilin’s known TTPs.

  3. BYOVD techniques evolving: The Reynolds ransomware family’s approach of embedding a vulnerable driver directly within the payload represents a dangerous evolution — reducing the attack footprint and making detection harder. Organizations should monitor for unauthorized driver installations and ensure kernel-level protections are current.

  4. Infostealer-to-ransomware pipeline: The Conpet breach forensics revealed that a single infostealer infection on January 11 provided the credentials that enabled the Qilin ransomware deployment weeks later. Credential monitoring and infostealer detection should be integrated into ransomware prevention strategies.

  5. Fake ransomware groups emerge as a trend: The 0APT exposure as a largely fraudulent operation highlights a new threat model — psychological extortion without actual compromise. Organizations should verify breach claims through independent forensic assessment before assuming data has been stolen.

  6. Patch management failures continue: The Warlock breach of SmarterTools via their own unpatched product underscores that even security-aware vendors can fall victim when shadow IT creates unpatched attack surfaces.
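Takeaway 3 recommends monitoring for unauthorized driver installations, and the Reynolds entry above explains why a BYOVD driver is hard to spot: by definition it loads with a valid signature, so a rule that only looks at signature status never fires. The script below is an added example written for this summary, not code from any cited source, vendor or the Reynolds analysis, and it shows what a practical driver-load triage looks like. It runs constructed records shaped like Sysmon Event ID 6 (DriverLoad) through three independent checks: a known-vulnerable driver name list (NSecKrnl.sys is the name given in the write-up), a SHA-256 blocklist, and a trusted-directory check. The hash values, the file paths and the event records are all constructed placeholders; in production the name and hash lists would come from a curated feed such as the LOLDrivers project rather than being maintained by hand.

```python
import ntpath

# Driver file names known to be abusable for BYOVD (lower-cased for comparison).
# NSecKrnl.sys is the driver named in the Reynolds write-up above.
VULNERABLE_DRIVER_NAMES = {"nseckrnl.sys"}

# SHA-256 blocklist. The entry below is a constructed placeholder, not a real hash.
VULNERABLE_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_OF_VULNERABLE_NSECKRNL"}

# Directories from which driver loads are expected on a managed Windows host.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed sample records shaped like Sysmon Event ID 6 (DriverLoad). Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_NTFS"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\NSecKrnl.sys",
     "Signature": "NsecSoft", "SignatureStatus": "Valid",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_VULNERABLE_NSECKRNL"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\tool.sys",
     "Signature": "", "SignatureStatus": "Unavailable",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_TOOL"},
    {"EventID": 6,
     "ImageLoaded": "C:\\Windows\\System32\\DriverStore\\FileRepository\\vendor.inf_amd64\\vendor.sys",
     "Signature": "Vendor Inc", "SignatureStatus": "Valid",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_VENDOR"},
]


def parse_hashes(field: str) -> dict:
    """Turn a Sysmon-style 'SHA256=...,MD5=...' string into a dict keyed by algorithm."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip()
    return out


def triage_driver_event(event: dict) -> list:
    """Return the reasons this driver load deserves attention; an empty list means benign."""
    reasons = []
    if event.get("EventID") != 6:
        return reasons
    path = event.get("ImageLoaded", "")
    name = ntpath.basename(path).lower()
    hashes = parse_hashes(event.get("Hashes", ""))

    # Checks 1 and 2 fire regardless of signature state: that is what catches BYOVD.
    if name in VULNERABLE_DRIVER_NAMES:
        reasons.append(f"known vulnerable driver name: {name}")
    if hashes.get("SHA256") in VULNERABLE_DRIVER_SHA256:
        reasons.append("known vulnerable driver hash")
    # Check 3: a driver dropped next to a payload rarely lives in the system driver dirs.
    if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"loaded from non-standard location: {path}")
    # Check 4: the classic signature check, kept because it still catches unsigned loads.
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    return reasons


def triage_driver_events(events: list) -> list:
    """Return (ImageLoaded, reasons) pairs for every event that raised at least one reason."""
    return [(e.get("ImageLoaded"), r) for e in events if (r := triage_driver_event(e))]


if __name__ == "__main__":
    for path, reasons in triage_driver_events(SAMPLE_EVENTS):
        print(path)
        for reason in reasons:
            print(f"  - {reason}")
```

In the constructed set the second record carries a valid signature and would pass a signature-only rule, yet it is flagged on three counts (name, hash, location); the third record is the only one a signature-only rule would catch. Tuning the trusted-directory list to the estate's actual driver paths is the main maintenance cost of this approach, and a hash or name match should page someone rather than just log.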

