Ransomware summary week 15, 2026

Week 15 was dominated by the ChipSoft ransomware attack disrupting 80% of Dutch hospitals, Anubis forcing ambulance diversions at Massachusetts’ Signature Healthcare, a Winona County attack requiring National Guard deployment, Silent Ransom Group targeting two major law firms (Jones Day and Orrick), Microsoft exposing Storm-1175’s zero-day Medusa campaigns, and NightSpire striking Turkey’s TTAF Defense with 200 GB of military documents exfiltrated.
Tags: ransomware
Published: April 11, 2026

Executive Summary

The week of April 3–10, 2026, was defined by a devastating supply-chain-style ransomware attack on ChipSoft, the electronic health record vendor serving approximately 80% of Dutch hospitals. The April 7 incident forced at least eleven hospitals to temporarily disconnect their patient record systems, disrupted pharmacy and portal services across the Netherlands and Belgium, and raised the spectre of patient data theft — all without a single hospital being directly breached. In the United States, the Anubis ransomware group claimed Signature Healthcare’s Brockton Hospital in Massachusetts on April 9, after a cyberattack detected on April 6 forced ambulance diversions, cancelled chemotherapy treatments, and shut down pharmacy prescription-filling capabilities, with the group alleging 2 TB of stolen patient data.

A ransomware attack on Winona County, Minnesota, on April 6 was severe enough to prompt Governor Walz to authorise the deployment of the Minnesota National Guard — marking one of the rare instances of military cyber assistance for a local government ransomware incident. Meanwhile, the Silent Ransom Group (SRG) emerged as a significant threat to the US legal sector, with Jones Day confirming a breach on April 6 involving a $13 million ransom demand, and Orrick, Herrington & Sutcliffe’s stolen data fully leaked after failed negotiations. A joint CISA/FBI/NSA advisory on April 7 warned of CyberAv3ngers (IRGC-affiliated) exploitation of Rockwell Automation PLCs across US water, energy, and government facilities.

On the threat intelligence front, Microsoft published a detailed analysis on April 6 of Storm-1175, a China-linked financially motivated threat actor deploying Medusa ransomware at “high velocity,” often moving from initial access to full encryption within 24 hours by exploiting zero-day vulnerabilities in SmarterMail and GoAnywhere before patches were available. Qilin maintained its position as the world’s most prolific ransomware operation, posting seven new victims on April 9–10 alone — spanning Higashiyama Industries (Japan), Autogalerie Heister and Heister Gruppe (Germany), Sonn Law Group and Guerin Glass (US), SAAM Towage (Chile), and Nan Liu Enterprises (Taiwan) — while continuing to expand its EDR-killer capabilities. NightSpire made headlines by claiming TTAF Defense, a key Turkish defence industry contractor, with 200 GB of alleged military documents exfiltrated, alongside attacks on Notre-Dame du Grandchamp school in France and the GMP Group recruitment firm in Singapore.

Key Statistics:

  • Global: 148 victims recorded in the first week of Q2 2026; Qilin leads with 107 victims in the trailing 30 days; 775 attacks by 55 groups in the past month; Storm-1175/Medusa campaigns exploiting zero-days at unprecedented speed
  • Europe: 16+ incidents — Collins Aerospace cyberattack disrupted 1,600+ flights at Heathrow, Brussels, Frankfurt, and other major airports; ChipSoft ransomware disrupted 80% of Dutch hospitals; LockBit 5.0 claimed three Italian targets in one day; NightSpire hit Notre-Dame du Grandchamp (France) and Association OCACIA (France); Akira struck Mabetex (Switzerland) and Gauthier Connectique (France); INC Ransom hit BERGE-BAU (Germany) and Infonet Media (Slovenia); Qilin claimed Autogalerie Heister/Heister Gruppe and A Roettgers (Germany); BKA unmasked REvil/GandCrab leaders behind 130 German attacks
  • Asia: 5+ incidents — NightSpire targeted TTAF Defense (Turkey, 200 GB military data) and GMP Group (Singapore, 2 TB); Qilin claimed Higashiyama Industries (Japan) and Nan Liu Enterprises (Taiwan); DragonForce hit Kopran pharmaceuticals (India)
  • US: 12+ incidents — Winona County (MN) required National Guard deployment; Anubis claimed Signature Healthcare/Brockton Hospital (ambulance diversions, 2 TB claimed); Silent Ransom Group targeted Jones Day ($13M demand) and Orrick Herrington & Sutcliffe (data leaked); Worldleaks hit Deaconess Health System (IN); Interlock hit Center for Hearing & Speech; CoinbaseCartel claimed Idera (1.5 TB); DragonForce claimed Bit-Wizards; Qilin posted Sonn Law Group and Guerin Glass; BQTLock targeted Metro Hospital; CISA advisory on CyberAv3ngers targeting ICS/PLCs
  • Other: Qilin claimed SAAM Towage (Chile); Anubis hit Shine Aviation (Australia, 57 GB); NightSpire struck Ghazi Brothers (Pakistan); Everest hit PT Brantas Abipraya (Indonesia, 236 GB state-owned construction); Payload claimed El Wastani Petroleum (Egypt)

1. EUROPE

1.1 Government

A cyberattack on Collins Aerospace, the RTX subsidiary providing aviation IT systems, was detected on April 4 and caused widespread disruption to check-in and baggage handling at major European airports including Heathrow, Brussels, Berlin, Frankfurt, Copenhagen, and Oslo. Over 1,600 flights were delayed or cancelled on April 6 alone, with airlines including KLM reverting to manual boarding pass issuance and tens of thousands of passengers stranded. The UK’s National Cyber Security Centre (NCSC) issued a public statement and launched an investigation alongside the Department for Transport. No ransomware group has claimed the attack, and the incident is being investigated as a broader cyberattack on aviation infrastructure rather than a conventional ransomware event, though the operational disruption mirrors the cascading effects seen in ransomware supply-chain attacks.

1.2 Health, Municipalities & Non-commercial

The week’s most consequential incident was the ransomware attack on ChipSoft, the Dutch healthcare IT vendor whose HiX electronic health record platform serves approximately 80% of all hospitals in the Netherlands. Z-CERT, the Netherlands’ healthcare computer emergency response team, received notification on April 7 that ChipSoft had been compromised. The company immediately disabled connections to several of its platforms, including Zorgportaal, HiX Mobile, and the Zorgplatform integration layer. At least eleven hospitals temporarily disconnected ChipSoft software from their networks, including Sint Jans Gasthuis in Weert, Laurentius Hospital in Roermond, VieCuri Medical Center in Venlo, and Flevo Hospital in Almere. While the majority of hospitals were able to maintain core patient portal functionality, ChipSoft confirmed a “data incident” involving possible unauthorised access and could not rule out that patient data had been accessed or stolen. The impact extended beyond the Netherlands, with Belgian hospital services also affected. No ransomware group had claimed responsibility as of April 10.

NightSpire claimed Notre-Dame du Grandchamp on April 1, a well-known educational institution in France. The group alleges it exfiltrated 330 GB of data including students’ medical records, HR and employee personal data, student academic records, and administrative contracts. The targeting of a school holding sensitive minor-related data represents a particularly concerning development.

NightSpire also struck Association OCACIA around April 1–3, a French non-profit organisation. Approximately 700 GB of data was reportedly exfiltrated, making this NightSpire’s largest single claimed data theft during the week.

1.3 Business

LockBit 5.0 claimed three Italian organisations on April 6 in a single day: Defcon 5 Italy, a manufacturer of tactical and military equipment; WIBEATS, an asset management and financial services company; and Servizi all’Avanguardia a Ravenna, a services organisation. The coordinated triple posting against Italian targets illustrates LockBit 5.0’s continued operational capacity despite repeated international law enforcement disruptions, and its affiliates’ focus on Italy — now the second most targeted European country after the UK.

INC Ransom claimed BERGE-BAU GmbH & Co. KG on April 3, a German construction company, threatening to publish “hundreds” of exfiltrated items including personal data, contracts, and non-disclosure agreements within three days. The group also targeted Infonet Media d.o.o. around April 3–4, one of Slovenia’s largest radio network operators running stations including Radio 1 and Radio Antena, marking a rare ransomware incident against Slovenian media infrastructure.

Qilin posted a seven-victim batch on April 9–10 that included two German targets: Autogalerie Heister, a consumer services company, and the broader Heister Gruppe. A separate listing for A Roettgers, a German business services firm, also appeared on April 10. These postings continue Qilin’s sustained targeting of German mid-market companies, following the Die Linke, ASB Saarland, and Jursaconsulting claims in previous weeks.

Akira posted a batch of victims on April 7–8 that included European targets: Gauthier Connectique, a French manufacturing company, and Mabetex Group, a Swiss construction conglomerate, alongside multiple US firms. The Sophos Active Adversary Report 2026, published during the week, identified Akira as the most commonly observed ransomware brand across its incident response cases (22% of all incidents), reinforcing the group’s position as a persistent mid-market threat.

Krybit, a lesser-known ransomware group, claimed Gerald Zisser GmbH on April 8, a small Austrian construction and building services company, demonstrating that even micro-enterprises are not beneath ransomware operators’ attention.


2. ASIA

2.1 Government

NightSpire claimed TTAF Defense on April 3, a significant player in Turkey’s defence industry. The group alleges it exfiltrated approximately 200 GB of data including project documentation, financial documents, and quality and technical internal records. The compromise of a defence contractor holding sensitive military procurement and engineering data carries national security implications for Turkey and underscores the growing willingness of ransomware operators to target defence-industrial-base organisations regardless of the geopolitical consequences.

2.2 Health, Municipalities & Non-commercial

No incidents reported this week.

2.3 Business

Qilin listed Higashiyama Industries Co., Ltd. on April 9, a Japanese manufacturing company. Japan continues to face a sustained ransomware threat, with police reporting 226 ransomware incidents in 2025 and Qilin now among the most active groups targeting Japanese industry, as Cisco Talos recently documented in a detailed analysis of Qilin’s operational patterns against Japanese organisations.

Qilin also claimed Nan Liu Enterprises on April 10, a Taiwanese company, extending the group’s batch posting across East Asian targets.

DragonForce targeted Kopran Limited on April 4, a major Indian pharmaceutical company that manufactures finished dosage forms and active pharmaceutical ingredients. The attack on a pharmaceutical manufacturer — a sector handling proprietary drug formulations, clinical trial data, and regulatory filings — represents a high-value target where data exfiltration could have both commercial and patient safety implications.

NightSpire claimed the GMP Group around April 2, a premier Singapore-based recruitment firm with a strong presence across Southeast Asia. The group alleges approximately 2,000 GB of exfiltrated data including financial documents, salary records, and candidate information such as personally identifiable information, resumes, and CVs. The compromise of a recruitment firm holding sensitive employment and personal data of candidates across multiple countries amplifies the downstream risk of identity theft and social engineering attacks.

NightSpire also struck Ghazi Brothers on April 1, a company in Pakistan’s commerce sector, with threats to release sensitive data unless negotiations commenced.


3. UNITED STATES

3.1 Government

Winona County, Minnesota, suffered a ransomware attack on April 6 that severely impaired emergency and municipal services, prompting Governor Tim Walz to authorise the deployment of the Minnesota National Guard on April 7–8 to assist with cyber recovery. The FBI, Minnesota Bureau of Criminal Apprehension, and League of Minnesota Cities also responded. While 911 and emergency dispatch were restored quickly, other county services remained offline as of April 10. Remarkably, this was Winona County’s second ransomware attack in 2026, with officials confirming it was unrelated to the January incident — suggesting either persistent vulnerability in the county’s infrastructure or separate threat actors independently identifying the same target. The National Guard deployment is one of the rare instances of military cyber assistance for a local government ransomware incident and signals the severity of disruption to essential services.

On April 7, CISA, the FBI, NSA, EPA, DOE, and US Cyber Command published joint advisory AA26-097A warning that CyberAv3ngers — an IRGC-affiliated threat actor also tracked as Storm-0784 — had been exploiting internet-exposed Rockwell Automation Allen-Bradley PLCs across US water/wastewater, energy, and government facilities. Some victims experienced operational disruption and financial loss. While not a ransomware incident per se, the advisory underscores the convergence of nation-state ICS targeting with the broader threat landscape affecting US government infrastructure.

The Faulkner County Sheriff’s Office (Arkansas) and State Road and Tollway Authority (Georgia) incidents claimed by Qilin in week 14 remained under investigation, with the Jackson County Sheriff’s Office (Indiana) still rebuilding systems and Foster City, California, entering its fourth week under a state of emergency.

3.2 Health, Municipalities & Non-commercial

The Anubis ransomware group claimed Signature Healthcare on April 9, following a cyberattack detected on April 6 that crippled Brockton Hospital in Massachusetts. The incident forced ambulances to be diverted to alternate facilities, cancelled chemotherapy infusion treatments for cancer patients, and left pharmacies unable to fill prescriptions. Staff reverted to paper records and analog methods while the hospital activated downtime procedures. Inpatient care, walk-in emergency services, and scheduled surgeries continued with delays. The hospital engaged external cybersecurity experts and notified the FBI and State Police. Anubis claimed 2 TB of stolen patient data on its leak site, though Signature Healthcare was subsequently removed from the listing, possibly indicating ongoing negotiations. Hospital officials warned that recovery may take weeks.

Interlock claimed the Center for Hearing & Speech on April 2, a US healthcare provider. The attack resulted in the leak of sensitive data including personal information of clients and employees. The nature and full quantity of compromised information remains under investigation.

Worldleaks claimed Deaconess Health System on April 8, a major healthcare network based in Evansville, Indiana, that operates hospitals, clinics, and specialty care centres across Indiana, Illinois, and Kentucky. The group alleges system encryption and data exfiltration including Social Security numbers and sensitive medical records. This marks Deaconess’s second breach of 2026, following a January incident involving a third-party vendor (MediCopy), underscoring the compound risk that healthcare systems face from both direct ransomware attacks and supply-chain compromises.

INC Ransom listed Kannarr Eye Care on April 10, a Kansas-based optometry practice, in a data leak posting. The targeting of small specialist healthcare practices continues a pattern seen throughout 2026, where ransomware operators exploit the limited cybersecurity resources available to independent medical offices.

BQTLock, the pro-Iranian ransomware-as-a-service platform that consolidated with Sicarii in March, targeted Metro Hospital in the United States during the week, demonstrating that the group’s free-affiliate model is now generating attacks against US healthcare targets beyond its original focus on Israeli entities.

3.3 Business

The Silent Ransom Group (SRG, also known as Luna Moth / Chatty Spider) had a prominent week targeting the US legal sector. Jones Day confirmed on April 6 that a phishing-driven intrusion had granted SRG access to files belonging to ten clients, with the group demanding $13 million in ransom. Separately, Orrick, Herrington & Sutcliffe — a global law firm with over $1.5 billion in 2025 revenue — had its stolen data fully published by SRG on April 10 after negotiations collapsed. SRG had accessed Orrick’s systems around January 20, remained for approximately a week, and demanded a seven-figure ransom; Orrick offered up to $225,000 before talks broke down. This is Orrick’s second major breach (after a 2023 incident affecting 461,000 individuals), and the dual Jones Day / Orrick attacks demonstrate SRG’s systematic focus on high-value law firms where attorney-client privileged data creates acute extortion leverage.

Qilin’s April 9–10 posting batch included two US targets: Sonn Law Group, a legal services firm, and Guerin Glass, a US-based manufacturing company. With SRG’s dual law firm attacks and Qilin’s Sonn Law Group claim, the legal sector saw at least three distinct ransomware incidents in a single week.

CoinbaseCartel claimed Idera on April 8, a Houston-based software company, alleging approximately 1.5 TB of exfiltrated data. CoinbaseCartel specialises in pure data exfiltration without encryption, reflecting the broader trend toward extortion-only operations that bypass the detection signatures associated with traditional ransomware encryption.

DragonForce claimed Bit-Wizards around April 7, a Florida-headquartered technology company. The attack continues DragonForce’s pattern of targeting mid-sized US technology and services firms.

Anubis listed Star Fuels on April 7, a US-based fuel provider in the energy sector, extending the group’s targeting beyond healthcare into critical energy supply chains.

Akira posted multiple US victims on April 3 including American Vintage Home, Briggs Plumbing Products, Genco Manufacturing, Charles River Insurance, and Westamerica Communications, with 11 GB of sensitive data exposed. On April 7, the group targeted School Health, a company providing health and wellness supplies to K-12 schools, threatening 15 GB of data. Lynx also struck Smith Dollar on April 7–8, a California law firm, adding to the legal sector’s heavily targeted week.


4. REST OF WORLD

4.1 Government

No government-sector ransomware incidents were reported in Africa, South America, or Oceania this week. The Statistics South Africa (XP95) and National Water Authority of Peru incidents from prior weeks remained under investigation.

4.2 Health, Municipalities & Non-commercial

Everest claimed PT Brantas Abipraya, an Indonesian state-owned construction company, during the week, alleging the exfiltration of 236.58 GB of data including employee identities, medical records, HR files, executive communications, and financial reports. The targeting of a state-owned enterprise in Southeast Asia extends Everest’s geographic reach into Indonesia’s government-linked infrastructure sector.

4.3 Business

Qilin claimed SAAM Towage on April 10, a major Chilean maritime towage and port services company with operations across the Americas. SAAM Towage is a subsidiary of SAAM S.A., a publicly traded logistics conglomerate, making this one of Qilin’s higher-profile Latin American targets. The attack on a maritime logistics provider follows the Port of Vigo ransomware incident in Spain (week 14) and highlights the growing threat to global maritime supply chains.

Anubis claimed Shine Aviation on April 4, a Western Australian aviation operator based in Geraldton. The group posted that it had obtained 57 GB of data comprising over 68,000 files, including employee credentials, records, scans of access cards, airworthiness certificates, and aircraft registration documents. Shine Aviation primarily provides fly-in, fly-out services for the mining industry, operating a fleet of 15 aircraft. The compromise of airworthiness and registration certificates raises aviation safety concerns, as falsified or manipulated documentation could theoretically affect maintenance and operational decisions.

NightSpire struck Ghazi Brothers on April 1, a prominent commercial entity in Pakistan, threatening to release sensitive company data unless negotiations were initiated.


5. THREAT ACTOR ACTIVITY

Qilin continued its dominance as the world’s most prolific ransomware operation, posting seven new victims in a single batch on April 9–10: Higashiyama Industries (Japan), Guerin Glass (US), Total Integrated Solutions (Ukraine), Sonn Law Group (US), Autogalerie Heister/Heister Gruppe (Germany), SAAM Towage (Chile), and Nan Liu Enterprises (Taiwan). With 107 confirmed victims in the trailing 30 days, Qilin accounts for nearly 14% of all tracked ransomware activity globally. On the technical front, researchers documented that both Qilin and a new group called Warlock are deploying vulnerable driver exploitation (BYOVD) to disable over 300 EDR tools, representing a significant investment in defence evasion that makes detection substantially harder for security operations teams.
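The BYOVD technique mentioned above works because a signed but vulnerable driver loads cleanly and then lets the attacker disable security tools from kernel context, so the driver load itself is the event defenders can watch for. The following Python is an added example, not code from this report, Microsoft, or any of the named groups. It runs simple detection logic over constructed Sysmon-style Event ID 6 (DriverLoad) records encoded as JSON (a simplified shape assumed for the example): it flags drivers whose SHA256 is on a vulnerable-driver blocklist, drivers that are unsigned or carry an invalid signature, and drivers loaded from outside the expected driver directories. The blocklist hashes, file names and log lines are placeholders constructed for illustration, not indicators from this report.

```python
"""Flag suspicious kernel driver loads from constructed Sysmon-style records.

Added example: the records, driver names and hashes below are constructed
for illustration. The blocklist values are placeholders; a real deployment
would load the vendor or Microsoft vulnerable-driver blocklist instead.
"""
import json
from dataclasses import dataclass

# Placeholder blocklist keyed by lowercase SHA256 (constructed values).
VULNERABLE_DRIVER_SHA256 = {
    "0" * 63 + "1": "example-vulnerable-driver-A",
    "0" * 63 + "2": "example-vulnerable-driver-B",
}

# Directories from which a legitimate driver load is expected (assumption
# for this example; tune to the environment's actual driver locations).
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class Finding:
    record_id: int   # index of the log line that produced the finding
    image: str       # driver path as logged in ImageLoaded
    reason: str      # why the load is suspicious


def parse_driver_load(line: str) -> dict:
    """Parse one JSON-encoded DriverLoad record; reject other event types."""
    rec = json.loads(line)
    if rec.get("EventID") != 6:
        raise ValueError("not a DriverLoad (Event ID 6) record")
    return rec


def extract_sha256(hashes_field: str) -> str:
    """Sysmon writes Hashes as 'SHA256=...,MD5=...'; return the SHA256 part."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def assess_driver_load(rec: dict) -> list:
    """Return the list of reasons a driver load looks suspicious (empty if none)."""
    reasons = []
    sha = extract_sha256(rec.get("Hashes", ""))
    if sha in VULNERABLE_DRIVER_SHA256:
        # Signed-but-vulnerable drivers are the core of BYOVD: the signature
        # is valid, so only the hash blocklist catches them.
        reasons.append("known-vulnerable driver: " + VULNERABLE_DRIVER_SHA256[sha])
    signed = str(rec.get("Signed", "")).lower() == "true"
    status = str(rec.get("SignatureStatus", "")).lower()
    if not signed or status != "valid":
        reasons.append("unsigned or invalid signature")
    image = str(rec.get("ImageLoaded", "")).lower()
    if not image.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("driver loaded from unexpected path: " + image)
    return reasons


def scan(lines) -> list:
    """Run the checks over raw log lines, skipping malformed or non-driver events."""
    findings = []
    for idx, line in enumerate(lines):
        try:
            rec = parse_driver_load(line)
        except (ValueError, json.JSONDecodeError):
            continue
        for reason in assess_driver_load(rec):
            findings.append(Finding(idx, rec.get("ImageLoaded", ""), reason))
    return findings


# Constructed sample log: one benign load, one BYOVD-style load of a signed
# vulnerable driver dropped into a user-writable directory, one unrelated
# process-creation event, and one unsigned driver in the normal location.
SAMPLE_LOG = [
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\example_ok.sys",
                "Hashes": "SHA256=" + "a" * 64, "Signed": "true", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\Temp\\example_old.sys",
                "Hashes": "SHA256=" + "0" * 63 + "1", "Signed": "true", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"}),
    json.dumps({"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\example_unsigned.sys",
                "Hashes": "SHA256=" + "b" * 64, "Signed": "false", "SignatureStatus": "Unsigned"}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"record {f.record_id}: {f.image} -> {f.reason}")
```

The second record is the instructive one: its signature is valid, so a signature-only rule passes it, and only the hash blocklist and the unexpected-path check catch it. In practice the blocklist check is what Microsoft's vulnerable driver blocklist and HVCI enforce at load time; this example shows the same logic applied after the fact to logs, which is what a SOC can do when the blocklist is not enforced on every host.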

Storm-1175/Medusa received detailed public attribution from Microsoft on April 6, when the Microsoft Security Blog published an analysis of this China-linked, financially motivated threat actor. Storm-1175 conducts “high-velocity” ransomware campaigns, moving from initial access to data exfiltration and Medusa deployment often within 24 hours. The group exploits zero-day vulnerabilities — including CVE-2026-23760 in SmarterMail and CVE-2025-10035 in GoAnywhere — during the window between vulnerability disclosure and widespread patching. Healthcare, education, professional services, and finance organisations in Australia, the United Kingdom, and the United States have been heavily impacted.

Anubis had its most active week of 2026, claiming three significant victims: Signature Healthcare/Brockton Hospital (US, 2 TB claimed), Shine Aviation (Australia, 57 GB), and Star Fuels (US). The group now has 70 total victims since emerging in February 2025. Trend Micro has characterised Anubis as adding “a destructive edge to the typical double-extortion model” through a built-in file-wiping capability that can permanently destroy data if victims refuse to negotiate.

NightSpire conducted a multi-continent campaign, claiming TTAF Defense (Turkey, 200 GB military data), Notre-Dame du Grandchamp (France, 330 GB student/medical data), Association OCACIA (France, 700 GB), GMP Group (Singapore, 2 TB recruitment data), and Ghazi Brothers (Pakistan). The group’s willingness to target defence contractors, educational institutions, and non-profits — all holding particularly sensitive data — alongside commercial organisations underscores its indiscriminate and aggressive operating model.

DragonForce continued its expansion, claiming Kopran Limited (India pharmaceuticals) on April 4 and Bit-Wizards (US technology) around April 7, alongside its ongoing operations documented in the Ransom-DB daily digest showing five victims on April 5 alone. The group’s victim count now exceeds 438 organisations.

Interlock targeted the Center for Hearing & Speech (US) on April 2 and continued its campaign against Goodwill Industries of North Central Pennsylvania (initially claimed in late March). Amazon’s threat intelligence team published analysis of Interlock’s campaign targeting enterprise firewalls for initial access.

Silent Ransom Group (SRG / Luna Moth) emerged as a major threat to the US legal sector, confirming breaches at two of the world’s largest law firms in a single week: Jones Day (files from 10 clients accessed, $13 million ransom demand) and Orrick, Herrington & Sutcliffe (data fully leaked after failed negotiations). SRG uses phishing-driven initial access and pure data exfiltration without encryption, a model that avoids the noisy file-encryption signatures that many security tools detect. The FBI had previously warned about SRG targeting law firms, and the group’s April campaign validates that concern at scale.

CoinbaseCartel claimed Idera (US software, 1.5 TB) on April 8, operating as a pure exfiltration group that steals data without deploying encryption. This emerging actor adds to the trend of extortion-only operations that seek to evade traditional ransomware detection mechanisms.

Worldleaks claimed Deaconess Health System (Indiana) on April 8, continuing to target US healthcare and education sectors. The group also claimed Alamo Heights School District (Texas), originally attacked around March 23, with a leak-site posting on April 10.

LockBit remained the single most active group in daily victim postings, with nine new compromises reported on April 4 alone according to Ransom-DB tracking, focused on construction, insurance, and government sectors in the US, Italy, and France. The group claimed three Italian targets on April 6 alone (Defcon 5 Italy, WIBEATS, Servizi all’Avanguardia). Despite repeated international law enforcement disruptions, LockBit 5.0 continues to expand its affiliate programme and sector targeting.

Law enforcement: Germany’s Federal Criminal Police (BKA) publicly identified two Russian nationals on April 6 as leaders of the REvil and GandCrab ransomware operations: Daniil Shchukin (31, alias “UNKN”) and Anatoly Kravchuk (43, developer). They were linked to approximately 130 ransomware attacks against German organisations causing over EUR 35.4 million in damages. Both suspects are believed to be in Russia. The unmasking of “UNKN” — one of the most notorious ransomware operators of the past decade — represents a significant intelligence achievement even if arrests remain unlikely given Russia’s refusal to extradite cybercriminals.


6. KEY TAKEAWAYS

The ChipSoft incident demonstrates how a single ransomware attack on a healthcare software vendor can cascade across an entire national healthcare system. By compromising the company that provides electronic health records to 80% of Dutch hospitals, the attackers effectively disrupted patient data access across the Netherlands without needing to breach a single hospital directly. This supply-chain amplification model — one breach, dozens of affected institutions — represents the most efficient attack vector available to ransomware operators targeting healthcare, and defenders should treat critical software vendors as single points of failure requiring the same security scrutiny as the hospitals themselves.

Microsoft’s Storm-1175 disclosure reveals a troubling convergence: a China-linked threat actor operating for financial gain through ransomware, exploiting zero-day vulnerabilities faster than defenders can patch them. The group’s ability to move from initial access to full Medusa deployment within 24 hours collapses the traditional detection window that many incident response plans assume. Organisations relying on perimeter-facing applications — particularly SmarterMail, GoAnywhere, and similar file transfer and communication platforms — should treat zero-day exploitation as a near-certainty rather than a theoretical risk, and invest in detection capabilities that focus on post-compromise behaviour rather than initial access prevention alone.

Anubis’s attack on Signature Healthcare, forcing ambulance diversions and cancelling chemotherapy for cancer patients, represents one of the most directly harmful ransomware incidents of 2026 to date. The group’s built-in file-wiping capability adds a destructive dimension that distinguishes it from traditional double-extortion operators: victims face not only data theft and encryption but the permanent loss of records if they refuse to negotiate. Healthcare organisations should ensure their backup and disaster recovery plans account for wiper-class threats, not just encryption.

Winona County’s second ransomware attack in four months, severe enough to require National Guard deployment, illustrates the compounding risk facing small local governments. Even after recovering from a January incident, the county remained vulnerable to a completely separate group — suggesting that post-incident remediation was insufficient to close all attack vectors. Local governments should treat ransomware recovery as the beginning of a hardening programme, not the end of an incident.

The Silent Ransom Group’s simultaneous targeting of Jones Day and Orrick — two of the world’s largest and most prestigious law firms — signals a deliberate campaign against the legal sector. SRG’s pure exfiltration model, combined with seven-figure ransom demands calibrated to the value of attorney-client privileged data, represents a particularly potent threat to firms where confidentiality is the core product. The fact that Orrick suffered its second major breach in three years reinforces the need for law firms to invest in post-breach resilience, not just perimeter defence.

The geographic spread of this week’s incidents — from the Netherlands to Turkey, Japan, Chile, Australia, and across the United States — confirms that ransomware remains a borderless threat requiring international coordination. NightSpire’s willingness to target a Turkish defence contractor and exfiltrate military documents, combined with BQTLock’s expansion from Israeli-focused attacks to US healthcare, illustrates how rapidly threat actors’ targeting parameters can evolve.

