Executive Summary
The week of April 24 to May 1, 2026 produced a relatively focused picture compared to the sprawling multi-continent campaigns documented in week 17, but it delivered two structural events that will shape the threat landscape for months to come. Qilin continued its relentless posting pace, adding at least eight named victims across North America and Europe in the final days of April, with a pronounced concentration in construction, contracting, and professional services. INC Ransom’s attack on BELFOR Asia — a Singapore-based disaster-recovery and restoration services company — was the week’s single most operationally consequential incident, combining critical-infrastructure sensitivity with the particular irony of a disaster-response firm being rendered incapable of responding to disasters.
The week’s most significant contextual development came from Europol, whose Internet Organised Crime Threat Assessment for 2026 was published on April 28. The IOCTA documented over 120 active ransomware brands and confirmed a structural shift underway across the ecosystem: an increasing proportion of groups are abandoning encryption entirely in favour of pure data exfiltration and extortion, reducing technical complexity while preserving or improving leverage over victims. The report also documented AI-enabled attack automation and the emergence of coordinated pressure tactics combining ransomware demands with simultaneous DDoS attacks, victim-notification spam to employees and customers, and cold-calling of executives and board members.
The ShinyHunters Salesforce exfiltration campaign, active throughout April, produced its most publicly visible week 18 disclosure when Pitney Bowes confirmed that 8.2 million customer records had been stolen through a compromised Salesforce CRM instance. The disclosure, arriving April 27–28, added Pitney Bowes to a growing list of organisations whose data was siphoned through a campaign that threat intelligence analysts describe as the most prolific pure-extortion operation of the year so far.
Key Statistics:
- Global: April 2026 saw 772 ransomware victims across 70 groups in 79 countries — a 4.5% decline from March but 27% above the 2025 monthly average; week 18 specifically produced at least 15 named victims across confirmed ransomware and extortion operations
- Europe: At least five confirmed victims across UK, Finland, Netherlands, Germany, and Spain; Qilin and ShinyHunters were the primary active groups
- Asia: BELFOR Asia (Singapore) was the week’s most operationally significant victim; Asian Football Confederation data surfaced on a dark web forum during the week
- US: Five confirmed Qilin victims posted April 29–30, spanning government-adjacent labour funds, education technology, and construction; ADT confirmed a ShinyHunters breach via compromised Okta credentials
- Other: Canada produced two Qilin victims — a document management company and a real estate developer — in the closing hours of April
1. EUROPE
1.1 Government
No ransomware incidents affecting European government agencies or ministries were confirmed during the week of April 24 to May 1. The ongoing legislative response to the Dutch ChipSoft attack — which had paralysed systems serving approximately 80% of Dutch hospitals in early April — continued to shape policy debate, but no new government-sector incidents emerged within the week 18 window.
1.2 Health, Municipalities & Non-commercial
No new healthcare or municipal incidents were confirmed in Europe during the strict April 24 to May 1 window. The broader April context is nevertheless significant: April 2026 was the worst month on record for the European healthcare sector, with 64 healthcare victims globally — a figure driven in part by ongoing Qilin and DragonForce activity that peaked in weeks 15 through 17. The absence of a new European health incident in week 18 reflects a temporary pause in a sustained campaign rather than any structural improvement in the sector’s security posture.
1.3 Business
Qilin posted two UK-based construction companies in the closing days of April. Zinkan & Barker Development, a UK property developer, appeared on Qilin’s leak site on April 30. The same day, Jayeff Construction — a construction contractor with operations spanning the UK and North America — was also claimed by Qilin. The back-to-back posting of two UK construction firms reflects a pattern visible in Qilin’s activity across multiple sectors: affiliates appear to be targeting sector clusters, either through shared initial access brokers who specialise in particular verticals or through tooling optimised for the IT environments common in construction companies.
In Finland, The Switch Enterprises, a business services provider, was listed on Qilin’s leak site on April 30. In the Netherlands, Basic-Fit — Europe’s largest budget gym chain, operating over 1,600 clubs across the continent — was affected by a ransomware attack during April, though the responsible group has not been publicly confirmed. The attack carries scale beyond the immediate operational disruption: Basic-Fit holds financial and personal data for millions of European members, and the incident occurred against the backdrop of the Netherlands suffering a higher-than-average number of ransomware incidents across the month.
The week’s most consequential European business disclosure came from Pitney Bowes, the US-headquartered logistics technology company with substantial European operations. The company confirmed on April 27–28 that ShinyHunters had exfiltrated 8.2 million customer records — including names, email addresses, and phone numbers — through a compromised Salesforce CRM instance. The method follows a pattern consistent with the broader ShinyHunters Salesforce campaign documented throughout April: phishing attacks targeting Salesforce administrator credentials, followed by bulk API extraction of customer relationship data with minimal forensic footprint. ShinyHunters additionally published data associated with Inditex — the Spanish parent company of Zara — and Mytheresa, a German luxury fashion retailer, as part of the same April exfiltration campaign, with those disclosures surfacing during week 18.
2. ASIA
2.1 Government
No ransomware incidents targeting Asian government agencies were confirmed during the week.
2.2 Health, Municipalities & Non-commercial
The Asian Football Confederation — the governing body for association football across 47 member associations — saw data from an intrusion surface on a dark web forum during April 2026, with the disclosure circulating in week 18. Reports indicated over 8.7 million records, including member personally identifiable information, were involved. The responsible group and the exact timing of the underlying compromise have not been publicly attributed, but the data volume and scope are consistent with the extended-dwell intrusion models favoured by groups such as TheGentlemen and CoinbaseCartel, which typically maintain persistent access for months before publishing victim data.
2.3 Business
The week’s most operationally significant Asian incident was the INC Ransom attack on BELFOR Asia Pte Ltd, the Singapore-based subsidiary of the global disaster recovery and property restoration company. INC Ransom claimed the attack on April 26–27 and threatened to release 430 gigabytes of corporate data. BELFOR provides emergency response and remediation services to industrial, commercial, and residential clients following floods, fires, and environmental contamination events; an attack that disrupts a disaster recovery firm’s own systems creates a particular operational paradox. The Singapore entity is part of a global network, and exposure of internal project files, client contracts, and remediation protocols could have downstream implications for ongoing emergency response engagements — and, more broadly, could give a threat actor pre-positioned intelligence about the vulnerabilities and critical systems of every client BELFOR has served.
3. UNITED STATES
3.1 Government
Metro-ILA Funds, a US labour administration fund associated with the International Longshoremen’s Association, was listed on Qilin’s leak site on April 29. The organisation administers benefits, pension, and welfare programmes for ILA members — one of the largest dock worker unions in North America. A compromise of its systems would expose sensitive financial and personal records belonging to union members and their families, with potential implications under ERISA fiduciary obligations governing retirement and benefit plan data.
3.2 Health, Municipalities & Non-commercial
Eduporium, a US education technology company supplying digital learning tools and STEM equipment to schools and districts, was claimed by Qilin on April 29. While Eduporium is a commercial vendor, it holds student data and institutional records from the school districts it serves, giving the incident a non-commercial dimension that may trigger state student-privacy notification requirements. The targeting of an edtech supplier rather than a school district directly follows the supply-chain targeting logic evident in Qilin’s attacks on healthcare IT integrators in prior weeks: by compromising a vendor, affiliates may gain access to data from multiple downstream clients simultaneously.
3.3 Business
Qilin posted Probity Contracting Group, a US construction and contracting company, on April 29 — adding a third construction-sector victim to the group’s week 18 tally alongside the UK’s Zinkan & Barker Development and Jayeff Construction. The pattern is consistent with intelligence reporting that Qilin affiliates in late April were specifically pursuing construction-sector targets using a common initial access vector, likely exploiting misconfigured VPN appliances common in the project-based IT environments of mid-sized contractors.
ADT Inc., one of the United States’ largest residential and commercial security monitoring companies, confirmed during April that ShinyHunters had exfiltrated data on approximately 5.5 million individuals. The attacker gained access by compromising an Okta single sign-on account through voice phishing — impersonating a vendor representative to obtain administrator credentials. The breach carries a particular resonance: a home security company whose customers rely on it to protect physical premises was itself compromised through social engineering of its identity management infrastructure. The ADT disclosure joins Pitney Bowes as a significant week 18 revelation from the ShinyHunters Salesforce and SaaS credential campaign.
4. REST OF WORLD
4.1 Government
No government-sector ransomware incidents were confirmed in regions outside Europe, Asia, and the United States during the week.
4.2 Health, Municipalities & Non-commercial
No incidents reported this week.
4.3 Business
Canada produced two confirmed Qilin victims in the final days of April. MES Hybrid Document Systems, a Canadian document management and printing services company, was listed on Qilin’s leak site on April 30 with a threatened data release of 430 gigabytes. Edenshaw Developments, a Toronto-based real estate developer and condominium builder, was posted on April 29. The two Canadian victims follow a week 17 pattern in which Qilin demonstrated consistent willingness to pursue mid-market Canadian businesses across multiple sectors, suggesting either a Canada-focused affiliate or a shared initial access broker supplying targets across North American verticals.
5. THREAT ACTOR ACTIVITY
Qilin maintained the dominant pace established in prior weeks, posting at least eight confirmed victims between April 29 and May 1 alone — Zinkan & Barker Development and Jayeff Construction in the UK, The Switch Enterprises in Finland, Probity Contracting Group, Eduporium, and Metro-ILA Funds in the US, and MES Hybrid Document Systems and Edenshaw Developments in Canada. The group ended April 2026 as the month’s leading ransomware operation by victim count, claiming 103 victims for the full month and approximately 1,730 total since October 2022. The construction-sector concentration in week 18 is statistically notable: three construction or contracting companies across two continents were posted within 48 hours, suggesting affiliate-level coordination around a shared target vertical. Qilin’s technical tradecraft continues to include Cobalt Strike, Evilginx for credential harvesting, and BYOVD kernel-driver techniques to disable endpoint detection prior to encryption and data theft.
ShinyHunters produced its most visible disclosures of the week on April 27–28 with the Pitney Bowes confirmation, but the group’s Salesforce-focused campaign had been active across the full month, with the ADT disclosure representing another week 18 revelation from the same operation. The method is consistently non-destructive from a systems perspective: rather than deploying encryption, ShinyHunters extracts large volumes of CRM and identity data via legitimate API calls using compromised administrator credentials, then threatens publication unless a ransom is paid. The technique generates minimal forensic artefacts and may evade detection entirely until the extortion demand arrives — a characteristic that is driving insurance and legal exposure for the affected organisations even though no systems were encrypted or operationally disrupted.
INC Ransom continued its expansion with the BELFOR Asia attack on April 26–27, posting victims in Singapore, Germany, Australia, the UK, and the US across the broader April period. The group is assessed to use spear-phishing for initial access and deploys its custom encryptor across Windows and VMware ESXi environments. Its targeting of BELFOR Asia reflects a consistent preference for professional services and infrastructure-adjacent companies with significant internal data holdings.
TheGentlemen, ranked second for April with 82 victims, had its infrastructure partially exposed during the week when Check Point Research published analysis of a SystemBC command-and-control server linked to the group. The exposed server revealed 1,570 corporate victims across multiple continents, suggesting TheGentlemen operates as a data broker or reseller leveraging SystemBC proxy malware — which uses SOCKS5 tunnels with RC4-encrypted C2 communications — to maintain persistent access across a large portfolio of compromised networks before batch-publishing victim data. The infrastructure exposure provides defenders with unusual visibility into a group that has largely avoided direct attribution.
DragonForce ranked third for April with 63 victims. The group grew substantially following RansomHub’s operational collapse in April 2025 and continues to absorb affiliates from disrupted operations. Its victim profile in April spanned healthcare IT, pharmaceutical manufacturing, legal services, and residential construction across Germany, Greece, Australia, and the United States.
KRYBIT emerged in late March 2026 as a new ransomware-as-a-service operation and posted approximately 20 victims by week 18 across Germany, Japan, Austria, and Brazil. The group operates an 80/20 revenue split with affiliates and appends a .KRYBIT extension to encrypted files. An inter-gang turf war with rival group 0APT during mid-April resulted in both groups listing each other as victims on their respective leak sites, accidentally exposing operational details of both operations — a development that provided defenders with uncommon visibility into the groups’ infrastructure and victim networks.
BERT — also tracked as Water Pombero — was publicly identified by Trend Micro in April as a previously undocumented ransomware family targeting Windows and Linux environments. Victims span healthcare, technology, and events sectors across Asia, Europe, and the United States. BERT’s emergence represents the continuing fragmentation of the ransomware ecosystem, where 70 active groups claimed victims in April alone and new RaaS operations enter continuously.
The week also saw Europol publish its Internet Organised Crime Threat Assessment 2026 on April 28–29. The IOCTA confirmed over 120 active ransomware brands globally and identified several structural trends: a growing proportion of groups abandoning encryption in favour of pure data exfiltration, AI-enabled automation of attack phases previously requiring manual operator involvement, and multi-vector extortion combining ransom demands with DDoS attacks, employee notification spam, and direct executive contact. The report also noted that ransomware infrastructure has become increasingly commoditised, with RaaS platforms, initial access brokers, and data-hosting services available as discrete purchased services in criminal markets — lowering the technical barrier for new entrants while enabling experienced operators to scale without expanding headcount.
6. KEY TAKEAWAYS
The defining theme of week 18 is the progressive separation of ransomware from encryption. ShinyHunters’ Salesforce campaign, TheGentlemen’s SystemBC-backed data collection, and the broader extortion-without-encryption trend documented in the Europol IOCTA 2026 all point toward a model where the threat actor’s leverage derives entirely from data exfiltration rather than operational disruption. This has significant implications for defence posture: traditional ransomware defences centred on backup integrity and recovery time objectives provide no protection against a threat actor who never deploys an encryptor. Organisations that have invested heavily in resilience against encryption-based ransomware but have not comparably invested in data-loss prevention, outbound traffic monitoring, and SaaS anomaly detection face a growing exposure gap that this week’s incidents illustrate in concrete terms.
The concentration of Qilin activity in the construction sector warrants sector-specific attention. Three confirmed construction victims across two continents posted within 48 hours — Zinkan & Barker Development and Jayeff Construction in the UK, and Probity Contracting Group in the US — suggest either a shared initial access broker specialising in construction-sector targets or a coordinated affiliate campaign exploiting a common vulnerability profile. Mid-sized construction companies typically operate project-based IT environments with high VPN usage, frequent third-party contractor access, and limited security operations maturity — a combination that makes them attractive targets relative to their cybersecurity investment.
The BELFOR Asia attack carries systemic implications beyond the immediate victim. Disaster-recovery firms hold detailed information about the emergency response capabilities, vulnerabilities, and critical systems of every client they have served. A threat actor with access to BELFOR’s case files has, in effect, a pre-positioned reconnaissance database for attacks on the firm’s client base. Security teams at organisations that have engaged BELFOR or similar disaster-recovery providers should review what data was shared during engagements and assess whether that information represents an exploitable attack surface for future targeting.
The ShinyHunters Salesforce campaign underscores a systemic risk in cloud CRM deployments. Salesforce holds customer, partner, and internal sales data that organisations rarely classify as critical infrastructure but that may be among their most commercially sensitive assets. The combination of high-privilege administrator accounts, bulk export APIs, and limited anomaly detection on legitimate API calls creates conditions where a single compromised credential results in the exfiltration of millions of records with minimal operational footprint. Organisations running Salesforce should treat CRM administrator credentials as critical assets with commensurate controls: hardware MFA, just-in-time privileged access, and API call-volume alerting calibrated to detect bulk extraction behaviour.
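As an added illustration of the API call-volume alerting recommended above, and of the bulk API extraction pattern described under ShinyHunters in section 5, the following Python script is not code from any source cited in this report, from Salesforce, or from any affected organisation. It runs over constructed per-request API event records in an assumed, simplified schema (ts, user, op, rows, ip), sums rows and calls per account inside a sliding window, and cross-checks each account's source address against a constructed baseline of addresses previously seen for that account. The threshold values are assumptions for demonstration and would need calibration against a tenant's own export volumes.

```python
"""Flag bulk CRM extraction in per-request API event records.

Added illustration for this report, not code from any cited source, from
Salesforce or from any affected organisation. The event schema (ts, user,
op, rows, ip) is an ASSUMED, simplified stand-in for the per-request API
logs a CRM platform can export; real field names differ. Thresholds are
illustrative and must be calibrated per tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # sliding window for volume counting
ROWS_THRESHOLD = 250_000         # rows returned per user per window (assumed)
CALLS_THRESHOLD = 200            # API calls per user per window (assumed)

# Constructed sample events: a sales rep's routine queries, a known nightly
# integration job, and an administrator account pulling 2.5M rows in eight
# minutes from a source address never seen for that account.
SAMPLE_EVENTS = [
    {"ts": "2026-04-27T09:00:05Z", "user": "sales.rep@example.test",
     "op": "query", "rows": 120, "ip": "203.0.113.10"},
    {"ts": "2026-04-27T09:04:40Z", "user": "sales.rep@example.test",
     "op": "query", "rows": 35, "ip": "203.0.113.10"},
    {"ts": "2026-04-27T01:00:00Z", "user": "integration.svc@example.test",
     "op": "bulk_query", "rows": 200_000, "ip": "203.0.113.20"},
    {"ts": "2026-04-27T02:13:01Z", "user": "crm.admin@example.test",
     "op": "bulk_query", "rows": 500_000, "ip": "198.51.100.77"},
    {"ts": "2026-04-27T02:14:30Z", "user": "crm.admin@example.test",
     "op": "bulk_query", "rows": 500_000, "ip": "198.51.100.77"},
    {"ts": "2026-04-27T02:16:02Z", "user": "crm.admin@example.test",
     "op": "bulk_query", "rows": 500_000, "ip": "198.51.100.77"},
    {"ts": "2026-04-27T02:18:45Z", "user": "crm.admin@example.test",
     "op": "bulk_query", "rows": 500_000, "ip": "198.51.100.77"},
    {"ts": "2026-04-27T02:21:10Z", "user": "crm.admin@example.test",
     "op": "bulk_query", "rows": 500_000, "ip": "198.51.100.77"},
]

# Constructed per-account baseline of source addresses seen in prior weeks.
KNOWN_SOURCE_IPS = {
    "crm.admin@example.test": {"203.0.113.5"},
    "integration.svc@example.test": {"203.0.113.20"},
}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def sliding_window_totals(events, window=WINDOW):
    """Per user, the largest row count and call count inside any `window`."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append((parse_ts(ev["ts"]), ev["rows"]))
    totals = {}
    for user, evs in by_user.items():
        evs.sort()
        start = rows_in_window = max_rows = max_calls = 0
        for end, (ts, rows) in enumerate(evs):
            rows_in_window += rows
            # Drop events that fell out of the window ending at `ts`.
            while ts - evs[start][0] > window:
                rows_in_window -= evs[start][1]
                start += 1
            max_rows = max(max_rows, rows_in_window)
            max_calls = max(max_calls, end - start + 1)
        totals[user] = {"max_rows": max_rows, "max_calls": max_calls}
    return totals


def unfamiliar_ips(events, known_ips):
    """Source IPs per user that are absent from that user's baseline.
    Users without a baseline are skipped (nothing to compare against)."""
    seen = defaultdict(set)
    for ev in events:
        if ev["user"] in known_ips and ev["ip"] not in known_ips[ev["user"]]:
            seen[ev["user"]].add(ev["ip"])
    return seen


def find_bulk_extraction(events, known_ips, rows_threshold=ROWS_THRESHOLD,
                         calls_threshold=CALLS_THRESHOLD):
    """Combine the volume and source-address signals into per-user alerts."""
    totals = sliding_window_totals(events)
    new_ips = unfamiliar_ips(events, known_ips)
    alerts = []
    for user in sorted(totals):
        stats = totals[user]
        volume_hit = (stats["max_rows"] >= rows_threshold
                      or stats["max_calls"] >= calls_threshold)
        ip_hit = bool(new_ips.get(user))
        if not (volume_hit or ip_hit):
            continue
        severity = "high" if volume_hit and ip_hit else ("medium" if volume_hit else "low")
        alerts.append({
            "user": user,
            "max_rows_in_window": stats["max_rows"],
            "max_calls_in_window": stats["max_calls"],
            "unfamiliar_ips": sorted(new_ips.get(user, ())),
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_extraction(SAMPLE_EVENTS, KNOWN_SOURCE_IPS):
        print(alert)
```

The volume signal alone would also fire on the legitimate nightly integration job if the row threshold were set too low, which is why the example carries a per-account baseline of known source addresses and rates an account that exceeds the volume threshold from an unfamiliar address higher than one that merely exceeds volume. In a real deployment the baseline would come from the platform's own login history rather than a hard-coded dictionary, and the window and thresholds would be derived from observed export volumes per integration.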
Sources
Primary Sources
- Europol Internet Organised Crime Threat Assessment 2026 (April 28, 2026): https://www.europol.europa.eu/publication-events/main-reports/iocta-2026-evolving-threat-landscape
- The Register — Pitney Bowes ShinyHunters breach disclosure (April 27–28, 2026): https://www.theregister.com/2026/04/28/pitney_bowes_is_the_latest/
- DeXpose.io — INC Ransom BELFOR Asia attack (April 26–27, 2026): https://www.dexpose.io/incransom-strikes-belfor-asia-with-major-ransomware-attack/
- Breachsense April 2026 Ransomware Report: https://www.breachsense.com/ransomware-reports/april-2026/
- CM-Alliance April 2026 Cyber Attacks Summary: https://www.cm-alliance.com/cybersecurity-blog/major-cyber-attacks-data-breaches-ransomware-attacks-in-april-2026
- The Hacker News — SystemBC/TheGentlemen C2 infrastructure exposure: https://thehackernews.com/2026/04/systembc-c2-server-reveals-1570-victims.html
- CYFIRMA Weekly Intelligence Report, May 1, 2026: https://www.cyfirma.com/news/weekly-intelligence-report-01-may-2026/
- Kaseya Week in Breach, April 29, 2026: https://www.kaseya.com/?post_type=post&p=27751
- Cybernews — ShinyHunters multi-victim data dump: https://cybernews.com/news/shinyhunters-myteresa-zara-carnival-7eleven-data-leak/
- RedPacket Security / ransomware.live victim tracking: https://www.ransomware.live/group/qilin
- SharkStriker April 2026 Data Breaches: https://sharkstriker.com/blog/april-2026-data-breaches/
- Infosecurity Magazine — 0APT vs. KRYBIT ransomware turf war: https://www.infosecurity-magazine.com/news/ransomware-turf-war-0apt-krybit/
- Paubox — Medtronic ShinyHunters data extortion: https://www.paubox.com/blog/medtronic-confirms-cyberattack-as-shinyhunters-escalates-data-extortion