Executive Summary
Week 24 of 2026 was dominated by a single story: Qilin ransomware affiliates exploiting CVE-2026-50751, a critical authentication bypass zero-day in Check Point Remote Access VPN, Mobile Access, and Quantum Spark firewall products. Rated CVSS 9.3, the flaw allows unauthenticated remote attackers to establish a VPN session without credentials by abusing the IKEv1 protocol. Check Point confirmed that exploitation began as far back as May 7, with activity intensifying in early June and at least one confirmed post-compromise ransomware deployment linked to a Qilin affiliate. CISA added CVE-2026-50751 to its Known Exploited Vulnerabilities catalog on June 8-9 and directed federal civilian agencies to remediate within days. Qilin’s week-on-week dominance was further illustrated by a 15-victim spree across nine countries in the June 2-5 window, striking an Austrian aviation company, a Portuguese energy operator at the Port of Sines, and US healthcare providers.
Alongside Qilin, ThreeAM staged a striking mass-posting on June 12, listing 11 victims in a single batch spanning Croatia, Germany, Belgium, Argentina, Brazil, Mexico, Vietnam, Australia, and the United States — including the Croatian municipality of Jastrebarsko. DragonForce claimed two Asia-Pacific industrial sector targets the same day. The overall monthly volume tracked at approximately 309 new victims recorded on ransomware.live as of June 12, consistent with the pace of prior months.
Key Statistics:
- Global: ~309 victims recorded month-to-date as of June 12; Qilin leads for its third consecutive quarter with 338 victims in Q1 2026
- Europe: 5 named victims across Austria, Portugal, Germany, Belgium, and Croatia; Qilin and ThreeAM active
- Asia: 2 named victims in Hong Kong and Vietnam; DragonForce and ThreeAM active
- US: 6 named victims across healthcare and business; Qilin and ShinyHunters active
- Other: 7+ named victims across UAE, Argentina, Brazil, Mexico, and Australia; DragonForce and ThreeAM active
1. EUROPE
1.1 Government
No government or ministerial incidents were directly reported during the week. The Croatian municipal victim Jastrebarsko is covered under section 1.2.
1.2 Health, Municipalities & Non-commercial
ThreeAM’s mass-posting on June 12 included jastrebarsko.hr, the official website of the Jastrebarsko municipality in Croatia. No technical details of the breach have been disclosed and the municipality had not issued a public statement at time of writing. The incident fits a well-established ThreeAM pattern of targeting smaller local government bodies that typically operate with limited cybersecurity resources and without dedicated incident response teams.
1.3 Business
Europe recorded the most significant confirmed business incidents of the week. Qilin posted data allegedly stolen from Avcon Jet, an Austrian private aviation operator, on June 4. The leaked material reportedly included employee passport copies, aircraft maintenance work orders, export airworthiness certificates, pilot training records, and — notably — the company’s internal cyber incident response plan. The exfiltration of a response plan is particularly consequential: it reveals detection triggers, containment procedures, and communication chains to any future attacker who downloads the data.
Also attributed to Qilin was MEISA-Sines, a Portuguese energy operator with industrial infrastructure at the Port of Sines — one of Europe’s largest container and liquefied natural gas terminals. Targeting port-adjacent energy infrastructure signals a continued strategic interest by Qilin affiliates in high-impact, operationally critical European targets where disruption costs justify faster payment decisions.
ThreeAM’s June 12 batch added two further European business victims: bsynchro.com, a German technology company, and consultic.be, a Belgian consulting firm. Neither organization had made a public disclosure by the time sources were checked.
2. ASIA
2.1 Government
No incidents reported this week.
2.2 Health, Municipalities & Non-commercial
No incidents reported this week.
2.3 Business
Asia saw two confirmed business-sector incidents this week. DragonForce claimed Cheoy Lee Shipyards, a Hong Kong-based shipbuilding company with over a century of maritime history, on June 12. The claim follows DragonForce’s pattern of targeting capital-intensive industrial firms where operational data — vessel designs, contracts, maintenance records — carries significant value. ThreeAM’s June 12 batch separately listed Hop Long Technology, a Vietnamese technology firm, though no further technical details were available at time of publication.
3. UNITED STATES
3.1 Government
No incidents reported this week.
3.2 Health, Municipalities & Non-commercial
US healthcare remained squarely in Qilin’s crosshairs. Nova Medical Products, a US medical devices company, was posted as a victim on June 2. Central Florida Cosmetic and Family Dentistry followed on June 5. Both incidents fit the group’s documented campaign against the US healthcare sector — a campaign that has now logged over 168 cumulative healthcare victims by mid-2026 according to Check Point Research’s sector tracking. The sector’s attractiveness to ransomware operators lies in its combination of critical data, regulatory sensitivity, and the operational pressure healthcare providers face to restore systems quickly.
3.3 Business
US business targets this week split across two distinct actors. ThreeAM included JetMach Productions in its June 12 mass-posting without releasing additional technical details.
The larger story involved ShinyHunters, a data-theft-and-extortion group that does not deploy encryption ransomware but instead steals databases and issues payment deadlines under threat of public release. On June 12, ShinyHunters claimed three high-profile US organizations with a payment deadline set for June 15: Madison Square Garden Sports, the sports and entertainment holding company; JCPenney, the national retail chain; and American Tower Corporation, a major telecommunications tower infrastructure operator with over 43,000 US sites. The potential exposure of site configuration data or access credentials at a company of American Tower’s scale raises concerns beyond the immediate breach. ShinyHunters’ extortion model produces outcomes functionally equivalent to ransomware for the victim, which is why the group is routinely tracked alongside traditional ransomware operators despite the absence of encryption.
4. REST OF WORLD
4.1 Government
No incidents reported this week.
4.2 Health, Municipalities & Non-commercial
ThreeAM’s June 12 batch included amc.org.au, an Australian domain associated with a non-commercial organization. Further details were not publicly available at time of writing.
4.3 Business
The rest-of-world category saw the broadest geographic spread of any region this week, driven almost entirely by ThreeAM’s June 12 mass-posting. In the Middle East, DragonForce claimed Al Ishrak Contracting, a UAE-based construction company. In Latin America, ThreeAM listed two Argentine firms — Insamani and Molinos Cabodi — as well as Agro Export Avocados in Mexico and a Brazilian entity registered under ws.com.br. The Argentine and Mexican victims operate in agriculture and food processing, sectors that have drawn increasing attention from ransomware groups due to their high dependency on operational continuity and, in the case of exporters, time-sensitive logistics.
5. THREAT ACTOR ACTIVITY
Qilin remained the defining presence in the week’s ransomware landscape and, by all available tracking metrics, the most active ransomware operation globally in 2026. The group’s Q1 2026 tally of 338 confirmed victims marks its third consecutive quarter in first place across all tracked groups. Qilin operates as a Ransomware-as-a-Service (RaaS) platform, with affiliates retaining 80-85% of ransom payments. The group routinely employs double extortion — combining file encryption with data exfiltration and threatened publication — and has now accumulated over 168 healthcare victims and 291 manufacturing victims by mid-year. The most significant TTP shift observed this week was the exploitation of CVE-2026-50751, marking a clear upgrade from opportunistic credential abuse and phishing toward active zero-day exploitation of network perimeter devices. That shift compresses the defensive window considerably: organizations cannot rely on routine patch cycles to outpace this kind of targeted access activity.
ThreeAM, a group that emerged in late 2023 with links to Conti-lineage infrastructure, raised attention with its 11-country, 11-victim single-day posting on June 12. The geographic breadth — spanning Central America, Southeast Asia, Western Europe, and South America simultaneously — suggests either an expanding affiliate recruiting operation or tooling that accelerates victim processing and leak-site publication. Either interpretation points to a maturing operation rather than an opportunistic one.
DragonForce, which transitioned from hacktivism to for-profit ransomware in 2024 and subsequently offered cartel-style shared infrastructure to other groups, continued targeting industrial firms in the Asia-Pacific region. Its June 12 claims against Cheoy Lee Shipyards and Al Ishrak Contracting are consistent with a sector preference for capital-intensive businesses where operational data carries intrinsic financial value.
ShinyHunters remains misclassified in most ransomware tracking databases but warrants inclusion based on the extortion mechanism and the scale of its US targets this week. The June 15 payment deadline that the group announced on June 12 for Madison Square Garden Sports, JCPenney, and American Tower Corporation suggests active negotiations may have been underway at time of publication.
CVE-2026-50751 stands as the most significant vulnerability disclosure of the week. The Check Point IKEv1 authentication bypass, rated CVSS 9.3, enables unauthenticated remote access without credentials. With confirmed exploitation by at least one Qilin affiliate and CISA’s inclusion in the Known Exploited Vulnerabilities catalog, organizations running Check Point Remote Access VPN, Mobile Access, or Quantum Spark products should treat this as an urgent remediation priority.
6. KEY TAKEAWAYS
Week 24 illustrated two structural dynamics that have defined 2026 ransomware activity. First, leading groups are demonstrably investing in zero-day research and acquisition. Qilin’s exploitation of CVE-2026-50751 follows a broader pattern of top-tier ransomware affiliates moving up the exploitation chain from commodity credential theft toward purchased or developed zero-days targeting network perimeter devices. This is a significant tactical evolution: VPN zero-days provide authenticated network access before any endpoint detection can fire, bypassing many controls that defenders have spent years hardening. Second, the healthcare and critical infrastructure sectors continue to attract disproportionate targeting from high-capability groups. Qilin’s cumulative 168+ healthcare victims and the MEISA-Sines energy incident both reflect a sustained strategic logic: these sectors face the highest cost of downtime and the strongest regulatory and reputational pressure to restore operations quickly, which historically produces faster and larger ransom payments.
For defenders, the immediate priority is patching CVE-2026-50751 on any Check Point VPN product in the environment. Beyond that, the week reinforces three standing recommendations: maintaining tested offline backup integrity, segmenting VPN termination points from internal networks so that VPN compromise does not equal network compromise, and proactively hunting for IKEv1 anomalies in VPN session logs as an indicator of reconnaissance or initial access activity.
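A sketch of the IKEv1 log hunt recommended above, added here as an example and not taken from Check Point or any cited source. It assumes VPN events have been exported to a hypothetical normalized JSON-lines schema (`ts`, `event`, `ike_version`, `user`, `src_ip`) and flags IKEv1 sessions that came up without a recent successful authentication from the same source address; the 60-second window is an assumed tuning value.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema, not a vendor
# log format. Addresses come from documentation ranges (RFC 5737).
SAMPLE_EVENTS = """\
{"ts":"2026-06-03T08:00:01Z","event":"auth_success","user":"alice","src_ip":"198.51.100.10"}
{"ts":"2026-06-03T08:00:03Z","event":"session_up","ike_version":2,"user":"alice","src_ip":"198.51.100.10"}
{"ts":"2026-06-03T09:15:00Z","event":"auth_success","user":"bob","src_ip":"198.51.100.20"}
{"ts":"2026-06-03T09:15:04Z","event":"session_up","ike_version":1,"user":"bob","src_ip":"198.51.100.20"}
{"ts":"2026-06-03T11:42:10Z","event":"session_up","ike_version":1,"user":"","src_ip":"203.0.113.77"}
{"ts":"2026-06-03T12:00:00Z","event":"auth_success","user":"carol","src_ip":"198.51.100.30"}
{"ts":"2026-06-03T13:30:00Z","event":"session_up","ike_version":1,"user":"carol","src_ip":"198.51.100.30"}
"""

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def hunt_ikev1_sessions(lines, window=timedelta(seconds=60)):
    """Return (ts, src_ip, reason) for each IKEv1 session_up event that has no
    auth_success from the same source IP within the preceding window."""
    last_auth = {}  # src_ip -> time of most recent auth_success
    findings = []
    events = [json.loads(line) for line in lines.splitlines() if line.strip()]
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts = parse_ts(ev["ts"])
        if ev["event"] == "auth_success":
            last_auth[ev["src_ip"]] = ts
        elif ev["event"] == "session_up" and ev.get("ike_version") == 1:
            seen = last_auth.get(ev["src_ip"])
            if seen is None or ts - seen > window:
                reason = "no prior auth" if seen is None else "stale auth"
                findings.append((ev["ts"], ev["src_ip"], reason))
    return findings

if __name__ == "__main__":
    for finding in hunt_ikev1_sessions(SAMPLE_EVENTS):
        print(finding)
```

Findings are leads for review rather than confirmed compromise: legitimate IKEv1 peers that authenticate out of band will also appear and should be baselined.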
Sources
Primary Sources
Check Point VPN Zero-Day / Qilin
- BleepingComputer — “Check Point Links VPN Zero-Day Attacks to Qilin Ransomware Gang”: https://www.bleepingcomputer.com/news/security/check-point-links-vpn-zero-day-attacks-to-qilin-ransomware-gang/
- BleepingComputer — “CISA Orders Feds to Patch Check Point Flaw Exploited by Ransomware Gangs”: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-check-point-flaw-exploited-by-ransomware-gangs/
- Help Net Security — “Check Point CVE-2026-50751 and Qilin Ransomware” (June 8, 2026): https://www.helpnetsecurity.com/2026/06/08/check-point-cve-2026-50751-qilin-ransomware/
- SecurityWeek — “Check Point VPN Zero-Day Exploited in Qilin Ransomware Attacks”: https://www.securityweek.com/check-point-vpn-zero-day-exploited-in-qilin-ransomware-attacks/
- TechCrunch — “CISA Gives US Federal Agencies Three Days to Fix a VPN Bug Under Attack by a Ransomware Gang” (June 9, 2026): https://techcrunch.com/2026/06/09/cisa-gives-us-federal-agencies-three-days-to-fix-a-vpn-bug-under-attack-by-a-ransomware-gang/
- Rapid7 — “ETR: Critical Check Point VPN Zero-Day CVE-2026-50751 Exploited in the Wild”: https://www.rapid7.com/blog/post/etr-critical-check-point-vpn-zero-day-exploited-in-the-wild-cve-2026-50751/
Qilin Victim Activity
- ZeroFox — “Qilin’s Latest Spree of Alleged Victims” (June 8, 2026): https://www.zerofox.com/intelligence/qilins-latest-spree-of-alleged-victims/
- Check Point Research — “The State of Ransomware Q1 2026”: https://research.checkpoint.com/2026/the-state-of-ransomware-q1-2026/
- Check Point Research — “8th June Threat Intelligence Report”: https://research.checkpoint.com/2026/8th-june-threat-intelligence-report/
- Industrial Cyber — “Ransomware Sector Reconsolidating as Qilin, LockBit and The Gentlemen Expand Influence in Q1 2026”: https://industrialcyber.co/ransomware/ransomware-sector-reconsolidating-as-qilin-lockbit-and-the-gentlemen-expand-influence-in-q1-2026/
- Halcyon — “Ransomware on the Move: Akira, Hunters International, Qilin, RansomHub”: https://www.halcyon.ai/attacks-news/ransomware-on-the-move-akira-hunters-international-qilin-ransomhub
- Moxfive — “Qilin Ransomware 2026: TTPs, Victims, and Defense Guide”: https://www.moxfive.com/blog/qilin-ransomware-2026-ttps-victims-and-defense-guide
Victim Tracking
- Ransomware.live (aggregated leak-site tracking): https://www.ransomware.live/
- CyberThreatIntelligence.net (victim tracking): https://cyberthreatintelligence.net/ransomware-victims
- Privacy Guides — “Data Breach Roundup June 5-11, 2026”: https://www.privacyguides.org/news/2026/06/12/data-breach-roundup-june-5-11-2026/
- TechCrunch — “The Worst Hacks and Breaches of 2026 So Far” (June 7, 2026): https://techcrunch.com/2026/06/07/the-worst-hacks-and-breaches-of-2026-so-far/
Threat Intelligence Context
- Kaspersky Securelist — “State of Ransomware in 2026”: https://securelist.com/state-of-ransomware-in-2026/119761/
- The Cyber Express — “Qilin, INC Ransom Drive 2026 Ransomware Surge”: https://thecyberexpress.com/qilin-inc-ransom-drive-2026-ransomware-surge/
- The Record by Recorded Future — “ChipSoft Ransomware Attack Disrupts Dutch Hospitals” (contextual background, April 2026): https://therecord.media/chipsoft-ransomware-attack-disrupts-dutch-hospitals