Ransomware summary week 25, 2026

Week 25 brought a notable concentration of ransomware and extortion activity across Southeast Asia and the US, with emerging groups World Leaks, The Gentlemen, and Dire Wolf each claiming Thai manufacturing victims, while Operation Checkmate confirmed the Europol-led dismantling of BlackSuit and its $370 million extortion trail.
Tag: ransomware

Published June 20, 2026

Executive Summary

Week 25 (June 12–19, 2026) was defined less by raw volume than by the simultaneous emergence of several newer ransomware operations and the belated public accounting of a major law enforcement success. Southeast Asia bore the heaviest operational burden, with five confirmed incidents in Thailand and India — the majority claimed by groups that did not exist a year ago. In the United States, ShinyHunters’ extortion against Kodak and the Qilin breach notification affecting nearly half a million Covenant Health patients dominated headlines, while Symantec’s disclosure of a DragonForce campaign using Microsoft Teams relay infrastructure for C2 raised fresh detection concerns. At the law enforcement level, Europol confirmed the conclusion of Operation Checkmate against BlackSuit, and Operation Endgame’s second phase took down the SocGholish botnet. Cisco Talos simultaneously published analysis linking the nascent Chaos group to BlackSuit’s former infrastructure and tooling, suggesting the ecosystem is already reconstituting.

Key Statistics:

  • Global: 8 confirmed incidents/breach disclosures; multiple law enforcement actions concluded
  • Europe: 0 confirmed victim incidents; 2 major LE operations concluded (Operation Checkmate, Operation Endgame)
  • Asia: 5 confirmed incidents — Thailand (3), India (1), Japan (1); groups: World Leaks, The Gentlemen, Dire Wolf
  • US: 3 incidents — ShinyHunters/Kodak, Qilin/Covenant Health (notification), DragonForce/US services firm (disclosure)
  • Other: 0 confirmed incidents

1. EUROPE

1.1 Government

No incidents reported this week.

1.2 Health, Municipalities & Non-commercial

No incidents reported this week.

1.3 Business

No confirmed victim incidents were reported in Europe during week 25. However, Europe was the focal point for two significant law enforcement actions. Operation Endgame, coordinated by the Dutch National Police with participation from Canada, the US, and Germany, disrupted the SocGholish (FakeUpdates) botnet on June 18, seizing more than 100 servers and cleaning nearly 15,000 compromised websites. The FBI had characterized SocGholish as a critical initial-access enabler that routinely handed footholds to ransomware operators. Separately, Europol announced the conclusion of Operation Checkmate, the multinational takedown of the BlackSuit ransomware group, involving police from Germany, France, the United Kingdom, Ireland, Ukraine, Lithuania, Canada, and the US. Full details are covered in the Threat Actor Activity section below.


2. ASIA

2.1 Government

No incidents reported this week.

2.2 Health, Municipalities & Non-commercial

No incidents reported this week.

2.3 Business

Southeast Asian manufacturing absorbed repeated blows during week 25, with three distinct groups each claiming Thai victims within the same reporting cycle.

World Leaks — the data-theft-only successor to Hunters International that abandoned encryption in January 2025 — listed a Thai construction and engineering company on June 12, claiming to have exfiltrated approximately 870 GB across more than 567,000 files. The group’s shift to pure exfiltration extortion without deploying encryptors makes it particularly difficult for victims to quantify operational disruption versus pure data exposure risk.

The Gentlemen, a RaaS operation that emerged in mid-2025 and has been tracked by Check Point Research and the Microsoft Security Blog, claimed a Thai wood-based panel manufacturer on June 12 — described as a producer of particle board and MDF with more than 70 years of operating history. The same group also posted a Kyoto-based handcrafted indigo-dyed textile company in Japan on or around June 19, with data not yet published at the time of reporting, suggesting the victim may still be in active negotiations.

Dire Wolf, a double-extortion group that has been active since May 2025 and was flagged by Singapore’s Cyber Security Agency in a 2025 advisory, claimed a Thailand-based manufacturer of motorcycle drive chains and power transmission components on June 19. The group alleges approximately 260 GB was taken, including financial records, customer data, and tax filings. Dire Wolf’s confirmed victim list of 41 organizations to date spans Malaysia, Thailand, the United Kingdom, Singapore, and the US, with a clear emphasis on manufacturing and logistics.

In India, World Leaks claimed a second victim on June 19 — a global electronics manufacturing services and semiconductor company — with roughly 630 GB and more than 204,000 files described as exfiltrated. The dual posting by World Leaks across Thailand and India in a single week underlines the group’s operational tempo after its rebranding.


3. UNITED STATES

3.1 Government

No incidents reported this week.

3.2 Health, Municipalities & Non-commercial

Covenant Health, a Catholic healthcare network operating hospitals and facilities across six states — Maine, Massachusetts, New Hampshire, Pennsylvania, Rhode Island, and Vermont — disclosed that a Qilin ransomware attack originally carried out in May 2025 affected 478,188 individuals. The breach notification, filed during week 25, revealed that Qilin claimed 852 GB and approximately 1.35 million files. Operationally, at least one system within the network, St. Mary’s Health System, was forced onto paper-based laboratory processing during the incident, with increased patient wait times reported. The disclosure timeline illustrates how healthcare ransomware events continue generating regulatory and legal exposure long after attackers have moved on.

3.3 Business

Kodak confirmed on June 15–16 that an unauthorized third party gained temporary access to a limited amount of company data, validating ShinyHunters’ extortion claim. The group alleged it held more than 2.2 million records and set a June 18 deadline to publish the data unless contacted. Kodak’s own characterization as a “limited” access event was notably more restrained than ShinyHunters’ figures; the precise volume and content of the exposed data remain disputed. ShinyHunters operates as a pure extortion actor without ransomware encryption, following the same data-theft model that has characterized several of this week’s other incidents.

Separately, Symantec and Carbon Black disclosed on June 16–17 that a US services company had been compromised by DragonForce operators in December 2025 using a custom Go-based backdoor named Backdoor.Turn. The malware obtained anonymous visitor tokens from Microsoft Teams and routed its command-and-control traffic through legitimate Microsoft TURN relay servers via the QUIC protocol, causing security tools to observe only outbound connections to Microsoft infrastructure. The attack predates week 25, but its public disclosure and technical analysis fell squarely within the reporting period.


4. REST OF WORLD

4.1 Government

No incidents reported this week.

4.2 Health, Municipalities & Non-commercial

No incidents reported this week.

4.3 Business

No incidents reported this week.


5. THREAT ACTOR ACTIVITY

Operation Checkmate — BlackSuit dismantled. The week’s most consequential law enforcement development was Europol’s confirmation that Operation Checkmate had concluded the BlackSuit ransomware operation. BlackSuit itself was a 2023 rebrand of the Royal ransomware group, which in turn emerged in September 2022. Over the group’s operational lifetime it extracted $370 million in ransom payments from more than 450 US entities. The operation drew police from eight countries. Cisco Talos published a concurrent analysis assessing with moderate confidence that a newer group called Chaos — with samples compiled as early as February 2025 — is either a rebranding effort by BlackSuit operators or a project run by some of its former members. The technical basis includes shared command-line parameters for encryption (the /lkey, /encrypt_step, and /work_mode flags), matching ransom note structures, and overlapping use of living-off-the-land binaries and remote management tools. The Checkmate takedown may therefore have accelerated Chaos adoption by displaced affiliates rather than ending the threat lineage.

DragonForce’s Teams relay C2 (Backdoor.Turn). The Symantec disclosure of Backdoor.Turn represents a meaningful evolution in C2 evasion. By obtaining anonymous Microsoft Teams visitor tokens — a capability accessible to unauthenticated external users under default Teams configurations — and tunneling QUIC traffic through Microsoft’s own TURN relay infrastructure, operators effectively hid malicious C2 traffic inside an allowlisted Microsoft service. Security products that inspect only connection destinations, rather than payload content or behavioral patterns, would see legitimate Teams relay traffic and generate no alert. The attack on the unnamed US services firm in December 2025 appears to be the first publicly documented use of this specific relay-abuse technique.

VECT ransomware — accidental wiper. Check Point Research published a technical breakdown of VECT ransomware revealing a critical implementation flaw in its ChaCha20-IETF encryption: for files larger than 128 KB, the malware generates four independent nonces but overwrites the same memory buffer on each pass, writing only the final nonce to disk and discarding the first three. Since decryption requires the exact nonce per chunk, 75% of every large file is mathematically irrecoverable by anyone, including the ransomware operator. Victims paying a ransom for VECT-encrypted data would receive a decryptor incapable of restoring the majority of their large files.

GodDamn ransomware. A newly identified strain targeting Windows systems appends a victim-specific identifier followed by the .God8Damn extension. CYFIRMA attributed advanced TTPs to the group including Windows Management Instrumentation abuse, process injection, registry modification, bootkit persistence, credential dumping, and keylogging — though independent corroboration of the full TTP set remains limited.

World Leaks, The Gentlemen, Dire Wolf. All three groups posted multiple victims during week 25, marking a collectively active period for operations that began or rebranded within the past 18 months. None of these groups appeared in prior weeks’ summaries, underscoring how rapidly the RaaS and extortion-only ecosystem regenerates following law enforcement actions against more established brands.


6. KEY TAKEAWAYS

The dominant theme of week 25 is the bifurcation between encryption-based ransomware and pure data-extortion models. World Leaks and ShinyHunters both operated without deploying encryptors, relying solely on the threat of exposure to extract leverage. This trend reduces the operational footprint of an attack — no encryption means fewer process signals, no recovery race against a decryptor clock, and no need for the attacker to maintain decryption key custody — while preserving the core business model intact.

The concentration of incidents in Southeast Asian manufacturing is also worth noting. Thailand appeared in claims by three separate groups (World Leaks, The Gentlemen, Dire Wolf) in the same week. Whether this reflects coordinated initial access brokerage, shared affiliate networks, or independent convergence on a region perceived as under-defended remains an open question.

For defenders, the DragonForce Teams relay technique represents a concrete detection gap to address. Organizations that rely on domain-based firewall rules to block outbound C2 will not catch traffic relayed through legitimate Microsoft infrastructure. Behavioral detection — anomalous QUIC sessions, unexpected processes initiating Teams API calls, or outbound data volumes inconsistent with normal Teams usage — provides more durable coverage than connection-destination inspection.
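Two of the behavioral checks above (an unexpected process using the Teams relay, and relay volume out of line with the host's own baseline) run over constructed flow records, as an added example that is not code from the original report or from any vendor. The `dst_tag` enrichment and the Teams process allowlist are assumptions to be replaced with the reader's own sources.

```python
from collections import defaultdict
from statistics import median

# Constructed endpoint/flow telemetry, not real logs. dst_tag is assumed to come from the
# reader's own destination enrichment (e.g. known Teams/TURN relay ranges); TEAMS_PROCS is an
# assumed allowlist of processes expected to talk to Teams relays and must be tuned per estate.
FLOWS = [
    {"host": "ws-01", "proc": "ms-teams.exe", "dst_tag": "teams-relay", "bytes_out": 4_100_000},
    {"host": "ws-01", "proc": "ms-teams.exe", "dst_tag": "teams-relay", "bytes_out": 3_600_000},
    {"host": "ws-01", "proc": "ms-teams.exe", "dst_tag": "teams-relay", "bytes_out": 4_400_000},
    {"host": "ws-01", "proc": "ms-teams.exe", "dst_tag": "teams-relay", "bytes_out": 910_000_000},
    {"host": "ws-07", "proc": "updater.exe", "dst_tag": "teams-relay", "bytes_out": 2_000_000},
    {"host": "ws-07", "proc": "msedge.exe", "dst_tag": "office-cdn", "bytes_out": 120_000},
]
TEAMS_PROCS = {"ms-teams.exe", "teams.exe"}


def relay_anomalies(flows, volume_mult=10.0, min_baseline=3):
    """Return (host, proc, reason) tuples for Teams relay flows that look wrong:
    (1) a process outside the Teams allowlist reaching the relay, or
    (2) a relay session whose outbound bytes exceed volume_mult times the host's
        median for legitimate Teams relay flows (needs min_baseline samples)."""
    baseline = defaultdict(list)
    for f in flows:
        if f["dst_tag"] == "teams-relay" and f["proc"] in TEAMS_PROCS:
            baseline[f["host"]].append(f["bytes_out"])
    alerts = []
    for f in flows:
        if f["dst_tag"] != "teams-relay":
            continue  # destination-only filtering stops here and sees nothing wrong
        if f["proc"] not in TEAMS_PROCS:
            alerts.append((f["host"], f["proc"], "non-Teams process using Teams relay"))
            continue
        hist = baseline[f["host"]]
        if len(hist) >= min_baseline and f["bytes_out"] > volume_mult * median(hist):
            ratio = f["bytes_out"] / median(hist)
            alerts.append((f["host"], f["proc"], "outbound volume %.0fx host median" % ratio))
    return alerts
```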

Finally, the VECT wiper-by-accident story is a reminder that ransomware code quality varies enormously. Victims facing VECT encryption should engage forensic responders and request the decryptor before paying — a decryptor cannot help if the nonces for three-quarters of each large file were never recorded.
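To make the VECT flaw described in the Threat Actor Activity section and in the takeaway above concrete, the following added example (not the malware's code and not from Check Point's write-up) models it with a small ChaCha20-IETF implementation: four chunks each get a fresh nonce, but one buffer holds the nonce and only its final value is recorded, so the operator's decryptor can restore only the last chunk. The chunk size is a constructed stand-in; the page only states that large files are split into four passes.

```python
import os, struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _qr(s, a, b, c, d):  # ChaCha quarter round on state words a, b, c, d
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _block(key, counter, nonce):  # ChaCha20-IETF: 32-byte key, 32-bit counter, 12-byte nonce
    st = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = st[:]
    for _ in range(10):  # 20 rounds as 10 column/diagonal double rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(st, w)])

def chacha20_xor(key, nonce, data):  # XOR with keystream; the same call encrypts and decrypts
    out = bytearray()
    for i in range(0, len(data), 64):
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], _block(key, i // 64, nonce)))
    return bytes(out)

CHUNK = 64  # constructed stand-in for the real per-pass chunk size

def vect_encrypt(key, plaintext):
    # Models the flaw: a fresh nonce per chunk, but a single buffer holds it and is
    # overwritten on every pass, so only the final nonce survives to be "written to disk".
    chunks = [plaintext[i:i + CHUNK] for i in range(0, len(plaintext), CHUNK)]
    nonce_buf = bytearray(12)
    out = []
    for ch in chunks:
        nonce_buf[:] = os.urandom(12)  # the previous chunk's nonce is lost here
        out.append(chacha20_xor(key, bytes(nonce_buf), ch))
    return b"".join(out), bytes(nonce_buf)  # ciphertext plus the only nonce that was recorded

def vect_decrypt(key, ciphertext, stored_nonce):
    # All the operator's decryptor can do: reuse the single recorded nonce for every chunk.
    return b"".join(chacha20_xor(key, stored_nonce, ciphertext[i:i + CHUNK]) for i in range(0, len(ciphertext), CHUNK))

def recoverable_fraction(key, plaintext):
    # Fraction of chunks that decrypt back to the original; with four chunks only the last does.
    ct, nonce = vect_encrypt(key, plaintext)
    pt2 = vect_decrypt(key, ct, nonce)
    starts = range(0, len(plaintext), CHUNK)
    return sum(plaintext[i:i + CHUNK] == pt2[i:i + CHUNK] for i in starts) / len(starts)
```

Calling `recoverable_fraction(bytes(range(32)), bytes(range(256)))` gives 0.25, the 25% of each large file that the page says a paid-for decryptor can still restore.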


Sources

Primary Sources

  • CYFIRMA Weekly Intelligence Report, June 12, 2026 — https://www.cyfirma.com/news/weekly-intelligence-report-12-jun-2026/
  • CYFIRMA Weekly Intelligence Report, June 19, 2026 — https://www.cyfirma.com/news/weekly-intelligence-report-19-jun-2026/
  • Check Point Research: VECT ransomware — by design wiper by accident — https://research.checkpoint.com/2026/vect-ransomware-by-design-wiper-by-accident/
  • SecurityWeek: Microsoft Teams relay servers abused in DragonForce ransomware attack — https://www.securityweek.com/microsoft-teams-relay-servers-abused-in-dragonforce-ransomware-attack/
  • SecurityWeek: BlackSuit ransomware group transitioning to Chaos amid leak site seizure — https://www.securityweek.com/blacksuit-ransomware-group-transitioning-to-chaos-amid-leak-site-seizure/
  • The Record: Covenant Health breach — Qilin — https://therecord.media/covenant-health-breach-qilin
  • The Record: SocGholish botnet disrupted — https://therecord.media/socgholish-botnet-disrupted
  • The Record: US confirms BlackSuit takedown — https://therecord.media/us-confirms-blacksuit-takedown
  • Bleeping Computer: Kodak confirms data breach claimed by ShinyHunters extortion gang — https://www.bleepingcomputer.com/news/security/kodak-confirms-data-breach-claimed-by-shinyhunters-extortion-gang/

RSS Feed Sources

  • CYFIRMA Research
  • The Record by Recorded Future
  • SecurityWeek
  • Bleeping Computer
  • Check Point Research
  • Cisco Talos Intelligence