Week 25 brought a notable concentration of ransomware and extortion activity across Southeast Asia and the US, with emerging groups World Leaks, The Gentlemen, and Dire Wolf each claiming Thai manufacturing victims, while Operation Checkmate confirmed the Europol-led dismantling of BlackSuit and its $370 million extortion trail.
Week 24 was defined by Qilin affiliates exploiting a critical Check Point VPN zero-day, while ThreeAM staged an 11-victim mass-posting across nine countries and DragonForce hit shipbuilding in Hong Kong.
Week 23 brought a relentless assault on the US healthcare sector — with ShinyHunters exposing 2.6 million DentaQuest dental benefit recipients, The Gentlemen batch-targeting three Michigan medical facilities in a single operation, and the law firm Weil Gotshal paying an estimated 18 to 20 million dollars in a pure data-extortion settlement — while Qilin continued its global reach from Austria to Chile.
Week 22 saw The Gentlemen RaaS operation surge to become the second most active ransomware group globally, simultaneously claiming victims across Italy, Japan, Mexico, and the US, while DragonForce swept through American real estate and healthcare and a newly identified group called Aur0ra quietly accumulated targets across fourteen countries.
Week 21 brought a surge in cartel-coordinated ransomware activity with Qilin, APT73, and affiliated groups posting nearly 100 victims across 25 countries, while the disclosure of a 1.8-million-person breach at NYC Health + Hospitals — including stolen biometric fingerprint data — marked the week’s most consequential single incident.
Week 20 saw Nitrogen ransomware strike Foxconn’s North American manufacturing plants, claiming 8 TB including confidential data tied to Apple, Nvidia, and Google, while West Pharmaceutical Services suffered a silent encryption attack and Australian gold miners were disrupted through a supply-chain breach of IT provider Scope Systems.
Week 19 was dominated by ShinyHunters’ breach of Instructure’s Canvas LMS exposing data across 8,800 educational institutions during US finals week, while Qilin claimed Sysco and Everest ransomware targeted financial technology giant Fiserv, and Hungary’s pro-government Mediaworks suffered a 15-million-file data dump by the World Leaks extortion group.
Week 18 was dominated by Qilin’s sustained targeting of North American and European construction and services companies, INC Ransom’s attack on Singapore disaster-recovery firm BELFOR Asia, and the publication of Europol’s IOCTA 2026 report documenting a structural shift toward encryption-free extortion across the ransomware ecosystem.
Week 17 saw Qilin dominate globally with 30+ victims including Toyota supplier Denso and Canada’s Manulife Wealth, while two significant developments signalled an evolution in ransomware tradecraft: the Kyber group deployed the first confirmed production-grade post-quantum encryption in a ransomware attack, and Trigona resumed operations after nearly three years of dormancy with a custom data exfiltration tool.
Week 16 brought confirmation that patient data was stolen in the ChipSoft attack disrupting Dutch hospitals, Medusa/Storm-1175 claimed the University of Mississippi Medical Center and Passaic County, Qilin struck German automotive supplier Herth+Buss and Florida’s Clearwater Marine Aquarium, and an emerging group called Gunra targeted Thailand’s Nok Air and a petroleum trading company in rapid succession.
Week 15 was dominated by the ChipSoft ransomware attack disrupting 80% of Dutch hospitals, Anubis forcing ambulance diversions at Massachusetts’ Signature Healthcare, a Winona County attack requiring National Guard deployment, Silent Ransom Group targeting two major law firms (Jones Day and Orrick), Microsoft exposing Storm-1175’s zero-day Medusa campaigns, and NightSpire striking Turkey’s TTAF Defense with 200 GB of military documents exfiltrated.
Qilin dominated week 14 with attacks on US government targets including Georgia’s State Road and Tollway Authority, Arkansas’s Faulkner County Sheriff’s Office, and Indiana’s Jackson County Sheriff’s Office, while DragonForce struck Berlin’s Fernheizwerk Neukölln district heating provider, ShinyHunters published 350 GB of European Commission data and attempted to extort Cisco, and a new criminal marketplace called Leak Bazaar emerged to monetize ransomware-stolen data at industrial scale.
Week 13 saw the European Commission breached via its AWS cloud, the Dutch Ministry of Finance hacked, and Foster City declaring a state of emergency after a ransomware-induced municipal shutdown, while Qilin posted a massive batch of victims spanning Belgian healthcare to Native American tribal government, JAXA faced a 6.9 TB extortion claim by newcomer ALP-001, and WorldLeaks listed the City of Los Angeles alongside LA Metro disruptions.
Week 12 saw Interlock exploit a Cisco FMC zero-day (CVE-2026-20131) for root access on enterprise firewalls, Medusa claim Henry County, Illinois and demand $500,000, and DragonForce list Liverpool Philharmonic and Salford City College in the UK alongside Mercedes-Benz of Arlington, while Akira posted Czech manufacturer Motorpal and German industrial firm bdtronic, Payload ransomware hit Royal Bahrain Hospital, threatening 110 GB of patient data, and LeakNet adopted ClickFix social engineering through compromised websites to scale operations.
Week 11 was defined by the Handala wiper attack on medtech giant Stryker — which wiped 200,000 devices across 79 countries via Microsoft Intune — alongside Qilin claiming a Spanish school, Singaporean oilfield services, and South American manufacturers, while Genesis burst onto the scene listing eight US victims in a single day including healthcare providers and a Michigan municipality, and ShinyHunters demanded $65 million from Telus Digital after claiming nearly 1 petabyte of stolen data.
Week 10 was dominated by the geopolitical fallout from Operation Epic Fury, with Iranian APT Seedworm backdooring a US bank, airport, and defense supplier, while Handala breached Sharjah National Oil Corporation exfiltrating 1.3 TB, and Qilin claimed Tennessee Valley Electric Cooperative and multiple manufacturing targets across three continents as DragonForce hit a Brazilian university and US healthcare.
Week 9 saw ShinyHunters extort Wynn Resorts for $1.5M and breach CarGurus exposing 12.4 million accounts, while Qilin claimed Malaysia Airlines and the 67,000-member NYC Transit Workers Union, Handala targeted Israel’s largest healthcare network Clalit, and Chainalysis reported that 2025 ransomware payments cratered to $820M despite a 50% surge in attacks.
Week 8 saw the University of Mississippi Medical Center shut down all clinics after a devastating ransomware attack, while NightSpire emerged as the most prolific group with 26 new victims in a single day, and LockBit 5.0 continued its cross-platform resurgence targeting organizations from Austrian healthcare to Mauritian hospitality.
A ransomware attack on the BridgePay payment gateway caused nationwide US payment outages affecting municipalities and utilities, while Qilin ransomware dominated with fresh victims across three continents, including Augusta Housing Authority and Tulsa International Airport.
Week 6 saw Qilin ransomware hit Romania’s Conpet oil pipeline operator and La Sapienza University in Rome, while DragonForce claimed a 97GB breach of German insurer HanseMerkur. CL0P continued targeting Australian organizations via IT service providers, and LockBit led daily ransomware claims in early February.
Week 5 saw the FBI seize the RAMP cybercrime forum in a landmark takedown, while Qilin ransomware claimed Tulsa International Airport and Philippine Savings Bank among 34 daily victims. Two former US cybersecurity professionals pleaded guilty to ALPHV/BlackCat attacks, and TA584 expanded initial access operations with new Tsundere Bot malware.
Week 4 saw a ransomware attack on Belgian hospital AZ Monica disrupt patient care across Antwerp, while Qilin continued targeting Asian manufacturing with attacks on Singapore’s Neo Group and Thailand’s Charoenchai Transformer. WorldLeaks claimed 1.4TB from Nike, and two US cybersecurity professionals pleaded guilty to ALPHV ransomware attacks.
Week 3 saw Qilin targeting Vietnam Airlines and Japanese manufacturers while Akira launched aggressive campaigns against US businesses. TridentLocker’s attack on Sedgwick Government Solutions exposed federal contractor vulnerabilities, and Ingram Micro disclosed a July 2025 breach affecting 42,000 employees.