Ransomware Intelligence
Weekly ransomware threat intelligence covering recent attacks, threat actor analysis, and incident tracking.
Ransomware summary week 18, 2026
Week 18 was dominated by Qilin’s sustained targeting of North American and European construction and services companies, INC Ransom’s attack on Singapore disaster-recovery firm BELFOR Asia, and the publication of Europol’s IOCTA 2026 report documenting a structural shift toward encryption-free extortion across the ransomware ecosystem.
May 2, 2026
Ransomware summary week 17, 2026
Week 17 saw Qilin dominate globally with 30+ victims including Toyota supplier Denso and Canada’s Manulife Wealth, while two significant developments signalled an evolution in ransomware tradecraft: the Kyber group deployed the first confirmed production-grade post-quantum encryption in a ransomware attack, and Trigona resumed operations after nearly three years of dormancy with a custom data exfiltration tool.
Apr 25, 2026
Ransomware summary week 16, 2026
Week 16 brought confirmation that patient data was stolen in the ChipSoft attack disrupting Dutch hospitals, Medusa/Storm-1175 claimed the University of Mississippi Medical Center and Passaic County, Qilin struck German automotive supplier Herth+Buss and Florida’s Clearwater Marine Aquarium, and an emerging group called Gunra targeted Thailand’s Nok Air and a petroleum trading company in rapid succession.
Apr 18, 2026
Ransomware summary week 15, 2026
Week 15 was dominated by the ChipSoft ransomware attack disrupting 80% of Dutch hospitals, Anubis forcing ambulance diversions at Massachusetts’ Signature Healthcare, a Winona County attack requiring National Guard deployment, Silent Ransom Group targeting two major law firms (Jones Day and Orrick), Microsoft exposing Storm-1175’s zero-day Medusa campaigns, and NightSpire striking Turkey’s TTAF Defense with 200 GB of military documents exfiltrated.
Apr 11, 2026
Ransomware summary week 14, 2026
Qilin dominated week 14 with attacks on US government targets including Georgia’s State Road and Tollway Authority, Arkansas’s Faulkner County Sheriff’s Office, and Indiana’s Jackson County Sheriff’s Office, while DragonForce struck Berlin’s Fernheizwerk Neukolln district heating provider, ShinyHunters published 350 GB of European Commission data and attempted to extort Cisco, and a new criminal marketplace called Leak Bazaar emerged to monetize ransomware-stolen data at industrial scale.
Apr 4, 2026
Ransomware summary week 13, 2026
Week 13 saw the European Commission breached via its AWS cloud, the Dutch Ministry of Finance hacked, and Foster City declaring a state of emergency after a ransomware-induced municipal shutdown, while Qilin posted a massive batch of victims spanning Belgian healthcare to Native American tribal government, JAXA faced a 6.9 TB extortion claim by newcomer ALP-001, and WorldLeaks listed the City of Los Angeles alongside LA Metro disruptions.
Mar 28, 2026
Ransomware summary week 12, 2026
Week 12 saw Interlock exploit a Cisco FMC zero-day (CVE-2026-20131) for root access on enterprise firewalls, Medusa claim Henry County, Illinois and demand $500,000, and DragonForce list Liverpool Philharmonic and Salford City College in the UK alongside Mercedes-Benz of Arlington, while Akira posted Czech manufacturer Motorpal and German industrial firm bdtronic, Payload ransomware hit Royal Bahrain Hospital threatening 110 GB of patient data, and LeakNet adopted ClickFix social engineering through compromised websites to scale operations.
Mar 21, 2026
Ransomware summary week 11, 2026
Week 11 was defined by the Handala wiper attack on medtech giant Stryker — which wiped 200,000 devices across 79 countries via Microsoft Intune — alongside Qilin claiming a Spanish school, Singaporean oilfield services, and South American manufacturers, while Genesis burst onto the scene listing eight US victims in a single day including healthcare providers and a Michigan municipality, and ShinyHunters demanded $65 million from Telus Digital after claiming nearly 1 petabyte of stolen data.
Mar 14, 2026
Ransomware summary week 10, 2026
Week 10 was dominated by the geopolitical fallout from Operation Epic Fury, with Iranian APT Seedworm backdooring a US bank, airport, and defense supplier, while Handala breached Sharjah National Oil Corporation exfiltrating 1.3 TB, and Qilin claimed Tennessee Valley Electric Cooperative and multiple manufacturing targets across three continents as DragonForce hit a Brazilian university and US healthcare.
Mar 7, 2026
Ransomware summary week 09, 2026
Week 9 saw ShinyHunters extort Wynn Resorts for $1.5M and breach CarGurus exposing 12.4 million accounts, while Qilin claimed Malaysia Airlines and the 67,000-member NYC Transit Workers Union, Handala targeted Israel’s largest healthcare network Clalit, and Chainalysis reported that 2025 ransomware payments cratered to $820M despite a 50% surge in attacks.
Feb 28, 2026
Ransomware summary week 08, 2026
Week 8 saw the University of Mississippi Medical Center shut down all clinics after a devastating ransomware attack, while NightSpire emerged as the most prolific group with 26 new victims in a single day, and LockBit 5.0 continued its cross-platform resurgence targeting organizations from Austrian healthcare to Mauritian hospitality.
Feb 21, 2026
Ransomware summary week 07, 2026
BridgePay payment gateway ransomware attack causes nationwide US payment outages affecting municipalities and utilities, while Qilin ransomware dominates with fresh victims across three continents including Augusta Housing Authority and Tulsa International Airport.
Feb 14, 2026
Ransomware summary week 06, 2026
Week 6 saw Qilin ransomware hit Romania’s Conpet oil pipeline operator and La Sapienza University in Rome, while DragonForce claimed a 97GB breach of German insurer HanseMerkur. CL0P continued targeting Australian organizations via IT service providers, and LockBit led daily ransomware claims in early February.
Feb 7, 2026
Ransomware summary week 05, 2026
Week 5 saw the FBI seize the RAMP cybercrime forum in a landmark takedown, while Qilin ransomware claimed Tulsa International Airport and Philippine Savings Bank among 34 daily victims. Two former US cybersecurity professionals pleaded guilty to ALPHV/BlackCat attacks, and TA584 expanded initial access operations with new Tsundere Bot malware.
Jan 31, 2026
Ransomware summary week 04, 2026
Week 4 saw the Belgian hospital AZ Monica ransomware attack disrupting patient care across Antwerp, while Qilin continued targeting Asian manufacturing with attacks on Singapore’s Neo Group and Thailand’s Charoenchai Transformer. WorldLeaks claimed 1.4TB from Nike, and two US cybersecurity professionals pleaded guilty to ALPHV ransomware attacks.
Jan 27, 2026
Ransomware summary week 03, 2026
Week 3 saw Qilin targeting Vietnam Airlines and Japanese manufacturers while Akira launched aggressive campaigns against US businesses. TridentLocker’s attack on Sedgwick Government Solutions exposed federal contractor vulnerabilities, and Ingram Micro disclosed a July 2025 breach affecting 42,000 employees.
Jan 20, 2026
Ransomware summary week 02, 2026
Week 02 of 2026 saw continued high-volume ransomware activity with Qilin emerging as the dominant threat group. Notable incidents include attacks on Romania’s critical…
Jan 13, 2026
Ransomware summary week 51, 2025
Week 51 of 2025 saw continued escalation in ransomware attacks globally, with Clop ransomware dominating headlines through its exploitation of Oracle E-Business Suite and…
Dec 20, 2025
Ransomware summary week 49, 2025
Week 49 of 2025 continued the alarming trend of escalating ransomware attacks globally, with significant incidents reported across all major regions. The United States…
Dec 8, 2025