Ransomware Activity and Related Threat Intelligence Updates
Reporting highlighted elevated ransomware activity and evolving access-broker ecosystems. BlackFog’s February ransomware roundup counted 82 publicly disclosed ransomware incidents across 20 countries, with the U.S. most affected (51 incidents) and healthcare the most targeted sector (31%). The report attributed publicly claimed attacks to 24 ransomware groups, led by Shiny Hunters (8) and Qilin (6), while noting 41% of incidents were not yet attributed; it also cited individual victim disclosures/claims involving Nova Biomedical (PII exposure affecting 10,764 people), Hosokawa Micron (files accessed; Everest claimed ~30GB theft), and Iron Mountain (Everest claim of 1.4TB theft, while Iron Mountain stated access was limited to a single marketing folder via a compromised credential).
Separately, Huntress described how investigation of a “routine” RDP brute-force success led to discovery of credential-hunting behavior and geo-distributed infrastructure consistent with a ransomware-as-a-service ecosystem and associated initial access activity, illustrating how exposed remote access can connect to broader ransomware operations. Arctic Wolf warned of heightened cyber risk following the February 2026 U.S./Israel-Iran escalation (Operation Epic Fury), advising increased vigilance—especially for sectors historically targeted by Iranian-linked actors (e.g., energy, defense, transportation, healthcare, government)—and anticipating potential wiper activity, DDoS, targeted intrusions, supply-chain risk, and possible collaboration with ransomware-affiliate activity amid geopolitical retaliation dynamics.
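The Huntress case above turns on a pattern defenders can hunt for directly: a burst of failed RDP logons from one source followed by a success. The detector below is an added example (not Huntress's or Arctic Wolf's code) that runs over constructed Windows Security event lines; the log format, IP addresses and account names are assumptions for illustration.

```python
"""Flag RDP (logon type 10) successes preceded by a burst of failed logons from the same source."""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value layout (not real telemetry).
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2026-02-20T03:14:01Z EventID=4625 LogonType=10 Account=administrator SrcIP=203.0.113.7
2026-02-20T03:14:03Z EventID=4625 LogonType=10 Account=administrator SrcIP=203.0.113.7
2026-02-20T03:14:05Z EventID=4625 LogonType=10 Account=admin SrcIP=203.0.113.7
2026-02-20T03:14:07Z EventID=4625 LogonType=10 Account=backup SrcIP=203.0.113.7
2026-02-20T03:14:09Z EventID=4625 LogonType=10 Account=svc_sql SrcIP=203.0.113.7
2026-02-20T03:14:11Z EventID=4624 LogonType=10 Account=svc_sql SrcIP=203.0.113.7
2026-02-20T08:02:40Z EventID=4625 LogonType=10 Account=jsmith SrcIP=198.51.100.9
2026-02-20T08:03:15Z EventID=4624 LogonType=10 Account=jsmith SrcIP=198.51.100.9
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) SrcIP=(?P<ip>\S+)"
)


def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]), "logon_type": int(m["lt"]),
            "account": m["acct"], "ip": m["ip"],
        })
    return events


def find_bruteforce_success(events, min_failures=5, window=timedelta(minutes=5)):
    """Return (src_ip, account, failure_count) for every RDP success that follows
    at least min_failures failed RDP logons from the same source inside the window."""
    recent = {}  # src_ip -> deque of failure timestamps still inside the window
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:
            continue  # only RemoteInteractive logons are relevant here
        q = recent.setdefault(ev["ip"], deque())
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # expire failures older than the window
        if ev["eid"] == 4625:
            q.append(ev["ts"])
        elif ev["eid"] == 4624 and len(q) >= min_failures:
            hits.append((ev["ip"], ev["account"], len(q)))
            q.clear()  # report each burst once
    return hits
```

A hit is a starting point for the follow-on investigation Huntress describes (what the account did after logon), not proof of compromise on its own; a single failure before a success, as in the second source above, is deliberately not flagged.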
Ransomware Activity Updates: January 2026 Trends, Milkyway Variant, and Lakelands Public Health Incident
Ransomware reporting in early February highlighted both broad **January 2026** activity and specific new developments. BlackFog tracked **91 publicly disclosed ransomware attacks** to open 2026, with **healthcare** the most targeted sector (27 incidents) and nearly **half (49%)** of recorded attacks not publicly claimed by a known group; among claimed activity, **Qilin** led with eight incidents and the **U.S.** accounted for 58% of disclosed attacks. Separately, CYFIRMA reported identifying a ransomware strain dubbed **Milkyway**, which encrypts files and appends the `.milkyway` extension, presents a full-screen ransom message, and uses typical extortion pressure (including threats to leak stolen data), with recovery generally dependent on offline/secure backups absent cryptographic flaws. A healthcare-specific incident in Ontario was also disclosed: **Lakelands Public Health** reported a cybersecurity intrusion discovered **Jan 29** and reported **Feb 3**, which disrupted internal systems and some public services during containment while stating infectious disease and clinical appointment systems were not impacted. The **Lynx** ransomware group publicly claimed responsibility by listing the organization on a leak site and implying data theft; Lakelands Public Health engaged a specialized cybersecurity firm and worked with law enforcement and forensics to validate the claim and determine scope. UpGuard characterized Lynx as a **RaaS** operation and an alleged successor to the **INC** ransomware group, consistent with double-extortion tactics (encryption plus threatened data exposure).
1 month ago
Ransomware and Cyber-Extortion Trends: Shift to Data Theft and Evolving RaaS Ecosystem
Cyber insurance and threat reporting indicate **ransomware operators are increasingly leaning on data theft and extortion** as organizations improve backup and recovery. Coalition’s 2025 claims data (across 100,000+ policyholders) shows **business email compromise (BEC)** and **funds transfer fraud (FTF)** dominated claims volume, while **ransomware** represented a smaller share but featured **sharply higher initial demands** (average just over **$1.0M**, with some as high as **$16M**) even as average loss severity declined—consistent with improved restoration and response reducing the leverage of pure encryption-only attacks. In parallel, the broader ransomware ecosystem continues to **reorganize rather than shrink** despite sustained law-enforcement disruption of major RaaS brands (e.g., LockBit/Hive/ALPHV), with reporting citing high victim-post volumes across dozens of active operations. Halcyon reported a **tactical shift among pro-Iranian/pro-Palestinian-aligned operators** away from *Sicarii* toward **BQTLock (Baqiyat 313 Locker)**, including promotion of “free” RaaS access via Telegram and targeting focused on the UAE, US, and Israel. Separately, **ShinyHunters** claimed a major theft from AI merchant-data platform *Woflow* (alleging internal data, PII, and transaction/order details) but provided no sample for verification at the time of reporting, while a separate SC Media piece used the **SoundCloud** incident (reported exposure of data tied to ~**29.8M** accounts) to highlight incident-response and crisis-management considerations rather than new technical findings.
1 week ago
Ransomware and Extortion Trend Reporting and Threat-Activity Roundups
Multiple sources published **trend-focused reporting** on ransomware/extortion rather than describing a single discrete incident. Analyst1’s 2025 year-in-review reports a record rise in ransomware **data leak site (DLS)** postings (7,819 claims in 2025, up ~49.7% YoY), with the **U.S.** representing roughly half of observed claims and a concentration of activity among a small set of groups (e.g., **Qilin**, **Akira**, **CLOP**, **PLAY**). Ransom-DB similarly promotes ongoing “weekly trends” and group analyses (e.g., Qilin and other crews driving high weekly volumes), reinforcing that extortion ecosystems continue to scale and diversify across geographies and sectors. Several other items in the set are **not about ransomware trend reporting** and should be treated as separate stories: Kaspersky-reported supply-chain compromise of Android tablet firmware with the **Keenadu** backdoor (persistence via Android `Zygote`), Dragos reporting continued PRC-linked **Volt Typhoon/Voltzite** activity in U.S. energy/OT environments, and a Check Point weekly bulletin summarizing multiple unrelated breaches (e.g., Odido, BridgePay, Flickr, ApolloMD) plus AI-misuse research. Additional content is either **generic thought leadership** (cybersecurity predictions; secure-by-design op-ed) or **out-of-timeframe/marketing-leaning reposting** (Arete summarizing a 2020 TrickBot healthcare alert; identity-attack discussion based on an IR report), and does not materially contribute to a single cohesive event narrative.
3 weeks ago