Last updated: July 5, 2026 at 9:01 AM UTC
Tag: ransomware (25 articles)

Cyberattack halts Australia's second-largest sugar producer mid-harvest

Mackay Sugar, Australia's second-largest sugar producer, has shut down two of its Queensland mills after a cybersecurity incident, halting production and stopping sugarcane harvesting at the peak of the season. The company confirmed the attack on Wednesday and has brought in outside cybersecurity experts and local authorities to investigate and restore systems. It has not yet said who was responsible or whether data was stolen, but the operational shutdown is consistent with a ransomware attack. The incident is the latest example of attackers disrupting food and agriculture operations, a sector whose industrial systems are increasingly targeted for maximum pressure.

Check
Food, agriculture, and manufacturing operators should review how cleanly their IT and operational-technology networks are separated, and confirm a ransomware shutdown of IT could not halt production lines.
Affected
Industrial and agricultural organizations where a compromise of business IT systems can cascade into operational-technology environments and force a full production shutdown, as happened at Mackay Sugar's mills.
Fix
Segment IT from operational-technology networks, keep offline tested backups, rehearse ransomware recovery for production systems, and pre-arrange incident-response and authority contacts before an attack hits.

Veeam backup server flaw lets low-privilege domain users run code

Veeam has patched a critical flaw in Backup and Replication, one of the most widely deployed enterprise backup tools, that lets any authenticated low-privilege domain user run code remotely on the backup server. The bug (CVE-2026-44963, rated 9.4) only affects version 12 installations joined to an Active Directory domain; version 13, which uses a different architecture, is not affected, and workgroup setups are safe. No exploitation has been seen yet, but Veeam warns attackers often move quickly once patches reveal the flaw, and backup servers are a prime ransomware target because compromising them cripples recovery. The fix is build 12.3.2.4854.

Check
Identify Veeam Backup and Replication version 12 servers, determine which are joined to an Active Directory domain, and review the domain-user access granted to the backup console.
Affected
Domain-joined Veeam Backup and Replication 12.3.2.4465 and earlier version 12 builds (CVE-2026-44963). Version 13 and workgroup-only deployments are not affected.
Fix
Upgrade to Veeam Backup and Replication 12.3.2.4854 now. Where patching must wait, isolate backup servers from the domain network and tighten which domain users can reach the console.

AI-built ransomware toolkit uses Cursor and Claude Opus agents to automate EDR evasion and Active Directory discovery, Sophos finds

Sophos has detailed a threat actor using an AI-assisted ransomware toolkit that automates Active Directory discovery and EDR evasion. Tool and payload development was aided by Cursor and Claude Opus agents across coding, analysis, and revision, with some agents tasked to scrape security-research posts for fresh bypass techniques; the resulting malware was tested in VMs against Sophos, CrowdStrike, and Microsoft EDR. The framework includes Cobalt Strike profiles mimicking legitimate web traffic, a Telegram-bot C2, Python shellcode injectors that preserve the host binary's functionality, and a Cloudflare Worker front-end redirector. Despite the extent of the AI assistance, the workflow is still driven by a human operator rather than running autonomously. Operator logs and a ransomware-leak-site reference confirmed criminal, not red-team, use.

Check
Hunt endpoints for payloads under C:\Users\*\Documents\test, Telegram-bot C2 traffic, and Cobalt Strike beacons fronted by Cloudflare Workers. Apply Sophos IoCs across EDR-monitored hosts.
Affected
Organizations relying on EDR signatures alone. This toolkit was AI-tuned specifically to bypass Sophos, CrowdStrike, and Microsoft EDR, and routes C2 through Telegram and Cloudflare Workers to blend in.
Fix
Layer behavioral detection and AD-tiering on top of EDR. Block unauthorized Telegram API and anomalous Cloudflare Worker egress. Monitor for AD-discovery patterns and shellcode injection into signed binaries.

First VPN service taken offline by Europol - 33 servers in 27 countries seized, Ukrainian operator questioned, used in ransomware

A joint operation between French, Dutch and 14 other authorities, coordinated by Europol and Eurojust, has taken down First VPN, a privacy-focused VPN service that was advertised on cybercrime forums as a no-logs option that ignored law enforcement requests. Authorities seized 33 servers across 27 countries, took down the 1vpns.com, 1vpns.net, 1vpns.org domains and the onion mirrors, and questioned a Ukrainian suspect. Investigators infiltrated the infrastructure before takedown and pulled the user database, sharing 506 user identifications and 83 intelligence packages internationally. Europol says the service name turned up in nearly every major cybercrime investigation it has supported in recent years.

Check
Search VPN allowlists and detection alerts for users connecting from First VPN exit IPs in the last two years. Check 1vpns.com / 1vpns.net / 1vpns.org references in firewall and proxy logs.
Affected
Investigators or threat hunters whose historical IoC sets included First VPN exit IPs. 506 specific users have been internationally referred; affected parties should expect law-enforcement contact.
Fix
Refresh detection rules with seized First VPN exit IPs once Europol shares them. If your historical attacker IoCs included First VPN nodes, re-correlate against the freshly identified users.

Microsoft dismantles Fox Tempest 'malware-signing-as-a-service' that abused Azure Artifact Signing for 1,000+ certificates

Microsoft's Digital Crimes Unit, supported by law enforcement, has disrupted Fox Tempest, a 'malware-signing-as-a-service' offering that abused Azure Artifact Signing (formerly Trusted Signing) to issue legitimate Microsoft-signed certificates for malware. Operators created more than 1,000 certificates and hundreds of Azure tenants using stolen US and Canadian identities, each valid for only 72 hours to reduce takedown risk. Microsoft has revoked the certificates, seized the signspace[.]cloud domain, and taken hundreds of supporting VMs offline. The service signed Oyster, Lumma Stealer, Vidar, and ransomware payloads for Rhysida, Akira, INC, Qilin, and BlackByte, used by groups including Vanilla Tempest and Storm-0501.

Check
Search EDR and Defender SmartScreen logs for binaries signed by Microsoft Azure Artifact Signing certificates from the start of 2025 through 19 May 2026, and cross-reference the signer thumbprints against Microsoft's revoked certificate list.
Affected
Endpoints that trust Microsoft Azure Artifact Signing certificates without additional publisher verification. Especially relevant if previously targeted by Vanilla Tempest, Storm-0501, Storm-2561, or Storm-0249.
Fix
Tighten Defender SmartScreen and AppLocker rules so a publisher signature alone is not sufficient trust. Verify the named publisher of any Microsoft Artifact Signing-signed binary matches the expected software vendor.
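The publisher check described in the Fix above, as an added example rather than Microsoft's or this page's own code: it takes signer metadata already exported from an EDR or from Get-AuthenticodeSignature (subject, issuer, validity dates, thumbprint) and flags binaries whose Artifact Signing certificate is on the revocation list or whose publisher Organization does not match the vendor expected at that path. The issuer-name marker 'Microsoft ID Verified' is an assumption to confirm against a known-good signed binary in your own estate; the thumbprints, paths and vendor names are constructed placeholders, and the revocation set stands in for Microsoft's published list.

```python
"""Triage of Authenticode signer metadata for Azure Artifact Signing abuse.

Added example, not Microsoft's or the article's code. It works on signer
fields already exported from an EDR or from Get-AuthenticodeSignature; it does
not parse PE files itself. Thumbprints, paths and vendor names are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hunt window from the write-up: 2025 through 19 May 2026.
HUNT_START = datetime(2025, 1, 1)
HUNT_END = datetime(2026, 5, 19, 23, 59, 59)

# ASSUMPTION: Artifact Signing leaf certificates chain to an issuing CA whose
# name carries this marker. Confirm against a known-good signed binary first.
ARTIFACT_SIGNING_ISSUER_MARKER = "Microsoft ID Verified"
ARTIFACT_SIGNING_MAX_LIFETIME = timedelta(hours=72)  # per the write-up

# Constructed placeholder; load Microsoft's published list in practice.
REVOKED_THUMBPRINTS = {"0F" * 20}

# Hypothetical allowlist: the publisher Organization expected at each path.
EXPECTED_PUBLISHER = {
    r"C:\Program Files\ExampleVendor\updater.exe": "Example Vendor Inc",
    r"C:\Program Files\Contoso\agent.exe": "Contoso Ltd",
}


@dataclass
class SignerRecord:
    path: str
    subject: str      # distinguished name of the leaf certificate
    issuer: str
    not_before: datetime
    not_after: datetime
    thumbprint: str


def rdn(dn: str, attr: str) -> str:
    """Naive DN attribute lookup; adequate for subjects without escaped commas."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == attr.upper():
            return value.strip()
    return ""


def is_artifact_signing(rec: SignerRecord) -> bool:
    lifetime = rec.not_after - rec.not_before
    return (ARTIFACT_SIGNING_ISSUER_MARKER in rec.issuer
            or lifetime <= ARTIFACT_SIGNING_MAX_LIFETIME)


def signed_in_hunt_window(rec: SignerRecord) -> bool:
    # A 72-hour certificate can only have produced a signature while it was
    # valid, so its validity window bounds the signing time even when the
    # binary carries no timestamp countersignature.
    return rec.not_before <= HUNT_END and rec.not_after >= HUNT_START


def triage(rec: SignerRecord) -> list:
    if not is_artifact_signing(rec):
        return []  # other CAs are out of scope for this hunt
    findings = []
    if rec.thumbprint.upper() in REVOKED_THUMBPRINTS:
        findings.append("REVOKED")
    org = rdn(rec.subject, "O")
    expected = EXPECTED_PUBLISHER.get(rec.path)
    if expected is None:
        findings.append("UNKNOWN_PUBLISHER")   # signature alone is not trust
    elif org != expected:
        findings.append("PUBLISHER_MISMATCH")
    if not signed_in_hunt_window(rec):
        findings.append("OUTSIDE_HUNT_WINDOW")
    return findings


def run_hunt(records) -> dict:
    results = {}
    for rec in records:
        findings = triage(rec)
        if findings:
            results[rec.path] = findings
    return results


def sample_records():
    """Constructed EDR export: one legitimate signer, two abuses, one non-Artifact cert."""
    issuer = "CN=Microsoft ID Verified CS EOC CA 01, O=Microsoft Corporation, C=US"
    t0 = datetime(2026, 3, 2, 10, 0)
    t1 = t0 + timedelta(hours=72)
    return [
        SignerRecord(r"C:\Program Files\ExampleVendor\updater.exe",
                     "CN=Example Vendor Inc, O=Example Vendor Inc, L=Austin, S=Texas, C=US",
                     issuer, t0, t1, "AB" * 20),
        SignerRecord(r"C:\Users\j.doe\Downloads\Setup.exe",
                     "CN=Fictional Plumbing LLC, O=Fictional Plumbing LLC, C=CA",
                     issuer, t0, t1, "0F" * 20),
        SignerRecord(r"C:\Program Files\Contoso\agent.exe",
                     "CN=Northwind Traders Ltd, O=Northwind Traders Ltd, C=GB",
                     issuer, t0, t1, "CD" * 20),
        SignerRecord(r"C:\Program Files\OtherVendor\tool.exe",
                     "CN=Other Vendor, O=Other Vendor, C=US",
                     "CN=Some Public Code Signing CA, O=Some CA, C=US",
                     datetime(2024, 1, 1), datetime(2027, 1, 1), "EF" * 20),
    ]


if __name__ == "__main__":
    for path, findings in run_hunt(sample_records()).items():
        print(path, "->", ", ".join(findings))
```

The point of the allowlist is that a valid chain to Microsoft's Artifact Signing CA proves only that somebody passed identity verification, so trust has to be anchored on the subject Organization matching the vendor you actually expect at that path. The 72-hour lifetime also works in the hunter's favour: the certificate's own validity dates bound when the signature could have been made.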

West Pharmaceutical Services hit by ransomware - $3B injectable-packaging supplier disclosed data theft and encryption in SEC 8-K, global shipping and manufacturing disrupted

West Pharmaceutical Services - the Pennsylvania-based S&P 500 maker of injectable pharmaceutical packaging and drug delivery components, with annual revenues over $3 billion and 10,800 employees - filed an SEC 8-K disclosing a 'material cybersecurity attack.' The company detected the intrusion on May 4, 2026, and confirmed on May 7 that attackers had exfiltrated data and encrypted certain systems. West took infrastructure offline globally for containment, engaged Palo Alto Networks' Unit 42 for forensics, and partially restored core enterprise, shipping, and manufacturing systems by May 13. No ransomware group has publicly claimed the attack, and West says it has 'taken steps intended to mitigate the risk of dissemination of the exfiltrated data.'

Check
Check whether your organization is a downstream customer of West Pharmaceutical Services (injectable vials, syringes, stoppers, drug delivery components), audit purchase orders and delivery delays from May 4 onward, and review supplier-risk assessments.
Affected
Customers and supply-chain partners of West Pharmaceutical Services - primarily biopharma manufacturers and contract drug fillers that depend on West for injectable packaging and delivery systems. Scope of stolen data not yet disclosed.
Fix
Engage West directly for an authoritative status update on your specific product lines, activate alternate-supplier contingencies for time-critical injectables, and treat any new emails referencing West order numbers as untrusted until verified through known account contacts.

Backend of 'The Gentlemen' ransomware operation leaked - 9 named operators, ransom chat transcripts, and chain-victimization tactics now public

The Gentlemen, the second most prolific public ransomware operation of 2026 with over 320 listed victims, has had its own internal database leaked. Check Point Research and others obtained the data after a breach of the group's hosting provider 4VPS exposed their Rocket backend. The leak unmasks roughly 9 named operators centered on an administrator known as zeta88 (aka hastalamuerte), who built the RaaS panel in three days using DeepSeek and Qwen AI coding assistants, runs payouts, and joins encryption events personally. Internal chats also confirm chain-victimization: in April the group hit a UK software consultancy and then weaponized stolen client credentials to compromise one of the consultancy's customers in Turkey.

Check
Pull historical access logs for Fortinet and Cisco edge appliances and check for credentials matching infostealer log dumps, then hunt for NTLM relay activity consistent with CVE-2025-33073 in Windows event logs.
Affected
Organizations exposed to The Gentlemen include any running FortiGate edge gear with CVE-2024-55591 unpatched, Cisco gear affected by the Erlang/OTP SSH flaw CVE-2025-32433, Windows estates still open to the SMB-client NTLM reflection bug CVE-2025-33073, and downstream clients of compromised IT service providers.
Fix
Patch CVE-2024-55591 (FortiOS/FortiProxy), CVE-2025-32433 (Erlang/OTP SSH, including affected Cisco products), and CVE-2025-33073 (Windows SMB client). Enforce MFA on every edge-management interface, rotate credentials that appear in infostealer logs, and load Check Point's 'Thus Spoke The Gentlemen' IoCs into your EDR and firewall blocklists.

UK water company hit by Cl0p had hackers hidden in its network for nearly 2 years - ICO fines South Staffordshire Water 964K

The UK Information Commissioner fined South Staffordshire Water 963,900 pounds over a 2022 Cl0p ransomware breach that exposed 633,887 customer and employee records. The penalty notice reveals attackers were inside the network nearly two years before discovery - initial access happened September 2020 via a malicious email attachment, but they were not detected until July 2022 when IT performance issues triggered an investigation. The ICO found basic security failures: an unpatched ZeroLogon flaw on two domain controllers, no principle of least privilege, an outsourced SOC monitoring just 5 percent of the IT estate, and Windows Server 2003 boxes still running in production.

Check
Pull your most recent domain-controller vulnerability scan. If nothing exists in the last 90 days, that is itself a finding. Verify ZeroLogon (CVE-2020-1472) is patched on every DC.
Affected
Any organization where domain controllers run unpatched, where the outsourced SOC monitors less than the full IT estate, where legacy systems like Windows Server 2003 remain in production, or where vulnerability scanning has not been performed in over 90 days. Critical national infrastructure and regulated industries face especially harsh penalties for these gaps.
Fix
Patch ZeroLogon (CVE-2020-1472) on every domain controller now if not already done. Confirm your SOC contract requires monitoring coverage of 100 percent of in-scope assets, with endpoint telemetry and authentication logs integrated. Run quarterly internal and external vulnerability scans and retain the reports for regulator inspection. Retire any Windows Server 2003 boxes still in production - extended support ended July 2015.

Citizens Bank and Frost Bank breached via third-party vendor - Everest ransomware claims 3.4M and 250K records, deadline expires today

The Everest ransomware group listed Citizens Financial Group and Frost Bank on its leak site on April 20 with a six-day deadline that expires today. Everest claims 3.4 million Citizens records (names, addresses, account numbers) and 250,000 Frost records with the more sensitive set: SSNs, tax IDs, mortgage rates, and income data. Both banks confirmed the breach traces to a third-party vendor - a statement-printing provider for Citizens, a tax-document fulfillment firm for Frost - rather than direct compromise. Citizens disclosed publicly April 21; class-action lawsuits were filed April 23.

Check
If you bank with Citizens or Frost, monitor accounts and credit reports closely, and treat any inbound communication referencing real account or mortgage details as hostile.
Affected
Citizens Financial Group customers (3.4M records claimed; addresses, names, account numbers in samples) and Frost Bank customers (~250K records; samples include SSNs, tax IDs, mortgage rates - high identity-theft risk). Any organization that shares customer PII with statement-printing, tax-document, or marketing-mail vendors faces equivalent third-party exposure.
Fix
Affected consumers: place a credit freeze, enable 2FA on banking apps, and watch for tax and mortgage fraud since the leak window straddles US filing deadlines. Organizations: pull your vendor PII inventory, identify which downstream printers and tax processors hold equivalent record types, and renegotiate contracts to mandate at-rest encryption and breach notification SLAs.

Trigona ransomware operators ship a custom command-line data-theft tool to speed exfil and reduce dwell time

BleepingComputer reported on April 23 that recent Trigona ransomware intrusions are using a purpose-built command-line exfiltration tool rather than off-the-shelf rclone or MEGAcmd. The custom utility is small, supports parallel uploads, filters by file extension and size before transferring, and logs progress in a format optimized for ransomware operator dashboards. Researchers say the tool reduces dwell time meaningfully - operators are now exfiltrating high-value files in hours rather than days. The shift fits a broader trend (Akira, Black Basta, Play) toward bespoke tooling and away from detectable third-party utilities, making static endpoint signatures less reliable.

Check
Tighten outbound DLP and egress rules around document and source-code repositories - detect bulk reads regardless of which utility is doing the reading.
Affected
Organizations in Trigona's typical victim profile (manufacturing, healthcare, education, mid-market enterprises) without modern data-exfiltration detection. Static endpoint signature lists for rclone, MEGAcmd, FileZilla won't catch this custom tool. Networks without egress-bandwidth alerting on file servers or document-management hosts are equally exposed.
Fix
Switch outbound detection from utility names to behavior: alert on processes opening many files in many directories within a short window, on outbound TLS sessions transferring more than ~500MB from non-server endpoints, and on uploads to consumer cloud storage (Mega, Dropbox personal accounts) from corporate hosts. Add canary files in document repositories and alert on any read.
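The behavioural rules in the Fix above, as an added example that is not the article's or any vendor's code: it runs the fan-out, volume and canary checks over constructed file-access and flow records (hosts, process names such as xfer.exe, paths, destinations and thresholds are all made up for the illustration), so the bulk-read alert fires on the directory spread of the reads rather than on the name of the tool doing the reading. Thresholds are starting points to tune against your own baseline.

```python
"""Behavioural exfiltration detection over constructed file-access and flow records.

Added example, not the article's or any vendor's code. Hosts, paths, process
names, destinations and thresholds are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import ntpath

WINDOW_SECONDS = 60
MIN_FILES = 25            # files read by one process inside the window...
MIN_DIRS = 10             # ...spread across at least this many directories
MB = 1024 * 1024
EGRESS_THRESHOLD = 500 * MB
CONSUMER_CLOUD = {"mega.nz", "mega.co.nz", "dropbox.com", "www.dropbox.com"}
SERVER_HOSTS = {"FILESRV01"}   # roles where large outbound transfers are expected
CANARY = r"\\FILESRV01\Finance\Board\FY26_forecast_CONFIDENTIAL.xlsx"
CANARY_PATHS = {CANARY}        # files nobody should ever legitimately open


@dataclass
class FileRead:
    ts: int        # epoch seconds
    host: str
    pid: int
    image: str
    path: str


@dataclass
class Flow:
    ts: int
    host: str
    dst: str
    bytes_out: int


def detect_bulk_reads(events):
    """Flag a process that fans out across many directories in a short window."""
    alerts = []
    windows = defaultdict(deque)   # (host, pid) -> recent (ts, path)
    fired = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.path in CANARY_PATHS:
            alerts.append(("CANARY_READ", ev.host, ev.image, ev.path))
        key = (ev.host, ev.pid)
        window = windows[key]
        window.append((ev.ts, ev.path))
        while window and ev.ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        dirs = {ntpath.dirname(p) for _, p in window}
        if key not in fired and len(window) >= MIN_FILES and len(dirs) >= MIN_DIRS:
            fired.add(key)   # one alert per process, not one per extra file
            alerts.append(("BULK_READ", ev.host, ev.image,
                           f"{len(window)} files/{len(dirs)} dirs in {WINDOW_SECONDS}s"))
    return alerts


def detect_egress(flows):
    """Outbound volume per (host, destination), regardless of the sending utility."""
    totals = defaultdict(int)
    for flow in flows:
        totals[(flow.host, flow.dst)] += flow.bytes_out
    alerts = []
    for (host, dst), total in totals.items():
        if host not in SERVER_HOSTS and total > EGRESS_THRESHOLD:
            alerts.append(("LARGE_EGRESS", host, dst, total))
        if dst in CONSUMER_CLOUD:
            alerts.append(("CONSUMER_CLOUD_UPLOAD", host, dst, total))
    return alerts


def sample_file_reads():
    """Constructed Sysmon-style file reads: one collector, one ordinary user."""
    reads, t = [], 1_000
    # Hypothetical collector "xfer.exe" walks 12 project folders, 3 files each.
    for d in range(12):
        for n in range(3):
            reads.append(FileRead(t, "WS-042", 4120, "xfer.exe",
                                  rf"\\FILESRV01\Projects\proj{d:02d}\spec{n}.docx"))
            t += 1
    reads.append(FileRead(t, "WS-042", 4120, "xfer.exe", CANARY))
    # Ordinary activity: Word touches a few files in two folders over two minutes.
    for n in range(5):
        folder = "drafts" if n % 2 else "archive"
        reads.append(FileRead(1_000 + 30 * n, "WS-017", 2210, "WINWORD.EXE",
                              rf"C:\Users\a.lee\Documents\{folder}\doc{n}.docx"))
    return reads


def sample_flows():
    """Constructed flow records; 203.0.113.7 is a documentation address."""
    return [
        Flow(2_000, "WS-042", "203.0.113.7", 300 * MB),
        Flow(2_060, "WS-042", "203.0.113.7", 340 * MB),             # 640 MB total
        Flow(2_000, "FILESRV01", "backup.corp.example", 2048 * MB),  # server role
        Flow(2_100, "WS-017", "mega.nz", 45 * MB),
        Flow(2_200, "WS-011", "update.corp.example", 20 * MB),
    ]


if __name__ == "__main__":
    for alert in detect_bulk_reads(sample_file_reads()) + detect_egress(sample_flows()):
        print(*alert)
```

In production the flow totals would be bucketed per session or per time window and the server exemption keyed on a role tag rather than a hostname, but the detection shape stays the same: the collector is caught by how it reads and how much it sends, which a renamed or bespoke binary cannot change, and the canary read is a zero-baseline signal worth routing straight to an analyst.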