Mackay Sugar, Australia's second-largest sugar producer, has shut down two of its Queensland mills after a cybersecurity incident, halting production and stopping sugarcane harvesting at the peak of the season. The company confirmed the attack on Wednesday and has brought in outside cybersecurity experts and local authorities to investigate and restore systems. It has not yet said who was responsible or whether data was stolen, but the operational shutdown is consistent with a ransomware attack. The incident is the latest example of attackers disrupting food and agriculture operations, a sector whose industrial systems are increasingly targeted for maximum pressure.
Veeam has patched a critical flaw in Backup and Replication, one of the most widely deployed enterprise backup tools, that lets any authenticated low-privilege domain user run code remotely on the backup server. The bug (CVE-2026-44963, rated 9.4) only affects version 12 installations joined to an Active Directory domain; version 13, which uses a different architecture, is not affected, and workgroup setups are safe. No exploitation has been seen yet, but Veeam warns attackers often move quickly once patches reveal the flaw, and backup servers are a prime ransomware target because compromising them cripples recovery. The fix is build 12.3.2.4854.
Sophos has detailed a threat actor using an AI-assisted ransomware toolkit that automates Active Directory discovery and EDR evasion. Tool and payload development was aided by Cursor and Claude Opus agents across coding, analysis, and revision, with some agents tasked to scrape security-research posts for fresh bypass techniques; resulting malware was tested in VMs against Sophos, CrowdStrike, and Microsoft EDR. The framework includes Cobalt Strike profiles mimicking legitimate web traffic, a Telegram-bot C2, Python shellcode injectors preserving host-binary functionality, and a Cloudflare Worker front-end redirector. Despite the AI orchestration, the workflow is entirely human-driven. Operator logs and a ransomware-leak-site reference confirmed criminal, not red-team, use.
A joint operation between French, Dutch and 14 other authorities, coordinated by Europol and Eurojust, has taken down First VPN, a privacy-focused VPN service that was advertised on cybercrime forums as a no-logs option that ignored law enforcement requests. Authorities seized 33 servers across 27 countries, took down the 1vpns.com, 1vpns.net, 1vpns.org domains and the onion mirrors, and questioned a Ukrainian suspect. Investigators infiltrated the infrastructure before takedown and pulled the user database, sharing 506 user identifications and 83 intelligence packages internationally. Europol says the service name turned up in nearly every major cybercrime investigation it has supported in recent years.
Microsoft's Digital Crimes Unit, supported by law enforcement, has disrupted Fox Tempest, a 'malware-signing-as-a-service' offering that abused Azure Artifact Signing (formerly Trusted Signing) to issue legitimate Microsoft-signed certificates for malware. Operators created more than 1,000 certificates and hundreds of Azure tenants using stolen US and Canadian identities, all valid for 72 hours to reduce takedown risk. Microsoft has revoked the certificates, seized the signspace[.]cloud domain, and taken hundreds of supporting VMs offline. The service signed Oyster, Lumma Stealer, Vidar, and ransomware payloads for Rhysida, Akira, INC, Qilin, and BlackByte, used by groups including Vanilla Tempest and Storm-0501.
West Pharmaceutical Services - the Pennsylvania-based S&P 500 maker of injectable pharmaceutical packaging and drug delivery components, with annual revenues over $3 billion and 10,800 employees - filed an SEC 8-K disclosing a 'material cybersecurity attack.' The company detected the intrusion on May 4, 2026, and confirmed on May 7 that attackers had exfiltrated data and encrypted certain systems. West took infrastructure offline globally for containment, engaged Palo Alto Networks' Unit 42 for forensics, and partially restored core enterprise, shipping, and manufacturing systems by May 13. No ransomware group has publicly claimed the attack, and West says it has 'taken steps intended to mitigate the risk of dissemination of the exfiltrated data.'
The Gentlemen, the second most prolific public ransomware operation of 2026 with over 320 listed victims, has had its own internal database leaked. Check Point Research and others obtained the data after a breach of the group's hosting provider 4VPS exposed their Rocket backend. The leak unmasks roughly 9 named operators centered on an administrator known as zeta88 (aka hastalamuerte), who built the RaaS panel in three days using DeepSeek and Qwen AI coding assistants, runs payouts, and joins encryption events personally. Internal chats also confirm chain-victimization: in April the group hit a UK software consultancy and then weaponized stolen client credentials to compromise one of the consultancy's customers in Turkey.
The UK Information Commissioner fined South Staffordshire Water 963,900 pounds over a 2022 Cl0p ransomware breach that exposed 633,887 customer and employee records. The penalty notice reveals attackers were inside the network nearly two years before discovery - initial access happened September 2020 via a malicious email attachment, but they were not detected until July 2022 when IT performance issues triggered an investigation. The ICO found basic security failures: an unpatched ZeroLogon flaw on two domain controllers, no principle of least privilege, an outsourced SOC monitoring just 5 percent of the IT estate, and Windows Server 2003 boxes still running in production.
The Everest ransomware group listed Citizens Financial Group and Frost Bank on its leak site on April 20 with a six-day deadline that expires today. Everest claims 3.4 million Citizens records (names, addresses, account numbers) and 250,000 Frost records with the more sensitive set: SSNs, tax IDs, mortgage rates, and income data. Both banks confirmed the breach traces to a third-party vendor - a statement-printing provider for Citizens, a tax-document fulfillment firm for Frost - rather than direct compromise. Citizens disclosed publicly April 21; class-action lawsuits were filed April 23.
BleepingComputer reported on April 23 that recent Trigona ransomware intrusions are using a purpose-built command-line exfiltration tool rather than off-the-shelf rclone or MEGAcmd. The custom utility is small, supports parallel uploads, filters by file extension and size before transferring, and logs progress in a format optimized for ransomware operator dashboards. Researchers say the tool reduces dwell time meaningfully - operators are now exfiltrating high-value files in hours rather than days. The shift fits a broader trend (Akira, Black Basta, Play) toward bespoke tooling and away from detectable third-party utilities, making static endpoint signatures less reliable.