Artificial Intelligence (AI)
Sophos documented a threat actor using AI agents — including a Claude Opus 4.5 coordinator — to run a lab testing malware against Sophos, CrowdStrike and Microsoft Defender. Notably, the lab's own claims of rising evasion success were not borne out by Sophos's data.
Ransomware
Microsoft Threat Intelligence has named the operators of The Gentlemen ransomware Storm-2697, and its new deep technical analysis dissects a Go encryptor that uses per-file ephemeral keys and an aggressive self-propagation module.
Policy & Government
A Europol- and Eurojust-coordinated operation dismantled First VPN — a service Europol calls the most widely used in the cybercrime underground — arresting an admin, seizing 33 servers, and identifying thousands of cybercrime-linked users. The intelligence yield is the story.
Ransomware
The DOJ sentenced Latvian national Deniss Zolotarjovs to 102 months in prison on May 4, 2026 — the first U.S. prosecution of a Karakurt member ever. Court documents tie the Conti-affiliated negotiator to extortion of more than 54 organizations, $56 million in losses across 13 victims alone, and a
Ransomware
World Leaks — the rebrand of Hunters International — published 8.5 terabytes and roughly 15 million files from Mediaworks, Hungary's pro-Orbán media giant. Mediaworks asked journalists not to report on the leak, citing criminal data-handling law. At least one Hungarian outlet refused. The data-extortion group World
Trending
Ryan Goldberg (Sygnia) and Kevin Martin (DigitalMint) were sentenced to 4 years in federal prison for acting as BlackCat ransomware affiliates while employed as incident response professionals — attacking the same clients they were hired to help.
Policy & Government
Europol's IOCTA 2026 warns that cybercrime has industrialized — AI, encryption, and CaaS are widening the velocity gap between criminal innovation and law enforcement capability, with 120+ ransomware variants and $10.5T in projected 2026 costs.
Ransomware
Sandhills Medical Foundation discloses a ransomware breach by Inc Ransom affecting 169,017 patients — nearly 12 months after the attack was detected and 10 months after stolen data was published publicly.
Ransomware
The Trigona ransomware-as-a-service (RaaS) group, linked to the Rhantus cybercrime umbrella, has begun using a privately-built exfiltration tool instead of common utilities like Rclone and MegaSync. The new “uploader_client.exe” client helps Trigona move data quickly, rotate connections to hide from network monitoring, and maintain
Data Breaches
Ransomware group Incransom has targeted TruGreen, a major lawn-care and consumer-services provider, in a double-extortion attack that threatens the leaking of sensitive customer and operational data. MEMPHIS, TN — On April 22, 2026, the ransomware collective known as Incransom publicly claimed responsibility for a compromise of TruGreen Limited
Data Breaches
The delayed 2026 notification of a massive 1.7-million-record exposure at Kettering Health highlights the "long tail" of healthcare ransomware, where the clinical recovery of a hospital often precedes the true regulatory and legal fallout by nearly a year. DAYTON, OH — A 2025 ransomware attack on
Data Breaches
Same group behind ADT 10M breach claims 1.4M Udemy users via SaaS vishing. Education sector PII and corporate data at risk. April 27 leak deadline looms. SAN FRANCISCO, CA — Less than a week after the ADT data breach exposed 10 million records, the notorious threat collective ShinyHunters has claimed