RANSOMNEWS // 2026
Tracking the criminal infrastructure of the internet.
Ransomware operators, breach economics, threat-actor profiles, and the open-source investigation toolkit that makes it all visible. Updated daily.
Latest stories
- Ransomware runs office hours: what 16,699 leak posts reveal. We analysed 16,699 ransomware leak-site posts from 200 groups over 24 months. The data shows ransomware now runs on a workweek calendar: 84% of leaks land Monday to Friday, half of all activity happens in 8 UTC hours, October is open season, and the ecosystem is growing, not consolidating. Here is the full timing picture.
- Registrų centras breach: 600,000 records exposed. Lithuania’s Centre of Registers (Registrų centras) disclosed a May 2026 breach exposing roughly 600,000 records. Attackers reused credentials of authorised institutions, querying from abroad. Alerts.bar data shows 117 stealer-log accounts tied to the agency and 60+ live infected staff endpoints across the wider Lithuanian institutional ecosystem.
- 62% of database ransom wallets were never paid. A 5-year census of 65,907 exposed databases found 30,515 carry a ransom or wipe marker. Of 512 attacker wallets we traced on-chain, 318 received nothing. The 9.78 BTC ($753K) that did move concentrates into the top 10 wallets, which captured 43% of receipts. Mass database extortion is industrial, automated, and mostly failing.
// FOCUS
Ransomware
The defining cybercrime of the decade. How it works, who runs it, and where the money goes.
- MSPs: ransomware’s #1 target of 2026 [Field Report]. Managed service providers entered 2026 as the single highest-leverage target class in the ransomware economy. Why the channel is now the front line, which TTPs operators are running against MSPs specifically, and what the better-run shops have already changed.
- LockBit, 2 years after Operation Cronos: where are they now? A 2026 retrospective on the international takedown that displaced LockBit at the top of the ransomware ecosystem — what stuck, what reverted, where the affiliate workforce migrated, and what the next coordinated action should learn from the playbook.
- 2026 ransomware victim toll: countries, sectors, operators. A data-led snapshot of who’s actually being ransomed in 2026 — which sectors are losing ground, which operators are pulling away from the pack, and which national-level patterns the leak-site economy reveals.
// PROFILES
Threat Groups
From LockBit and Conti to Akira and Cl0p, anatomies of the operations behind the headlines.
- LockBit, 2 years after Operation Cronos: where are they now? A 2026 retrospective on the international takedown that displaced LockBit at the top of the ransomware ecosystem — what stuck, what reverted, where the affiliate workforce migrated, and what the next coordinated action should learn from the playbook.
- Ransomware attribution 2026: TTPs, notes, fingerprints. A 2026 attribution playbook for ransomware investigations — combining TTP fingerprinting against MITRE ATT&CK, ransom-note artifact analysis, leak-site monitoring, and the open-source intelligence pivots that hold up under scrutiny.
- Active Directory hardening 2026: Tier 0, DSRM, PRT theft. A 2026 practitioner walkthrough of Active Directory hardening against the lateral-movement, credential-theft, and persistence techniques that modern ransomware operators rely on — Tier 0 isolation, DSRM rotation, PRT theft mitigation, and AD audit baselines.
// DEFENCE
Security
EDR, Zero Trust, MFA, patching, IR, what actually works against modern threats.
- Registrų centras breach: 600,000 records exposed. Lithuania’s Centre of Registers (Registrų centras) disclosed a May 2026 breach exposing roughly 600,000 records. Attackers reused credentials of authorised institutions, querying from abroad. Alerts.bar data shows 117 stealer-log accounts tied to the agency and 60+ live infected staff endpoints across the wider Lithuanian institutional ecosystem.
- RDP attacks 2026: ransomware’s #1 entry vector. Remote Desktop Protocol remains the single most-abused initial-access vector for ransomware operators in 2026. We break down the current attack patterns — credential stuffing, broker-sold access, BlueKeep-era CVE echoes, and weaponised RDS misconfigurations — and the controls that actually move the needle.
- Alerts.bar review 2026: dark-web monitoring tested. Alerts.bar is a continuously updated dark-web monitoring and stealer-log intelligence platform. We’ve used it in production to power Ransomnews’s free Stealercheck tool. Here’s our independent review — features, pricing, real-world testing, and how it stacks up against HIBP, SpyCloud, Constella, and Hudson Rock.
// SURVEILLANCE
Privacy
GDPR, data brokers, encryption, fingerprinting, VPNs, the surveillance economy and its limits.
- Stealer logs bypassing MFA in 2026 [Field Guide]. Multi-factor authentication was supposed to end the credential-theft era. In 2026, it hasn’t — because adversaries skip the credential entirely and steal the session cookie that the authentication produced. Here’s how the attack works, why MFA doesn’t stop it, and the four controls that do.
- SEC 4-day cyber rule: 2.5 years in, what CISOs learned. A 2026 retrospective on Item 1.05 of Form 8-K — the SEC’s four-day cyber-incident disclosure rule. How filings have actually played out, what the enforcement signals look like, and the practical playbook the better-prepared CISOs now run.
- Audit your digital footprint 2026: Sherlock, Holehe, Whoxy. A 2026 self-doxxing tutorial — run the same OSINT tools attackers use, on yourself, to find every account, leaked credential, and broker entry tied to your identity. With remediation steps for each finding.
// MACHINE LEARNING
AI
Prompt injection, deepfakes, model theft, the EU AI Act, security and policy at the frontier.
- Prompt injection: the 2026 LLM defender’s playbook. Prompt injection is now the dominant attack vector against LLM-powered applications — and most teams shipping AI features don’t have a defensive playbook. We map the attack taxonomy, walk through real exploit patterns, and lay out the controls that actually contain the blast radius.
- MCP for WordPress: set up an MCP server in 2026. A step-by-step tutorial for wiring an MCP server into a WordPress site — using the AI Engine MCP adapter — so Claude, Cursor, or any MCP-compatible client can read posts, run admin tasks, and edit content. With the auth, scope, and security hardening you actually need.
- What is MCP? A 2026 guide to Model Context Protocol. Model Context Protocol (MCP) is the emerging open standard for connecting AI assistants to tools, data, and live systems. This guide explains how MCP servers work, the architecture behind them, and how to build your first one — with the security caveats security teams need to know.
// INVESTIGATIONS
OSINT
Tools, methods, and case studies from the open-source investigation discipline.
- Ransomware leak-site OSINT: 2026 investigation walkthrough. A practical OSINT walkthrough for investigating ransomware leak sites — workflow, sources, pitfalls, and how to verify victim claims without breaking operational security.
- Audit your digital footprint 2026: Sherlock, Holehe, Whoxy. A 2026 self-doxxing tutorial — run the same OSINT tools attackers use, on yourself, to find every account, leaked credential, and broker entry tied to your identity. With remediation steps for each finding.
- Attack-surface mapping 2026: Shodan, Censys, FOFA, Nuclei. A 2026 OSINT workflow for mapping the external attack surface of any organisation using only public data — internet-scan engines, certificate transparency, and authenticated vulnerability templates.
// PRIMERS
Explainers
Long-form primers on the underlying concepts. Built to be referenced, not skimmed.
- What is double extortion ransomware? An explainer for non-technical executives in 2026. An executive-level explainer of double extortion — the dominant ransomware playbook in 2026 — covering how it works, why backups don’t fully defeat it, and the policy choices boards now have to make in the first hour of an incident.
- Building an OSINT investigation workflow: from intake to report. The five-stage workflow that separates an OSINT analyst from someone with a bookmarks bar full of tools.
- Geolocating a photo from scratch: the Bellingcat workflow for normal humans. A practitioner walkthrough of the photo-geolocation method used by Bellingcat and most newsroom verification teams. Worked example included.