// DEFENCE
Security
EDR, Zero Trust, MFA, patching, IR, what actually works against modern threats.
- Registrų centras breach: 600,000 records exposed
  Lithuania’s Centre of Registers (Registrų centras) disclosed a May 2026 breach exposing roughly 600,000 records. Attackers reused credentials of authorised institutions, queried from abroad. Alerts.bar data shows 117 stealer-log accounts tied to the agency and 60+ live infected staff endpoints across the wider Lithuanian institutional ecosystem.
- RDP attacks 2026: ransomware’s #1 entry vector
  Remote Desktop Protocol remains the single most-abused initial-access vector for ransomware operators in 2026. We break down the current attack patterns — credential stuffing, broker-sold access, BlueKeep-era CVE echoes, and weaponised RDS misconfigurations — and the controls that actually move the needle.
- Alerts.bar review 2026: dark-web monitoring tested
  Alerts.bar is a continuously-updated dark-web monitoring and stealer-log intelligence platform. We’ve used it in production to power Ransomnews’s free Stealercheck tool. Here’s our independent review — features, pricing, real-world testing, and how it stacks up against HIBP, SpyCloud, Constella, and Hudson Rock.
- SEC 4-day cyber rule: 2.5 years in, what CISOs learned
  A 2026 retrospective on Item 1.05 of Form 8-K — the SEC’s four-day cyber-incident disclosure rule. How filings have actually played out, what the enforcement signals look like, and the practical playbook the better-prepared CISOs now run.
- MSPs: ransomware’s #1 target of 2026 [Field Report]
  Managed service providers entered 2026 as the single highest-leverage target class in the ransomware economy. Why the channel is now the front line, which TTPs operators are running against MSPs specifically, and what the better-run shops have already changed.
- LockBit, 2 years after Operation Cronos: where are they now?
  A 2026 retrospective on the international takedown that displaced LockBit at the top of the ransomware ecosystem — what stuck, what reverted, where the affiliate workforce migrated, and what the next coordinated action should learn from the playbook.
- MFA bypass via cookie theft: the #1 breach vector of 2026
  Through 2024 and 2025 a quiet rebalancing happened: password-phishing fell, session-cookie theft via infostealers surged, and “we have MFA” stopped meaning what defenders thought it meant. A 2026 field guide to the technique and the controls that actually answer it.
- 2026 ransomware victim toll: countries, sectors, operators
  A data-led snapshot of who’s actually being ransomed in 2026 — which sectors are losing ground, which operators are pulling away from the pack, and which national-level patterns the leak-site economy reveals.
- What’s inside an infostealer log? A 2026 walkthrough
  A 2026 walkthrough of the typical infostealer-log archive — what files it contains, what each one means, and how defenders parse them with Python and jq for downstream incident response.
- Active Directory hardening 2026: Tier 0, DSRM, PRT theft
  A 2026 practitioner walkthrough of Active Directory hardening against the lateral-movement, credential-theft, and persistence techniques that modern ransomware operators rely on — Tier 0 isolation, DSRM rotation, PRT theft mitigation, and AD audit baselines.
- Ransomware IR runbook 2026: NIST 800-61 r3 + CISA templates
  A practitioner walkthrough of building a ransomware-specific incident response runbook in 2026 — combining NIST SP 800-61 r3, CISA’s #StopRansomware playbook, and the lessons from named incidents on the Ransomtracker leak feed.
- Attack-surface mapping 2026: Shodan, Censys, FOFA, Nuclei
  A 2026 OSINT workflow for mapping the external attack surface of any organisation using only public data — internet-scan engines, certificate transparency, and authenticated vulnerability templates.
- Detecting AI-generated phishing in 2026: a header-forensics, classifier, and DKIM workflow
  A 2026 workflow for telling AI-generated phishing apart from real correspondence — combining email-header forensics, public LLM-detection classifiers, and DKIM/SPF replay analysis.
- How to set up YubiKey on every account that matters: a 2026 step-by-step tutorial
  A practitioner’s step-by-step tutorial for hardware-key MFA in 2026. Which YubiKey to buy, how to enroll it on Google, Microsoft, GitHub, AWS, and your password manager, plus the recovery-key gotcha that locks people out.
- Build a home SOC with Wazuh and Suricata: a 2026 indie security tutorial
  A step-by-step tutorial for building a real home SOC with Wazuh, Suricata, and an OPNsense router on hardware that costs under $400. Endpoint EDR, network IDS, and log correlation — the same stack used by mid-market enterprises.
- How to host Llama 3 70B locally with Ollama and Open WebUI: a 2026 tutorial
  A practitioner’s tutorial for running Llama 3 70B locally with Ollama, Open WebUI, and the right hardware. Privacy-sensitive AI work without sending a byte to OpenAI or Anthropic.
- How to red-team your own LLM app: tutorial with Garak, PyRIT, and Promptfoo
  A 2026 tutorial for running structured prompt-injection and jailbreak red-team tests against your own LLM application using NVIDIA Garak, Microsoft PyRIT, and Promptfoo. Open-source, repeatable, CI-friendly.
- How to investigate a phishing kit: tutorial with urlscan.io, PhishTank, and Sublime Security
  A practitioner’s tutorial for investigating a suspicious URL safely — fingerprinting the kit, attributing it to a campaign, and reporting it to takedown services. Real tools, step-by-step, no enterprise budget required.
- How to set up a malware analysis sandbox at home: FlareVM, REMnux, and Cuckoo tutorial
  A step-by-step tutorial for building a free malware analysis sandbox at home — Windows reverse-engineering with FlareVM, Linux analysis with REMnux, and automated detonation with Cuckoo.
- How to build a threat actor profile from public sources: MITRE ATT&CK + Mandiant + Malpedia tutorial
  A practitioner’s tutorial for assembling a working threat-actor profile from public sources — MITRE ATT&CK for TTPs, Mandiant and CrowdStrike for attribution context, Malpedia for malware lineage, plus a clean note-taking template.
- Defending against infostealers: tutorial with Defender for Endpoint, CrowdStrike, and browser hardening
  A 2026 tutorial on building a layered defence against infostealers — endpoint EDR settings that catch stealer behaviour, browser hardening that protects cookie stores, and the user-side training that closes the actual gap.
- How session-cookie theft replaced password theft in 2026
  Stealing your password used to be the goal. In 2026 it’s the consolation prize — modern infostealers go for session cookies, which let attackers impersonate authenticated users without needing to defeat MFA. Here’s how the model works.
- Stealer log forensics: tracing infections back to the user
  A practitioner’s forensic playbook for working backwards from a stealer log to the originating infection — what the log file structure tells you, where the malware sits, and how to clean it up properly.
- Scattered Spider in 2026: still the SIM-swap kings
  Scattered Spider — UNC3944, Octo Tempest — survived the 2024 arrests and remains one of the most operationally aggressive English-speaking threat groups. Their 2026 playbook, capabilities, and how they keep getting in.