Weekly Ransomware Intelligence Report – June 1, 2026
By ScruteX Team
Summary
This is the Scrutex ransomware weekly for June 2026, covering the May 26 to June 1 window. Our CTI team tracked 176 unique ransomware victim claims across 33 active groups during the period. The week was mid-week heavy, with 101 of those 176 posts (57%) landing on May 27 and 28. DragonForce led on volume, The Gentlemen and Qilin tied for second, and US-based firms made up nearly half of all victims. Manufacturing and business services took the heaviest hits.
This report covers who was most active, which sectors and countries were hit, the high-profile claims worth your attention, and the specific CVEs these groups are exploiting to get in. The standout story is The Gentlemen, now the second most active RaaS brand globally despite not existing a year ago.
176 posts, 33 groups, 37 countries in a single week. Reading every one to find the three that touch your own organisation or your suppliers is most of a working day, and that is before you cross-reference each group against the flaws sitting on your perimeter. The value is rarely in the full list. It is in the handful of lines that are actually about you.
A note on how to read the numbers. Counts reflect leak site postings, not confirmed compromises, and by the time a victim is posted the intrusion is usually 30 to 90 days old. We deduplicated postings that appeared under multiple names and resolved them to one entry.
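The deduplication step described above, as an added example that is not Scrutex's pipeline: it collapses postings of one victim under different spellings, re-posts, or claims by a second group to the earliest entry, keeps asterisk-masked placeholder names (of the kind Genesis used this week) apart rather than merging them, and rolls the result up by group and day. All postings are constructed rows, and the suffix list is an assumption.

```python
"""Collapse leak site postings to unique victims and roll them up by group and day.

Added example, not Scrutex's pipeline; every posting below is a constructed row.
Two rules drive the counts: the same victim posted under different spellings,
re-posted on later days, or claimed by a second group collapses to the earliest
entry, and asterisk-masked placeholder names are never merged with each other
because the masked string is not a victim identity.
"""
import re
from collections import Counter
from datetime import date

# Trailing corporate suffixes that vary between postings of the same victim (assumed list).
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "plc", "co", "corp", "gmbh", "limited", "corporation"}


def normalise(name):
    """Case-fold, strip punctuation and trailing legal suffixes, collapse spaces."""
    tokens = re.sub(r"[^\w\s]", " ", name.lower()).split()
    while tokens and tokens[-1] in LEGAL_SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def dedupe(postings):
    """postings: (group, victim_name, posted_on) tuples -> one entry per victim."""
    entries = {}
    for group, name, posted_on in postings:
        if "*" in name:
            key = ("masked", group, name)   # keep unresolved placeholders apart
        else:
            key = ("victim", normalise(name))
        seen = entries.get(key)
        if seen is None or posted_on < seen["first_seen"]:
            entries[key] = {"group": group, "victim": name,
                            "first_seen": posted_on, "masked": "*" in name}
    return list(entries.values())


def rollup(entries):
    """Per-group and per-day counts of unique victims; days are keyed by ISO date."""
    return {
        "unique": len(entries),
        "by_group": Counter(e["group"] for e in entries),
        "by_day": Counter(e["first_seen"].isoformat() for e in entries),
        "unresolved": sum(e["masked"] for e in entries),
    }


# Constructed postings; none of these victims or claims are real.
SAMPLE_POSTINGS = [
    ("DragonForce", "Acme Roofing Inc.", date(2026, 5, 27)),
    ("DragonForce", "ACME ROOFING", date(2026, 5, 28)),               # same victim, re-posted
    ("Qilin", "Acme Roofing, Inc", date(2026, 5, 28)),                # second group, same victim
    ("Genesis", "Ra***** Health Partners", date(2026, 5, 27)),        # masked placeholder
    ("Genesis", "Ne****** Credit Union", date(2026, 5, 27)),          # masked placeholder
    ("Coinbase Cartel", "Example Logistics Ltd", date(2026, 5, 29)),
    ("Coinbase Cartel", "Example Logistics Ltd", date(2026, 5, 31)),  # re-post as pressure
    ("Akira", "Northwind Aerospace GmbH", date(2026, 5, 28)),
]

if __name__ == "__main__":
    summary = rollup(dedupe(SAMPLE_POSTINGS))
    print(summary["unique"], "unique victims;", summary["unresolved"], "still masked")
    for day, n in sorted(summary["by_day"].items()):
        print(day, n)
```

Short generic names (a single common word) can collide across unrelated companies under this normalisation, so review those merges by hand.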
This Week at a Glance
| Metric | Value |
|---|---|
| Total unique victims posted | 176 |
| Active groups | 33 |
| Countries hit | 37 |
| Heaviest single day | May 28 (51 posts) |
| Second-heaviest day | May 27 (50 posts, driven by DragonForce and Qilin batches) |
| Most targeted country | USA (48% of postings) |
| Most targeted sector | Manufacturing (32 victims) |
| Fastest-growing group | The Gentlemen (20 posts, now second only to Qilin globally) |
| Notable major-brand claims | Vodafone, DentaQuest, GS Yuasa Lithium Power |
The shape of the week is mid-week heavy. 101 of 176 victims (57%) landed on May 27 and 28. The Sunday lull (4 posts on May 31) is normal: affiliates batch their leak posts to the start and middle of the work week, then go quiet over the weekend before a Monday top-up (20 posts on June 1).
Group Activity Breakdown
Five groups produced 54% of the week's volume. The long tail (more than 20 groups with five or fewer posts) shows the leak site space stays fragmented after the LockBit and ALPHV takedowns of 2024 to 2025. New brands keep entering, and affiliate crews keep splitting off to launch their own programs.
| Rank | Group | Victims | Sector Focus | Notable Activity |
|---|---|---|---|---|
| 1 | DragonForce | 36 | US SMBs, professional services, construction, manufacturing | 50-post cluster shared with Qilin on May 27; long roll-up of small US and UK firms |
| 2 | The Gentlemen | 20 | Manufacturing, technology, healthcare, logistics | Two clusters on May 28 and June 1; fastest-scaling RaaS this quarter |
| 2 | Qilin | 20 | Healthcare, manufacturing, business services, education | Steady daily output; large May 28 batch across US, AU, EU |
| 4 | Akira | 10 | Manufacturing, aerospace, hospitality, fitness | Claimed GS Yuasa Lithium Power; steady cadence into June |
| 5 | Nova | 9 | Education, agriculture, technology, real estate | Posts include universities and a national food agency |
| 6 | Everest | 9 | Healthcare, finance, logistics | One large May 28 batch across the US, Germany, Kuwait, Japan |
| 7 | Genesis | 8 | US healthcare, financial services, fuel distribution | Multiple redaction-style placeholder names, consistent with active negotiation |
| 8 | INC Ransom | 6 | Public sector, healthcare, legal, energy | Claimed Champaign-Urbana Public Health District and Belimed |
| 9 | Titan | 6 | Logistics, legal, manufacturing, finance | Spread across the US, Singapore, Sri Lanka, South Korea, Mexico |
| 10 | Krybit | 5 | Healthcare, education, manufacturing, consumer | Asia and Latin America focus (India, Taiwan, Thailand, Mexico) |
| 11 | 0day Syndicate | 5 | Technology, business services | Saudi, Brazil, Ghana, Bulgaria targets |
| 12 | Spacebears | 5 | Legal, business services, skincare, logistics | Ridge Law Firm, Base S.p.A., Filabe, Hunter |
A long tail of groups (Play, Lapsus$, Chaos, Coinbase Cartel, Bravox, Cmdorganization, AiLock, ShinyHunters, Worldleaks, M3rx, Lamashtu, Kairos, Gunra, Pear, Anubis, Nightspire, AuditTeam, SilentRansomGroup, Bavacai, Medusalocker, Safepay, Rhysida) each posted between one and four victims.
Two observations:
- DragonForce alone produced about 20% of the week's volume, most of it in a single mid-week cluster. The list reads like a mid-market US and UK SMB roll-up: roofing firms, CPAs, law offices, insurance adjusters, scaffold suppliers. That pattern usually points to one affiliate working a target list bought from an initial access broker, or a shared upstream provider (an MSP supply-chain effect) that opened several footholds at once.
- The Gentlemen tied Qilin for second place this week. That matters because The Gentlemen did not exist a year ago. We cover why below.
New and Emerging Groups
The Gentlemen: the group to brief your board on
The Gentlemen is the fastest-growing ransomware operation right now. It has climbed to the second most active RaaS brand globally in Q2 2026, behind only Qilin, and already commands roughly 10% of all observed ransomware activity. During the group's first five months it listed the same number of victims that took Akira twelve months and Qilin eighteen months to reach. The brand did not appear until mid-2025.
The origin story explains the speed. The Gentlemen is run by a Russian-speaking operator using the alias hastalamuerte (also tracked as LARVA-368), who previously worked as an affiliate crew leader inside the Qilin program before splitting off after a payment dispute in July 2025. The program offers affiliates a 90/10 revenue split against the 80/20 industry standard, which has pulled experienced operators across from competing brands. Pay affiliates more, and the volume follows.
What makes them dangerous is the toolkit, not just the marketing. Three things stand out:
- A self-propagating, cross-platform locker. Microsoft Threat Intelligence describes The Gentlemen as a Go-based ransomware that pairs per-file ephemeral key encryption with an aggressive self-propagation module, deploying itself across an entire network using simultaneous lateral movement techniques per target. Affiliates get a Go locker for Windows, Linux, NAS, and BSD, plus a dedicated C-based locker for ESXi hypervisors. That covers nearly every system in a typical enterprise.
- SystemBC for covert tunnelling. During an incident response engagement, a Gentlemen affiliate deployed SystemBC, a proxy malware that establishes SOCKS5 tunnels inside the victim network and connects to its C2 over a custom RC4-encrypted protocol, and can download and execute further payloads in memory. Telemetry from the related C2 server revealed a botnet of more than 1,570 hosts, with the profile pointing at companies rather than home users.
- GPO-driven, domain-wide deployment. Affiliates combine the locker with SystemBC and Cobalt Strike, harvest credentials with Mimikatz, and push the ransomware across the domain using weaponised Group Policy Objects.
The danger to defenders is timing. The encrypted SystemBC tunnels help affiliates bypass network monitoring, the self-propagation module moves laterally faster than manual operators, and the cross-platform lockers hit Windows, Linux, and ESXi in one coordinated push. The window to intercept shrinks to near zero once they are inside.
One more tactic worth knowing: data stolen from one victim has been reused to attack that victim's client, a documented chain-victimisation pattern. If you are a supplier to a larger organisation, a Gentlemen hit on you can become their problem too. The reverse is just as true. Your exposure this week may not be your own name on a leak site at all. It may be a vendor's, sitting three days from a follow-on attack that lands on you, and you would have no way of knowing unless someone was watching that vendor's name as closely as your own.
Sector Targeting Analysis
Across the 176 victim postings this week:
| Sector | Victims | Share |
|---|---|---|
| Manufacturing | 32 | 18% |
| Business Services | 29 | 16% |
| Other / unclassified | 20 | 11% |
| Healthcare | 15 | 9% |
| Technology | 13 | 7% |
| Agriculture and Food | 9 | 5% |
| Consumer Services | 9 | 5% |
| Financial Services | 7 | 4% |
| Transportation and Logistics | 7 | 4% |
| Professional Services | 6 | 3% |
| Education | 6 | 3% |
What this tells us:
Manufacturing took the heaviest hit with 32 victims (18% of all postings). The supply-chain effect is the draw: downstream disruption pressures faster payment, and plants often run flat networks with legacy OT alongside IT. The Gentlemen and Akira both lean into this sector, and Akira specifically continues to favour manufacturing and transportation targets.
Business Services came second with 29 victims. Mid-sized consulting, accounting, legal, and outsourced services firms carry large client data volumes with lighter controls than regulated industries. They are the affiliate sweet spot, and DragonForce's mid-week roll-up was full of them.
Healthcare held 15 victims, including the DentaQuest data extortion claim and several US clinics and hospices. Dental and behavioural health practices keep appearing. They hold sensitive records, and many run on small IT teams without 24/7 monitoring.
Technology stayed in the top five with 13 victims. Most are mid-market SaaS, IT services, and telecom adjacents. When a security or infrastructure vendor lands in this column, the blast radius extends to their customers.
Financial Services stayed low at seven postings, all SMB credit, finance, and advisory firms. Major banks remain outside the typical RaaS affiliate profile, consistent with our multi-month observation: better detection, regulatory pressure, and sanctions risk for the attacker keep the largest institutions off the leak sites.
Country Distribution
The United States accounts for 48% of all postings this week, a higher concentration than the prior week.
| Rank | Country | Victims |
|---|---|---|
| 1 | United States | 84 |
| 2 | United Kingdom | 9 |
| 3 | Germany | 8 |
| 4 | Canada | 7 |
| 5 | Mexico | 6 |
| 6 | Spain | 5 |
| 6 | Italy | 5 |
| 8 | Brazil | 4 |
| 8 | Netherlands | 4 |
| 10 | Switzerland | 3 |
| 10 | India | 3 |
| 10 | Saudi Arabia | 3 |
| 10 | France | 3 |
| 10 | Australia | 3 |
| 15 | Thailand | 2 |
A further 22 countries had one to two victims each, including Egypt, South Korea, Colombia, Russia, Japan, Portugal, Vietnam, Sri Lanka, Malaysia, Indonesia, Ghana, Bulgaria, Kuwait, Singapore, Denmark, Chile, Hungary, Israel, Romania, Taiwan, Ireland, and Uzbekistan.
The breadth (37 countries) shows how affiliate-driven RaaS now operates globally. Geographic distribution tracks revenue opportunity, not threat actor location. The US share rose this week largely on the DragonForce SMB cluster.
For readers outside the US, the regional point still holds: The Gentlemen's heaviest concentrations after the US are the UK, Germany, Thailand, Brazil, and France, so APAC and European mid-market firms are squarely in scope. Map your incident reporting obligations to your own regime (CERT-In's six-hour window in India, the SEC disclosure rules in the US, GDPR notification in the EU, APRA CPS 234 in Australia) before an incident forces the question.
Notable Claims and Incidents
1. Lapsus$ claims Vodafone
Lapsus$ posted a Vodafone claim on May 29 citing full infrastructure access, source code, a GitHub tree, and internal network maps. If the access is genuine, the impact is high: source code and network maps give downstream value to other affiliates and brokers, and a telecom operator of this size carries large regulatory and customer exposure. We have not validated the samples.
Confidence: Medium. Lapsus$ has a history of high-profile claims that range from real source-code theft to exaggerated access. We are reviewing samples for freshness before treating this as a confirmed intrusion.
2. DentaQuest data already leaked after talks broke down
ShinyHunters listed DentaQuest with a 234GB+ compressed dataset and a posted SHA256 hash, and moved the status to leaked after negotiations failed. ShinyHunters operates as a data extortion crew, not a traditional encryptor, so this is a theft-and-leak event rather than a lockdown. A dental insurer holds records for a large US population, which puts this squarely in HIPAA and state breach notification territory.
Confidence: High on the data being released, given the posted hash and the leaked status. Validate against your own exposure if you are a DentaQuest partner or downstream processor.
3. Akira claims GS Yuasa Lithium Power
Akira listed GS Yuasa Lithium Power on May 28. The claim names Boeing satellite project directories, drawings, and NDAs. A battery maker serving aerospace and defence raises supply-chain and export-control sensitivity if the documents are authentic. This fits Akira's pattern of naming the specific data categories early to apply pressure.
Confidence: Medium. The named directories are specific, which is a mild authenticity signal, but we have not reviewed samples.
4. Lapsus$ Mercor and Mapfre posts look like brokered resale
Two Lapsus$ posts on May 31, against Mercor and Mapfre Assurance, both state the data was acquired by a private party with no public leak planned. There are no samples and no encryption indicator. This pattern usually means a brokered resale or a notoriety post, not an active extortion case.
Confidence: Low. Treat both as unverified. The "sold privately, no leak" framing is the tell. Wait for evidence before acting.
5. DragonForce runs a mid-market US roll-up
DragonForce drove the May 27 to 28 peak with a long list of small US and UK firms: roofing, CPAs, law offices, scaffold suppliers, insurance adjusters, packaging. The volume and uniformity suggest a single affiliate working a purchased target list, or a shared MSP upstream that opened several doors at once. We flag the MSP angle as plausible but unconfirmed.
Top CVEs These Groups Are Exploiting
The groups leading this week are not relying on novel zero-days. They are exploiting a small set of known edge-device and remote-management flaws, plus credential reuse. If you run any of the products below and have not confirmed patching, treat this as your priority list.
| CVE | Product | CVSS | Who is using it | Why it matters |
|---|---|---|---|---|
| CVE-2024-40766 | SonicWall SonicOS (Gen 5/6/7) | 9.3 | Akira | Improper access control on SSL VPN. Disclosed and patched August 2024, it is being actively targeted again by Akira affiliates, often via credentials stolen before patching and replayed against updated devices. |
| CVE-2024-57727 | SimpleHelp RMM (5.5.7 and earlier) | 9.9 | DragonForce | CISA warned that ransomware groups are exploiting unpatched SimpleHelp RMM, and ThreatDown tied DragonForce to this flaw. RMM access yields every endpoint the server manages at once. |
| CVE-2024-55591 | Fortinet FortiOS / FortiProxy | 9.6 | The Gentlemen | An authentication bypass that can give a remote attacker super-admin privileges through crafted requests; researchers say The Gentlemen leans heavily on it, backed by a large inventory of pre-compromised FortiGate devices. |
| CVE-2025-32433 | Erlang/OTP SSH | 10.0 | The Gentlemen | Named in the leaked Gentlemen playbook as part of their edge-device exploitation set, alongside CVE-2024-55591. Unauthenticated access to exposed SSH services. |
A few practical notes:
- The SonicWall problem is a credential problem as much as a patch problem. Even patched devices have been compromised when threat actors reused credentials stolen before the fix and abused MFA setup misconfigurations. Rotate VPN credentials and re-issue MFA enrolment for any device that was exposed while unpatched.
- RMM software is a single point of mass compromise. A SimpleHelp server managing 200 client environments is, from DragonForce's perspective, 200 simultaneous deployment opportunities. If you are an MSP, this is your top exposure.
- Edge appliances are the front door. SonicWall, Fortinet, and exposed SSH cover most of the initial access we are seeing from this week's leaders. Internet-facing, unpatched, and credential-exposed devices are how affiliates get in before any locker runs.
We are reporting these as the flaws most associated with this week's most active groups. Knowing these four are being exploited is the easy part. Knowing whether any of them are sitting on your own external perimeter right now, on a forgotten branch-office firewall or an MSP's RMM server, is the part most teams cannot answer on a Monday morning. Confirm your own exposure rather than assuming a vendor advisory covers your specific version.
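One way to turn this priority list into a check against your own inventory, as an added example that is not Scrutex's code: the watchlist holds only what the table above states (product, CVE, group, and the SimpleHelp 5.5.7 ceiling), the inventory rows are constructed, and every hostname and version in them is invented.

```python
"""Perimeter exposure triage against this week's priority CVE list.

Added example, not Scrutex code; inventory rows are constructed. The watchlist
carries only what the report states: product, CVE, group, and the last affected
SimpleHelp version (5.5.7). The other products have no stated range, so they
match on product alone and the finding says to confirm the vendor advisory.
"""
from dataclasses import dataclass

# product key (lowercase) -> (CVE, group using it, last affected version or None)
WATCHLIST = {
    "sonicwall sonicos": ("CVE-2024-40766", "Akira", None),
    "simplehelp": ("CVE-2024-57727", "DragonForce", (5, 5, 7)),
    "fortios": ("CVE-2024-55591", "The Gentlemen", None),
    "fortiproxy": ("CVE-2024-55591", "The Gentlemen", None),
    "erlang/otp ssh": ("CVE-2025-32433", "The Gentlemen", None),
}

@dataclass
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool
    patched: bool
    exposed_unpatched: bool     # reachable from the internet before the fix landed
    managed_endpoints: int = 0  # RMM servers only: hosts lost if the server falls

def parse_version(text):
    """'5.5.7' -> (5, 5, 7); any non-numeric component counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def triage(assets):
    """Return one finding per exposed asset, worst first."""
    findings = []
    for a in assets:
        hit = WATCHLIST.get(a.product.lower())
        if hit is None:
            continue
        cve, group, last_vuln = hit
        if last_vuln is not None and parse_version(a.version) > last_vuln:
            continue  # above the affected range the report names
        if not a.patched:
            action, priority = "patch now", (1 if a.internet_facing else 2)
        elif a.exposed_unpatched:
            # A patched device is still entered with credentials stolen while
            # it was unpatched, so the patch alone does not close the exposure.
            action, priority = "rotate credentials and re-enrol MFA", 2
        else:
            continue
        if last_vuln is None:
            action += "; confirm version against vendor advisory"
        findings.append({"host": a.host, "cve": cve, "group": group, "action": action,
                         "priority": priority, "blast_radius": a.managed_endpoints})
    # priority first, then blast radius: an RMM managing 200 endpoints outranks one managing 5
    findings.sort(key=lambda f: (f["priority"], -f["blast_radius"]))
    return findings

# Constructed inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    Asset("fw-branch-03", "SonicWall SonicOS", "7.0.1", True, True, True),
    Asset("rmm-msp-01", "SimpleHelp", "5.5.6", True, False, True, managed_endpoints=200),
    Asset("rmm-lab-01", "SimpleHelp", "5.5.8", True, False, False, managed_endpoints=5),
    Asset("fgt-hq-01", "FortiOS", "7.2.4", True, True, False),
    Asset("msg-core-02", "Erlang/OTP SSH", "26.2", False, False, False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"P{f['priority']} {f['host']:13} {f['cve']} ({f['group']}): {f['action']}")
```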
Infrastructure and Operational Shifts
Three things worth flagging on the operational side:
- The Gentlemen's tooling is maturing fast. The combination of a self-propagating Go locker, an ESXi-specific C locker, SystemBC tunnelling, and GPO-based deployment is a full enterprise kill chain in one affiliate package. The group has also used AI coding assistants, including DeepSeek and Qwen, to accelerate development, with the administrator reportedly building the RaaS admin panel in three days. Expect faster iteration than older brands.
- Genesis is using placeholder victim names. Several Genesis postings this week carried redaction-style placeholder names (asterisk-masked company names). That usually signals active negotiation rather than a refusal to claim. We expect those to resolve to full names within one to two weeks if no payment lands.
- Re-posting and chain-victimisation as pressure tactics. Coinbase Cartel re-posted the same victims across multiple days, a standard escalation move when a victim stalls. The Gentlemen's documented reuse of one victim's data against that victim's client is a sharper version of the same pressure logic.
Key Takeaways for Defenders
- Patch the edge first. SonicWall (CVE-2024-40766), Fortinet (CVE-2024-55591), SimpleHelp (CVE-2024-57727), and exposed Erlang/OTP SSH (CVE-2025-32433) account for most of the initial access tied to this week's top groups. Confirm patch status and rotate any credentials exposed while a device was unpatched.
- Treat The Gentlemen as a critical-priority threat. If you run Fortinet edge devices, rely heavily on Active Directory, or operate in manufacturing, technology, or healthcare, you are in their elevated-risk profile. Harden GPO permissions and watch for SystemBC SOCKS5 tunnelling and Cobalt Strike.
- RMM and MSP compromise is the force multiplier. The DragonForce cluster looks supply-chain shaped. Validate your MSP's controls, especially privileged access and remote management tooling, and restrict which RMM tools can run in your environment.
- Leak site appearance is a late signal. By the time a victim is posted, the intrusion is typically 30 to 90 days old. If your name is on a list like this one, the foothold likely opened around the time of your last quarterly review. You just had no way to see it yet. Watching external exposure, leaked credentials, and dark web chatter as it happens is what closes that gap, and it is not something a weekly manual scan of leak sites can do.
- Have an unverified-claim response ready. The Lapsus$ Mercor and Mapfre posts are the kind of low-evidence, high-noise claim that drives news cycles. Your communications team should have a pre-approved holding response for moments like these, and your CTI team should validate samples before anyone reacts.
Everything above points to the same gap: the threat data is public, but the work of filtering 176 posts down to the few that touch your domains, your brands, and your vendors, then matching those groups to the flaws on your own perimeter, is what nobody has time for on a Monday. That is the gap Scrutex closes. It surfaces only the leak site activity tied to you and your supply chain, and flags the exploited CVEs that sit on your external surface.
Start a free workspace at scrutex.ai/signup. No credit card. Five minutes to first signal.
See how Scrutex Threat Intelligence works: scrutex.ai/solution/threat.
Frequently Asked Questions
How many ransomware attacks happened the week of May 26 to June 1, 2026?
176 unique victim postings appeared on dark web leak sites in that window, across 33 distinct ransomware and extortion groups. This counts leak site postings, not all attacks. Many incidents are settled privately and never appear publicly.
Which ransomware group is most active right now?
DragonForce led this week with 36 posts. The Gentlemen and Qilin tied for second with 20 each. Across Q2 2026, Qilin and The Gentlemen are the two most active brands globally.
Why is The Gentlemen growing so fast?
It is run by a former Qilin affiliate crew leader, offers a 90/10 revenue split that attracts experienced operators, and ships a self-propagating cross-platform locker plus SystemBC tunnelling. In its first five months it matched victim counts that took older groups a year or more to reach.
Did Vodafone get hit by ransomware?
Lapsus$ posted a Vodafone claim on May 29 citing infrastructure and source code access. The claim is unverified pending sample review. Treat it as medium confidence until evidence emerges.
What CVEs are these groups exploiting?
Mainly known edge and RMM flaws: SonicWall CVE-2024-40766 (Akira), SimpleHelp CVE-2024-57727 (DragonForce), and Fortinet CVE-2024-55591 plus Erlang/OTP SSH CVE-2025-32433 (The Gentlemen). Credential reuse against patched-but-previously-exposed devices is a recurring theme.
What sectors should I worry about most this week?
Manufacturing and Business Services together took a third of all postings. Healthcare and Technology round out the top targets. US-based firms accounted for 48% of victims.
Where can I get this data in real time?
Scrutex Threat Insights surfaces ransomware leak site activity filtered to your organisation, brands, and vendors, so you see only the postings that touch your domains, brands, or supply chain.
Tags: ransomware, ransomware weekly, DragonForce, The Gentlemen, Qilin, Akira, Nova, SystemBC, SonicWall CVE-2024-40766, SimpleHelp CVE-2024-57727, Fortinet CVE-2024-55591, dark web monitoring, leak site