Weekly Ransomware Intelligence Report, June 14, 2026
By the Scrutex Team
Summary
This is the Scrutex ransomware weekly for June 2026, covering the June 8 to June 14 window. Our CTI team tracked 192 unique ransomware victim claims across 40 active groups during the period. That is a sharp jump from last week's 119, a 61% rise in a single week, and the increase came from a fuller top of the chart rather than one outlier group. The week ran mid-week heavy: 79 of the 192 postings (41%) landed on June 10 and June 12. Qilin led with 25 victims, The Gentlemen and LockBit 5.0 tied behind it at 20 each, and United States firms made up 33% of all victims. Business Services took the heaviest hit, with Technology, Consumer Services, and Manufacturing tied close behind.
This report covers who was most active, which sectors and countries were hit, the high-profile claims worth your attention, and the specific CVEs these groups are exploiting to get in. The standout story is ShinyHunters: a data-extortion crew that spent the week naming large, recognisable US brands on its leak site, from JCPenney to American Tower, in a pressure campaign built on stolen data rather than encryption.
192 posts, 40 groups, 45 countries in a single week. Reading every one to find the three that touch your own organisation or your suppliers is most of a working day, and that is before you cross-reference each group against the flaws sitting on your perimeter. The value is rarely in the full list. It is in the handful of lines that are actually about you.
A note on how to read the numbers. Counts reflect leak site postings, not confirmed compromises, and by the time a victim is posted the intrusion is usually 30 to 90 days old. We deduplicated postings that appeared under multiple names and resolved them to one entry.
In This Post
| Section | What it covers |
|---|---|
| This Week at a Glance | Headline numbers and the week-over-week jump |
| Group Activity Breakdown | Who posted most, and two clusters worth reading |
| New and Emerging Groups | LockBit 5.0, the takedown survivor |
| Sector Targeting Analysis | Which industries took the hits |
| Country Distribution | Where the 45 countries fall |
| Notable Claims and Incidents | Four named claims with confidence lines |
| Top CVEs These Groups Are Exploiting | The flaws driving initial access |
| Infrastructure and Operational Shifts | What is changing in how these crews work |
| Key Takeaways for Defenders | The short action list |
This Week at a Glance
| Metric | Value |
|---|---|
| Total unique victims posted | 192 |
| Change on prior week | Up 61% (from 119) |
| Active groups | 40 |
| Countries hit | 45 |
| Heaviest single day | June 12 (40 posts) |
| Second-heaviest day | June 10 (39 posts) |
| Most targeted country | United States (33% of postings) |
| Most targeted sector | Business Services (33 victims) |
| Group that reclaimed the top slot | Qilin (25 posts) |
| Notable major-brand claims | JCPenney / Authentic Brands, American Tower, Tata Electronics, 3i Infotech |
The week ran heavy through the middle and collapsed over the weekend. June 12 carried 40 postings and June 10 carried 39, with the Monday-to-Friday stretch holding above 30 every day. Then Saturday dropped to 7 and Sunday to 11. That rhythm is typical of affiliate batch-posting, where crews stage victims during the working week and leak sites go quiet over the weekend. The weekend dip is not a pause in attacks. It is a pause in publishing.
The week-over-week jump is worth a closer look. Last week we logged 119 victims across 31 groups. This week it is 192 across 40. That is a 61% rise in volume and nine more active brands posting. The increase is not one group running hot. Last week The Gentlemen alone carried 25 of 119 (21% of the total). This week the top of the chart is fuller and flatter: Qilin's 25 is only 13% of a much larger pie, and three separate groups cleared 20. A rising count spread across more brands points to more affiliates posting in parallel, not a single campaign inflating the figure.
Group Activity Breakdown
The top 5 groups produced 47% of the week's volume (90 of 192 postings). The long tail stays crowded: more than 30 groups posted six or fewer victims each. The leak site space stays fragmented after the LockBit and ALPHV takedowns of 2024 to 2025. New brands keep entering, and affiliate crews keep splitting off to launch their own programs.
| Rank | Group | Victims | Share | Notable Activity |
|---|---|---|---|---|
| 1 | Qilin | 25 | 13% | Reclaimed the top slot. Heavy US legal-sector cluster, Fortinet-driven initial access |
| 2 | The Gentlemen | 20 | 10% | Down from last week's lead. Healthcare and technology focus, self-propagating Go encryptor |
| 3 | LockBit 5.0 | 20 | 10% | Post-takedown resurgence, mostly website-domain victims across the US and Europe |
| 4 | DragonForce | 13 | 7% | Manufacturing and construction, strong Hong Kong and UAE concentration |
| 5 | 3AM | 12 | 6% | Latin America and Europe, business services and technology |
| 6 | NightSpire | 10 | 5% | US public sector and healthcare |
| 7 | Akira | 9 | 5% | Steady baseline, VPN and ESXi exploitation |
| 8 | ShinyHunters | 8 | 4% | Major-brand data extortion, no encryption indicator |
| 9 | WorldLeaks | 7 | 4% | Large Indian conglomerates (Tata, Reliance, Apollo) |
| 10 | KryBit | 6 | 3% | New RaaS, website-domain victims worldwide |
| 11 | M3rx | 6 | 3% | Business services across North America and Europe |
A long tail of groups (INC Ransom, Payload, DireWolf, Pear, Gunra, Termite, Play, SpaceBears, Coinbase Cartel, Insomnia, and roughly 20 more) each posted between one and five victims.
Two observations:
Qilin's 25 is dominated by a single tight cluster. On June 10 alone it posted a run of US law firms and legal-services outfits: Miller and Zois, Dulany Leahy Curtis and Brophy, Wright Constable and Skeen, Bekman Marder Hopper Malarkey and Perlin, Milstein Siegel, and Plaxen and Adler. Naming six small-to-mid legal practices on the same day points to one affiliate working a bought target list, or to a shared practice-management or IT supplier that opened several doors at once. The uniformity is the tell, but the shared-supplier reading is plausible rather than confirmed.
The most interesting mover is ShinyHunters. It posted only eight victims, but they were the most recognisable names of the week: JCPenney and its Authentic Brands Group parent, Madison Square Garden Sports, American Tower, Ralph Lauren, Zayo, Nexstar, and the University of Nottingham. No encryption indicator on any of them. This is pure data extortion against brands chosen for press value. See the deep-dive below.
New and Emerging Groups
LockBit 5.0: the takedown survivor that refuses to stay down
LockBit was the most disrupted brand of the 2024 law-enforcement wave, yet LockBit 5.0 tied for second this week with 20 victims. That matters because it shows how durable a brand and affiliate base can be even after infrastructure seizures, indictments, and a damaged reputation. The 5.0 line is the operator's attempt to rebuild trust with affiliates who drifted to Qilin, Akira, and newer programs after the 2024 takedown.
The victim mix this week was almost entirely website domains rather than named companies: probat.com, sweetome.com, groupe-mbm.com, scbgroup.com.sg, and dozens more, spread across the US, Germany, Brazil, the Netherlands, and Latin America on June 9. That posting style, raw domains rather than curated company profiles, suggests automated intake from a credential or access feed rather than hand-picked targets.
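The deduplication described in the reading note at the top of this report (one victim posted under several names, or by several brands, counts once) and the domain-versus-company distinction above both come down to a single normalisation step. The Python below is an added example, not Scrutex's pipeline or any group's tooling: it reduces each posted victim to a canonical key, collapses duplicates while keeping every brand that posted it, flags entries that only ever appeared as a bare domain so they can be weighted as lower confidence, and filters the result against a watchlist of your own and your suppliers' domains, which is the question the report's closing section asks. The postings, the watchlist and the `.example` domains are constructed; the corporate-suffix list and the label-level matching are assumptions noted in the comments.

```python
"""Leak-site triage: normalise victim strings, collapse duplicates posted under
several names or brands, flag domain-only entries, and keep the ones that touch
your own domains or your suppliers'. Example code added to this report; it is
not Scrutex's pipeline. Sample postings and the watchlist are constructed."""
import re
from dataclasses import dataclass, field

# A bare domain or URL-ish victim string ("probat.com", "www.Probat.com/").
DOMAIN_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/?$", re.I)
# Corporate suffixes that differ between a leak-site post and your supplier list (assumed list).
SUFFIXES = {"inc", "llc", "ltd", "limited", "gmbh", "ag", "plc", "corp", "corporation", "company", "sa"}


def victim_key(victim: str) -> tuple[str, bool]:
    """Canonical key for a posted victim, plus a domain-only flag.

    Domains reduce to their leftmost label with punctuation removed
    ("groupe-mbm.com" -> "groupembm"); company names reduce to a slug with
    corporate suffixes dropped ("Miller and Zois" -> "millerandzois"). A firm
    posted once by name and once by domain lands on the same key when its domain
    is its name; anything else needs an alias table (not shown here)."""
    m = DOMAIN_RE.match(victim.strip())
    if m:
        host = m.group(1).lower()
        return re.sub(r"[^a-z0-9]", "", host.split(".")[0]), True
    words = re.sub(r"[^a-z0-9 ]", " ", victim.lower().replace("&", " and ")).split()
    return "".join(w for w in words if w not in SUFFIXES), False


@dataclass
class Victim:
    key: str
    display: str                      # first form seen, for the analyst
    groups: set = field(default_factory=set)
    first_seen: str = "9999-12-31"
    domain_only: bool = True          # stays True only if every form seen was a bare domain


def dedupe(posts):
    """posts: iterable of (group, victim_as_posted, iso_date). Returns {key: Victim}."""
    victims: dict[str, Victim] = {}
    for group, raw, date in posts:
        key, is_domain = victim_key(raw)
        v = victims.setdefault(key, Victim(key=key, display=raw.strip()))
        v.groups.add(group)
        v.first_seen = min(v.first_seen, date)
        v.domain_only = v.domain_only and is_domain
    return victims


def triage(posts, watchlist):
    """Collapse the feed and return the victims whose key matches a watched domain
    (your own or a supplier's). Matching on the label is deliberately loose: the
    output is a queue for a human to confirm, not a verdict."""
    victims = dedupe(posts)
    watched = {victim_key(d)[0] for d in watchlist}
    hits = [v for v in victims.values() if v.key in watched]
    return {
        "unique_victims": len(victims),
        "domain_only": sum(v.domain_only for v in victims.values()),
        "touching_you": sorted(hits, key=lambda v: v.first_seen),
    }


# Constructed sample feed (dates inside the report's window); not real postings.
SAMPLE_POSTS = [
    ("Qilin", "Miller and Zois", "2026-06-10"),
    ("Qilin", "millerandzois.com", "2026-06-10"),          # same firm, domain form
    ("LockBit 5.0", "probat.com", "2026-06-09"),
    ("KryBit", "www.Probat.com/", "2026-06-11"),           # cross-posted under a second brand
    ("LockBit 5.0", "groupe-mbm.com", "2026-06-09"),
    ("DragonForce", "Example Engineering GmbH", "2026-06-12"),
    ("3AM", "acme-services.example", "2026-06-12"),
]
# Hypothetical watchlist: your own domain plus two suppliers you depend on.
WATCHLIST = ["example-engineering.com", "probat.com", "acme-services.example"]

if __name__ == "__main__":
    result = triage(SAMPLE_POSTS, WATCHLIST)
    print(f"{result['unique_victims']} unique victims, {result['domain_only']} domain-only")
    for v in result["touching_you"]:
        print(f"  {v.first_seen}  {v.display:28}  {sorted(v.groups)}  domain_only={v.domain_only}")
```

Label-level matching over-matches by design (acme.com and acme.co.uk share a key), which is the right failure mode for a queue an analyst reviews. The `domain_only` flag is what lets you separate the LockBit 5.0 and KryBit raw-domain intake from named-company claims when you read a weekly count.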
What makes the brand dangerous is not novel tooling but reach. LockBit's affiliate model and cross-platform lockers for Windows, Linux, and ESXi remain in circulation, and the 5.0 relaunch gives affiliates a known toolkit with a known payment pipeline. The danger to defenders is complacency. The 2024 headlines suggested the brand was finished. The leak site says otherwise. Treat any LockBit 5.0 claim as live, and do not assume the takedown removed the affiliates behind it.
Sector Targeting Analysis
Across the 192 victim postings this week:
| Sector | Victims | Share |
|---|---|---|
| Business Services | 33 | 17% |
| Technology | 20 | 10% |
| Consumer Services | 20 | 10% |
| Manufacturing | 20 | 10% |
| Healthcare | 10 | 5% |
| Agriculture and Food | 8 | 4% |
| Education | 8 | 4% |
| Financial Services | 7 | 4% |
| Transportation | 7 | 4% |
| Hospitality and Tourism | 7 | 4% |
| Public Sector | 6 | 3% |
What this tells us:
Business Services took the heaviest hit with 33 victims, 17% of all postings. Law firms, consultancies, and professional-services outfits hold large volumes of client data on relatively light security budgets, which makes them an affiliate sweet spot. Qilin's June 10 legal-sector cluster sits inside this number. The sector lead has shifted from Manufacturing last week to Business Services this week, driven almost entirely by that legal-firm run.
Technology, Consumer Services, and Manufacturing tied at 20 victims each. The technology hits matter most for blast radius: when a SaaS or IT-services vendor is breached, the stolen data and access can reach every downstream customer. DragonForce drove much of the manufacturing total, with engineering and industrial firms across Hong Kong, the UAE, India, and Germany.
Healthcare drew 10 victims, including Blue Nile Medical Center, Central Arkansas Pediatrics, and Sierra Vista Hospital. Healthcare claims carry HIPAA and PHI exposure, and the providers named are mostly small facilities with thin IT teams that struggle to detect intrusions early.
Financial Services stayed low at seven, and the names were mostly small lenders, insurers, and a fund manager rather than major banks. Large banks stay off leak sites because of stronger detection, regulatory pressure, and the sanctions risk an attacker takes on by hitting them. A low count here is not a low threat. It reflects who gets posted, not who gets attacked.
Country Distribution
The United States accounts for 33% of all postings this week (64 of 192), a slightly lower concentration than last week's 38%, as European and APAC volume picked up.
| Rank | Country | Victims |
|---|---|---|
| 1 | United States | 64 |
| 2 | Germany | 12 |
| 3 | United Kingdom | 9 |
| 4 | India | 8 |
| 5 | France | 6 |
| 6 | Brazil | 6 |
| 7 | Japan | 5 |
| 8 | Argentina | 5 |
| 9 | Hong Kong | 5 |
| 10 | Malaysia | 4 |
| 11 | Australia | 4 |
| 12 | Mexico | 4 |
| 13 | Thailand | 4 |
The remaining 32 countries had one to three victims each, including Russia, Sweden, the UAE, Spain, Italy, Canada, Indonesia, South Korea, Vietnam, Uruguay, Bolivia, Norway, Singapore, the Netherlands, and Taiwan.
The breadth, 45 countries in a single week, shows how affiliate-driven RaaS now operates globally. Geographic distribution tracks revenue opportunity, not threat actor location. India's eight victims stood out this week because of who was named: WorldLeaks listed Tata Electronics, Reliance Group, and Apollo Pipes, three large conglomerates, alongside HDFC Fund and 3i Infotech. That is a deliberate move up-market into India's largest corporate names.
For readers outside the United States, the regional picture matters as much as the headline share. DragonForce's heaviest concentrations after the US sit in Hong Kong and the UAE, and WorldLeaks is working India hard, so APAC and Gulf mid-market and enterprise firms are squarely in scope. Map your incident reporting obligations to your own regime before an incident forces the question: CERT-In's six-hour window in India, the SEC's four-business-day disclosure of a material incident in the US, the 72-hour GDPR notification in the EU, and APRA CPS 234's 72-hour notification in Australia.
Notable Claims and Incidents
The four claims below all appear on public leak sites. We name only what the actor posted, summarise the data categories claimed, and end each with a confidence line. None of these were independently confirmed as a compromise at the time of writing.
1. ShinyHunters claims JCPenney and the Authentic Brands Group portfolio
ShinyHunters posted JCPenney on June 12, naming it alongside several subsidiaries under Catalyst Brands and the Authentic Brands Group. The claim is data extortion, not encryption: the group says it holds customer and corporate data and is using the leak site to pressure payment. If genuine, the blast radius spans multiple retail brands under one parent, which raises the stakes on shared back-office and loyalty-platform data.
Confidence: Medium. ShinyHunters has a real track record of large retail and consumer data theft, but no sample hash or directory listing was attached at posting, and the multi-brand framing can inflate the apparent scope. Validate before reacting.
2. ShinyHunters claims American Tower Corporation
On June 12 ShinyHunters also named American Tower, the major US telecommunications-infrastructure REIT. A genuine compromise of a tower and network-infrastructure operator carries supply-chain risk for the carriers that lease its sites and systems. The post named no encryption and no sample.
Confidence: Medium. The actor is credible on data theft, but infrastructure-operator claims are high-value targets for fabricated or recycled posts. Treat as unverified until samples appear.
3. WorldLeaks claims Tata Electronics
WorldLeaks listed Tata Electronics on June 10, part of a broader push against large Indian conglomerates that also named Reliance Group and Apollo Pipes the same week. The group frames these as data-theft cases. For a manufacturing and electronics arm of the Tata Group, the concern is intellectual property, supplier contracts, and employee data rather than production downtime.
Confidence: Medium. The clustering of three major Indian groups in one week is consistent with a deliberate campaign, but the absence of public samples means scope and freshness are unconfirmed.
4. Morpheus claims 3i Infotech
Morpheus posted Indian IT services provider 3i Infotech on June 8. This one matters less for the direct victim and more for the supply-chain vector: IT services firms hold privileged access into many client environments, including BFSI customers. A compromise here is a potential pivot point downstream. This aligns with the supply-chain exposure Scrutex flagged in 3i Infotech's Vendor..
Confidence: Medium. The supplier-as-vector concern is well founded, but the leak site post alone does not establish what client data or access was taken. Suppliers and customers should confirm exposure directly.
A note on the low-signal claims this week. Posts naming Nintendo and INGKA Group (the largest IKEA franchisee) circulated under newer or lesser-known actor brands with no encryption indicator and, in the Nintendo case, a reference to a file-tree dump rather than a dataset. These carry the hallmarks of recycled or repackaged data and warrant low confidence until samples prove otherwise.
Top CVEs These Groups Are Exploiting
The groups leading this week are not relying on novel zero-days. They exploit a small set of known edge-device, hypervisor, and remote-management flaws, plus credential reuse. If you run any of the products below and have not confirmed patching, treat this as your priority list. Each attribution below is tied to a named vendor or government source. Where we could not tie a flaw to a specific group, we left it out rather than padding the table.
| CVE | Product | CVSS | Who is using it | Why it matters |
|---|---|---|---|---|
| CVE-2024-21762 | Fortinet FortiOS SSL VPN | 9.6 | Qilin | Out-of-bounds write allowing unauthenticated remote code execution on FortiGate. PRODAFT and ReliaQuest tie Qilin's surge to this flaw. Tens of thousands of devices stayed exposed months after the patch. |
| CVE-2024-55591 | Fortinet FortiOS / FortiProxy | 9.6 | Qilin | Authentication bypass on FortiGate, used alongside CVE-2024-21762 for automated initial access (PRODAFT; CISA KEV). |
| CVE-2024-57727 | SimpleHelp RMM | 7.5 | DragonForce | Path-traversal flaw in SimpleHelp remote-management software. Sophos documented DragonForce affiliates exploiting it to reach an MSP and its downstream clients in one move (Sophos X-Ops, 2025; CISA KEV). |
| CVE-2024-37085 | VMware ESXi | 7.2 | Akira | Authentication bypass that hands an attacker full admin control of an ESXi host by creating a specific Active Directory group, enabling mass encryption of every VM on the host (CISA AA24-109A). |
| CVE-2023-20269 | Cisco ASA / FTD VPN | 5.0 | Akira | Unauthorized-access flaw in the remote-access VPN feature. Akira's affiliates brute-force valid accounts and open clientless SSL VPN sessions (Cisco PSIRT; CISA AA24-109A). |
| CVE-2023-3519 | Citrix NetScaler ADC / Gateway | 9.8 | INC Ransom | Unauthenticated remote code execution on internet-facing NetScaler. INC Ransom is documented exploiting this public-facing-application flaw for initial access (Halcyon). |
A note on attribution accuracy. We attribute a CVE to a group only where a named vendor or government source supports the link. LockBit 5.0 tied for second this week, but we found no public source tying the 5.0 relaunch to a specific, verifiable CVE, so we have not invented one. The same caution applies to The Gentlemen: its self-propagating Go encryptor is well documented by Microsoft, but the initial-access vector is reported as credential abuse and lateral movement rather than a single named flaw.
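Patching CVE-2024-37085 is the fix, but the abuse pattern is also easy to see in Active Directory audit logs, because the attacker has to create a group named "ESX Admins" (or rename one to it) and then add members, usually within seconds of each other. The Python below is an added example, not a Microsoft or Broadcom detection and not Scrutex tooling. The event records are constructed JSON carrying the field names of Windows Security events 4727/4731/4754 (group created), 4728/4732/4756 (member added) and 4735/4737/4755 (group changed) as a SIEM export would present them, and the ten-minute correlation window is an assumption.

```python
"""Detect the CVE-2024-37085 abuse pattern in Active Directory audit logs: a group
named "ESX Admins" is created or a group is renamed to it, then members are added,
which domain-joined ESXi hosts honour as full admin by default. Example code added
to this report, not Microsoft, Broadcom or Scrutex tooling. Events are constructed."""
import json
from datetime import datetime, timedelta

GROUP_CREATED = {4727, 4731, 4754}    # security-enabled global / local / universal group created
MEMBER_ADDED = {4728, 4732, 4756}     # member added to global / local / universal group
GROUP_CHANGED = {4735, 4737, 4755}    # group changed (covers a rename to the watched name)
WATCHED = {"esx admins"}              # compared case-insensitively; add any custom esxAdminsGroup name

# Constructed sample: one JSON event per line with Security-log field names as a
# SIEM export keeps them. Not real logs.
SAMPLE_EVENTS = """
{"ts":"2026-06-10T02:14:07Z","EventID":4727,"SubjectUserName":"svc-backup","TargetUserName":"ESX Admins"}
{"ts":"2026-06-10T02:14:09Z","EventID":4728,"SubjectUserName":"svc-backup","TargetUserName":"ESX Admins","MemberName":"CN=svc-backup,OU=Service,DC=corp,DC=local"}
{"ts":"2026-06-10T09:00:00Z","EventID":4727,"SubjectUserName":"jdoe","TargetUserName":"Finance-Readers"}
{"ts":"2026-06-11T23:41:30Z","EventID":4737,"SubjectUserName":"jdoe","TargetUserName":"esx admins"}
{"ts":"2026-06-12T10:05:00Z","EventID":4728,"SubjectUserName":"helpdesk1","TargetUserName":"Finance-Readers","MemberName":"CN=jsmith,OU=Users,DC=corp,DC=local"}
"""


def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.strip().splitlines():
        if line.strip():
            yield json.loads(line)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_esx_admins(text, window=timedelta(minutes=10)):
    """Return an alert for every create, rename or member-add touching a watched
    group name. A member added by the same actor within `window` of creating or
    renaming the group is raised to high severity: that two-step sequence is the
    CVE-2024-37085 playbook rather than routine group hygiene."""
    alerts, staged = [], {}          # staged: actor -> time they created/renamed the group
    for ev in parse_events(text):
        if (ev.get("TargetUserName") or "").lower() not in WATCHED:
            continue                 # not the group we care about
        eid, actor = ev.get("EventID"), ev.get("SubjectUserName")
        if eid in GROUP_CREATED:
            kind = "group_created"
        elif eid in GROUP_CHANGED:
            kind = "group_renamed_or_changed"
        elif eid in MEMBER_ADDED:
            kind = "member_added"
        else:
            continue                 # other events on the group (deletion, lookups) are not scored here
        alert = {"ts": ev["ts"], "kind": kind, "actor": actor, "group": ev["TargetUserName"],
                 "member": ev.get("MemberName"), "severity": "medium"}
        when = _ts(ev["ts"])
        if kind != "member_added":
            staged[actor] = when
        elif actor in staged and timedelta(0) <= when - staged[actor] <= window:
            alert["severity"] = "high"
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_esx_admins(SAMPLE_EVENTS):
        print(f"{a['ts']}  {a['severity']:6}  {a['kind']:25}  by {a['actor']}  -> {a['group']}  {a['member'] or ''}")
```

Alongside the patch, setting the ESXi advanced option Config.HostAgent.plugin.hostsvc.esxAdminsGroupAutoAdd to false stops a host from granting admin to that group automatically; if you instead rename the honoured group through Config.HostAgent.plugin.hostsvc.esxAdminsGroup, add the new name to WATCHED so the detection follows it.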
A few practical notes:
The credential-reuse angle. Patched devices still get hit when actors replay credentials stolen before the fix. Both Fortinet flaws above were used to harvest credentials that outlive the patch. Rotate VPN credentials and re-issue MFA enrolment for any device that was internet-facing while unpatched.
RMM is a single point of mass compromise. CVE-2024-57727 in SimpleHelp is the week's clearest example: one managed-services server can mean every client environment it touches. MSPs and their customers carry the top exposure here. Restrict which RMM tools can run and confirm the SimpleHelp patch level.
Edge appliances are the front door. Internet-facing, unpatched, credential-exposed VPNs, firewalls, and RMM servers are how affiliates get in before any locker runs. Fortinet, Cisco, Citrix, and SimpleHelp lead this week's confirmed initial-access flaws.
We are reporting these as the flaws most associated with this week's most active groups. Knowing these are being exploited is the easy part. Knowing whether any of them sit on your own external perimeter right now, on a forgotten branch-office firewall or an MSP's RMM server, is the part most teams cannot answer on a Monday morning. Confirm your own exposure rather than assuming a vendor advisory covers your specific version.
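Answering the question in the previous paragraph means running the cross-reference in both directions: which groups that posted this week are documented using which flaw, and which of your assets, or your MSP's, carry that flaw and for how long they were reachable while unpatched. The Python below is an added example, not Scrutex tooling and not any vendor's API. The CVE-to-group links are the ones cited in the table above; the disclosure dates are approximate and marked for verification against the vendor advisory and CISA KEV; the inventory, the MSP hostname and the dates on it are constructed.

```python
"""Cross-reference this week's active groups with the flaws they are documented
exploiting and with your own external inventory, including assets an MSP runs for
you, then flag credentials to rotate where a device sat internet-facing while
unpatched. Example code added to this report, not Scrutex tooling. CVE-to-group
links are those in the report's table; asset records and their dates are constructed."""
from datetime import date

# CVE -> (product, groups the report's cited sources tie to it)
CVE_USERS = {
    "CVE-2024-21762": ("Fortinet FortiOS SSL VPN", {"Qilin"}),
    "CVE-2024-55591": ("Fortinet FortiOS / FortiProxy", {"Qilin"}),
    "CVE-2024-57727": ("SimpleHelp RMM", {"DragonForce"}),
    "CVE-2024-37085": ("VMware ESXi", {"Akira"}),
    "CVE-2023-20269": ("Cisco ASA / FTD VPN", {"Akira"}),
    "CVE-2023-3519": ("Citrix NetScaler ADC / Gateway", {"INC Ransom"}),
}
# Approximate public-disclosure dates, used as the start of the "exposed while
# unpatched" window. Verify against the vendor advisory and CISA KEV before relying on them.
DISCLOSED = {
    "CVE-2024-21762": date(2024, 2, 8),
    "CVE-2024-55591": date(2025, 1, 14),
    "CVE-2024-57727": date(2025, 1, 13),
    "CVE-2024-37085": date(2024, 6, 25),
    "CVE-2023-20269": date(2023, 9, 6),
    "CVE-2023-3519": date(2023, 7, 18),
}
# Flaws the report notes were used to harvest credentials that outlive the patch.
CREDENTIAL_HARVESTING = {"CVE-2024-21762", "CVE-2024-55591"}

# Constructed inventory. 'exposed_since' is None for assets that are not
# internet-facing; 'fixed' maps each CVE the product is affected by to the date
# the fix was applied, or None if it is still unpatched.
INVENTORY = [
    {"asset": "fw-hq-01", "owner": "us", "exposed_since": date(2023, 6, 1),
     "fixed": {"CVE-2024-21762": date(2024, 3, 20), "CVE-2024-55591": date(2025, 2, 1)}},
    {"asset": "fw-branch-07", "owner": "us", "exposed_since": date(2022, 1, 15),   # the forgotten branch firewall
     "fixed": {"CVE-2024-21762": None, "CVE-2024-55591": None}},
    {"asset": "rmm.msp-example.net", "owner": "msp", "exposed_since": date(2024, 9, 1),
     "fixed": {"CVE-2024-57727": date(2025, 2, 3)}},
    {"asset": "esx-01", "owner": "us", "exposed_since": None,
     "fixed": {"CVE-2024-37085": None}},
]
# Groups that posted this week, from the activity table above.
ACTIVE_THIS_WEEK = {"Qilin", "The Gentlemen", "LockBit 5.0", "DragonForce", "3AM",
                    "NightSpire", "Akira", "ShinyHunters", "WorldLeaks", "INC Ransom"}
TODAY = date(2026, 6, 15)


def exposure_report(inventory, active_groups, today):
    """One finding per (asset, CVE) where a group active this week is documented
    using that CVE, ordered so unpatched, internet-facing boxes come first.
    'unpatched_exposed_days' is the time the asset was reachable from the
    internet after public disclosure and before the fix (0 if never internet-facing)."""
    findings = []
    for asset in inventory:
        for cve, fixed_on in sorted(asset["fixed"].items()):
            product, groups = CVE_USERS[cve]
            using = groups & active_groups
            if not using:
                continue                      # real flaw, but nobody active this week is documented using it
            internet_facing = asset["exposed_since"] is not None
            days = 0
            if internet_facing:
                start = max(DISCLOSED[cve], asset["exposed_since"])
                end = fixed_on or today
                days = max((end - start).days, 0)
            findings.append({
                "asset": asset["asset"], "owner": asset["owner"], "cve": cve, "product": product,
                "groups": sorted(using), "patched": fixed_on is not None,
                "internet_facing": internet_facing, "unpatched_exposed_days": days,
                # patched or not, credentials taken during the window are still valid
                "rotate_credentials": cve in CREDENTIAL_HARVESTING and days > 0,
            })
    findings.sort(key=lambda f: (f["patched"], not f["internet_facing"], not f["rotate_credentials"], f["asset"]))
    return findings


if __name__ == "__main__":
    for f in exposure_report(INVENTORY, ACTIVE_THIS_WEEK, TODAY):
        state = "PATCHED" if f["patched"] else "UNPATCHED"
        print(f"{f['asset']:22} {f['cve']:15} {state:9} owner={f['owner']:3} "
              f"exposed_days={f['unpatched_exposed_days']:4} rotate={f['rotate_credentials']} "
              f"used_by={','.join(f['groups'])}")
```

The ordering puts the branch firewall at the top even though the HQ firewall was patched promptly, and it still lists the HQ box because a 41-day exposure window on a credential-harvesting flaw means a rotation, not just a patch check. The MSP's RMM server appears under a separate owner so the follow-up goes to the provider rather than into your own ticket queue.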
Infrastructure and Operational Shifts
Data extortion without encryption is now a full operating model, not a side tactic. ShinyHunters posted eight major brands this week with no locker indicator on any of them. The pressure is reputational and regulatory, not operational downtime. That changes the defender's playbook: backups do not solve a pure data-theft claim, and the response is closer to a breach-disclosure exercise than a recovery one.
Website domains are replacing company names in high-volume postings. LockBit 5.0 and KryBit both leaned on raw domain lists rather than curated victim profiles. That style points to automated intake from access or credential feeds, and it inflates weekly counts with lower-confidence entries that still need triage. Part of this week's 61% jump sits in exactly this category, which is why the headline rise deserves a careful read rather than a panic.
Up-market moves into specific regions are visible. WorldLeaks worked India's largest conglomerates in a single week, and DragonForce concentrated on Hong Kong and the UAE. Affiliates are following corporate data volume into new geographies rather than staying anchored to the US.
Key Takeaways for Defenders
Patch the edge and the RMM layer first. Confirm patch status for Fortinet FortiOS (CVE-2024-21762, CVE-2024-55591), SimpleHelp (CVE-2024-57727), VMware ESXi (CVE-2024-37085), Cisco ASA/FTD (CVE-2023-20269), and Citrix NetScaler (CVE-2023-3519). Rotate any credentials exposed while a device was unpatched.
Treat Qilin as a critical-priority threat for professional services. Its June 10 cluster of US law firms and consultancies shows where the affiliate base is hunting. Legal and professional-services firms should harden Fortinet edge access and watch for the lateral movement that follows.
RMM and MSP compromise is the force multiplier. The DragonForce SimpleHelp activity is the week's clearest one-to-many risk. Validate MSP controls, restrict which remote-management tools can run, and confirm your providers have patched.
Read the 61% jump carefully. Volume rose from 119 to 192 in a week, but the increase spread across more brands and more domain-only postings rather than one new campaign. A higher count is not automatically a higher threat to you. What matters is whether any of the 192 touch your domains or your suppliers.
Leak site appearance is a late signal. By the time a victim is posted, the intrusion is typically 30 to 90 days old. Watching external exposure, leaked credentials, and dark web chatter as it happens is what closes that gap.
Have an unverified-claim response ready. Several brand-name claims this week, including the Nintendo and INGKA posts, carry low confidence. Your communications team needs a pre-approved holding response, and CTI should validate samples before anyone reacts.
Everything above points to the same gap: the threat data is public, but the work of filtering 192 posts down to the few that touch your domains, your brands, and your vendors, then matching those groups to the flaws on your own perimeter, is what nobody has time for on a Monday. That is the gap Scrutex closes. It surfaces only the leak site activity tied to you and your supply chain, and flags the exploited CVEs that sit on your external surface.
Start a free workspace at scrutex.ai/signup. No credit card. Five minutes to first signal.
See how Scrutex Threat Intelligence works: scrutex.ai/solution/threat
Frequently Asked Questions
How many ransomware attacks happened the week of June 8 to 14, 2026?
192 unique victim postings appeared on dark web leak sites in that window, across 40 distinct ransomware and extortion groups. That is up 61% on the prior week's 119. This counts leak site postings, not all attacks. Many incidents are settled privately and never appear publicly.
Why did ransomware postings jump this week?
The count rose from 119 to 192, a 61% week-over-week increase. The rise came from a fuller top of the chart, three groups cleared 20 victims each, and a larger share of low-confidence domain-only postings from LockBit 5.0 and KryBit, rather than one single campaign. More affiliates posting in parallel, not one outlier group, drove the number.
Which ransomware group is most active right now?
Qilin led this week with 25 posts, reclaiming the top slot from The Gentlemen. The Gentlemen and LockBit 5.0 tied at 20 each, followed by DragonForce at 13 and 3AM at 12. Qilin and The Gentlemen have traded the lead for several weeks running.
Why is LockBit 5.0 still active after the 2024 takedown?
The 5.0 relaunch is the operator's effort to rebuild its affiliate base after law-enforcement disruption. It tied for second this week with 20 victims, mostly website domains across the US and Europe, which shows the brand and its affiliates survived the infrastructure seizures.
Did JCPenney get hit by ransomware?
ShinyHunters posted a JCPenney claim on June 12, naming subsidiaries under Catalyst Brands and Authentic Brands Group and citing stolen data rather than encryption. The claim is unverified. Treat it as medium confidence until samples emerge.
What CVEs are these groups exploiting?
Mainly known edge, RMM, and hypervisor flaws: CVE-2024-21762 and CVE-2024-55591 (Fortinet, Qilin), CVE-2024-57727 (SimpleHelp, DragonForce), CVE-2024-37085 (VMware ESXi, Akira), CVE-2023-20269 (Cisco, Akira), and CVE-2023-3519 (Citrix, INC Ransom). Credential reuse against patched-but-previously-exposed devices is a recurring theme.
What sectors should I worry about most this week?
Business Services led with 33 victims (17%), followed by Technology, Consumer Services, and Manufacturing at 20 each. United States firms made up 33% of all postings.
Where can I get this data in real time?
Scrutex Threat Insights surfaces ransomware leak site activity filtered to your organisation, brands, and vendors, so you see only the postings that touch your domains, brands, or supply chain.
Tags: ransomware, ransomware weekly, qilin, the gentlemen, lockbit 5.0, shinyhunters, dragonforce, worldleaks, CVE-2024-21762, CVE-2024-57727, CVE-2024-37085, dark web monitoring, leak site
Related reading:
- https://scrutex.ai/blogs/the-emperors-vanishing-clothes-cybersecurity-in-the-age-of-frontier-ai
- https://scrutex.ai/blogs/github-breach-Nx-Console
- https://scrutex.ai/blogs/instructure-canvas-lms-breach-275m-students-exposed-by-shinyhunters
- https://scrutex.ai/blogs/weekly-ransomware-intelligence-report-june-8-2026