Ransomware weekly

Weekly Ransomware Intelligence Report, June 21, 2026

By ScruteX

Summary

This is the ScruteX ransomware weekly for June 2026, covering the June 15 to June 21 window. Our CTI team tracked 282 unique ransomware victim claims across 41 active groups during the period. That reads as a 47% jump on last week's 192, but almost the entire rise sits in a single Monday batch. DeadLock posted 61 victims in one upload on June 15, with no country, no sector, and a single source behind any of them. Strip that backfill out and the week runs about 220 claims, up a modest amount on last week rather than half again as large.
The headline number deserves that caveat before anything else. DeadLock led the chart with 62 victims, The Gentlemen took second with 38, and LockBit 5.0 took third with 34. United States firms made up 23% of all victims, down sharply from last week's 33%, though that drop is partly an artifact of the unattributed DeadLock batch. Business Services took the heaviest named hit, with Manufacturing close behind.
This report covers who was most active, which sectors and countries were hit, the high-profile claims worth your attention, and the specific CVEs these groups are exploiting to get in. The standout story is the changing of the guard at the top. Last week's leaders DragonForce and 3AM went almost silent. In their place, The Gentlemen nearly doubled their count and LockBit 5.0 kept climbing, while SafePay broke into the top five for the first time in our weekly tracking. Qilin slipped from first to fourth but stayed busy.
282 posts, 41 groups, 47 countries in a single week. Reading every one to find the three that touch your own organisation or your suppliers is most of a working day, and that is before you cross-reference each group against the flaws sitting on your perimeter. The value is rarely in the full list. It is in the handful of lines that are actually about you.
A note on how to read the numbers. Counts reflect leak site postings, not confirmed compromises, and by the time a victim is posted the intrusion is usually 30 to 90 days old. We deduplicated postings that appeared under multiple names and resolved them to one entry. We also flag where a single batch or a single source inflates a figure, because this week is a clear case of that.

In This Post

Section | What it covers
This Week at a Glance | Headline numbers and the Monday batch that skews them
Group Activity Breakdown | Who posted most, and the shift at the top
New and Emerging Groups | DeadLock's no-leak-site model and SafePay's rise
Sector Targeting Analysis | Which industries took the named hits
Country Distribution | Where the 47 countries fall
Notable Claims and Incidents | Four named claims with confidence lines
Top CVEs These Groups Are Exploiting | The flaws driving initial access
Infrastructure and Operational Shifts | What is changing in how these crews work
Key Takeaways for Defenders | The short action list

This Week at a Glance

Metric | Value
Total unique victims posted | 282
Change on prior week | Up 47% (from 192), but see the DeadLock caveat
Active groups | 41
Countries hit | 47
Heaviest single day | June 15 (120 posts)
Second-heaviest day | June 18 (58 posts)
Most targeted country | United States (23% of postings)
Most targeted sector | Business Services (33 victims)
Group that topped the chart | DeadLock (62 posts, 61 in one batch)
Notable major-brand claims | Sysco, One Medical (Amazon), Grupo Bimbo, Ralph Lauren
The daily curve has two peaks and one anomaly. June 15 carried 120 postings, but 61 of those came from a single DeadLock upload with no metadata attached to any entry. June 18 carried 58, driven by a LockBit 5.0 run of website domains. The week then did something unusual: instead of going quiet over the weekend, Saturday June 20 held 30 postings because The Gentlemen pushed out a batch of 14 victims that day. Sunday fell back to 11.
That pattern matters for how you read the total. Most weeks, leak site volume drops on Saturday and Sunday because affiliates stage victims during the working week and publish on a weekday rhythm. The weekend dip is a pause in publishing, not a pause in attacks. This week broke the rhythm twice, once with the Monday DeadLock batch and once with the Saturday Gentlemen batch, which is why the 47% week-over-week figure needs a careful read rather than a headline reaction.
The week-over-week jump comes down to three things. The Gentlemen rose from 20 to 38, LockBit 5.0 from 20 to 34, and DeadLock appeared from nowhere with 62. Set against that, last week's fourth and fifth place groups dropped out: DragonForce fell from 13 victims to a single post, and 3AM went silent. So the chart did not get uniformly busier. A few risers and one large batch carried the increase, while the previous leaders cooled. A rising count concentrated in a handful of groups points to specific campaigns and one bulk listing, not a broad surge across the ecosystem.

Group Activity Breakdown

The top 5 groups produced 60% of the week's volume (170 of 282 postings), a higher concentration than last week's 47%. That concentration is real but partly inflated by the DeadLock batch. The long tail stays crowded: more than 30 groups posted six or fewer victims each. The leak site space remains fragmented after the LockBit and ALPHV takedowns of 2024 to 2025, and new brands keep entering as affiliate crews split off to launch their own programs.
Rank | Group | Victims | Share | Notable Activity
1 | DeadLock | 62 | 22% | 61 posted in one June 15 batch with no metadata. Historically runs no public leak site
2 | The Gentlemen | 38 | 13% | Nearly doubled week on week. Fortinet-driven access, Go encryptor, weekend batch posting
3 | LockBit 5.0 | 34 | 12% | Domain-heavy run on June 18, cross-platform locker for Windows, Linux, and ESXi
4 | Qilin | 22 | 8% | Down from last week's top slot. Healthcare and SMB spread, Fortinet and SSL VPN access
5 | SafePay | 14 | 5% | First appearance in our weekly top five. Fast credential-to-encryption operations
6 | Nova | 12 | 4% | Public sector and technology, broad geographic spread
7 | ShinyHunters | 12 | 4% | Major-brand data extortion, no encryption indicator
8 | NightSpire | 9 | 3% | US healthcare and business services
9 | INC Ransom | 7 | 2% | Manufacturing and business services, Citrix-driven access
10 | KryBit | 6 | 2% | Website-domain victims across South America and the Gulf
11 | Payload | 5 | 2% | Financial services and business services, Switzerland and Brazil
12 | Aurora | 5 | 2% | Manufacturing and business services across the US and Australia
A long tail of groups (RansomHouse, Akira, Play, Pear, Cmdorganization, Stormous, WorldLeaks, Genesis, Cloak, and roughly 20 more) each posted between one and five victims.
Two observations:
DeadLock's 62 is not what it looks like. DeadLock is a family that Group-IB and Cisco Talos have tracked since July 2025, and its defining trait is that it does not run a public data leak site. Victims are pushed to negotiate over the Session messenger, and the group monetises stolen data through underground sales rather than a name-and-shame blog. So a sudden batch of 61 entries on a single tracking source, all without a country or sector, does not match the group's known behaviour. The most likely reads are a one-time data dump being indexed, a marketplace listing being scraped, or a tracking artifact, rather than 61 fresh encryption victims posted in one day. We are reporting the number because it appeared, but we are flagging it as low confidence and recommend treating it as a single-source batch, not 61 distinct incidents.
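The deduplication and single-batch flagging the methodology note describes, applied to the DeadLock case just discussed, as an added example that is not ScruteX's own tooling. The postings are constructed sample data, and the alias table, name-normalisation rules and batch thresholds are assumptions.

```python
"""Leak-site posting triage: resolve group aliases, deduplicate victims seen on
more than one tracker, and flag a single-source, single-day batch with no
metadata so it is reported beside a batch-adjusted weekly count."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import re

# Alias table (assumed) mapping tracker spellings to one canonical group name.
ALIASES = {
    "lockbit": "LockBit 5.0", "lockbit5": "LockBit 5.0", "lockbit 5.0": "LockBit 5.0",
    "gentlemen": "The Gentlemen", "the gentlemen": "The Gentlemen",
    "deadlock": "DeadLock",
}


@dataclass(frozen=True)
class Posting:
    group: str
    victim: str
    source: str            # tracker or feed the posting was observed on
    posted: date
    country: Optional[str] = None
    sector: Optional[str] = None


def canonical_group(name: str) -> str:
    key = re.sub(r"[^a-z0-9. ]", "", name.lower()).strip()
    return ALIASES.get(key, name.strip())


def victim_key(victim: str) -> str:
    """Collapse 'Acme Components Inc' and 'acme-components.com' to one key."""
    v = re.sub(r"^(https?://)?(www\.)?", "", victim.lower())
    v = re.sub(r"\.(com|net|org|io|co|de|br)$", "", v)
    v = re.sub(r"\b(inc|corp|ltd|gmbh|llc|plc)\b", "", v)
    return re.sub(r"[^a-z0-9]", "", v)


def deduplicate(postings):
    """Keep one Posting per (canonical group, victim key): the earliest sighting."""
    seen = {}
    for p in sorted(postings, key=lambda p: p.posted):
        seen.setdefault((canonical_group(p.group), victim_key(p.victim)), p)
    return list(seen.values())


def flag_batches(postings, min_batch=10, bare_share=0.8):
    """Flag a group whose largest (source, day) batch has at least `min_batch`
    entries and where at least `bare_share` of that batch lacks both country and
    sector: the shape of the DeadLock upload the report calls low confidence.
    Thresholds are assumptions, not ScruteX's."""
    by_group = defaultdict(list)
    for p in postings:
        by_group[canonical_group(p.group)].append(p)
    flags = {}
    for group, items in by_group.items():
        (src, day), n = Counter((p.source, p.posted) for p in items).most_common(1)[0]
        batch = [p for p in items if p.source == src and p.posted == day]
        bare = sum(1 for p in batch if p.country is None and p.sector is None)
        if n >= min_batch and bare / n >= bare_share:
            flags[group] = {"source": src, "day": day, "batch_size": n}
    return flags


def weekly_summary(postings):
    """Headline count, per-group counts, flagged batches, and the count with
    flagged batches stripped out (the 'about 220' figure in the report)."""
    unique = deduplicate(postings)
    flags = flag_batches(unique)
    per_group = Counter(canonical_group(p.group) for p in unique)
    adjusted = len(unique) - sum(f["batch_size"] for f in flags.values())
    return {"headline": len(unique), "adjusted": adjusted,
            "per_group": dict(per_group), "flags": flags}


# Constructed sample week: one bare 12-entry batch, plus the same victims seen
# under different group spellings and victim spellings on two trackers.
D = date(2026, 6, 15)
SAMPLE = [Posting("DeadLock", f"victim-{i:02d}", "tracker-a", D) for i in range(12)]
SAMPLE += [
    Posting("deadlock", "Example Foundry GmbH", "tracker-b", D + timedelta(days=2), "DE", "Manufacturing"),
    Posting("The Gentlemen", "Acme Components Inc", "tracker-a", D + timedelta(days=5), "TW", "Manufacturing"),
    Posting("gentlemen", "acme-components.com", "tracker-b", D + timedelta(days=5), "TW", "Manufacturing"),
    Posting("LockBit5", "northwind-trading.co", "tracker-a", D + timedelta(days=3), "TH", "Business Services"),
    Posting("LockBit 5.0", "Northwind Trading", "tracker-b", D + timedelta(days=4), "TH", "Business Services"),
]

if __name__ == "__main__":
    s = weekly_summary(SAMPLE)
    print(f"headline {s['headline']}, batch-adjusted {s['adjusted']}")
    for group, f in s["flags"].items():
        print(f"  low-confidence batch: {group}: {f['batch_size']} entries from {f['source']} on {f['day']}")
```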
The most important real mover is The Gentlemen. The group rose from 20 victims to 38 and posted through the weekend, which most affiliate crews do not do. Group-IB's analysis of a leaked Gentlemen internal database, published earlier this year, showed the operation broke away from Qilin affiliate activity and runs an operational list of roughly 14,700 already-exploited FortiGate devices plus a stock of brute-forced FortiGate VPN credentials. That kind of pre-built access pipeline explains how the group sustains a high posting rate without the dips that usually follow affiliate churn or infrastructure seizures. The Gentlemen now look less like a flash in the pan and more like a fixture.

New and Emerging Groups

DeadLock: the group that does not post, posting 61 at once

DeadLock is worth a closer look precisely because this week's number is out of character. Cisco Talos documented a DeadLock campaign that gained access through compromised valid accounts, enabled Remote Desktop on the victim host by editing the registry and opening port 3389, and used a previously unknown loader to abuse a Baidu Antivirus driver flaw (CVE-2024-51324) to kill endpoint protection before encryption. Group-IB separately documented DeadLock's use of Polygon smart contracts to store and rotate its command-and-control proxy addresses, a blockchain indirection technique that makes the back-end harder to block and track.
None of that profile fits a group that name-and-shames 61 victims in a single batch. DeadLock has historically kept a low profile with a small victim count and no leak site, which is exactly why a one-day spike on a single source should be read with caution. For defenders, the practical takeaway is not the count. It is the tradecraft: valid-account access, RDP enablement, driver-based EDR kill, and decentralised C2. Those are the behaviours to detect, regardless of what the weekly tally says.

SafePay: a non-RaaS crew breaks into the top five

SafePay posted 14 victims this week and entered our weekly top five for the first time. The group surfaced around September 2024 and became one of the most active operations of 2025, with researchers at Bitdefender, Sygnia, and Check Point all documenting its rapid-fire style. What sets SafePay apart is that it rejects the ransomware-as-a-service model and runs an in-house team with consistent, repeatable tradecraft. The speed is the signature: SafePay often moves from initial access to full encryption in under 24 hours.
Initial access is the part defenders need to act on. Across multiple vendor reports, SafePay gets in through valid credentials on VPN gateways and RDP, brute-force and password spraying, and misconfigured FortiGate firewalls that lack multi-factor authentication. Sygnia's investigation traced one intrusion to a firewall misconfiguration that handed the group local administrative credentials. There is no single novel exploit here. The opening is almost always an exposed edge account without MFA, which makes SafePay a clean argument for hardening every internet-facing login before worrying about the locker itself.

LockBit 5.0: still climbing after the takedown

LockBit 5.0 took third place with 34 victims, most of them website domains rather than named companies, in a run concentrated on June 18. The brand was the most disrupted name of the 2024 law-enforcement wave, yet the 5.0 line, released for the group's sixth anniversary in September 2025, keeps gaining ground. Trend Micro and Acronis both analysed the new variant and found a cross-platform locker built for Windows, Linux, and VMware ESXi, with heavy obfuscation, Event Tracing for Windows patching, and log clearing to blind detection. The ESXi build is the dangerous one for enterprises, because encrypting a single hypervisor can take down dozens or hundreds of virtual machines at once.
The domain-heavy posting style is the tell here, the same pattern we noted last week. Raw domain lists rather than curated company profiles point to automated intake from an access or credential feed, and they inflate weekly counts with lower-confidence entries that still need triage. Trend Micro and Acronis report that LockBit 5.0 access still runs on phishing, credential stuffing, and exploitation of unpatched remote services rather than a single signature flaw, so the defensive answer is the familiar one: patch internet-facing services, enforce MFA, and treat hypervisors as Tier 0.

Sector Targeting Analysis

A caveat shapes this whole section. DeadLock's 62 postings, the single largest block of the week, carry no sector data at all. So the sector mix below is drawn from the roughly 220 victims that do have a category, which skews the picture toward the groups that post curated profiles.
Sector | Victims | Share
Business Services | 33 | 12%
Manufacturing | 26 | 9%
Technology | 15 | 5%
Healthcare | 15 | 5%
Consumer Services | 13 | 5%
Agriculture and Food | 12 | 4%
Construction | 11 | 4%
Public Sector | 10 | 4%
Education | 9 | 3%
Hospitality and Tourism | 6 | 2%
Financial Services | 5 | 2%
What this tells us:
Business Services took the heaviest named hit with 33 victims. Consultancies, professional-services firms, outsourcing providers, and law practices hold large volumes of client data on relatively light security budgets, which makes them a steady affiliate target. The Gentlemen and Qilin both contributed heavily here, with named victims spanning Europe, North America, and Asia.
Manufacturing followed at 26 and is the sector to watch this week. The Gentlemen, Aurora, and LockBit 5.0 all hit industrial and engineering firms, including automotive and components suppliers in Germany, Taiwan, and Turkey. Manufacturing breaches matter for two reasons: production downtime is expensive, and supplier and design data feeds directly into downstream supply chains. The Gentlemen's documented focus on manufacturing, noted by Trend Micro, shows up clearly in this week's named victims.
Technology and Healthcare tied at 15 each. The technology hits carry the most blast radius, because a breach at a SaaS or IT-services vendor can reach every downstream customer. Healthcare drew claims against clinics, dental practices, and a Portuguese mercy hospital, alongside the higher-profile One Medical claim covered below. Healthcare claims carry HIPAA and PHI exposure where they are genuine, and the named providers are mostly small facilities with thin IT teams.
Financial Services again stayed low at five, with the names being small lenders, an insurer, and a mortgage firm rather than major banks. Large banks stay off leak sites because of stronger detection, regulatory pressure, and the sanctions risk an attacker takes on by hitting them. A low count here reflects who gets posted, not who gets attacked. Treat the visible sector mix as a 30 to 90 day risk signal for professional and industrial SMBs, not a complete map of where attacks are landing.

Country Distribution

The United States accounts for 23% of all postings this week (65 of 282), a sharp drop from last week's 33%. Most of that drop is mechanical rather than meaningful: the week's single largest batch, DeadLock's 61, carries no country attribution, which dilutes every country's share. Among victims with a known country, the United States remains the most-hit by a wide margin.
Rank | Country | Victims
1 | United States | 65
2 | Germany | 14
3 | Brazil | 8
4 | Italy | 8
5 | Thailand | 7
6 | Canada | 6
7 | Australia | 6
8 | Mexico | 5
9 | Vietnam | 5
10 | Turkey | 5
11 | France | 5
12 | Taiwan | 4
13 | Malaysia | 4
14 | Japan | 4
15 | Denmark | 3
A further 32 countries had one to three victims each, including Singapore, China, Bangladesh, Switzerland, Hong Kong, the UAE, Chile, Spain, Colombia, the Netherlands, Austria, Egypt, Argentina, Saudi Arabia, Ireland, Slovenia, Finland, the Philippines, Peru, Portugal, South Korea, the United Kingdom, Poland, Belgium, and Croatia.
The breadth, 47 countries in a single week, shows how affiliate-driven RaaS now operates globally. Geographic spread tracks revenue opportunity, not threat actor location. Germany stood out at 14, driven by SafePay and The Gentlemen, which fits Check Point's earlier finding that SafePay has concentrated heavily on German firms. Thailand's seven, mostly from a LockBit 5.0 run, lines up with The Gentlemen's documented Asia-Pacific focus and shows that Southeast Asian mid-market firms are squarely in scope.
For readers outside the United States, the regional point holds. Map your incident reporting obligations to your own regime before an incident forces the question: CERT-In's six-hour window in India, the SEC disclosure rules in the US, GDPR and NIS2 notification in the EU, APRA CPS 234 in Australia, and MAS guidance across parts of APAC. Knowing the clock you are on is far easier to sort out now than during a live response.

Notable Claims and Incidents

The four claims below all appear on public leak sites. We name only what the actor posted, summarise the data categories claimed, and end each with a confidence line. None of these were independently confirmed as a compromise at the time of writing.

1. ShinyHunters claims Sysco Corporation

ShinyHunters posted Sysco, the Fortune 100 foodservice distributor, on June 15. The claim is data theft, not encryption: no locker indicator appeared on the post. A genuine breach of a distribution business at Sysco's scale would expose customer, supplier, and logistics data across a vast network. ShinyHunters has a long track record of large-scale data theft, and this post sits inside a wider run of recognisable US names the group listed the same week, including Kodak, Ralph Lauren, several universities, and the NAIC.
Confidence: Medium. ShinyHunters is credible on data theft, but no sample or directory listing was attached at posting, and the group has a documented habit of listing recycled or non-sensitive data alongside genuine sets. Validate before reacting.

2. ShinyHunters claims One Medical (Amazon)

On June 18 ShinyHunters named One Medical, the Amazon-owned primary-care provider, alongside other US firms in the same run. A healthcare claim carries HIPAA and PHI exposure if genuine. The post named no encryption and attached no sample.
Confidence: Medium. The actor is credible on data theft, but healthcare claims against large, well-defended parents are high-value targets for fabricated or recycled posts. Treat as unverified until samples appear, and note that a claim against an Amazon subsidiary will draw outsized attention regardless of substance.

3. Qilin claims Grupo Bimbo (Skupina Don Don)

Qilin listed Skupina Don Don, a European arm tied to Grupo Bimbo, the world's largest bakery group, on June 18. Qilin frames this as data extortion. For a food-production business, the likely concern is supplier contracts, recipe or production data, and employee records rather than direct downtime.
Confidence: Medium. Qilin is one of the most active and credible operations of the year, but the leak site post alone does not establish what data or access was taken from which entity. Confirm scope directly before treating the parent group as exposed.

4. Nova claims NSW Government

Nova posted a claim against the New South Wales state government in Australia on June 15. Public-sector claims warrant verification because naming a government entity carries political and reputational value for the attacker, which raises the incentive to exaggerate.
Confidence: Low. Treat as unconfirmed until samples appear. Government claims by lesser-known brands frequently turn out to reference a small contractor, a subsidiary system, or recycled data rather than a core government breach.
A note on the low-signal claims this week. A few posts warrant extra caution. An actor brand called Fulcrumsec listed Novo Nordisk, the Danish pharmaceutical giant, with no corroboration and no track record behind the name. A post referencing Nintendo circulated under a newer brand with a file-tree dump rather than a dataset, a hallmark of repackaged data. And a number of entries this week were heavily redacted or carried placeholder names. All of these warrant low confidence until samples prove otherwise, and none should drive a response on their own.

Top CVEs These Groups Are Exploiting

The groups leading this week are not relying on novel zero-days for the way in. They exploit a small set of known edge-device and remote-access flaws, plus credential reuse, and they lean on vulnerable drivers to disable endpoint protection once inside. If you run any of the products below and have not confirmed patching, treat this as your priority list. Each attribution is tied to a named vendor or research source. Where we could not tie a flaw to a specific group, we left it out rather than padding the table.
CVE | Product | CVSS | Who is using it | Why it matters
CVE-2024-55591 | Fortinet FortiOS / FortiProxy | 9.6 | The Gentlemen, Qilin | Authentication bypass on FortiGate. Group-IB's analysis of The Gentlemen's leaked database shows the group runs a list of roughly 14,700 already-exploited FortiGate devices and brute-forced VPN credentials built on this flaw. ReliaQuest and PRODAFT tie Qilin's Fortinet access to the same bug (CISA KEV).
CVE-2024-21762 | Fortinet FortiOS SSL VPN | 9.6 | Qilin | Out-of-bounds write allowing unauthenticated remote code execution on FortiGate. ReliaQuest links Qilin's earlier surge to this flaw, and researchers found more than 150,000 FortiOS and FortiProxy devices still exposed a month after the patch (CISA KEV).
CVE-2024-40766 | SonicWall SonicOS / SSLVPN | 9.3 | Akira | Improper access control on SonicWall SSLVPN. SonicWall's PSIRT (advisory SNWLID-2024-0015) ties an Akira intrusion wave to this flaw, frequently through Gen 6 to Gen 7 migrations where local passwords were never reset. Arctic Wolf and Australia's ACSC corroborate (CISA KEV).
CVE-2025-7771 | ThrottleStop driver (BYOVD) | n/a | The Gentlemen | Kernel-level driver flaw. The Gentlemen load the ThrottleStop driver renamed as ThrottleBlood.sys to terminate EDR before encryption (Red Piranha, Smarttech247). This is defense evasion, not initial access.
CVE-2024-51324 | Baidu Antivirus driver (BYOVD) | n/a | DeadLock | Baidu Antivirus driver flaw. Cisco Talos found a new DeadLock loader abusing it to kill endpoint detection and response before deploying the locker. Defense evasion, not initial access.
CVE-2023-3519 | Citrix NetScaler ADC / Gateway | 9.8 | INC Ransom | Unauthenticated remote code execution on internet-facing NetScaler. INC Ransom is documented exploiting this public-facing-application flaw for initial access (Halcyon).
A note on attribution accuracy. We attribute a CVE to a group only where a named source supports the link. Two of this week's top five do not have a single verifiable CVE behind them, and we will not invent one. LockBit 5.0 (third this week) runs on phishing, credential stuffing, and exploitation of unpatched remote services, per Trend Micro and Acronis, with no public source tying the 5.0 relaunch to a specific flaw. SafePay (fifth) runs on valid credentials, brute force, and misconfigured FortiGate firewalls without MFA, per Bitdefender, Sygnia, and Check Point, again with no single named exploit. ShinyHunters (seventh) does not use edge CVEs at all: its June 2026 access pattern is an Oracle PeopleSoft exploit chain plus SaaS and OAuth token abuse, covered in the operational shifts section below.
A few practical notes:
The credential-reuse angle keeps showing up. Patched devices still get hit when actors replay credentials stolen before the fix or carried over during a migration. The SonicWall wave behind Akira is the clearest example: SonicWall itself attributed it to old credentials surviving a Gen 6 to Gen 7 upgrade, not a new exploit. Rotate VPN credentials and re-issue MFA enrolment for any device that was internet-facing while unpatched or recently migrated.
Vulnerable drivers are the new defense-evasion default. The Gentlemen and DeadLock both load a legitimate but flawed driver to kill endpoint protection from the kernel before they encrypt. Bring-your-own-vulnerable-driver activity is hard to stop with detection alone, so block known-vulnerable drivers where your tooling allows it and treat any attempt to load one as an escalation trigger.
Edge appliances are still the front door. Internet-facing, unpatched, credential-exposed VPNs and firewalls are how affiliates get in before any locker runs. Fortinet, SonicWall, and Citrix lead this week's confirmed initial-access flaws. Confirm your own exposure rather than assuming a vendor advisory covers your specific version, because the device that gets you hit is usually the one nobody remembered was online.
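Detection logic for the DeadLock chain described in the New and Emerging Groups section (valid-account access, RDP enabled through the registry and firewall, a vulnerable driver loaded to kill EDR) and for the vulnerable-driver note above, as an added example that is not ScruteX or vendor code. The events are constructed in a Sysmon-like shape; the field names, the correlation window and the severity tiers are assumptions.

```python
"""Correlate RDP-enablement activity with a vulnerable driver load per host.
A vulnerable driver load alone is HIGH (block and alert); one that follows RDP
enablement within the window is CRITICAL; RDP enablement alone is MEDIUM."""
from collections import defaultdict
from datetime import datetime, timedelta

# Driver file names the page ties to EDR kill (ThrottleStop renamed as
# ThrottleBlood.sys). The page does not name the Baidu driver file, so it is
# not listed. Production blocklists should key on driver hash and signer too.
VULN_DRIVER_NAMES = {"throttleblood.sys", "throttlestop.sys"}
RDP_VALUE_SUFFIX = r"terminal server\fdenytsconnections"
RDP_CHAIN = {"rdp_enabled_registry", "rdp_firewall_opened", "rdp_logon"}


def classify(ev):
    """Map one event to a behaviour tag, or None when it is not of interest."""
    eid = ev["id"]
    if eid == 13:  # Sysmon registry value set: fDenyTSConnections -> 0 enables RDP
        target = ev.get("target", "").lower()
        if target.endswith(RDP_VALUE_SUFFIX) and ev.get("details", "").endswith("(0x00000000)"):
            return "rdp_enabled_registry"
    elif eid == 1:  # Sysmon process create: firewall rule allowing TCP 3389
        cl = ev.get("cmdline", "").lower()
        if (ev.get("image", "").lower().endswith("netsh.exe")
                and "advfirewall" in cl and "3389" in cl and "allow" in cl):
            return "rdp_firewall_opened"
    elif eid == 4624 and ev.get("logon_type") == 10:  # RemoteInteractive logon
        return "rdp_logon"
    elif eid == 6:  # Sysmon driver load
        name = ev.get("image_loaded", "").rsplit("\\", 1)[-1].lower()
        if name in VULN_DRIVER_NAMES:
            return "vuln_driver_loaded"
    return None


def correlate(events, window=timedelta(hours=2)):
    """Return one finding per host with a severity and the chain tags seen."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag))
    findings = []
    for host, hits in by_host.items():
        driver_hits = [(w, t) for w, t in hits if t == "vuln_driver_loaded"]
        for when, _ in driver_hits:
            prior = {t for w, t in hits if when - window <= w < when} & RDP_CHAIN
            findings.append({"host": host, "when": when,
                             "severity": "CRITICAL" if prior else "HIGH",
                             "preceded_by": sorted(prior)})
        if not driver_hits:
            reg = [w for w, t in hits if t == "rdp_enabled_registry"]
            if reg:
                findings.append({"host": host, "when": reg[0],
                                 "severity": "MEDIUM", "preceded_by": []})
    return findings


# Constructed sample telemetry (not real logs): fs01 shows the full chain, db02
# only a driver load, ws07 only the registry change, ws12 a benign driver.
SAMPLE_EVENTS = [
    {"ts": "2026-06-15T02:11:05", "host": "fs01", "id": 13,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    {"ts": "2026-06-15T02:11:09", "host": "fs01", "id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="rdp" dir=in protocol=TCP localport=3389 action=allow'},
    {"ts": "2026-06-15T02:12:30", "host": "fs01", "id": 4624, "logon_type": 10, "user": "svc_backup"},
    {"ts": "2026-06-15T02:25:40", "host": "fs01", "id": 6, "image_loaded": r"C:\Users\Public\ThrottleBlood.sys"},
    {"ts": "2026-06-15T03:40:00", "host": "db02", "id": 6, "image_loaded": r"C:\Temp\ThrottleStop.sys"},
    {"ts": "2026-06-15T08:05:00", "host": "ws07", "id": 13,
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    {"ts": "2026-06-15T09:00:00", "host": "ws12", "id": 6, "image_loaded": r"C:\Windows\System32\drivers\tcpip.sys"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['severity']:8} {f['host']} at {f['when']} preceded_by={f['preceded_by']}")
```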

Infrastructure and Operational Shifts

Data extortion without encryption keeps gaining ground as a full operating model. ShinyHunters posted Sysco, One Medical, Ralph Lauren, Kodak, the NAIC, and several universities this week with no locker indicator on any of them. The group sits inside the broader Scattered Lapsus$ Hunters cluster and runs an industrialised data-theft operation built on voice phishing and OAuth or SSO token abuse rather than endpoint exploitation. Its current vector, reported by BleepingComputer and corroborated by Mandiant in June 2026, is a mass-exploitation campaign against Oracle PeopleSoft servers using a chain of old and zero-day flaws. The defender's playbook changes when the threat is pure data theft: backups do not solve it, and the response looks more like a breach-disclosure exercise than a recovery one.
Single-source and single-batch postings are inflating weekly counts. DeadLock's 61-in-one-upload is this week's clearest case, and LockBit 5.0's domain run is another. Both push numbers up without 61 or 30 distinct, verified incidents behind them. This is why a headline week-over-week figure can mislead. Part of the value of tracking is knowing which entries are curated company profiles worth triaging and which are bulk listings that need a quick low-confidence tag and little else.
Weekend posting is no longer a safe assumption. The Gentlemen pushed out 14 victims on Saturday June 20, breaking the usual pattern where leak sites go quiet at the weekend. Combined with the group's pre-built FortiGate access pipeline, that consistency points to an operation mature enough to publish on its own schedule rather than an affiliate batch rhythm. Teams that watch leak sites only on weekdays will see Gentlemen activity late.

Key Takeaways for Defenders

Patch the edge first, then block vulnerable drivers. Confirm patch status for Fortinet FortiOS (CVE-2024-55591, CVE-2024-21762), SonicWall SonicOS (CVE-2024-40766), and Citrix NetScaler (CVE-2023-3519). Rotate any credentials exposed while a device was unpatched or migrated. Then block the known-vulnerable drivers that The Gentlemen and DeadLock use to kill EDR, and alert on any attempt to load one.
Treat The Gentlemen as a rising critical-priority threat. The group nearly doubled its count, posts through the weekend, and runs a stock of pre-exploited FortiGate access. Manufacturing, business services, and healthcare firms should harden Fortinet edge access and watch for the kernel-level defense evasion that precedes encryption.
Close the MFA gap on every internet-facing login. SafePay's entire model rests on exposed VPN, RDP, and firewall accounts without MFA, and SonicWall traced the Akira wave to credentials that survived a migration. The opening these groups need is almost always an edge account you can protect today.
Read the 47% jump carefully. Volume rose from 192 to 282, but a single DeadLock batch of 61 and a LockBit domain run account for most of it, while last week's leaders DragonForce and 3AM went quiet. A higher count is not automatically a higher threat to you. What matters is whether any of the 282 touch your domains, your brands, or your suppliers.
Leak site appearance is a late signal. By the time a victim is posted, the intrusion is typically 30 to 90 days old. Watching external exposure, leaked credentials, and dark web chatter as it happens is what closes that gap.
Have an unverified-claim response ready. Several claims this week, including the Novo Nordisk, Nintendo, and NSW Government posts, carry low confidence. Your communications team needs a pre-approved holding response, and CTI should validate samples before anyone reacts.
Everything above points to the same gap: the threat data is public, but the work of filtering 282 posts down to the few that touch your domains, your brands, and your vendors, then matching those groups to the flaws on your own perimeter, is what nobody has time for on a Monday. That is the gap ScruteX closes. ScruteX is an external risk and threat intelligence platform that runs continuous discovery across the dark web and your internet-facing attack surface, prioritises findings by real-world exploitability rather than raw CVSS, and surfaces only the leak site activity and exploited CVEs tied to you and your supply chain. Threat Insights maps active groups, TTPs, and IOCs to your region and sector, so the three lines that are actually about you do not stay buried in the other 279.
Start a free workspace at https://scrutex.ai/signup. No credit card. Five minutes to first signal. See how ScruteX Threat Insights works at https://scrutex.ai/solution/threat.

Frequently Asked Questions

How many ransomware attacks happened the week of June 15 to 21, 2026? 282 unique victim postings appeared on dark web leak sites in that window, across 41 distinct ransomware and extortion groups. That is up 47% on the prior week's 192, but a single DeadLock batch of 61 entries with no metadata accounts for most of the rise. The count reflects leak site postings, not confirmed compromises, and many incidents are settled privately and never appear publicly.
Why did ransomware postings jump this week? The count rose from 192 to 282, but the increase is concentrated, not broad. The Gentlemen rose from 20 to 38, LockBit 5.0 from 20 to 34, and DeadLock appeared with 62, of which 61 came in one batch. At the same time, last week's leaders DragonForce and 3AM went almost silent. A few risers and one bulk listing carried the number, so the headline figure overstates how much busier the ecosystem actually got.
Which ransomware group is most active right now? DeadLock topped the chart with 62 victims this week, but 61 of those came in a single June 15 upload and should be read with caution because DeadLock does not normally run a public leak site. The Gentlemen took a clearer second place with 38, LockBit 5.0 third with 34, and Qilin fourth with 22 after leading last week. The Gentlemen and LockBit 5.0 are the genuine risers.
Is DeadLock's victim count of 62 reliable? Treat it with low confidence. DeadLock is documented by Group-IB and Cisco Talos as a group that uses the Session messenger and underground sales rather than a public leak site, so a batch of 61 entries on a single tracking source, with no country or sector attached to any of them, does not match its known behaviour. It is more likely a one-time data dump or tracking artifact than 61 distinct fresh incidents in one day.
What CVEs are these groups exploiting? Mainly known edge and remote-access flaws plus vulnerable drivers: CVE-2024-55591 and CVE-2024-21762 (Fortinet, used by The Gentlemen and Qilin), CVE-2024-40766 (SonicWall, used by Akira), and CVE-2023-3519 (Citrix, used by INC Ransom). The Gentlemen and DeadLock also abuse vulnerable drivers (CVE-2025-7771 and CVE-2024-51324) to disable endpoint protection. LockBit 5.0 and SafePay rely on credential abuse and edge misconfiguration rather than a single named flaw.
What sectors should I worry about most this week? Business Services led the named victims with 33, followed by Manufacturing at 26, then Technology and Healthcare at 15 each. DeadLock's 62 postings carry no sector data, so the visible mix skews toward groups that post curated profiles, and it points to a 30 to 90 day risk window for professional and industrial SMBs.
Where can I get this data in real time? ScruteX Threat Insights surfaces ransomware leak site activity filtered to your organisation, brands, and vendors, so you see only the postings that touch your domains, brands, or supply chain, mapped to the exploited CVEs on your external surface.