Weekly Ransomware Intelligence Report, June 28, 2026
By ScruteX Published
Summary
This is the Scrutex Ransomware Weekly for June 2026, covering the period from June 22 to June 28. Our CTI team tracked 168 unique ransomware victim claims across 38 active groups during the week. That represents a 40% decline from last week’s reported 282 victims, But A significant portion of last week’s total came from a one-time DeadLock backfill, which added 62 victims without metadata. Excluding that anomaly, last week’s figure was closer to 220 victims. This means the underlying decline is closer to 25% rather than 40%, indicating a genuine slowdown in activity, but not a dramatic collapse. Among active groups, The Gentlemen recorded the highest number of victim claims with 25, followed by Stormous with 21. Nova and Settra ranked next, tied at 11 victims each. Geographically, organisations in the United States accounted for 27% of all reported victims, making it the most affected country during the reporting period.
This report covers who was most active, which sectors and countries were hit, the high-profile claims worth your attention, and the specific CVEs these groups are exploiting to get in. The standout story this week is the run of high-value names posted on thin proof: The Gentlemen named two German naval-defence firms, APT73 (also tracked as Bashe) claimed Vienna Airport and the Brazilian federal government, and Qilin listed the Central Bank of Libya. Recognisable targets, little evidence attached.
168 posts, 38 groups, 38 countries in a single week. Reading every one to find the three that touch your own organisation or your suppliers is most of a working day, and that is before you cross-reference each group against the flaws sitting on your perimeter. The value is rarely in the full list. It is in the handful of lines that are actually about you.
A note on how to read the numbers. Counts reflect leak site postings, not confirmed compromises, and by the time a victim is posted the intrusion is usually 30 to 90 days old. We deduplicated postings that appeared under multiple names and resolved them to one entry. Where a single group backfills a large batch on one day, we flag it rather than letting it inflate the trend silently.
In This Post
| Section | What it covers |
|---|---|
| This Week at a Glance | Headline numbers and what the 40% drop hides |
| Group Activity Breakdown | Who posted most, and the stories worth reading |
| New and Emerging Groups | Settra, the week's domain-dump newcomer |
| Sector Targeting Analysis | Which industries took the named hits |
| Country Distribution | Where the 38 countries fall |
| Notable Claims and Incidents | Five named claims with confidence lines |
| Top CVEs These Groups Are Exploiting | The flaws driving initial access |
| Infrastructure and Operational Shifts | What is changing in how these crews work |
| Key Takeaways for Defenders | The short action list |
This Week at a Glance
| Metric | Value |
|---|---|
| Total unique victims posted | 168 |
| Change on prior week | Down 40% (from 282) |
| Active groups | 38 |
| Countries hit | 38 |
| Heaviest single day | June 22 (34 posts) |
| Joint-heaviest day | June 24 (34 posts) |
| Most targeted country | United States (27% of postings) |
| Most targeted sector | Business Services and Manufacturing (16 each) |
| Top group by volume | The Gentlemen (25 posts) |
| Notable major-brand claims | Vienna Airport, gov.br, Central Bank of Libya, Hologic, TKMS |
The week ran steady, without the single-day mass dump that defined last week. June 22 and June 24 tied as the busiest days at 34 postings each, and the working week from Monday to Friday averaged 28. The weekend thinned out as usual, dropping to 8 on Saturday June 27, the lightest day, before a Sunday rebound to 18. No single operator dominated one day, which is a healthier read of real attack tempo than last week's DeadLock spike allowed.
The week-over-week drop looks dramatic on the headline numbers, 282 down to 168, but part of it is an artefact. Last week's 282 included a one-off DeadLock dump of 62 victims with no metadata. Strip that backfill out and last week sits near 220, so the underlying decline is closer to a quarter than to the 40% the headline shows. Fresh leak-site activity eased this week. It did not collapse.
Group Activity Breakdown
The top 5 groups produced 46% of the week's volume (77 of 168 postings), a more even spread than last week's DeadLock-inflated 60%. The long tail stays crowded: more than 25 groups posted five or fewer victims each. The leak site space remains fragmented after the LockBit and ALPHV takedowns of 2024 to 2025. New brands keep entering, and affiliate crews keep splitting off to launch their own programs.
| Rank | Group | Victims | Share | Notable Activity |
|---|---|---|---|---|
| 1 | The Gentlemen | 25 | 15% | Back at the top. Named German naval firms TKMS and Atlas Elektronik, plus US professional services |
| 2 | Stormous | 21 | 13% | A batch of free "full data dump" posts against Italian e-commerce sites, low metadata |
| 3 | Nova | 11 | 7% | Transport and logistics focus, plus an NSW Rural Fire Service claim |
| 4 | Settra | 11 | 7% | Emerging crew posting website-domain victims across the US and APAC |
| 5 | APT73 (Bashe) | 9 | 5% | High-value claims: Vienna Airport, the gov.br federal portal, Indonesian retail |
| 6 | Icarus | 8 | 5% | Redacted-name posts, plus a claim against security vendor Huntress |
| 7 | Akira | 8 | 5% | US business services and manufacturing, its steady operational profile |
| 8 | INC Ransom | 7 | 4% | A cluster of US law firms and business services |
| 9 | Qilin | 7 | 4% | Financial services, including the Central Bank of Libya and 1-800-Dentist |
| 10 | CMD Organization | 5 | 3% | Healthcare and financial services, India and Colombia |
| 11 | Aurora | 5 | 3% | US specialty insurance, including a detailed NationsBuilders claim |
A long tail of groups (Chaos, Payload, Prinz Eugen, KryBit, Play, DragonForce, Redact, Lapsus$, Insomnia, and roughly 20 more) each posted between one and four victims.
Three observations:
The Gentlemen's defence double is the week's most consequential claim. Among its 25 postings were Thyssenkrupp Marine Systems (TKMS) and Atlas Elektronik, two German firms tied to naval and maritime-electronics work. A genuine compromise of either would carry supply-chain and national-security weight well beyond a routine corporate leak. The rest of the group's run was its usual mix of US professional-services and European industrial firms. The Gentlemen, which Microsoft tracks as Storm-2697 and Halcyon assesses as a Qilin splinter, has scaled fast since mid-2025 on the back of a broad exploit kit and a self-propagating, worm-like encryptor. See the CVE section for the specific flaws driving its intrusions.
Stormous ran this week's low-confidence bulk pattern. Roughly a third of its 21 postings were Italian online stores (maglificioliliana.com, lorenzoni-store.com, montechiaro-store.com, and others) tagged "UPDATE-FULL DATA DUMP FREE." A batch of free consumer-site dumps published together looks like a publicity exercise, not 21 fresh intrusions. Read the Stormous count the way we read last week's DeadLock dump: a publishing event with most entries carrying no sector and no detail.
APT73 (Bashe) chased headlines over evidence. Its nine postings included gov.br, the Brazilian government's main digital platform, and Vienna Airport, the operator of Vienna International Airport, both on June 23. High-value names like these pay off in attention whether or not real data changed hands. We cover both in the notable section with low-confidence lines.
New and Emerging Groups
Settra: the week's domain-dump newcomer
Settra posted 11 victims this week, enough to tie for third, and most arrived as website-domain entries rather than named companies (lifevantage.com, dystar.com, pchome.com.tw, qdi.com, and others). The spread skews US and APAC, with consumer services and manufacturing the most common sectors where a label was present.
Settra is a recent entrant to the leak-site space, and its posting style, raw domains in volume with thin victim profiles, is the signature of automated intake from an access or credential feed rather than hands-on intrusion of each target. New crews often front-load a domain batch to look established to affiliates before their real operational tempo is clear.
What makes a newcomer like Settra worth watching is not novel tooling. It is the mismatch between a fast, high-volume leak site and unproven attribution. Treat a Settra listing as a prompt to confirm your own exposure, not as proof of a fresh compromise, and weight its 11 against the strong chance that several are feed-sourced domains rather than this week's break-ins.
Sector Targeting Analysis
Across the 168 victim postings this week:
| Sector | Victims | Share |
|---|---|---|
| Business Services | 16 | 10% |
| Manufacturing | 16 | 10% |
| Consumer Services | 14 | 8% |
| Technology | 13 | 8% |
| Financial Services | 9 | 5% |
| Transportation and Logistics | 9 | 5% |
| Healthcare | 8 | 5% |
| Construction | 6 | 4% |
| Agriculture and Food | 6 | 4% |
| Education | 4 | 2% |
| Public Sector | 4 | 2% |
A caveat on these shares. Roughly 60 of the 168 postings carried no usable sector label this week, most of them the Stormous free-dump batch and assorted website-domain entries. The percentages above are of all postings, so they understate each sector's real share of the classified victims. Read the counts, not just the percentages.
What this tells us:
Business Services and Manufacturing tied for the lead at 16 victims each. Professional-services firms hold large volumes of client data on light security budgets, and industrial firms with flat OT and IT networks run a low tolerance for downtime. Both remain affiliate sweet spots, and The Gentlemen, Akira, and INC Ransom all leaned into one or the other this week.
Financial Services drew a heavier-than-usual nine named hits, including two national banks. Qilin posted the Central Bank of Libya and Lapsus$ named AYA Bank in Myanmar, while Aurora and The Gentlemen worked US insurers and asset managers. Banking and insurance claims carry regulatory and customer-data exposure that outlasts any downtime.
Healthcare drew eight named victims, including Hologic, the US medical-diagnostics maker, and several clinics. Healthcare claims carry HIPAA and PHI exposure, and the providers named skew towards clinics and specialty practices with thin IT teams.
Transportation and Logistics saw a distinct cluster from Nova, which built much of its 11-victim run around freight and logistics firms, alongside APT73's Vienna Airport claim. Logistics operators sit on tight delivery schedules that raise the pressure to pay.
Country Distribution
The United States accounts for 27% of all postings this week (46 of 168), a share in line with recent weeks once last week's Europe-weighted DeadLock dump is set aside. The US remains the single largest target market for affiliate-driven extortion by a wide margin.
| Rank | Country | Victims |
|---|---|---|
| 1 | United States | 46 |
| 2 | Germany | 11 |
| 3 | Italy | 10 |
| 4 | Canada | 8 |
| 5 | India | 6 |
| 6 | United Kingdom | 4 |
| 7 | Peru | 4 |
| 8 | Brazil | 3 |
| 9 | Australia | 3 |
| 10 | Austria | 3 |
| 11 | Mexico | 3 |
| 12 | Switzerland | 2 |
| 13 | Russia | 2 |
| 14 | South Korea | 2 |
| 15 | Colombia | 2 |
A further 23 countries had one or two victims each, including Indonesia, Portugal, Taiwan, Turkey, Libya, Netherlands, Thailand, Myanmar, France, Belgium, Argentina, Greece, Kuwait, Japan, and Tunisia. The Italy count is worth a note: much of it is the Stormous free-dump batch of Italian e-commerce sites rather than a wave of distinct intrusions.
The breadth, 38 countries in a single week, shows how affiliate-driven RaaS now operates globally. Geographic distribution tracks revenue opportunity, not threat actor location. Stormous concentrating on Italian consumer sites, Settra spreading across US and APAC domains, and Nova naming an Australian state-government body are this week's clearest examples of operators following data volume into specific regional pockets.
For readers outside the United States, the regional point holds this week. The Gentlemen worked German industrial and defence names, Stormous focused on Italian retail, and APT73 reached into Brazil, Indonesia, and Austria. Map your incident reporting obligations to your own regime, CERT-In's six-hour window in India, the SEC disclosure rules in the US, GDPR notification in the EU, APRA CPS 234 in Australia, before an incident forces the question.
Notable Claims and Incidents
The five claims below all appear on public leak sites. We name only what the actor posted, summarise the data categories claimed, and end each with a confidence line. None were independently confirmed as a compromise at the time of writing.
1. Qilin claims the Central Bank of Libya
Qilin posted Libya's national monetary authority on June 22, listing it on its leak blog with no sample data attached. A central-bank claim carries outsized political and financial weight, which is exactly why it needs proof before anyone treats it as real.
Confidence: Low. No encryption indicator, no file tree, and a national-institution name that pays off in attention regardless of whether data was taken. Treat as unconfirmed until evidence emerges.
2. APT73 (Bashe) claims Vienna Airport
APT73, also tracked as Bashe, listed Flughafen Wien AG, the operator of Vienna International Airport, on June 23. Airport operators sit inside critical infrastructure, so a genuine breach would touch operations and passenger data.
Confidence: Low. The same actor posted Brazil's federal portal the same day, a pattern that favours high-value names over verified access. No samples were attached. Validate before reacting.
3. APT73 (Bashe) claims gov.br
On June 23 APT73 (Bashe) also claimed gov.br, the Brazilian government's main digital platform and domain zone. A national e-government system would expose citizen records at scale if the claim held up.
Confidence: Low. The post offers a description only, with no sample data. Government-portal claims are a known target for posts engineered for notoriety. Treat as unconfirmed.
4. Redact claims Hologic
Redact listed Hologic, the US medical-diagnostics and device maker, on June 27, citing a $4B revenue figure. Hologic appeared alongside FCCI Insurance in the same Redact batch.
Confidence: Medium. Healthcare claims carry HIPAA and PHI exposure if a data set surfaces, but no directory listing or sample hash was posted at the time of writing. Validate before reacting.
5. Aurora claims NationsBuilders Insurance Services
Aurora posted a detailed claim against NationsBuilders Insurance Services (NBIS), an Atlanta specialty insurer, on June 22, counting 2.7 million file entries across 24 shares spanning claims, policy admin, HR, and finance.
Confidence: Medium. The specificity of the file-tree count points to real exfiltration rather than a bluff. Customer and underwriting data are the likely exposure, though scope and freshness are unconfirmed from the leak-site post alone.
Top CVEs These Groups Are Exploiting
The groups leading this week mostly exploit a known set of edge-device, hypervisor, remote-management, and driver flaws, plus credential reuse. The Gentlemen is the exception in breadth: leaked internal chats and vendor analysis show it running the widest kit of the week, from a Fortinet foothold through an Erlang SSH zero-day, a vulnerable-driver EDR killer, an NTLM relay for privilege escalation, and a Veeam flaw to gut backups. If you run any of the products below and have not confirmed patching, treat this as your priority list. Each attribution below is tied to a named vendor or government source. Where we could not tie a flaw to a specific group, we left it out rather than padding the table.
| CVE | Product | CVSS | Who is using it | Why it matters |
|---|---|---|---|---|
| CVE-2024-55591 | Fortinet FortiOS / FortiProxy | 9.6 | The Gentlemen, Qilin | Authentication bypass on the FortiGate management interface. The Gentlemen, a Qilin splinter that Microsoft tracks as Storm-2697, keeps a curated database of already-compromised FortiGate devices and valid VPN credentials for fast initial access. Qilin uses it alongside CVE-2024-21762 (Halcyon; Microsoft; CISA KEV). |
| CVE-2025-32433 | Erlang/OTP SSH | 10.0 | The Gentlemen | Unauthenticated pre-auth remote code execution in the Erlang/OTP SSH server, reaching root over the network, typically against Cisco and other appliances that embed it. Leaked group chats show The Gentlemen adopting it to diversify entry beyond Fortinet (Check Point Research; KELA). |
| CVE-2025-7771 | ThrottleStop.sys driver (BYOVD) | 8.7 | The Gentlemen | A legitimate driver with unrestricted IOCTL access to physical memory. The Gentlemen weaponise it (renamed ThrottleBlood.sys) in a bring-your-own-vulnerable-driver attack to run kernel code and disable EDR agents (Halcyon; Securonix; Surefire Cyber). |
| CVE-2025-33073 | Windows SMB Client (NTLM relay) | 8.8 | The Gentlemen | NTLM reflection flaw that escalates a low-privileged foothold to SYSTEM. The group automates domain-wide relay with a tool its leaked chats call RelayKing (Check Point Research; KELA). |
| CVE-2023-27532 | Veeam Backup & Replication | 7.5 | The Gentlemen | Lets an unauthenticated attacker inside the backup network pull stored credentials from the config database. The Gentlemen target backup infrastructure to seize or wipe backups before encryption (Halcyon; Veeam KB4424). |
| CVE-2024-37085 | VMware ESXi | 7.2 | Akira, The Gentlemen | Authentication bypass that hands an attacker full admin control of an ESXi host by creating a specific Active Directory group, enabling mass encryption of every VM on the host (CISA AA24-109A, updated 2025). |
| CVE-2024-21762 | Fortinet FortiOS SSL VPN | 9.8 | Qilin | Out-of-bounds write allowing unauthenticated remote code execution on FortiGate. PRODAFT and ReliaQuest tie Qilin's May to June 2025 campaign to this flaw. Tens of thousands of devices stayed exposed months after the patch. |
| CVE-2023-20269 | Cisco ASA / FTD VPN | 5.0 | Akira | Unauthorized-access flaw in the remote-access VPN feature. Akira's affiliates brute-force valid accounts and open clientless SSL VPN sessions (Cisco PSIRT; CISA AA24-109A). |
| CVE-2024-57727 | SimpleHelp RMM | 7.5 | DragonForce | Path-traversal flaw in SimpleHelp remote-management software. Documented as an MSP-to-client pivot, reaching downstream victims in one move (CISA AA25-163A; Halcyon). |
| CVE-2025-5777 | Citrix NetScaler ADC / Gateway | 9.3 | INC Ransom | Citrix Bleed 2, a pre-authentication out-of-bounds memory read that leaks session tokens and bypasses MFA on internet-facing NetScaler. INC Ransom is documented using it for initial access in 2025, alongside the older CVE-2023-3519 RCE on the same product (Trend Micro; CISA KEV). |
A note on attribution accuracy. We attribute a CVE to a group only where a named vendor or government source supports the link. Stormous, Settra, Nova, and APT73 also posted heavily this week, but we found no public source tying their current activity to a specific, verifiable CVE, so we left them out. Stormous, a pro-Russian crew that runs the STMX GhostLocker program with GhostSec, works stolen-credential dumps and unpatched public-facing systems for access. ConnectWise ScreenConnect (CVE-2024-1709) is exploited widely across the ransomware ecosystem, but no public source attributes it to Stormous specifically, so we do not list it as theirs. The website-domain and free-dump style of the Stormous and Settra postings is more consistent with credential-feed and access-broker intake than a single named exploit.
A few practical notes:
The credential-reuse angle. Patched devices still get hit when actors replay credentials stolen before the fix. Both Fortinet flaws above were used to harvest credentials that outlive the patch. Rotate VPN credentials and re-issue MFA enrolment for any device that was internet-facing while unpatched.
RMM is a single point of mass compromise. CVE-2024-57727 in SimpleHelp remains the clearest one-to-many risk. One managed-services server can mean every client environment it touches. MSPs and their customers carry the top exposure here.
Edge appliances are the front door. Internet-facing, unpatched, credential-exposed VPNs, firewalls, and RMM servers are how affiliates get in before any locker runs. Fortinet, Cisco, Citrix, and SimpleHelp lead this week's confirmed initial-access flaws.
These are the flaws most associated with this week's active groups where a named source supports the link. Knowing they are being exploited is the easy part. Knowing whether any of them sit on your own external perimeter right now, on a forgotten branch-office firewall or an MSP's RMM server, is the part most teams cannot answer on a Monday morning. Confirm your own exposure rather than assuming a vendor advisory covers your specific version.
Infrastructure and Operational Shifts
Free-dump batches are this week's version of the backfill tactic. Stormous published a run of Italian e-commerce sites tagged "FULL DATA DUMP FREE," releasing the data at no cost rather than ransoming it. Free dumps are a reputation and recruitment play, used to draw attention and signal capability, and they inflate weekly counts with entries that are publicity rather than fresh extortion.
High-value-name claims keep outrunning the proof attached to them. APT73 named Vienna Airport and the Brazilian federal portal, Qilin named the Central Bank of Libya, and The Gentlemen named two German defence-linked firms, all with little or no sample data on the leak post. The headline is the whole play, and the defensive task is to validate before briefing any of them as confirmed.
Website domains keep replacing company names in high-volume postings. Settra and several long-tail crews leaned on raw domain lists rather than curated victim profiles, a style that points to automated intake from access or credential feeds and inflates weekly counts with lower-confidence entries that still need triage.
Key Takeaways for Defenders
Read the drop before you read it as relief. This week's 168 is down 40% on last week, but part of that gap is last week's one-off DeadLock backfill. Net it out and the underlying decline is closer to a quarter, a real easing rather than a collapse. When a leak-site count swings, check whether one group or one batch drove it before briefing it as a trend.
Patch the edge and RMM layer first. Confirm patch status for Fortinet FortiOS (CVE-2024-21762, CVE-2024-55591), the Erlang/OTP SSH RCE (CVE-2025-32433), VMware ESXi (CVE-2024-37085), Cisco ASA/FTD (CVE-2023-20269), SimpleHelp (CVE-2024-57727), and Citrix NetScaler (CVE-2025-5777, Citrix Bleed 2). Rotate any credentials or session tokens exposed while a device was unpatched.
Block the post-foothold moves The Gentlemen relies on. Turn on the Microsoft Vulnerable Driver Blocklist to stop the ThrottleStop BYOVD EDR killer (CVE-2025-7771), patch the NTLM relay flaw (CVE-2025-33073), and lock down Veeam Backup (CVE-2023-27532) so backups survive an intrusion. Segment the backup network from production.
Validate the high-value claims before you react. Vienna Airport, gov.br, the Central Bank of Libya, and the two German naval firms are exactly the names built to draw attention on thin proof. CTI should confirm samples and your communications team should hold a pre-approved response before anyone treats a claim as a breach.
Watch your suppliers, not just yourself. The Gentlemen's defence-sector claims and Stormous's e-commerce dumps both point at third parties. A supplier or partner appearing on a leak site is your problem too. Map your vendor exposure the same way you map your own.
Leak site appearance is a late signal. By the time a victim is posted, the intrusion is typically 30 to 90 days old, and a free dump or domain batch can be far older. Watching external exposure, leaked credentials, and dark web chatter as it happens is what closes that gap.
Everything above points to the same gap: the threat data is public, but the work of filtering 168 posts down to the few that touch your domains, your brands, and your vendors, then matching those groups to the flaws on your own perimeter, is what nobody has time for on a Monday. That is the gap Scrutex closes. It surfaces only the leak site activity tied to you and your supply chain, and flags the exploited CVEs that sit on your external surface.
Start a free workspace at https://scrutex.ai/signup. No credit card. Five minutes to first signal.
See how Scrutex Threat Insights works: https://scrutex.ai/solution/threat.
Frequently Asked Questions
How many ransomware attacks happened the week of June 22 to 28, 2026?
168 unique victim postings appeared on dark web leak sites in that window, across 38 distinct ransomware and extortion groups. This counts leak site postings, not all attacks, and many incidents are settled privately and never appear publicly. The figure is down 40% on last week, but part of that gap is last week's one-off DeadLock backfill, so the underlying decline is closer to a quarter.
Which ransomware group is most active right now?
The Gentlemen led this week with 25 postings, followed by Stormous at 21. Nova and Settra tied at 11 each. The Gentlemen and Qilin have traded the lead with other crews for several weeks, and no single group dominated this week's volume.
Why did the weekly total drop to 168?
Last week's 282 was lifted by a DeadLock dump of 62 metadata-less victims posted in one batch. Strip that backfill out and last week sits near 220 against this week's 168, so underlying activity fell by roughly a quarter. That is a real drop, but a more modest one than the 40% headline suggests, not a collapse.
Did Vienna Airport or the Central Bank of Libya get hit by ransomware?
APT73 (Bashe) posted Vienna Airport and Qilin posted the Central Bank of Libya, both with no sample data attached. The claims are unverified. Treat them as low confidence until evidence emerges. High-value names are often posted for attention regardless of whether real data changed hands.
What CVEs are these groups exploiting?
Mainly known edge, RMM, hypervisor, and driver flaws. The Gentlemen runs the broadest set: CVE-2024-55591 (Fortinet), CVE-2025-32433 (Erlang/OTP SSH), CVE-2025-7771 (ThrottleStop driver, EDR kill), CVE-2025-33073 (NTLM relay), CVE-2023-27532 (Veeam), and CVE-2024-37085 (VMware ESXi). Others this week: CVE-2024-21762 and CVE-2024-55591 (Fortinet, Qilin), CVE-2023-20269 (Cisco, Akira), CVE-2024-57727 (SimpleHelp, DragonForce), and CVE-2025-5777, the Citrix Bleed 2 NetScaler flaw (INC Ransom). Credential and session-token reuse against patched-but-previously-exposed devices is a recurring theme.
What sectors should I worry about most this week?
Business Services and Manufacturing tied for the lead at 16 named victims each, followed by Consumer Services at 14 and Technology at 13. Financial Services drew nine hits, including two national banks. A high share of postings carried no sector label this week because of the Stormous free-dump and domain-only entries, so read the counts alongside the percentages.
Where can I get this data in real time?
Scrutex Threat Insights surfaces ransomware leak site activity filtered to your organisation, brands, and vendors, so you see only the postings that touch your domains, brands, or supply chain.