Weekly Ransomware Intelligence Report – June 8, 2026
By ScruteX Team
Summary
This is the Scrutex ransomware weekly for June 2026, covering the June 2 to June 8 window. Our CTI team tracked 119 unique ransomware victim claims across 31 active groups during the period. One mid-week spike carried the volume: 33 of the 119 postings (28%) landed on June 3 alone. The gentlemen led with 25 victims, Qilin followed with 15, and United States firms made up 38% of all victims. Manufacturing and Business Services took the heaviest hits.
This report covers who was most active, which sectors and countries were hit, the high-profile claims worth your attention, and the specific CVEs these groups are exploiting to get in. The standout story is the gentlemen: a RaaS brand that opened to affiliates in late 2025 and now sits at the top of the weekly chart, running a self-spreading Go encryptor that Microsoft has analyzed in detail.
119 posts, 31 groups, 35 countries in a single week. Reading every one to find the three that touch your own organisation or your suppliers is most of a working day, and that is before you cross-reference each group against the flaws sitting on your perimeter. The value is rarely in the full list. It is in the handful of lines that are actually about you.
A note on how to read the numbers. Counts reflect leak site postings, not confirmed compromises, and by the time a victim is posted the intrusion is usually 30 to 90 days old. We deduplicated postings that appeared under multiple names and resolved them to one entry.
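The deduplication step described above, resolving postings that appear under several group aliases or victim spellings to one entry and then rolling them up per group and per day, as an added example (not Scrutex's own tooling). The alias table, the victim-name normalisation rules and the sample postings are constructed for illustration; only the apt73/eraleign/bashe aliasing comes from this report.

```python
"""Deduplicate leak site postings and roll them up per group and per day."""
import re
from collections import Counter
from datetime import date

# Every alias resolves to one canonical brand. The apt73 aliases are the ones
# this report mentions; the other entries are constructed for the example.
GROUP_ALIASES = {
    "apt73": "apt73", "eraleign": "apt73", "bashe": "apt73",
    "inc ransom": "incransom", "incransom": "incransom",
    "the gentlemen": "the gentlemen", "gentlemen": "the gentlemen",
}

# Legal suffixes that leak sites include inconsistently (constructed list).
_SUFFIXES = re.compile(r"\b(inc|llc|ltd|gmbh|co|corp|corporation|limited)\b\.?", re.I)

def canonical_group(name: str) -> str:
    key = name.strip().lower()
    return GROUP_ALIASES.get(key, key)

def canonical_victim(name: str) -> str:
    """Collapse 'Acme Corp', 'acme-corp.com' and 'ACME CORP.' to one key."""
    v = name.strip().lower()
    v = re.sub(r"^(https?://)?(www\.)?", "", v)             # strip scheme / www
    v = re.sub(r"\.(com|net|org|io|de|fr|co\.uk)$", "", v)  # strip a trailing TLD
    v = _SUFFIXES.sub("", v)                                 # strip legal suffixes
    v = re.sub(r"[^a-z0-9]+", "", v)                         # drop spaces/punctuation
    return v

def deduplicate(postings):
    """Return one record per (group, victim); keep the earliest posting date."""
    merged = {}
    for p in postings:
        key = (canonical_group(p["group"]), canonical_victim(p["victim"]))
        if key not in merged or p["posted"] < merged[key]["posted"]:
            merged[key] = {"group": key[0], "victim": key[1], "posted": p["posted"]}
    return list(merged.values())

def rollup(records):
    """Counts per group and per day, the two breakdowns the weekly tables use."""
    by_group = Counter(r["group"] for r in records)
    by_day = Counter(r["posted"] for r in records)
    return by_group, by_day

# Constructed sample: one victim scraped under two aliases and two spellings,
# one victim posted twice under two spellings of the group, one unrelated post.
SAMPLE = [
    {"group": "eraleign", "victim": "Acme Corp", "posted": date(2026, 6, 2)},
    {"group": "apt73", "victim": "acme-corp.com", "posted": date(2026, 6, 3)},
    {"group": "INC Ransom", "victim": "Example Health LLC", "posted": date(2026, 6, 3)},
    {"group": "incransom", "victim": "Example Health", "posted": date(2026, 6, 3)},
    {"group": "qilin", "victim": "Widgets GmbH", "posted": date(2026, 6, 5)},
]

if __name__ == "__main__":
    recs = deduplicate(SAMPLE)
    groups, days = rollup(recs)
    print(len(recs), "unique postings")   # 3 after merging the five raw posts
    print(groups.most_common())
    print(sorted(days.items()))
```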
This Week at a Glance
| Metric | Value |
|---|---|
| Total unique victims posted | 119 |
| Active groups | 31 |
| Countries hit | 35 |
| Heaviest single day | June 3 (33 posts) |
| Second-heaviest day | June 2 and June 5 (tied at 23 posts) |
| Most targeted country | United States (38% of postings) |
| Most targeted sector | Manufacturing (21 victims) |
| Fastest-growing group | the gentlemen (25 posts, top of the chart) |
| Notable major-brand claims | Cropwise (Syngenta), Cambridge Mobile Telematics, Singing River Health System |
The week ran mid-week heavy. June 3 carried 33 postings on its own, more than a quarter of the total, with Tuesday (23) and Friday (23) doing most of the remaining work. The weekend went quiet: Saturday saw 5 postings and Sunday saw zero. Monday topped back up to 21. That rhythm is typical of affiliate batch-posting, where crews stage victims during the working week and leak sites go dark over the weekend. The Sunday zero is not a pause in attacks. It is a pause in publishing.
Group Activity Breakdown
The top 5 groups produced 51% of the week's volume (61 of 119 postings). The long tail stays crowded: more than 25 groups posted five or fewer victims each. The leak site space stays fragmented after the LockBit and ALPHV takedowns of 2024 to 2025. New brands keep entering, and affiliate crews keep splitting off to launch their own programs.
| Rank | Group | Victims | Share | Notable Activity |
|---|---|---|---|---|
| 1 | the gentlemen | 25 | 21% | Top of the chart. Self-propagating Go encryptor, RaaS opened to affiliates late 2025 |
| 2 | qilin | 15 | 13% | Consistent high-volume operator, Fortinet-driven initial access |
| 3 | incransom | 8 | 7% | Public-sector and healthcare focus this week |
| 4 | akira | 8 | 7% | Steady baseline, VPN and ESXi exploitation |
| 5 | Black X | 5 | 4% | Mid-tier volume |
| 6 | play | 5 | 4% | Long-running operator |
| 7 | krybit | 5 | 4% | New RaaS, surfaced March 2026 |
| 8 | nova | 4 | 3% | |
| 9 | payload | 3 | 3% | |
| 10 | genesis | 3 | 3% | |
| 11 | worldleaks | 3 | 3% | |
| 12 | dragonforce | 3 | 3% | |
A long tail of groups (nova, payload, genesis, worldleaks, dragonforce and others) each posted between one and four victims.
Two observations:
The gentlemen drove the week. 25 postings from a single brand (21% of all volume) is a large share for any one group. The victim mix spans sectors and regions rather than clustering around one supply chain, which fits an affiliate-driven RaaS model where multiple operators work different target lists under the same brand rather than one crew hitting a shared upstream. Treat the spread as plausible but unconfirmed until per-victim intrusion data emerges.
The most interesting mover is Krybit, a new RaaS that surfaced in late March 2026 and posted 5 victims this week. It is small in volume but notable for the internal feud described in the deep-dive below. We cover the gentlemen and Krybit in the next section.
New and Emerging Groups
the gentlemen: the group to brief your board on
The gentlemen led this week with 25 victims, 21% of all postings, and sat at the top of the chart ahead of established operators like Qilin and Akira. That is a fast climb for a brand that only opened to public affiliates in late 2025. NTT has separately assessed the gentlemen as one of the most active operators in recent reporting, ranking second only to Qilin at the time.
krybit: the new operator with a turf-war story
Krybit posted 5 victims this week. It surfaced in late March 2026 as a RaaS targeting Windows, Linux, and ESXi environments. Our research notes a public dispute with a rival group called 0APT, in which 0APT tried to leak Krybit's admin panels and Krybit hacked back, defaced 0APT's infrastructure, and leaked its source code, which then showed that 0APT's hundreds of posted victims were fabricated. We could not independently verify the Krybit and 0APT feud or the payout structure through public vendor reporting in the time available.
What is verifiable from this week is that Krybit posted 5 real claims, weighted toward lower-to-mid market manufacturing and infrastructure, the same sectors leading the overall week.
Sector Targeting Analysis
Across the 119 victim postings this week:
| Sector | Victims | Share |
|---|---|---|
| Manufacturing | 21 | 18% |
| Others | 18 | 15% |
| Business Services | 17 | 14% |
| Healthcare | 16 | 13% |
| Transportation/Logistics | 8 | 7% |
| Technology | 6 | 5% |
| Agriculture and Food Production | 5 | 4% |
| Hospitality and Tourism | 4 | 3% |
| Consumer Services | 4 | 3% |
| Construction | 4 | 3% |
| Financial Services | 4 | 3% |
What this tells us:
Manufacturing took the heaviest hit with 21 victims (18% of all postings). Manufacturers run flat OT and IT networks, carry low tolerance for downtime, and often depend on hypervisor infrastructure (VMware ESXi) to run production-line systems. A single hit on a shared host can stop a factory floor, which is exactly the pressure ransomware crews want. Groups exploiting ESXi authentication bypass (see the CVE section) lean into this.
Business Services came second with 17 victims. These firms hold large volumes of client data across many accounts, which hands an attacker a hold over the service provider and its downstream customers at once. Lighter security controls at mid-market service firms make them an affiliate sweet spot.
Healthcare placed fourth with 16 victims. The notable claims this week include Singing River Health System (a Gulf Coast hospital network) and Champaign-Urbana Public Health District. Health bodies hold dense PII and PHI, run small IT teams, and carry limited recovery budgets, which makes them a recurring soft target. HIPAA exposure raises the stakes on any confirmed breach.
Technology placed sixth with 6 victims, but the blast radius can be larger than the count suggests. The Cambridge Mobile Telematics claim (below) is a single posting that, if genuine, would touch many downstream auto insurers.
Financial Services sat low at 4 victims, which is the usual pattern. Major banks tend to stay off leak sites because of better detection, heavier regulatory pressure, and the sanctions risk an attacker takes on by hitting them. A low count here is not a low threat. It reflects who gets posted, not who gets attacked.
Country Distribution
The United States accounts for 38% of all postings this week (45 of 119), the dominant concentration by a wide margin.
| Rank | Country | Victims |
|---|---|---|
| 1 | United States | 45 |
| 2 | Germany | 6 |
| 3 | India | 5 |
| 4 | France | 5 |
| 5 | United Kingdom | 4 |
| 6 | Canada | 4 |
| 7 | Taiwan | 3 |
| 8 | Thailand | 3 |
| 9 | Spain | 3 |
| 10 | China | 2 |
A further 20 countries had one to two victims each, including Mexico, Poland, Malaysia, Denmark, Dominican Republic, Argentina, Vietnam, Hong Kong, Indonesia, Zimbabwe, Slovenia, Russia, Austria, Portugal, Lebanon, Turkey, Netherlands, Switzerland, Chile, and South Africa.
The breadth (35 countries) shows how affiliate-driven RaaS now operates globally. Geographic distribution tracks revenue opportunity, not threat actor location. The US share this week sits at the high end, consistent with the broad spread of the gentlemen's 25 victims and Qilin's continued US weighting.
For readers outside the US, the regional point still holds. India (5), Taiwan (3), Thailand (3), and Singapore (2) all appear, so APAC mid-market firms are squarely in scope, alongside Germany (6), France (5), and the UK (4) in Europe. Map your incident reporting obligations to your own regime (CERT-In's six-hour window in India, the SEC disclosure rules in the US, GDPR notification in the EU, APRA CPS 234 in Australia) before an incident forces the question.
Notable Claims and Incidents
Only victims that appear on a public leak site are named below.
1. apt73 claims Armenia's Ministry of Internal Affairs election infrastructure
apt73 (also tracked as eraleign and bashe, posting under the "WOLVES OF TURAN" banner) listed elections.mia.gov.am on June 2, a claim against Armenia's Ministry of Internal Affairs election systems. A direct hit on state electoral infrastructure carries outsized geopolitical weight if genuine. apt73 sits at the muddy edge of ransomware and hacktivism, and analysts have noted the group mixes genuine breaches with scraped public data and repurposed old leaks to inflate its profile and chase media attention.
2. Cropwise (Syngenta Group) data already leaked after talks appear to have broken down
shadowbyt3$ listed Cropwise, a digital-farming platform tied to agribusiness giant Syngenta, on June 2. The listing status is Data Leaked, which implies negotiations already collapsed rather than an active lockdown. Exposure spans agronomic and grower data across a global supply chain, which extends regulatory and contractual risk well beyond Syngenta itself to the growers and partners in the dataset.
3. anubis claims Singing River Health System
anubis posted a claim against Singing River Health System, a large Gulf Coast (Mississippi) hospital network, on June 3. A fresh extortion claim against a major health system raises HIPAA and patient-safety exposure. Samples are pending verification.
4. coinbasecartel claims Cambridge Mobile Telematics
coinbasecartel listed Cambridge Mobile Telematics on June 2, naming one of the largest telematics and driver-behavior platforms feeding auto insurers. A confirmed breach would expose sensitive location and driving datasets at very large scale. coinbasecartel is a fresh, low-profile entry that appears to focus on high-volume data exfiltration rather than encryption.
5. incransom claims Champaign-Urbana Public Health District
INC Ransom claimed the Champaign-Urbana Public Health District, a county public-health authority. Public-sector health bodies hold dense PII and PHI on limited recovery budgets, a recurring soft-target pattern this week.
A roll-up note on the week's peak: the gentlemen's 25 postings spread across sectors and regions rather than clustering on one shared upstream. The single-affiliate or shared-MSP theory for any sub-cluster is plausible but unconfirmed from leak site data alone.
Top CVEs These Groups Are Exploiting
The groups leading this week are not relying on novel zero-days. They exploit a small set of known edge-device, hypervisor, and remote-access flaws, plus credential reuse. If you run any of the products below and have not confirmed patching, treat this as your priority list.
| CVE | Product | CVSS | Who is using it | Why it matters |
|---|---|---|---|---|
| CVE-2024-21762 | Fortinet FortiOS SSL VPN | 9.6 | Qilin | Out-of-bounds write allowing unauthenticated remote code execution on FortiGate. PRODAFT and ReliaQuest tie Qilin's 2025 surge to this flaw. Roughly 150,000 devices stayed exposed months after the patch. |
| CVE-2024-55591 | Fortinet FortiOS / FortiProxy | 9.6 | Qilin | Authentication bypass on FortiGate, used alongside CVE-2024-21762 for automated initial access (PRODAFT, June 2025; CISA KEV). |
| CVE-2024-37085 | VMware ESXi | 7.2 | Akira | Authentication bypass that hands an attacker full admin control of an ESXi host by creating a specific Active Directory group, enabling mass encryption of every VM on the host (CISA AA24-109A). |
| CVE-2023-20269 | Cisco ASA / FTD VPN | 5.0 | Akira | Unauthorized-access flaw in the remote-access VPN feature. Akira's affiliates brute-force valid accounts and open clientless SSL VPN sessions (Cisco PSIRT; CISA AA24-109A). |
| CVE-2023-3519 | Citrix NetScaler ADC / Gateway | 9.8 | INC Ransom | Unauthenticated remote code execution on internet-facing NetScaler. INC Ransom is documented exploiting this public-facing-application flaw for initial access (Halcyon; threat-actor profiling). |
| CVE-2024-3400 | Palo Alto PAN-OS GlobalProtect | 10.0 | Ransomware operators broadly | Unauthenticated command injection giving root on the firewall and a pivot into the internal network. Google's GTIG lists it among the firewall flaws ransomware crews used for initial access through 2025. |
Check Point disclosed CVE-2026-50751 on June 8, a critical authentication bypass (CVSS 9.1) in Remote Access VPN and Mobile Access on the deprecated IKEv1 protocol. An unauthenticated attacker can open a VPN session with no valid password. Check Point confirmed active exploitation since May 7, one case tied to a Qilin affiliate. If you run Check Point VPN on IKEv1, apply the hotfix or disable the protocol now.
A few practical notes:
The credential-reuse angle. Patched devices still get hit when actors replay credentials stolen before the fix. Both Fortinet flaws above were used to harvest credentials that outlive the patch. Rotate VPN credentials and re-issue MFA enrolment for any device that was internet-facing while unpatched.
The hypervisor is a mass-encryption multiplier. CVE-2024-37085 turns one ESXi host into every VM on it. For manufacturers running production systems on shared hosts, that is the difference between one server down and the whole floor down. Confirm ESXi patch status and lock down the AD group creation path the flaw abuses.
Edge appliances are the front door. Internet-facing, unpatched, credential-exposed VPNs and firewalls are how affiliates get in before any locker runs. Fortinet, Cisco, Citrix, and Palo Alto devices lead this week's confirmed initial-access flaws.
We are reporting these as the flaws most associated with this week's most active groups. Knowing these are being exploited is the easy part. Knowing whether any of them sit on your own external perimeter right now, on a forgotten branch-office firewall or an MSP's edge device, is the part most teams cannot answer on a Monday morning. Confirm your own exposure rather than assuming a vendor advisory covers your specific version.
Infrastructure and Operational Shifts
Self-propagation is moving from feature to standard. The gentlemen's Go encryptor spreads on its own over SMB after harvesting credentials, removing the manual lateral-movement step. This is the same direction Qilin's parallelized Linux variant points: tooling that compresses the time from first foothold to full encryption.
Hacktivist-criminal blending continues. apt73's claim against Armenian election infrastructure, posted under a geopolitical banner while running working encryptors, shows the line between financially motivated ransomware and attention-seeking hacktivism staying blurred. Claims from these groups need extra verification because profile inflation is part of the model.
New brands keep entering at the small end. coinbasecartel, krybit, and others posted this week with little track record. Low-history brands making large claims (coinbasecartel and Cambridge Mobile Telematics) are the postings most likely to be unverified or exaggerated. Build that skepticism into your triage.
Key Takeaways for Defenders
Patch the edge first. This week's confirmed initial-access flaws are Fortinet CVE-2024-21762 and CVE-2024-55591 (Qilin), Cisco CVE-2023-20269 (Akira), Citrix CVE-2023-3519 (INC Ransom), and Palo Alto CVE-2024-3400 (broad ransomware use). Confirm patch status on every internet-facing VPN and firewall, and rotate credentials exposed while any device was unpatched.
Treat the gentlemen as a critical-priority threat. They led the week with 25 victims and run a self-propagating encryptor that spreads from one host to a whole network without hands on keyboard. Harden lateral movement: restrict SMB, watch for scheduled tasks created with SYSTEM privileges, monitor for Defender tampering and selective log clearing, and alert on encryptor staging from NETLOGON shares.
Protect the hypervisor. CVE-2024-37085 lets Akira gain full control of an ESXi host and encrypt every VM at once. Manufacturers running production systems on shared hosts carry the most exposure. Patch ESXi and lock down the Active Directory group path the flaw abuses.
Leak site appearance is a late signal. By the time a victim is posted, the intrusion is typically 30 to 90 days old. Watching external exposure, leaked credentials, and dark web chatter as it happens is what closes that gap.
Have an unverified-claim response ready. The coinbasecartel and apt73 claims this week are exactly the kind that can be inflated or scraped. Your communications team needs a pre-approved holding response, and your CTI function should validate samples before anyone reacts publicly.
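The lateral-movement hardening takeaway above lists four signals to watch for: scheduled tasks created as SYSTEM, Defender tampering, selective log clearing, and encryptor staging on NETLOGON shares. The following is an added example (not Scrutex's or Microsoft's code) that tags each signal from Windows event records and flags hosts showing more than one of them. The input is constructed JSON lines in a simplified SIEM export; the event IDs used (Security 4698, 1102, 5145; System 104; Defender 5001, 5010) are the standard Windows channel IDs, and the AccessMask handling is a simplification of the 5145 access list.

```python
"""Correlate the four post-foothold signals per host from constructed event lines."""
import json
from collections import defaultdict

SYSTEM_SID = "S-1-5-18"
WRITE_DATA = 0x2                      # FILE_WRITE_DATA bit in the 5145 AccessMask
STAGING_EXT = (".exe", ".dll", ".ps1", ".bat")

def classify(ev: dict):
    """Map one event to a behaviour tag, or None if it is not of interest."""
    eid, ch = ev.get("EventID"), ev.get("Channel", "")
    if ch == "Security" and eid == 4698 and ev.get("SubjectUserSid") == SYSTEM_SID:
        return "task_created_as_system"       # task registered by SYSTEM, not an admin
    if ch == "Security" and eid == 1102:
        return "security_log_cleared"         # audit log wiped
    if ch == "System" and eid == 104:
        return "event_log_cleared"            # per-channel wipe: selective clearing
    if ch.startswith("Microsoft-Windows-Windows Defender") and eid in (5001, 5010):
        return "defender_protection_disabled" # real-time / malware scanning disabled
    if (ch == "Security" and eid == 5145
            and ev.get("ShareName", "").upper().endswith("\\NETLOGON")
            and int(ev.get("AccessMask", "0x0"), 16) & WRITE_DATA
            and ev.get("RelativeTargetName", "").lower().endswith(STAGING_EXT)):
        return "netlogon_staging_write"       # executable written to NETLOGON
    return None

def score_hosts(lines, threshold=2):
    """Return {host: sorted tags} for hosts with at least `threshold` distinct signals."""
    tags = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        tag = classify(ev)
        if tag:
            tags[ev["Computer"]].add(tag)
    return {h: sorted(t) for h, t in tags.items() if len(t) >= threshold}

# Constructed sample: DC01 shows staging plus three tampering signals; WS07 only
# shows a user-created task and a read of a logon script, which stay benign.
SAMPLE_LOGS = [
    r'{"Computer":"DC01","Channel":"Security","EventID":5145,"ShareName":"\\\\*\\NETLOGON","RelativeTargetName":"update\\svc.exe","AccessMask":"0x2"}',
    r'{"Computer":"DC01","Channel":"Security","EventID":4698,"SubjectUserSid":"S-1-5-18","TaskName":"\\Maint"}',
    r'{"Computer":"DC01","Channel":"Microsoft-Windows-Windows Defender/Operational","EventID":5001}',
    r'{"Computer":"DC01","Channel":"System","EventID":104}',
    r'{"Computer":"WS07","Channel":"Security","EventID":4698,"SubjectUserSid":"S-1-5-21-1-2-3-1001","TaskName":"\\Backup"}',
    r'{"Computer":"WS07","Channel":"Security","EventID":5145,"ShareName":"\\\\*\\NETLOGON","RelativeTargetName":"logon.bat","AccessMask":"0x1"}',
]

if __name__ == "__main__":
    for host, found in score_hosts(SAMPLE_LOGS).items():
        print(host, found)   # DC01 with its four tags; WS07 is not reported
```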
Everything above points to the same gap: the threat data is public, but the work of filtering 119 posts down to the few that touch your domains, your brands, and your vendors, then matching those groups to the flaws on your own perimeter, is what nobody has time for on a Monday. That is the gap Scrutex closes. It surfaces only the leak site activity tied to you and your supply chain, and flags the exploited CVEs that sit on your external surface.
Start a free workspace at https://scrutex.ai/signup. No credit card. Five minutes to first signal.
See how Scrutex Threat Intelligence works: https://scrutex.ai/solution/threat
Frequently Asked Questions
How many ransomware attacks happened the week of June 2 to 8, 2026?
119 unique victim postings appeared on dark web leak sites in that window, across 31 distinct ransomware and extortion groups. This counts leak site postings, not all attacks. Many incidents are settled privately and never appear publicly.
Which ransomware group is most active right now?
The gentlemen led this week with 25 posts (21% of all volume), ahead of Qilin (15), INC Ransom (8), and Akira (8). The top 5 groups produced 51% of the week's total. NTT has separately ranked the gentlemen as one of the most active operators in recent reporting, second only to Qilin.
Why is the gentlemen growing so fast?
The brand opened to public affiliates in September 2025 and partnered with BreachForums to recruit penetration testers and access brokers. Microsoft tracks the operators as Storm-2697 and analyzed a self-propagating Go encryptor that pairs Curve25519 and XChaCha20 encryption with automated SMB-based spreading. The automation lets affiliates take a network from one foothold to full encryption with little manual work, which speeds up attacks and attracts operators from other brands.
Did Syngenta get hit by ransomware?
shadowbyt3$ posted a claim against Cropwise, a digital-farming platform tied to Syngenta Group, on June 2, listed as Data Leaked. The claim is unverified. Treat it as medium confidence until samples confirm the dataset and the Syngenta link.
What CVEs are these groups exploiting?
Mainly known edge and hypervisor flaws: Fortinet CVE-2024-21762 and CVE-2024-55591 (Qilin), Cisco CVE-2023-20269 and VMware ESXi CVE-2024-37085 (Akira), Citrix CVE-2023-3519 (INC Ransom), and Palo Alto CVE-2024-3400 (broad ransomware use). Credential reuse against patched-but-previously-exposed devices is a recurring theme. Qilin affiliates are also now exploiting CVE-2026-50751, a critical Check Point VPN authentication bypass disclosed June 8, 2026. Apply the Check Point hotfix if you run Remote Access VPN or Mobile Access on IKEv1.
What sectors should I worry about most this week?
Manufacturing (21 victims), Business Services (17), and Healthcare (16) led the sector mix, together more than 45% of all postings. The United States accounted for 38% of victims.
Where can I get this data in real time?
Scrutex Threat Insights surfaces ransomware leak site activity filtered to your organisation, brands, and vendors, so you see only the postings that touch your domains, brands, or supply chain.