Ransomware remains a persistent and disruptive threat to industrial organizations, continuing to impact critical operations and challenge the security and resilience of essential infrastructure. Following the record-high ransomware activity observed in 2025, ransomware pressure remained high into Q1 2026, reinforcing that ransomware targeting of industrial sectors has entered a sustained state in which adversaries focus on entities with the lowest tolerance for downtime.
In Q1 2026, Dragos, through analysis of publicly disclosed victim data and ransomware groups’ postings on Data Leak Sites (DLS), identified 1,020 ransomware incidents impacting industrial organizations worldwide, consistent with the elevated baseline observed in late 2025. Manufacturing, transportation, industrial control system (ICS) equipment manufacturers, and engineering firms once again represented the most affected sectors. North America continued to account for the majority of incidents, with nearly 500 reported victim organizations, reflecting ongoing alignment with nation-state objectives focused on victims outside the Commonwealth of Independent States (CIS). Europe remained the second-most-affected region, with more than 250 incidents, while activity across Asia, South America, and the Middle East remained comparatively lower but persistent.
Manufacturing continued to be the most heavily targeted sector in Q1 2026, accounting for 62% of all observed industrial ransomware victims. Construction‑related manufacturing, industrial-equipment producers, and food and beverage manufacturers were particularly affected, underscoring adversaries' continued focus on organizations where operational disruption can quickly translate into financial pressure. ICS‑adjacent organizations, including engineering firms, system integrators, and equipment suppliers, also remained a consistent target set, demonstrating ongoing supply chain‑driven victimization rather than a shift toward direct attacks on control systems themselves.
Dragos did not observe ransomware variants specifically engineered to manipulate industrial control protocols or process environments during Q1 2026. However, ransomware incidents continued to produce substantial operational consequences. Attacks affecting transportation and logistics providers, utilities, and manufacturing once again demonstrated how the loss of IT systems, Enterprise Resource Planning (ERP) platforms, and virtualization infrastructure can cascade into OT disruptions, safety risks, and extended downtime across industrial operations and supply chains. The continued convergence of IT and OT environments further amplified ransomware’s operational impact during Q1 2026. Disruptions originating in enterprise IT environments routinely affect engineering systems, production planning, and OT visibility, underscoring that ransomware does not require specialized ICS malware to meaningfully degrade industrial operations. Additionally, ransomware groups continued to leverage deceptive and coercive extortion practices, including exaggerated or unverified breach claims, complicating incident response, attribution, and stakeholder communications for affected organizations. Some ransomware attacks falsely adopt Middle Eastern or Russian narratives to delay or confuse attribution.
Ransomware groups and affiliates in Q1 2026 continued to rely on a combination of well‑established tactics, techniques, and procedures (TTPs). Persistent TTPs included credential theft, abuse of valid accounts, exploitation of remote access services, lateral movement via common enterprise protocols, and widespread use of double-extortion models involving data theft prior to encryption. While capabilities such as endpoint detection and response (EDR) evasion, VMware ESXi encryption, and selective or encryption‑less extortion had been introduced in earlier periods, Q1 2026 data indicate these techniques continue to be operationalized and normalized, rather than representing new or novel attacker innovation.
The ransomware ecosystem in Q1 2026 also continued to exhibit sustained, well-established affiliate activity. Similar to activity observed throughout 2025, Qilin and Akira accounted for the highest volume of ransomware claims against industrial organizations, with The Gentlemen, LockBit 5.0, and Play rounding out the top five operations impacting industrial organizations.
- Manufacturing organizations accounted for the largest share of victims, with 633 incidents across all subsectors.
- ICS-related organizations (engineering firms, system integrators, and equipment manufacturers) accounted for 139 incidents, underscoring persistent exposure in the OT ecosystem. Industrial supply chains remain prime targets for ransomware.
- Transportation and logistics entities experienced 87 incidents, making this industry the third most impacted sector in Q1 2026.
- North America and Europe remained the most affected regions, collectively accounting for more than half of all observed victims.
- A small number of ransomware groups accounted for a disproportionate share of activity, with Qilin, Akira, and The Gentlemen responsible for the largest victim volumes in Q1.
- Geopolitical events continue to shape the ransomware landscape. Historically, most large ransomware ecosystems cluster in jurisdictions with minimal or politically constrained law enforcement pressure, particularly when victims are foreign entities. This drives higher victim counts in regions with poor relations with the ransomware affiliate’s home country.
Established and Emerging Groups
Qilin continued to demonstrate sustained, high-volume activity across all industrial sectors in Q1 2026. Qilin has now been the top ransomware brand impacting industrial organizations since March 2025. This shift began in early 2025: following law enforcement disruptions within legacy ransomware ecosystems, particularly LockBit and RansomHub, Qilin solidified its position by aggressively recruiting displaced, highly skilled affiliates. While Dragos noted LockBit’s return to the ransomware ecosystem in Q3 2025, “LockBit 5.0” has not outpaced Qilin’s impact. Akira remained the second most prolific group, heavily focused on manufacturing and industrial services, particularly in North America and Europe. Qilin and Akira operate under the highly popular Ransomware-as-a-Service (RaaS) model.
While not the most abundant group in Q1, The Gentlemen operation warrants attention from network defenders. The Gentlemen operation accounted for 83 incidents in Q1 2026, a sharp increase from the 18 incidents claimed in Q4 2025. The Gentlemen RaaS operation is a relatively new group that emerged around mid-2025. The operators advertise their services across multiple underground forums, promoting their ransomware platform and inviting penetration testers (and other technically skilled actors) to join as affiliates. Like most other RaaS operations, The Gentlemen operates a double-extortion model. After gaining access to a victim’s network, the attackers exfiltrate sensitive data, encrypt systems, and threaten to publish stolen information on leak sites if ransom demands are not met. This approach increases pressure by combining operational disruption with reputational and regulatory risk. Like many ransomware affiliate programs, The Gentlemen states in its dark web advertisements that it prohibits targeting organizations in Russia and CIS countries.
The Gentlemen’s targeting strategy emphasizes high-impact environments where enterprise access, shared systems, and operational dependency allow the group to maximize the effectiveness of its double-extortion model. This profile indicates disciplined, repeatable enterprise compromise workflows. There is no evidence of ICS-specific malware, OT protocol manipulation, or direct exploitation of control systems. Instead, operational impact occurs when ransomware is deployed on Windows or Linux servers hosting enterprise applications that support OT functions. The attackers gain entry by exploiting internet-exposed services or compromising administrative credentials, including those for exposed firewall and VPN management interfaces. The RaaS provides affiliates with multi‑OS lockers for Windows, Linux, NAS, and BSD, implemented in Go, and an additional locker for ESXi implemented in C.
In line with broader ecosystem trends, The Gentlemen ransomware strain is capable of ESXi encryption, where affiliates shut down virtual machines on ESXi hosts to make their attack more effective and efficient. According to recent Mandiant reporting, in 43% of ransomware intrusions the company responded to in 2025, adversaries were observed targeting virtualization infrastructure (an increase from 29% in 2024). Industry reporting on The Gentlemen intrusions notes the affiliates’ use of AnyDesk, EDR disablement, and deletion of shadow copies, which are a primary mechanism for recovering encrypted files. Processes targeted for termination by The Gentlemen ransomware include those belonging to VMware/Hyper-V, Veeam, SAP, and remote access tooling (e.g., TeamViewer), among others.
Ransomware Driven by Geopolitical Events
Most large ransomware ecosystems historically clustered in jurisdictions with minimal or politically constrained law enforcement pressure, particularly when victims are foreign entities. According to reporting by the U.S. government, a disproportionate number of ransomware groups are linked to Russia and Iran and prohibit targeting of Russian businesses. States do not need to task or command ransomware groups for geopolitical benefit; selective law enforcement activity alone is enough to shape outcomes.
In late December 2025, Complexul Energetic Oltenia (Oltenia Energy Complex), Romania’s largest coal-based power producer, disclosed a ransomware incident attributed to The Gentlemen ransomware group. The organization operates multiple lignite-fired power plants and mining operations that form a significant component of Romania’s domestic energy supply. Public reporting indicates that the intrusion encrypted enterprise IT systems, rendering several critical business applications temporarily unavailable. Affected systems included the company’s ERP environment, document management platforms, corporate email infrastructure, and public-facing website. These systems support procurement, financial management, maintenance coordination, internal communications, and administrative workflows across generation and mining sites. The company confirmed that certain operational activities were partially affected; however, electricity generation and national grid supply remained stable. There were no reported interruptions to plant control systems, turbine management, Supervisory Control and Data Acquisition (SCADA) environments, or other industrial control processes. Romanian authorities and the company both emphasized that core generation assets and operational technology networks were not compromised. The Gentlemen later claimed to have data belonging to the organization on its DLS.
Similarly, in December 2025, Romanian Waters (Administrația Națională Apele Române), the country’s national water management authority, announced that it had been the victim of a ransomware attack that left staff locked out of approximately 1,000 computer systems. The company stated that the attack affected equipment ranging from workstations to servers, but noted that operational technologies, including hydrotechnical infrastructure such as dams and flood defenses, were unaffected. Romanian authorities’ initial technical assessment was that the attackers used the legitimate Windows tool BitLocker to attempt to extort the organization. The incident has not been linked to any known adversary or ransomware operation.
The incidents affecting Romania’s critical infrastructure continued into Q1 2026, when Romania’s national oil pipeline operator, Conpet, said a cyberattack disrupted parts of its technology infrastructure and took its website offline in February 2026. Conpet operates approximately 2,360 miles of pipelines that supply domestic and imported crude oil and petroleum products to refineries across Romania. The company stated its OT systems, including its SCADA and telecommunications systems, remained fully functional. Conpet has not publicly identified the attackers or confirmed a data breach. However, the Qilin ransomware group listed the company on its DLS, claiming it had stolen nearly 1 terabyte of data. The group has also published images of alleged internal documents, financial records, and passport scans.
Following ransomware attacks on critical infrastructure in late 2025 and early 2026, Romanian government officials publicly stated that their country was facing increased cyber intrusions by both ransomware gangs and state-backed hackers, many of whom were believed to have ties to Moscow. Romania is a member of NATO and the EU and supports Ukraine.
Geopolitical events not only shape the targets sought by ransomware groups; some brands also intensify their targeting in response to heightened tensions rather than to typical cybercriminal market incentives. Renewed activity from Pay2Key was observed in July 2025 following the Israel-Iran conflict and U.S.-led airstrikes against Iran’s nuclear sites. Pay2Key, an Iranian-backed RaaS operation, offered increased profit-sharing to affiliates supporting Iran or participating in attacks against the enemies of Iran, signaling their ideological commitment. Crucially, Pay2Key activity has consistently intensified during periods of geopolitical tension involving Iran, with victim selection and attack timing closely aligned to real‑world events. According to open-source reporting, in June 2025, the Pay2Key operator shared posts on underground forums offering increased profit shares, from 70% to 80%, to incentivize affiliates to specifically target entities within Israel and the U.S. in support of the Israel-Iran conflict.
The group does not consistently prioritize ransom payment over disruption of the victim environment, reinforcing assessments that strategic and political motivations, rather than purely financial gain, play a central role in its operations. Industry reporting on an early 2026 intrusion at a U.S. healthcare entity also revealed deviations from prevailing ransomware trends, notably the absence of data exfiltration, suggesting objectives beyond the traditional double-extortion tactics employed by many other groups. Technical details published in open-source reporting indicate that Pay2Key affiliates gained access through a compromised administrator account approximately seven days before active intrusion began, suggesting the access was likely purchased from an initial access broker (IAB) or intentionally retained while the attacker conducted additional reconnaissance. Initial internal activity included using TeamViewer on a compromised host, consistent with hands-on-keyboard staging prior to ransomware deployment. The timing of the intrusion was closely aligned with the start of the U.S./Israel-Iran conflict in Q1 2026.
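The Pay2Key sequence above, an administrator account that sits dormant for about a week and then reappears followed by remote access tooling, is detectable from authentication and process telemetry alone. The following Python correlation is an added illustration written for this section; it is not Dragos tooling or code from the reporting cited. The timeline entries, the `CORP\adm_` naming convention used to recognize administrative accounts, the seven-day idle threshold, and the 24-hour correlation window are all constructed assumptions; the remote access tool names are those the report mentions.

```python
from datetime import datetime, timedelta

# Constructed timeline of (timestamp, account, kind, detail) records merged
# from authentication logs ("logon") and process-creation logs ("process").
SAMPLE_TIMELINE = [
    ("2026-02-20T08:03:00", "CORP\\adm_legacy", "logon", "interactive"),
    ("2026-03-01T09:00:00", "CORP\\adm_daily", "logon", "rdp"),
    ("2026-03-01T22:41:00", "CORP\\adm_legacy", "logon", "rdp"),  # first use after ~9 idle days
    ("2026-03-01T22:49:00", "CORP\\adm_legacy", "process", "TeamViewer.exe"),
    ("2026-03-02T07:55:00", "CORP\\ops_user", "logon", "interactive"),
    ("2026-03-02T08:10:00", "CORP\\ops_user", "process", "excel.exe"),
    ("2026-03-02T09:00:00", "CORP\\adm_daily", "logon", "rdp"),
    ("2026-03-02T09:05:00", "CORP\\adm_daily", "process", "TeamViewer.exe"),
]

# Assumed naming convention for privileged accounts (constructed, lowercase).
ADMIN_PREFIX = "corp\\adm_"
# Remote access tools named in the report, compared case-insensitively.
REMOTE_ACCESS_TOOLS = {"teamviewer.exe", "anydesk.exe", "simplehelp.exe"}


def correlate(timeline, idle_days=7, window_hours=24):
    """Flag admin logons that follow at least `idle_days` of silence from the
    same account, and list any remote access tool launched by that account
    within `window_hours` afterwards. Accounts seen for the first time are
    not flagged, because there is no baseline to measure an idle gap against."""
    events = sorted(timeline, key=lambda e: e[0])
    last_logon = {}
    alerts = []
    for ts, user, kind, _detail in events:
        if kind != "logon":
            continue
        t = datetime.fromisoformat(ts)
        prev = last_logon.get(user)
        last_logon[user] = t
        if prev is None or not user.lower().startswith(ADMIN_PREFIX):
            continue
        idle = t - prev
        if idle < timedelta(days=idle_days):
            continue
        deadline = t + timedelta(hours=window_hours)
        tools = [
            d for ts2, u2, k2, d in events
            if u2 == user and k2 == "process" and d.lower() in REMOTE_ACCESS_TOOLS
            and t <= datetime.fromisoformat(ts2) <= deadline
        ]
        alerts.append({"user": user, "logon_at": ts, "idle_days": idle.days,
                       "remote_tools": tools})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_TIMELINE):
        print(alert)
```

Only `CORP\adm_legacy` is flagged: its logon comes nine days after its previous one and TeamViewer starts eight minutes later. `CORP\adm_daily` launches the same tool but logged on the day before, so it stays below the idle threshold; the tool launch alone is not the signal, the dormant-then-active pattern is. In a real deployment the logon baseline would come from months of history rather than the short constructed window here.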
Rapid Vulnerability Exploitation for Initial Access
Ransomware affiliates continue to consistently use recently disclosed vulnerabilities to obtain initial access to victim networks. For example, Medusa ransomware quickly capitalizes on vulnerability disclosures during the period between disclosure and patch availability or adoption, exploiting the time when many organizations remain unprotected. According to open-source reporting, Medusa (also tracked as Storm-1175) has weaponized exploits for disclosed vulnerabilities in as little as one day, as was the case for CVE-2025-31324 impacting SAP NetWeaver: the security issue was disclosed on 24 April 2025, and Microsoft observed exploitation soon after on 25 April. After initial access, Medusa establishes persistence by creating new user accounts, deploying various tools, including remote monitoring and management (RMM) tooling for lateral movement, and conducting credential theft, before tampering with security solutions and deploying ransomware throughout the compromised environment. Medusa heavily relies on RMM tools during post-compromise activity, including: Atera, Level, N-able, DWAgent, MeshAgent, ConnectWise ScreenConnect, AnyDesk, and SimpleHelp. Reliance on these tools post-compromise is common across the ransomware ecosystem.
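The pre-encryption staging steps described for The Gentlemen (shadow copy deletion, disabling backup, virtualization and EDR services, unsanctioned remote access tools) and the RMM-tool reliance described above for Medusa share one detection surface: host process-creation telemetry. The following Python is an added illustration written for this report, not Dragos tooling or code recovered from any group. The pipe-delimited event lines, host and account names, and the allowlist that sanctions only ScreenConnect are constructed assumptions; the binary names are derived from the tools the report names (AnyDesk, TeamViewer, SimpleHelp, MeshAgent, DWAgent, Atera, ScreenConnect) and from the Veeam, SAP and VMware/Hyper-V processes listed as termination targets.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation records (Sysmon Event ID 1 style).
# Fields: host | user | parent image | command line
SAMPLE_EVENTS = [
    "PLANT-ERP01 | CORP\\svc_backup | services.exe | C:\\Program Files\\Veeam\\Backup\\Veeam.Backup.Service.exe",
    "PLANT-ERP01 | CORP\\jdoe | cmd.exe | vssadmin.exe delete shadows /all /quiet",
    "PLANT-ERP01 | CORP\\jdoe | cmd.exe | wmic shadowcopy delete",
    "ENG-WS07 | CORP\\mlee | explorer.exe | C:\\Users\\mlee\\Downloads\\AnyDesk.exe",
    "ENG-WS07 | CORP\\mlee | AnyDesk.exe | cmd.exe /c net stop VeeamBackupSvc",
    "HIST-SRV02 | CORP\\svc_sap | sapstartsrv.exe | C:\\SAP\\disp+work.exe",
    "HIST-SRV02 | CORP\\mlee | powershell.exe | powershell -nop -w hidden Stop-Service -Name SAPHostExec",
    "ENG-WS07 | CORP\\it_admin | explorer.exe | C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe",
]

# RMM binaries named in the report. The allowlist is a constructed policy
# for this example: only ScreenConnect is sanctioned in this organization.
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "simplehelp.exe", "meshagent.exe",
                "dwagent.exe", "screenconnect.clientservice.exe", "ateraagent.exe"}
SANCTIONED_RMM = {"screenconnect.clientservice.exe"}

# Built-in Windows commands used to remove Volume Shadow Copies.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
# Substrings of backup/virtualization/ERP services the report lists as targets.
PROTECTED_SERVICE_HINTS = ("veeam", "sap", "vmware", "vmms", "hyper-v")
STOP_SERVICE_PATTERN = re.compile(r"(net\s+stop|stop-service|sc(\.exe)?\s+stop|taskkill)\s", re.I)


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    command: str


def parse_event(line):
    host, user, parent, cmd = [p.strip() for p in line.split("|", 3)]
    return host, user, parent, cmd


def image_name(cmd):
    """Basename of the launched image, lowercased. Handles quoted or unquoted
    paths containing spaces by taking everything up to the first '.exe'."""
    m = re.match(r'^\s*"?([^"]*?\.exe)"?(?:\s|$)', cmd, re.I)
    token = m.group(1) if m else cmd.split()[0]
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    findings = []
    for line in events:
        host, user, _parent, cmd = parse_event(line)
        img = image_name(cmd)
        if any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
            findings.append(Finding(host, user, "shadow_copy_deletion", cmd))
        if img in RMM_BINARIES and img not in SANCTIONED_RMM:
            findings.append(Finding(host, user, "unsanctioned_rmm", cmd))
        if STOP_SERVICE_PATTERN.search(cmd) and any(h in cmd.lower() for h in PROTECTED_SERVICE_HINTS):
            findings.append(Finding(host, user, "protected_service_stop", cmd))
    return findings


def hosts_with_staging_chain(findings):
    """Hosts where an unsanctioned RMM tool appeared together with shadow copy
    deletion or a protected-service stop: the pre-encryption staging pattern."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items()
                  if "unsanctioned_rmm" in rules
                  and rules & {"shadow_copy_deletion", "protected_service_stop"})


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:12} {f.user:18} {f.rule:24} {f.command}")
    print("staging chain on:", hosts_with_staging_chain(found))
```

Run on the constructed sample, the shadow copy rule fires twice on PLANT-ERP01, the unsanctioned RMM rule once for AnyDesk on ENG-WS07, and the service-stop rule for the Veeam and SAP stops; the sanctioned ScreenConnect launch produces nothing. Only ENG-WS07 shows the chained pattern, which is the host a responder would isolate first. A production version would read the image path field of Sysmon Event ID 1 or Windows Event 4688 directly rather than deriving it from the command line, and would treat the parent image (here AnyDesk spawning the `net stop`) as an additional correlation key.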
Data Theft
Ransomware has shifted from encryption-only attacks to data theft‑led extortion, while stolen credentials have become the dominant initial access mechanism. Initial Access Brokers (IABs) routinely sell valid enterprise access on dark web marketplaces to enable others active within the ransomware ecosystem.
Modern campaigns increasingly follow this flow:
Infostealer infection → credential markets / IABs → rapid enterprise access → data exfiltration → extortion (sometimes without encryption)
This evolution is driven by organizations being better prepared with backups and lower ransomware payment rates. Backups reduce operational impact but do nothing to address regulatory exposure, litigation risk, or reputational damage, leaving stolen data as an adversary’s most reliable leverage. According to recent Mandiant reporting, 77% of analyzed ransomware intrusions in 2025 included suspected data theft, a notable uptick from 57% in 2024.
Aside from sensitive data such as PII pertaining to an organization’s personnel and customers, data exfiltration is even more concerning when operational data is at stake. For example, electric utilities frequently rely on third‑party engineering and consulting firms for grid planning, protection engineering, modeling, and asset lifecycle management, necessitating access to sensitive operational datasets. These firms represent attractive targets, as compromising a single provider can yield data spanning multiple utilities, amplifying downstream operational and systemic risk. This is further evidenced by the alleged breach at Pickett and Associates (Pickett USA) in Q1 2026. Pickett USA is an engineering firm that works with electric utility companies, providing transmission, distribution, and substation design, surveying, aerial mapping, and LiDAR services. While not an electric utility itself, Pickett and Associates held extensive engineering data for three major United States electric utilities, including transmission and distribution power line design, aerial surveying, and LiDAR data. The data was purportedly extorted and put up for sale, which presents an operational risk, as this sensitive information would give an adversary in-depth insight into the utilities’ current operations and design.
In the first quarter of 2026, ransomware attacks continued to disrupt operations at industrial organizations, leading to operational halts, financial losses, and compromised data integrity. Notable incidents included:
Conpet
Date: February 2026
Impact: Romania’s national oil pipeline operator, Conpet, confirmed a cyberattack that disrupted parts of its corporate IT environment and temporarily took its public website offline. According to Conpet, the incident affected internal business systems but did not impact operational technologies, including SCADA systems, telecommunications infrastructure, or pipeline control environments. Oil and petroleum product transport operations were reported to continue normally throughout the incident. The company stated that it initiated an investigation in coordination with national authorities and filed a criminal complaint. Public disclosures emphasized that critical operational systems remained isolated and functional, with on-site staff maintaining continuity of pipeline operations. Following Conpet’s announcement, the Qilin ransomware group claimed responsibility for the intrusion on its data leak site, alleging the exfiltration of nearly 1 TB of internal documents and publishing samples as proof of compromise. Conpet had not publicly confirmed the authenticity, scope, or sensitivity of the data claimed by the attackers. While no ICS or OT manipulation was reported and pipeline operations continued uninterrupted, this incident reflects a recurring ransomware pattern in the energy sector where adversaries focus on enterprise IT disruption and data theft claims to apply pressure. Even when operational systems remain isolated, disruption to corporate services and uncertainty around data exposure can introduce operational friction, regulatory scrutiny, and reputational risk for critical infrastructure operators.
City of Minot
Date: March 2026
Impact: City of Minot (Municipal Water Treatment Plant, North Dakota, United States) confirmed that its water treatment plant was impacted by a ransomware incident that affected certain computer systems within the facility’s network. Upon detection, officials activated incident response procedures, isolated affected systems, and engaged external cybersecurity specialists to support forensic investigation and recovery efforts. Public reporting indicates that administrative and network-connected systems were disrupted; however, city officials stated there was no evidence of interference with treatment processes, chemical dosing systems, or water distribution controls. Water treatment and delivery services reportedly continued without interruption, with plant operations maintained under enhanced monitoring conditions while IT systems were assessed and restored. No confirmed OT manipulation was reported, and no ransomware group has publicly claimed responsibility at this time.
In Q1 2026, ransomware activity impacting industrial organizations remained steady across all regions, reinforcing the global and persistent nature of the threat. Manufacturing, construction, and engineering continued to be targeted worldwide. North America remained the most impacted region by a wide margin, while Europe and Asia also saw notable activity. South America, the Middle East, Africa, and Australia/New Zealand experienced lower overall volumes, but continued to face consistent, opportunistic targeting of industrial organizations.
Regional Distribution
North America: Recorded 480 incidents in Q1 2026 (down from the 639 recorded in Q4 2025) but still maintaining its position as the most impacted region. Activity was driven by sustained targeting of industrial organizations across manufacturing, construction, engineering, transportation, and government sectors. The region’s high concentration of mid-market industrial firms, widespread use of remote access, and reliance on production-supporting IT systems continue to make it an attractive target for ransomware affiliates.
Europe: Reported 252 incidents, remaining the second-most impacted region. Activity continued to concentrate in industrially dense countries with strong manufacturing and engineering bases. Interconnected supply chains and cross-border operations contributed to Europe’s continued exposure during the quarter.
Asia: Documented 137 incidents this quarter, slightly up from the 113 in Q4 2025, reflecting continued growth compared to earlier quarters. Ransomware activity in the region primarily affected manufacturing, electronics, telecommunications, and logistics organizations. Taiwan and Japan notably led this region in the volume of incidents.
South America: Experienced 59 incidents, with targeting focused on manufacturing, construction, chemicals, and food production.
The Middle East: Recorded 54 incidents, with activity affecting construction, manufacturing, energy, and telecommunications organizations. While overall volume remained lower than in North America and Europe, the region’s strategic industrial assets and ongoing digital transformation continue to attract the attention of ransomware operators.
The ANZ region: Observed 19 incidents, primarily impacting manufacturing, engineering, and industrial equipment suppliers. Although activity levels were comparatively low, dependence on remote connectivity and geographically distributed operations remained a consistent risk factor.
Africa: Recorded 19 incidents. While reporting volume remained limited, the presence of industrial victims across multiple countries reflects continued opportunistic targeting of emerging markets.
Ransomware activity in Q1 2026 continued to significantly impact industrial organizations, reinforcing adversaries’ sustained focus on sectors with tight operational dependencies and low tolerance for downtime. Manufacturing remained the most heavily targeted sector by a wide margin, while transportation and ICS equipment and engineering providers continued to experience persistent activity. Energy-related sectors, including oil and natural gas and electric utilities, also remained consistently targeted throughout the quarter.
Manufacturing
Manufacturing was the most heavily impacted sector in Q1 2026, with 633 claimed victim organizations spanning a wide range of subsectors. Suppliers of building materials, construction services, and specialty contractors were repeatedly targeted, consistent with their reliance on ERP systems, distributed locations, and tight project timelines.
Breakdown of Manufacturing Subsectors:
- Construction: 152 incidents
- Equipment: 116 incidents
- Food and beverage: 57 incidents
- Electronic: 46 incidents
- Metals: 44 incidents
- Consumer: 38 incidents
- Automotive: 35 incidents
- Chemical: 24 incidents
- Packaging: 23 incidents
- Aerospace: 19 incidents
- Pharma: 19 incidents
- Textile: 16 incidents
- Plastics: 15 incidents
- Healthcare, paper, semiconductor, defense, glass, maritime, recycling, and rubber: 10 or fewer incidents each
Industrial Control System (ICS) Ecosystem
Organizations directly supporting OT environments, including engineering services, integrators, and ICS equipment manufacturers, experienced 139 ransomware incidents in Q1 2026.
Breakdown of ICS Subsectors:
- ICS Equipment: 49 incidents
- ICS Engineering: 90 incidents
Transportation and Logistics
These organizations remain attractive targets due to their dependence on scheduling platforms, reservation systems, fleet management software, and time-sensitive operations. Disruption in these sectors often creates immediate, cascading effects that extend well beyond the victim organization itself. Of the 87 transportation-related incidents observed in Q1, activity was distributed across the following subsectors.
Breakdown of Transportation Subsectors:
- Logistics: 50 incidents
- Aviation: 20 incidents
- Maritime: 13 incidents
- Rail: 4 incidents
Government, Energy, and Utilities
Government entities accounted for 42 incidents, largely at the municipal and regional level.
Electric utilities (15 incidents) and water utilities (6 incidents) continued to appear in ransomware victim disclosures, although at lower volumes than manufacturing and transportation.
Oil and Natural Gas (ONG) experienced 39 incidents, demonstrating persistent targeting of upstream, midstream, and downstream energy organizations, as well as the service providers that support them.
Renewable energy organizations (10 incidents) and mining organizations (12 incidents) were also impacted, indicating continued adversary interest in energy production and resource extraction environments.
Dragos’ analysis of ransomware activity in Q1 2026 shows a continued shift toward ecosystem consolidation, with long-standing ransomware brands like Qilin and Akira leading in the number of incidents claimed. While a variety of small and short-lived ransomware brands remained active, the majority of impactful activity continued to be generated by a relatively small number of established, consistently active RaaS operations.
Several dominant groups expanded their operational tempo during the quarter, while many emerging or rebranded identities remained low-volume and operationally limited:
- Qilin: Recorded 198 incidents, making it the most active ransomware operation impacting industrial organizations for the last year. Qilin’s sustained dominance reflects a mature and stable affiliate ecosystem, continued exploitation of internet-facing infrastructure, and persistent targeting of manufacturing, construction, and supply chain-dependent environments.
- Akira: Reported 100 incidents, remaining one of the most consistently active groups targeting industrial organizations. Activity continued to align with previously observed tradecraft, including the abuse of VPN infrastructure, credential compromise, and the rapid encryption of production-supporting IT systems.
- The Gentlemen: Accounted for 83 incidents, a sharp increase from the 18 incidents claimed in Q4 2025.
- LockBit 5.0: Accounted for 71 incidents, reflecting a partial resurgence in activity following law enforcement disruptions in late 2024/early 2025.
- PLAY: Recorded 53 incidents, demonstrating consistent activity compared to earlier quarters.
- INC Ransom: Recorded 52 incidents, continuing to benefit from affiliate migration and maintaining broad targeting across manufacturing, ICS engineering and equipment entities, and government.
- DragonForce: Recorded 45 incidents.
- NightSpire: Accounted for 41 incidents.
- Sinobi: Accounted for 34 incidents.
- Emerging and Mid-Volume Groups: Groups such as Coinbase Cartel (25), CL0P (23), Everest (21), Lynx (21), SAFEPAY (19), and Tengu (16) contributed to leak site volume but did not approach the scale or consistency of dominant RaaS operations.
- Lower-Volume and Peripheral Groups: A broad set of groups, including Payouts King, Payload, Eraleignews, Genesis, Medusa, AiLock, Gunra, Nitrogen, and World Leaks, recorded fewer than 15 incidents each. Some of these adversaries continued to populate the ransomware ecosystem, often appearing briefly with limited operational maturity. However, high-impact operations like Medusa have a significant impact on the U.S. healthcare sector, which is out of scope for this report. Despite lower numbers in industrial sectors this quarter, Medusa remains an opportunistic and skilled threat.
As illustrated in Figure 5, ransomware activity continues to consolidate, with Qilin leading the charge against industrial organizations over the last year. This reinforces the assessment that ransomware activity in the industrial sector continues to be driven primarily by a small number of reliable, affiliate-supported RaaS operations, rather than by broad ecosystem fragmentation or brand proliferation.
The ransomware threat facing industrial organizations shows no signs of waning. Risk to industrial organizations is being shaped less by novel ICS-specific malware and more by adversaries’ deepening focus on the enterprise IT systems that underpin operational technology environments. Platforms such as ERP systems, manufacturing execution systems (MES), virtualization infrastructure, identity services, and remote access gateways represent high-value targets precisely because disrupting them can rapidly cascade into production shutdowns and supply chain impacts. Organizations should assume that all internet-facing assets are discoverable and actively sought by adversaries, making continuous external attack surface management a necessity. The consistent abuse of compromised credentials and remote management tools, including SimpleHelp, AnyDesk, and TeamViewer, underscores the importance of credential hygiene, MFA enforcement, and strict tooling policies. Ultimately, the organizations best positioned to withstand the evolving ransomware threat are those that treat security not as a series of reactive patches but as a continuous operational discipline, spanning both IT and OT domains, accounting for third-party and vendor connectivity, and keeping pace with adversary adaptations.
- Dark Web Profile: The Gentleman Ransomware – SOCRadar
- The Gentlemen Ransomware Exposed on Russian Proton66 Server: Complete Toolkit, Victim Credentials, and Ngrok Tokens – Hunt.io
- Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape – Mandiant
- Romanian Energy Provider Hit by Gentlemen Ransomware Attack – BleepingComputer
- Press Release – Administrația Națională Apele Române
- Romanian National Water Agency Hit by BitLocker Ransomware Attack – The Record
- Romania’s Oil Pipeline Operator Confirms Cyberattack as Hackers Claim Data Theft – The Record
- Romania Under Daily Barrage of Cyberattacks, Defense Minister Says – The Record
- Ransomware Gangs Advancing Moscow’s Geopolitical Aims, Romanian Cyber Chief Warns – The Record
- Pay2Key’s Resurgence: Iranian Cyber Warfare Targets the West – Morphisec
- Pay2Key Iranian-Linked Ransomware is Back, Back Again – Halcyon
- Storm-1175 Focuses Gaze on Vulnerable Web-Facing Assets in High-Tempo Medusa Ransomware Operations – Microsoft
- Hackers Hit Minot Water Treatment Plant Server in Ransomware Case, FBI Investigating – KXNET