
S6 RANSOMWARE SIGNAL
Week of March 31 – April 6, 2026 | Published by S6 Tech
⚡ 60-SECOND VERSION
Biggest threat: Device code phishing attacks surged 3,700% this year, and they bypass your MFA completely.
Why it matters: Attackers trick employees into entering a code on Microsoft's legitimate login page, handing over full account access without ever stealing a password.
Do this now: Block device code authentication in Microsoft 365 (5 minutes, free). The steps are in the "Just Do This" section below.
📋 EXECUTIVE SUMMARY
1. Microsoft confirmed a China-linked ransomware group is exploiting vulnerabilities within 24 hours of public disclosure. Storm-1175 weaponized a SAP NetWeaver flaw the day after it went public; your patch window has collapsed from weeks to hours.
2. A new threat actor called "The Gentlemen" posted 52 victims this week, 53.6% of all disclosed ransomware victims globally. They're running a hyperactive mass-posting campaign targeting mid-market manufacturing, retail, and professional services firms.
3. Water and wastewater engineering firms face elevated risk: Akira posted 3 US-based engineering consultancies in 24 hours with 76GB of combined stolen data including employee passports and driver's licenses.
📊 METRICS & INTELLIGENCE
| Metric | This Week | What It Means |
|---|---|---|
| Total Disclosed Victims | 97 | Ransomware activity remains elevated; one actor responsible for over half |
| Active Threat Actors | 19 | Fragmented ecosystem; smaller crews harder to track |
| Device Code Phishing Volume | ↑ 3,700% | MFA-bypass attacks now mainstream; budget for hardware keys |
| Storm-1175 Time-to-Ransomware | <24 hours | Patch windows collapsed; need emergency protocols, not monthly cycles |
| AI-Enhanced Phishing Click Rate | 54% (vs 12% baseline) | AI-crafted lures are 4.5× more effective; training alone won't solve this |
US-based organizations accounted for 8 victims (8.2%), tied with Thailand at 8; Italy followed with 7, and the rest were scattered across 20+ countries.
🚨 ACTIVE CAMPAIGNS
AI-Enabled Device Code Phishing 🏢
268+ organizations and 100+ MSPs confirmed compromised
What it does: Attackers send AI-generated phishing emails with role-specific lures (fake RFPs, invoices, voicemails). When victims click, they see a device code and get directed to Microsoft's real login page. Once they enter the code, attackers capture the session token and gain full account access, even with MFA enabled.
Why it matters: This attack uses Microsoft's legitimate infrastructure against you. Traditional MFA doesn't help because the victim genuinely authenticates on the real site; the resulting token is simply issued to the sign-in session the attacker started. Compromised accounts are used for email exfiltration, inbox rule manipulation to hide activity, and wire transfer fraud targeting employees with financial authority.
Source: Microsoft Security Blog, Huntress | Note: With 100+ MSPs compromised, downstream client exposure remains a concern, though no confirmed pivots have been reported yet.
Storm-1175 / Medusa Ransomware Blitz 🏢
China-linked group weaponizing vulnerabilities within 24 hours
What it does: Storm-1175 exploits internet-facing vulnerabilities in file transfer and remote support software within 24-48 hours of public disclosure. Current targets include CrushFTP, GoAnywhere MFT, SimpleHelp, SmarterMail, and BeyondTrust. They've demonstrated zero-day capability, exploiting SmarterMail one week before the vendor announced the flaw.
Why it matters: Microsoft reports attacks progressing from initial breach to ransomware deployment in under 24 hours. Victims face double extortion: encrypted systems plus data theft with leak threats. Healthcare, education, and professional services organizations with $50M-$500M revenue are most affected.
Source: Microsoft Security Blog | Note: Microsoft assesses Storm-1175's zero-day capability reflects either evolved internal development or access to exploit brokers; the source remains unconfirmed.
Starkiller Phishing-as-a-Service 🏢
Real-time proxy captures passwords, MFA codes, and session tokens
What it does: Starkiller acts as an invisible proxy: it loads the actual login page from Microsoft or Google, sits between you and the real site, and records everything. The attacker's link looks like "login.microsoft.com@[malicious-url]". The @ symbol is the trick: everything before it is treated as a username, so your browser connects to the host after it.
Why it matters: Traditional detection methods (blocking known phishing domains, scanning for fake login pages) don't work because the page is real. Session tokens captured allow immediate account takeover even after password resets.
Source: KrebsOnSecurity | Note: Starkiller operates as a subscription service with monthly fees, updates, and Telegram support; similar kits run ~$120/month.
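The "@" trick above is easy to check for mechanically, because a standards-compliant URL parser discards the userinfo part just as the browser does. The following is an added example written for this edition (it is not Starkiller code and not from any of the cited sources): it resolves the host a link will really load, flags links whose userinfo prefix impersonates a trusted sign-in host, and scans a constructed sample email body. The trusted-host allow-list and the sample message are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Hosts we treat as legitimate sign-in pages (assumed allow-list for the example).
TRUSTED_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "accounts.google.com"}

# Crude http(s) link extractor for message bodies.
URL_RE = re.compile(r"""https?://[^\s<>"')]+""")

# Constructed sample email for the demo; the malicious link uses the userinfo trick.
SAMPLE_EMAIL = """\
Hi, the Q2 RFP is ready for review.
Sign in here: https://login.microsoft.com@evil.example/common/oauth2/authorize?x=1
Our legitimate portal is https://login.microsoftonline.com/ if you need it.
"""


def effective_host(url: str) -> str:
    """Host the browser actually connects to. Anything before '@' in the
    authority is userinfo (a username), not part of the hostname."""
    return (urlsplit(url).hostname or "").lower()


def userinfo_spoof(url: str, trusted=TRUSTED_HOSTS):
    """Return a reason string if the link hides its real host behind a
    trusted-looking userinfo prefix (or carries any userinfo at all); None if clean."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return None
    userinfo = netloc.rsplit("@", 1)[0].lower()
    host = effective_host(url)
    for name in trusted:
        if name in userinfo and host != name:
            return f"userinfo '{userinfo}' impersonates {name}; browser will load {host}"
    return f"unexpected userinfo '{userinfo}' in link; browser will load {host}"


def scan_links(text: str):
    """Extract every http(s) link from a message body and return
    [(url, reason)] for the ones that use the userinfo trick."""
    return [(u, r) for u in URL_RE.findall(text) if (r := userinfo_spoof(u))]
```

Plain userinfo in a link to a login page is almost never legitimate, so the function reports any "@" in the authority, not only impersonation of a listed host; that keeps the check useful against kits that pick a trusted name not on your list.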
✅ JUST DO THIS
Block Device Code Authentication Flow
⏱️ 5 minutes | 💰 Free (requires Microsoft 365 admin access)
Why now: The 37× surge in device code phishing attacks is actively targeting Microsoft 365 organizations. This single setting stops the entire attack chain.
| Platform | Steps |
|---|---|
| Microsoft 365 | Entra Admin Center → Protection → Conditional Access → New Policy → Name it "Block Device Code" → Users: All users → Conditions → Authentication flows → Device code flow: Yes → Grant: Block → Enable policy |
| Google Workspace | Not applicable—Google doesn't use this authentication flow |
| Other | Review any applications using OAuth device authorization grants and disable where not required |
Verify it worked: Go to microsoft.com/devicelogin and attempt to enter any code while signed in as a test user; you should receive an access denied message.
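For teams that manage Conditional Access through the Microsoft Graph API rather than the portal, the following is an added example (not from the newsletter, and not Microsoft's own sample code) of the policy body equivalent to the steps in the table, together with an audit check that walks a tenant's existing policies and confirms one of them is an enforced, all-users, all-apps block of the device code flow. Property names follow the Graph conditionalAccessPolicy resource as I understand it; the sample policy list, including the `<helpdesk-group-id>` placeholder, is constructed.

```python
# Body to POST to /identity/conditionalAccess/policies. The authenticationFlows
# condition is the programmatic form of "Conditions -> Authentication flows";
# confirm it is exposed on the Graph API version your tooling targets.
BLOCK_DEVICE_CODE_POLICY = {
    "displayName": "Block Device Code",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
        "applications": {"includeApplications": ["All"]},
        "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def _transfer_methods(policy):
    """transferMethods is a comma-separated flags string; return it as a set."""
    flows = (policy.get("conditions") or {}).get("authenticationFlows") or {}
    return {m.strip() for m in (flows.get("transferMethods") or "").split(",")}


def policy_blocks_device_code(policy):
    """Return (ok, problems). ok is True only when the policy is an enforced,
    all-users, all-apps block of the device code flow with no exclusions."""
    problems = []
    if policy.get("state") != "enabled":
        problems.append(f"state is {policy.get('state')!r}; report-only or disabled policies block nothing")
    if "deviceCodeFlow" not in _transfer_methods(policy):
        problems.append("authenticationFlows does not include deviceCodeFlow")
    conds = policy.get("conditions") or {}
    users = conds.get("users") or {}
    if users.get("includeUsers") != ["All"]:
        problems.append("not scoped to all users")
    if users.get("excludeUsers") or users.get("excludeGroups") or users.get("excludeRoles"):
        problems.append("has exclusions; every excluded account keeps the device code flow open")
    apps = conds.get("applications") or {}
    if apps.get("includeApplications") != ["All"]:
        problems.append("not scoped to all cloud apps")
    grant = policy.get("grantControls") or {}
    if "block" not in (grant.get("builtInControls") or []):
        problems.append("grant control is not 'block'")
    return (not problems, problems)


def tenant_blocks_device_code(policies):
    """True if at least one policy in the list fully blocks the device code flow."""
    return any(policy_blocks_device_code(p)[0] for p in policies)


# Constructed sample: a report-only pilot with a group exclusion, then the real policy.
SAMPLE_POLICIES = [
    {
        "displayName": "Block Device Code (pilot)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      "excludeGroups": ["<helpdesk-group-id>"]},  # placeholder id
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    BLOCK_DEVICE_CODE_POLICY,
]
```

Feed the check the JSON returned by a GET on the same endpoint. A policy left in report-only mode after a pilot, or one with a "temporary" exclusion group, looks blocked in the portal list yet leaves the flow open, which is exactly what the audit function is meant to catch.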
🎯 THREAT ACTOR SPOTLIGHT
The Gentlemen 🏭
52 victims this week (53.6% of all disclosures) — Hyperactive mass-posting campaign
Target profile: Mid-market companies globally with heavy focus on manufacturing, retail, and professional services. Geographic spread includes Thailand, Japan, Brazil, France, Sweden, South Africa, and Indonesia.
Known TTPs (plain English):
- Double extortion: They steal your data first, then threaten to publish it publicly if you don't pay
- Automated reconnaissance: Victim descriptions contain ZoomInfo sourcing, suggesting an automated pipeline for identifying targets
- Initial access: Exploit exposed FortiGate firewall management interfaces (CVE-2024-55591) and compromised administrative credentials
Defensive Priorities:
| # | Action | Plain English |
|---|---|---|
| 1 | Data Loss Prevention | Monitor and block large file transfers leaving your network |
| 2 | Network Segmentation | Keep sensitive data in separate zones so attackers can't access everything |
| 3 | Backup Verification | Test that backups work and aren't connected to your main network |
Also Active: LockBit5 posted 20 victims across 12 countries this week, but it is primarily targeting larger enterprises; SMBs can deprioritize this actor for now.
🏭 SECTOR TARGETING
Professional Services (Law, Accounting, Engineering) — 14 victims 🏢
Threat actors: Bravox, Play, The Gentlemen, Akira
Notable incidents: VATIER (France, international law firm), Barnes Solicitors LLP (UK), Americo Advogados (Brazil, 201-500 employees), AKM Consulting Engineers (US, water/wastewater — 17GB claimed), Aqua-Serv Engineers (US, water treatment — 17GB with passports/DLs)
Data exposed: Client files, NDAs, HR records, employee identity documents
Manufacturing/Industrial — 12 victims 🏭
Threat actors: Qilin, The Gentlemen, Akira
Notable incidents: Muller Technology (industrial machinery), Zanzi S.p.A. (Italy, aerospace valves), Aichi Electric (Japan, power equipment), Gauthier Connectique (France, military/civilian aircraft connectors — 42GB claimed)
Data exposed: Production specs, supplier contracts, proprietary designs
Construction/Infrastructure — 6 victims 🏪
Threat actors: Qilin, LockBit5, The Gentlemen
Notable incidents: Pacific Building Solutions, Abu Hatim Co (UAE, engineering construction), Jati Tinggi Group (Malaysia, utilities engineering, won RM80M TNB contract)
Data exposed: Bid documents, project plans, subcontractor agreements
Healthcare/Medical — 4 victims 🏭
Threat actors: The Gentlemen, LockBit5
Notable incidents: Das Labor (Austria, diagnostic laboratory), IntraCare (New Zealand, interventional cardiology), DYSA Healthcare (Paraguay), Vitex Pharmaceuticals (Australia)
Data exposed: Patient records, insurance data, treatment histories
⚠️ SMB Sector Alert: Water/Wastewater Engineering
Akira posted 3 US-based engineering consultancies serving public agencies in 24 hours. Combined claimed data: 76GB including HR files, client documents, NDAs, and employee passports/driver's licenses. If you're a small engineering firm serving municipal water clients, you're being actively targeted.
🏪 SMB REALITY CHECK
If you're under 50 employees with no dedicated security staff, here's what actually matters this week:
The device code phishing attack is your top concern: it's cheap to execute, works against anyone using Microsoft 365, and your current MFA won't stop it. The five-minute fix in the "Just Do This" section costs nothing and blocks the entire attack. Do that first.
💡 The Hacker Mindset
Remember: attackers don't "break in" — they log in using real credentials. They study shortcuts we take under pressure, then exploit them. A 10-second pause to verify an unexpected login prompt or code request can prevent days of cleanup. The campaigns this week succeed because people move fast when they're busy. Slow down.
Your Stack, Your Actions:
| If You Use... | Do This | Time |
|---|---|---|
| Microsoft 365 | Block device code flow | 5 min |
| Google Workspace | Enable context-aware access to block logins from new devices | 10 min |
| QuickBooks Online | Enable two-factor authentication if not already on | 5 min |
| Any file-sharing | Audit who has active shared links to sensitive files | 15 min |
📞 When to Call for Help
If you receive Microsoft 365 alerts about "impossible travel" (someone signed in from two countries within an hour) or new inbox rules you didn't create, contact your IT support immediately; these are signs of the exact attacks discussed this week.
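The three signs named in this edition, device code flow sign-ins (Active Campaigns), impossible travel and unexpected inbox rules (this section), can all be checked from exported logs. The following is an added example for this edition, not code from the newsletter or from Microsoft: it triages a constructed set of sign-in records shaped like Microsoft Graph `signIn` objects (the `authenticationProtocol` and `location.geoCoordinates` fields) and inbox rules shaped like Exchange Online `Get-InboxRule` output. The speed threshold, keyword list, tenant domain and all sample records are assumptions made for the example.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # above airliner speed, the two sign-ins cannot be one person
MIN_DISTANCE_KM = 50.0      # ignore geo-IP jitter between nearby cities
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "password", "mfa", "code"}
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions", "junk email", "archive"}

# Constructed sample sign-ins shaped like Microsoft Graph signIn objects.
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-04-02T10:00:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "GB", "geoCoordinates": {"latitude": 51.5074, "longitude": -0.1278}}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-04-02T10:40:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NG", "geoCoordinates": {"latitude": 6.5244, "longitude": 3.3792}}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-04-02T11:05:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.44",
     "location": {"countryOrRegion": "NG", "geoCoordinates": {"latitude": 6.5244, "longitude": 3.3792}}},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2026-04-02T08:00:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.99",
     "location": {"countryOrRegion": "US", "geoCoordinates": {"latitude": 47.6062, "longitude": -122.3321}}},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2026-04-02T11:00:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.100",
     "location": {"countryOrRegion": "US", "geoCoordinates": {"latitude": 45.5152, "longitude": -122.6784}}},
]

# Constructed sample inbox rules using Exchange Online Get-InboxRule property names.
INBOX_RULES = [
    {"MailboxOwnerId": "alice@example.com", "Name": "Receipts", "Enabled": True, "DeleteMessage": False,
     "MoveToFolder": "Receipts", "ForwardTo": [], "RedirectTo": [], "SubjectContainsWords": ["receipt"]},
    {"MailboxOwnerId": "bob@example.com", "Name": ".", "Enabled": True, "DeleteMessage": True,
     "MoveToFolder": None, "ForwardTo": [], "RedirectTo": [], "SubjectContainsWords": ["invoice", "wire"]},
    {"MailboxOwnerId": "carol@example.com", "Name": "Vendor sync", "Enabled": True, "DeleteMessage": False,
     "MoveToFolder": None, "ForwardTo": ["finance@attacker.example"], "RedirectTo": [], "SubjectContainsWords": []},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _when(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def device_code_signins(signins):
    """Sign-ins completed through the OAuth device authorization grant."""
    return [r for r in signins if r.get("authenticationProtocol") == "deviceCode"]


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Consecutive sign-ins per user whose implied travel speed is not humanly possible."""
    by_user = {}
    for rec in sorted(signins, key=_when):
        by_user.setdefault(rec["userPrincipalName"], []).append(rec)
    findings = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            g1, g2 = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
            km = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
            hours = (_when(cur) - _when(prev)).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")  # same-second sign-ins far apart
            if km >= MIN_DISTANCE_KM and speed > max_kmh:
                findings.append({"user": user, "km": round(km), "hours": round(hours, 2),
                                 "route": f"{prev['location']['countryOrRegion']}->{cur['location']['countryOrRegion']}"})
    return findings


def suspicious_inbox_rules(rules, tenant_domain="example.com"):
    """Enabled rules that hide mail, divert it outside the tenant, or sweep
    finance/authentication keywords; a bare punctuation name is a classic tell."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        reasons = []
        folder = (rule.get("MoveToFolder") or "").lower()
        if rule.get("DeleteMessage") or folder in HIDING_FOLDERS:
            reasons.append("hides messages")
        external = [a for a in (rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or [])
                    if not a.lower().endswith("@" + tenant_domain)]
        if external:
            reasons.append(f"diverts mail to {external}")
        if FINANCE_WORDS & {w.lower() for w in rule.get("SubjectContainsWords") or []}:
            reasons.append("matches finance/auth keywords")
        if len(rule.get("Name", "").strip(". _-")) == 0:
            reasons.append("empty or punctuation-only name")
        if reasons:
            findings.append({"mailbox": rule["MailboxOwnerId"], "rule": rule["Name"], "reasons": reasons})
    return findings


def triage(signins=SIGNINS, rules=INBOX_RULES):
    """One report covering all three indicators discussed in this edition."""
    return {"device_code": device_code_signins(signins),
            "impossible_travel": impossible_travel(signins),
            "inbox_rules": suspicious_inbox_rules(rules)}
```

On the sample data the report lists Alice's London-to-Lagos pair (about 5,000 km in 40 minutes), Bob's device code sign-in, and two rules: Bob's "." rule that deletes invoice and wire mail, and Carol's rule forwarding to an address outside the tenant. Once the device code flow is blocked, any `deviceCode` sign-in that still succeeds means the policy is not covering that account.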
Safe to ignore this week: The Storm-1175 vulnerability details (unless you run CrushFTP, GoAnywhere, SimpleHelp, or SmarterMail — most SMBs don't) and the German ransomware attribution story (interesting but requires no action).
🔮 LOOKING AHEAD
LLMs Are Accelerating Ransomware Operations — But Not Revolutionizing Them
SentinelLabs research confirms what we're seeing in the threat landscape: AI is making ransomware crews faster and more capable, but isn't creating fundamentally new attack types.
What's changing: AI enables better target selection (analyzing leaked data to find lucrative victims), faster phishing localization (flawless German, Japanese, Arabic lures), and automated ransom negotiation. Attackers run open-source AI models locally (for example via Ollama) to avoid the safety guardrails of commercial providers.
Early indicators to watch: Phishing emails with unusually polished, context-aware language; ransom notes that reference specific stolen files; negotiation chats that seem to "know" your organization's financial position.
Bottom line: Traditional "spot the typo" phishing training is obsolete. Shift to behavioral indicators: unexpected login prompts, requests to enter codes, urgency pressure—regardless of how well-written the message appears.
📅 Next Month's Priority
Implement external attack surface monitoring. Storm-1175's success depends on finding vulnerable internet-facing systems before organizations patch them. Free tier available through Microsoft Defender External Attack Surface Management; commercial tools range $500-5,000/month depending on scope.
CLASSIFICATION: TLP:CLEAR
Sources: Microsoft Security Blog, BleepingComputer, Huntress, KrebsOnSecurity, SentinelLabs, Ransomware.live API, RansomLook.io API
Your data is an asset. We guard it like one.
Intelligence cutoff: April 6, 2026 14:00 ET | Next edition: April 13, 2026
