
S6 RANSOMWARE SIGNAL
Week of March 21–27, 2026 | Published by S6 Tech
⚡ 60-SECOND VERSION
Biggest threat: The Starkiller phishing platform intercepts MFA codes in real time, so authenticator apps no longer protect admin accounts.
Why it matters: 268+ Microsoft 365 organizations already compromised; this is the attack vector behind most ransomware intrusions.
Do this now: Deploy physical security keys (YubiKey, $50) for anyone who can approve payments, access customer data, or manage user accounts.
📋 EXECUTIVE SUMMARY
1. Traditional MFA is now a false sense of security. A new phishing-as-a-service platform called "Starkiller" intercepts MFA codes in real time—including authenticator apps. Physical security keys are now required for meaningful protection against the attack vector behind most ransomware intrusions.
2. Healthcare and legal practices face elevated targeting. This week saw 8 healthcare and 12 legal/professional services victims posted. Small practices storing SSNs, medical records, or immigration documents match this week's victim profile.
3. Tax season phishing is peaking. Microsoft tracked 29,000 users targeted in a single tax-themed campaign. Through April 15: treat every tax-related email with elevated scrutiny.
📊 METRICS & INTELLIGENCE
| Metric | This Week | What It Means |
|---|---|---|
| Total Disclosed Victims | 107 | Sustained high volume across 32 active threat actors |
| US-Based Victims | 41 (38.3%) | US remains primary target; rest scattered across 20+ countries |
| Healthcare Sector Hits | 8 | 🏪 Patient data exposure; small practices in target set |
| Legal/Professional Services | 12 | 🏪 Client data (SSNs, passports, court docs) at risk |
| Construction Sector Hits | 11 | 🏢 Mid-market contractors targeted for project/bid data |
| Tax-Season Phishing | 29,000 | ⚠️ Users targeted in single campaign; peak through April 15 |
Sources: Ransomware.live, RansomLook.io, Microsoft Security Blog
⚡ ACTIVE CAMPAIGNS
Starkiller Phishing-as-a-Service Platform 🏢
Operator: Jinkusu cybercrime group | 268+ Microsoft 365 orgs already compromised
What it does: Starkiller loads the real Microsoft or Google login page inside the attacker's infrastructure, then captures everything you type, including MFA codes, in real time. The platform uses disguised URLs like login.microsoft.com@[malicious-domain] where the "@" trick makes everything before it appear legitimate.
Why it matters: Traditional MFA (text messages, authenticator apps) provides zero protection against this technique. The platform includes real-time screen monitoring and automated Telegram alerts when credentials arrive. This is the attack vector behind most ransomware intrusions.
Source: KrebsOnSecurity
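The "@" trick described above works because a browser treats everything between `://` and the last `@` of a link as a username, not a host, and connects to whatever follows the `@`. The following is an added example (not from S6 Tech or KrebsOnSecurity) that resolves the host a browser would actually reach and flags lookalike userinfo, so a mail filter or helpdesk script can triage links before anyone clicks. The trusted-host list and the sample email body are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Hosts that legitimately serve the sign-in pages Starkiller imitates.
# Assumption for this example: adjust to the identity providers your tenant uses.
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "accounts.google.com",
}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")


def analyze_link(url: str) -> dict:
    """Resolve the host a browser would actually connect to and flag the
    userinfo ("@") trick. Everything before the last "@" in the authority is
    a username, so login.microsoft.com@evil.example really goes to evil.example."""
    if "://" not in url:
        url = "https://" + url          # bare links are treated as https
    parts = urlsplit(url)
    actual_host = (parts.hostname or "").lower()
    decoy = parts.username or ""        # text shown before the "@", if any
    findings = []
    if parts.username is not None:
        findings.append("userinfo-before-@")
        if "." in decoy:
            findings.append("domain-lookalike-in-userinfo")
        if decoy.lower() in TRUSTED_LOGIN_HOSTS and actual_host not in TRUSTED_LOGIN_HOSTS:
            findings.append(f"impersonates:{decoy.lower()}")
    return {
        "url": url,
        "actual_host": actual_host,
        "decoy": decoy,
        "findings": findings,
        "suspicious": bool(findings),
    }


def triage_links(text: str) -> list:
    """Extract every http(s) link in an email body and return the suspicious ones."""
    return [r for r in (analyze_link(u) for u in URL_RE.findall(text)) if r["suspicious"]]


# Constructed sample email body (not a real message) so the script runs stand-alone.
SAMPLE_BODY = """Your Microsoft 365 password expires today.
Keep your access: https://login.microsoft.com@sso-verify.example/common/oauth2
Policy reference: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
"""

if __name__ == "__main__":
    for hit in triage_links(SAMPLE_BODY):
        print(f"BLOCK {hit['url']} -> really {hit['actual_host']} ({', '.join(hit['findings'])})")
```

The check is deliberately about the host the browser connects to, not about how the link looks: a link whose real destination is outside the trusted set is escalated regardless of what the decoy text says.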
TikTok Business Account Phishing 🏪
Marketing agencies, retail, e-commerce, any company with social presence
What it does: Phishing emails target TikTok for Business accounts with credential-harvesting pages specifically designed to block security scanners. Only human visitors see the fake login page.
Business impact: Brand account hijacking, fraudulent ad spend, customer-facing scams using your brand, regulatory exposure if customer data is accessed through connected business tools.
Action: If your marketing team manages social accounts, verify any TikTok communications by logging in directly—never through email links.
Source: BleepingComputer
🎯 JUST DO THIS
Deploy physical security keys for anyone with admin access
⏱️ 15 minutes per user | 💰 $50-55 per key (buy two per user for backup)
| Item | Detail |
|---|---|
| What | Replace SMS codes or authenticator apps with hardware security keys (like YubiKey) for all users who can change settings, access financial systems, or manage other user accounts |
| Why Now | Starkiller intercepts traditional MFA codes in real time. Physical keys use cryptographic verification that cannot be captured remotely—even if someone clicks a phishing link |
| Microsoft 365 | Security.microsoft.com → Authentication methods → FIDO2 security keys → Enable |
| Google Workspace | Admin console → Security → Authentication → 2-Step Verification → Allow security keys |
| Verify It Worked | Attempt login without physical key—access should be blocked. Then login with key present—access should succeed |
🔍 THREAT ACTOR SPOTLIGHT
Most Active This Week: QILIN
23 victims (21.5% of all disclosures) | Targets: $10M–$500M revenue mid-market firms [VERIFY]
Operational Status: Sustained high-volume operations targeting mid-market firms—especially construction, healthcare, and retail.
Known TTPs:
- Initial Access: Phishing with malicious attachments; exploitation of exposed RDP (Remote Desktop Protocol—remote access service often left internet-facing)
- Lateral Movement: Credential harvesting and Active Directory enumeration (mapping of internal user accounts and permissions)
- Extortion: Double extortion—encrypts files AND threatens data publication
| Priority | Action | Plain English |
|---|---|---|
| 🏪🏭🏢 1 | Disable exposed RDP | Don't let remote desktop be reachable from internet |
| 🏪🏭🏢 2 | Enforce MFA on all admin accounts | Require second factor (preferably physical key) for privileged access |
| 🏭🏢 3 | Segment backup infrastructure | Keep backups isolated so attackers can't encrypt them |
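Priority 1 above is "disable exposed RDP"; the quickest way to learn whether RDP is already reachable from the internet is to look for it in your own Windows Security log. The following is an added example (not from S6 Tech or any of the cited sources) that runs over JSON-per-line Security events, as a SIEM export would deliver them, and reports two signals: successful RDP logons (Event 4624, LogonType 10 = RemoteInteractive) from addresses outside your networks, and external sources with repeated logon failures (Event 4625). The internal-network list, the failure threshold, the timestamps and the sample events are all constructed assumptions for this example.

```python
import ipaddress
import json
from collections import Counter

# Windows Security log semantics: 4624 = successful logon, 4625 = failed logon,
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
EVENT_LOGON_OK = 4624
EVENT_LOGON_FAIL = 4625
LOGON_TYPE_RDP = "10"
FAIL_THRESHOLD = 5  # assumption for this example: tune for your environment

# Assumption: address space considered "inside" the organisation. Anything else,
# including documentation ranges used in the sample below, counts as external.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_external(ip: str) -> bool:
    """True when the source address is outside INTERNAL_NETWORKS.
    Unparsable values (Windows writes '-' when no address is known) are not external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETWORKS)


def analyze_events(lines) -> dict:
    """Scan JSON-per-line Security events and summarise evidence of internet-facing RDP."""
    successes = []
    failures = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        src = ev.get("IpAddress", "-")
        if not is_external(src):
            continue  # internal RDP use is expected; only external sources matter here
        if ev.get("EventID") == EVENT_LOGON_OK and str(ev.get("LogonType")) == LOGON_TYPE_RDP:
            successes.append({"src": src, "user": ev.get("TargetUserName"),
                              "time": ev.get("TimeCreated")})
        elif ev.get("EventID") == EVENT_LOGON_FAIL:
            failures[src] += 1
    brute_force = {ip: n for ip, n in failures.items() if n >= FAIL_THRESHOLD}
    return {
        "external_rdp_logons": successes,
        "brute_force_sources": brute_force,
        # One successful external RDP logon is conclusive; repeated failures alone
        # already show the service is reachable and being guessed at.
        "rdp_exposed": bool(successes or brute_force),
    }


def _ev(t, eid, ltype, user, ip):
    """Build one constructed Security event in the JSON-per-line shape analyze_events expects."""
    return json.dumps({"TimeCreated": t, "EventID": eid, "LogonType": ltype,
                       "TargetUserName": user, "IpAddress": ip})


# Constructed sample events (not real log data): an internal RDP session, five
# failures then a success from one external address, and two failures from another.
SAMPLE_EVENTS = [
    _ev("2026-03-24T08:02:10Z", 4624, 10, "alice", "10.20.30.40"),
] + [
    _ev(f"2026-03-24T02:1{i}:00Z", 4625, 10, "administrator", "203.0.113.5") for i in range(5)
] + [
    _ev("2026-03-24T02:16:42Z", 4624, 10, "administrator", "203.0.113.5"),
    _ev("2026-03-24T03:40:00Z", 4625, 3, "svc_backup", "198.51.100.7"),
    _ev("2026-03-24T03:41:00Z", 4625, 3, "svc_backup", "198.51.100.7"),
]

if __name__ == "__main__":
    print(json.dumps(analyze_events(SAMPLE_EVENTS), indent=2))
```

If the script reports any external RDP logon, treat that host as internet-facing today and move RDP behind a VPN or gateway before worrying about the failure counts; the failure threshold exists only so that a lone mistyped password from a travelling user does not page anyone.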
Also Active: AKIRA posted 12 victims (11.2%) targeting engineering firms, manufacturing, and professional services. Explicitly advertising stolen PII (passports, SSNs, medical records) in victim posts. Four different groups hit insurance targets this week, suggesting coordinated interest in policy and claims data.
🏭 SECTOR TARGETING
🏪 Healthcare — 8 Victims | SMB PRIORITY
Threat Actors: Lynx, Qilin, INC Ransom, Black Nevas, Payload
Notable Incidents: NJ Pain Care Specialists (US), Aroostook Mental Health Services (US), Pulpdent (US), Louise Medical Center, Glenmark Pharma
Data Exposed: Patient records, insurance data, treatment histories
🏢 Construction & Building Materials — 11 Victims
Threat Actors: Qilin, Akira, Worldleaks
Notable Incidents: Kerjaya Prospek Group (Malaysia), ACR1.COM Commercial Roofing, BHS Bau (Germany), Mac Interiors, Leighton
Mid-market contractors handling project files, bid documents, and subcontractor data are in the target set.
🏪 Legal & Professional Services — 12 Victims
Threat Actors: Anubis, Akira, Black Nevas, INC Ransom
Notable Incidents: Schlam Stone & Dolan LLP (US—Fortune 500 clients), Mooers Immigration (US—claims celebrity passport data [VERIFY]), David Helfand Law
Data Types Claimed: Client passports, SSNs, court documents, immigration files
🏪 SMB REALITY CHECK
Under 50 employees with no dedicated IT staff? Here's what matters:
The Starkiller phishing platform is the threat that should change your behavior. If anyone at your company can approve wire transfers, access customer data, or manage social media, they need physical security keys—not just authenticator apps. Legal firms and healthcare practices: 8 healthcare and 12 legal victims were posted this week. If you store client SSNs, medical records, or immigration documents, assume you're in the target set.
Your Stack, Your Actions:
| If You Use... | Do This | Time |
|---|---|---|
| Microsoft 365 | Enable security keys for owners/admins | 20 min |
| Google Workspace | Enable Advanced Protection for admins | 15 min |
| QuickBooks Online | Enable 2FA + review user access list | 10 min |
| TikTok for Business | Warn marketing team: verify TikTok emails by logging in directly | 5 min |
📞 When to Call for Help
If you receive an email asking you to verify your Microsoft 365 or Google Workspace login and you're not 100% certain it's legitimate, stop and call your IT person or MSP before clicking anything. The 30 minutes this takes is cheaper than account takeover.
Safe to ignore this week: National Oil Ethiopia attack (you're not running on-premises Exchange), BMW supply chain breach (unless you're an automotive supplier).
🔮 LOOKING AHEAD
LLM-enabled attack automation is accelerating—but not revolutionizing—ransomware operations.
SentinelLabs research confirms large language models help ransomware operators work faster (better phishing, faster data triage, multilingual capabilities) but aren't creating fundamentally new attack techniques. Anthropic documented a threat actor using Claude Code to automate an entire extortion campaign including ransom amount calculation.
Early indicators to watch: Phishing emails with unusually fluent non-English text, ransom negotiations with sophisticated tailored pressure tactics, and faster attacker response times during active incidents.
Bottom line: Current defenses remain valid. Prioritize fundamentals (MFA, backups, patching) over AI-specific countermeasures. Adversaries are getting faster, not smarter; speed of response matters more than ever.
📅 Next Month's Priority
Extend phishing-resistant authentication (physical security keys) to all users—not just administrators. Any employee with access to sensitive data, customer information, or financial systems represents equivalent risk. Target: 100% enrollment by end of April.
CLASSIFICATION: TLP:CLEAR
Sources: Ransomware.live, RansomLook.io, KrebsOnSecurity, BleepingComputer, Huntress, Microsoft Security Blog, SentinelOne Labs
S6 Ransomware Signal
Your data is an asset. We guard it like one.
Intelligence cutoff: March 27, 2026 | Next edition: March 31, 2026
