
S6 RANSOMWARE SIGNAL
Week of April 28 – May 4, 2026 | Published by S6 Tech
⚡ 60-SECOND VERSION
Biggest threat: A phishing campaign targeting 35,000 users at 13,000 organizations is capturing passwords AND multi-factor codes in real time — your standard MFA does not stop it.
Why it matters: The attack uses real Microsoft login pages routed through attacker servers. Healthcare, financial services, and professional services took 48% of the hits, and 92% of victims are in the US.
Do this now: Block sign-ins from countries where you don't operate (10–15 minutes, free) — Microsoft's guide.
📋 EXECUTIVE SUMMARY
1. Standard MFA has stopped being a defense at the high end. Microsoft documented an industrial-scale phishing operation that captures passwords and authenticator codes in the same flow — and it concentrated 92% of its targeting on US organizations, with healthcare and financial services in the lead. If your admins still log in with text-message or app-based MFA, plan the move to hardware keys this quarter.
2. Healthcare-sector targeting has now sustained for four consecutive weeks in our coverage — across more than thirty distinct threat actors. That's no longer a campaign; that's a market consensus that small US and Canadian medical and dental practices are easy money. If you run one, you are inside the target profile and the question is what's been done about it this month.
3. Your security and ed-tech vendors are now in the target set, not just defending it. Trellix confirmed unauthorized access to part of its source code repository, and Instructure (Canvas LMS) confirmed a breach with ShinyHunters claiming 275 million records — a figure Instructure has not verified. The pattern matters more than either incident: any vendor with a privileged connection to your systems is a candidate next-week headline.
📊 METRICS & INTELLIGENCE
| Metric | This Week | What It Means |
|---|---|---|
| Total Disclosed Victims | 107 | First break above 97 in five weeks; one actor drove a third of the rise |
| Active Threat Actors | 32 | Most fragmented week of 2026; smaller crews continue to fill space |
| US-Based Victims | 52 (48.6%) | US share more than doubled vs. last week; matches the AiTM phishing geography |
| AiTM Phishing Targets | 35,000+ users | Single campaign hit 13,000 organizations across 26 countries |
| Healthcare Sector Hits | 12 | Fourth straight elevated week; small practices took 7 of 12 |
Germany (6), UK (5), Australia (4), and China (4) followed the US, with the remainder spread across 25+ countries.
📈 TRENDLINE: Healthcare in our coverage, four weeks running
| Week of Apr 7–13 | 12 victims | 10+ distinct actors |
| Week of Apr 14–20 | 6 victims | 6 distinct actors |
| Week of Apr 21–27 | 9 victims | 7 distinct actors |
| Week of Apr 28–May 4 | 12 victims | 4 distinct actors |
The actor list rotates each week, but the sector doesn't. That tells you the targeting is structural — small medical, dental, and specialty practices are now a standing line item on the criminal calendar, not the topic of any single campaign.
THREAT ACTOR MARKET SHARE — THIS WEEK
Qilin enters its fourth straight week as the volume leader, having held or shared the top spot in every issue since April 13.
🚨 ACTIVE CAMPAIGNS
"Code of Conduct" AiTM Phishing Campaign 🏢
35,000+ users at 13,000 organizations targeted; 92% in the US
What it does: Emails impersonate internal HR or compliance notices — subjects like "Reminder: employer opened a non-compliance case log." A PDF leads through a CAPTCHA gate (filtering out automated security tools) to what looks like a real Microsoft login page. It is real — but routed through attacker infrastructure (an "adversary-in-the-middle" or AiTM proxy — a server that sits between you and the genuine login site, copying everything you type, including your MFA code). Once you sign in, the attackers capture your live session token and step in as you.
Why it matters: Standard MFA — text codes, app push prompts, time-based codes — does not stop this. The attacker authenticates on the real site at the same moment you do, then keeps the resulting session. Healthcare took 19% of the targeting, financial services 18%, professional services 11%, technology 11%. If your team uses Microsoft 365, treat this as a campaign that hit you, then check sign-in logs for the indicators in the source.
Source: Microsoft Security Blog
Trellix Source Code Repository Breach 🏭
Cybersecurity vendor confirms unauthorized access to part of its code
What happened: Trellix — the endpoint and XDR vendor formed from the McAfee Enterprise/FireEye merger — disclosed unauthorized access to a portion of its internal source code repository. The company says it has found no evidence the source code itself has been exploited or that its software release process was affected. Initial access method, attacker identity, and dwell time have not been disclosed.
Why it matters: Trellix protects more than 200 million endpoints across 50,000 customers. Source code is a roadmap to a security tool's blind spots, and any code that did leave the network is now a long-term study guide for attackers planning to evade Trellix-protected environments. If you run Trellix, ask your account representative two questions this week: which repositories were accessed, and whether your specific deployment is in scope.
Source: BleepingComputer, Trellix Official Statement
Instructure (Canvas LMS) Breach 🏢
Company confirms data exposure; ShinyHunters — the same group behind last week's ADT and Udemy breaches — claims 275 million records (not verified)
What happened: Instructure, maker of the Canvas learning platform used by roughly 8,000 schools, universities, and corporate training programs, confirmed exposure of names, email addresses, student ID numbers, and user-to-user messages. The company says no evidence so far of password, date-of-birth, government-ID, or financial data exposure. ShinyHunters listed Instructure on its leak site claiming 275 million individuals across nearly 9,000 institutions and 3.65TB of data; Instructure has not verified those figures, and BleepingComputer and TechCrunch have not independently confirmed them.
Why it matters: Even using Instructure's narrower confirmed scope, two practical exposures matter for any business that uses Canvas for compliance or onboarding training. First, employee email addresses tied to student IDs make for highly targeted phishing material. Second, if your single sign-on connects to Canvas, review those authentication logs for unusual activity, and rotate any application keys you provisioned to the platform.
Source: BleepingComputer, TechCrunch
✅ JUST DO THIS
Block Sign-Ins From Countries Where You Don't Operate
⏱️ 10–15 minutes | 💰 Free (Microsoft 365 Business Premium / Google Workspace Business Plus)
Why now: The 35,000-user phishing campaign routed credentials through staging servers and authentication proxies in countries most US small businesses have no reason to log in from. A geographic block sets a floor under the attack: even if an employee gives up password and MFA code, the sign-in itself fails because the attacker's location is denied at the front door. It costs nothing and breaks the chain at step one.
| Platform | Steps |
|---|---|
| Microsoft 365 | Entra Admin Center → Protection → Conditional Access → New Policy → Name it "Block Foreign Countries" → Users: All users → Conditions → Locations → Configure: Yes → Include: select countries to block → Grant: Block access → Enable policy |
| Google Workspace | Admin Console → Security → Context-aware access → Create access level → Add geographic conditions → Apply to organizational units |
| Other | Ask your IT provider: "Can we block logins from outside [your country]?" Most modern identity providers support this |
Verify it worked: Sign in through a VPN set to a blocked country, or have your IT provider test it. You should see an access-denied message before any credential prompt.
🎯 THREAT ACTOR SPOTLIGHT
Aurora 🏪
8 victims this week — first appearance in our coverage, with the most detailed leak posts we've seen all year
Why this group, this week: Qilin again leads on volume — covered in detail in our April 13 issue and now in its fourth straight week of dominance — but Aurora is doing something the dominant actors aren't. Where most crews post a victim name and a vague file-tree screenshot, Aurora publishes a detailed inventory: full file counts, database sizes, credential lists, and in some cases the specific Windows Active Directory file (NTDS.dit, the database that holds every password hash for a corporate network) it claims to have lifted. The specificity is itself a pressure tactic.
Notable claims this week (attacker-reported, not independently verified):
- Cheval Blanc Randheli (Maldives luxury resort): 75,855 passport scans gathered over a decade, with Qatari and UAE officials identified by name.
- Costa Solutions LLC: Social Security numbers, bank routing numbers, and twelve years of HR records for 3,000 to 8,000 individuals.
- Advanta Genetics (Texas, clinical toxicology lab): NTDS.dit exfiltration — if accurate, every domain credential needs treatment as compromised.
Defensive Priorities:
| # | Action | Plain English |
|---|---|---|
| 1 | Domain controller hardening | Limit who can sign in to your domain controller — the server that handles every login on your network — and turn on credential guard if you run Windows 10/11 Enterprise |
| 2 | Document retention review | If you don't need ten years of passport scans on a server connected to the internet, archive them offline — Aurora's leverage comes from the depth of what's been kept, not just what was current |
| 3 | Backup verification | Confirm offline backups exist and that someone has actually tested restoring this quarter |
Also Active: Qilin posted 23 victims this week — its strongest US showing yet, with five regional construction firms hit in a single week. The Gentlemen (7) continue running the SystemBC botnet infrastructure we covered last week. ShinyHunters (6) issued separate ultimatums to three additional targets with deadlines spanning May 4–6.
🏭 SECTOR TARGETING
Manufacturing/Industrial — 14 victims 🏭
Threat actors: Aurora, Blackwater, M3rx, CMD Organization, Inc Ransom
Notable incidents: Atlas Metal Industries (Florida, attackers claim full ERP and payroll database exfiltrated — figure not independently verified), Shenzhen Gongjin Electronics (China), Tuopu Group (China), Engineered Machine Tool (Kansas), Iowa Spring Manufacturing, Zampell (refractory services)
Healthcare — 12 victims 🏪 (see Trendline above)
Threat actors: Aurora, Qilin, Nightspire, Pear
Notable incidents: Advanta Genetics (Texas, clinical toxicology lab handling opioid-therapy patient records), Bomu Hospital (Kenya), Accurate Nursing Services, Armstrong George Cohen Will Ophthalmology, Progressive Oral Surgery & Implantology, Fox Broermann Pediatric Dentistry
Professional Services (Law, Title, Wealth) — 11 victims 🏢
Threat actors: Aurora, ShinyHunters, Worldleaks, The Gentlemen
Notable incidents: Law Offices of Michael A. Freedman (Maryland — attackers claim 579 GB across 656 client-matter folders), Bayou Title (Louisiana — attackers claim 70,000–100,000+ Social Security numbers from real estate closings), Peyton Law Firm, Towerpoint Wealth LLC. Volumes attacker-reported and not independently verified.
Construction — 9 victims 🏪 NEW
Threat actors: Qilin (5 of 9), CMD Organization
Notable incidents: JG Stewart Construction, Jayeff Construction, Probity Contracting Group, Edenshaw Developments, LSM Lee. The five Qilin hits were all regional US contractors — a sector concentration we have not previously seen from this actor.
⚠️ SMB Sector Alert: Regional Construction Contractors
Five US construction firms posted by a single actor in a single week is a target list, not a coincidence. Bid documents, subcontractor banking details, and project insurance certificates are exactly the kind of data that converts to wire-transfer fraud against larger general contractors and developers downstream. If you run a regional contracting firm: rotate any shared cloud storage credentials this week and confirm your project-management software has MFA enforced on every account.
🏪 SMB REALITY CHECK
If you're under 50 employees with no dedicated security staff, here's what actually matters this week:
The phishing campaign is real and aimed at your size of business. Healthcare practices, accounting firms, and small financial services companies were named as primary targets. The good news: this week's geographic-blocking action would stop most of these attacks at the door, costs nothing, and takes roughly fifteen minutes.
The Trellix and Instructure breaches don't change your day-to-day unless you actively run those products — and even then, the action is a phone call to your account representative, not a panic.
💡 Hardware Keys Are the Only MFA Left That Works
For most small businesses, two to five people have admin access to Microsoft 365, the bank, and payroll. A FIDO2 hardware key (YubiKey or similar) costs about $50 and cannot be intercepted by an AiTM proxy — the cryptography binds the login to the physical device. For five admins, that's $250–$375 once. It is the single highest-leverage security purchase available to a business this size.
Your Stack, Your Actions:
| If You Use... | Do This | Time |
|---|---|---|
| Microsoft 365 | Enable Security Defaults if not already on; add the geographic block from "Just Do This" | 15 min |
| Google Workspace | Turn on 2-Step Verification enforcement; configure context-aware access | 15 min |
| Canvas LMS for training | Reset employee passwords reused with Canvas; rotate any SSO application keys | 20 min |
| Anyone with admin access | Order FIDO2 hardware keys (~$50 each); plan rollout within 30 days | 2–3 hrs |
📞 When to Call for Help
If anyone receives an email about an HR or compliance issue that asks them to log in to confirm something — and they're not certain it's legitimate — call your IT person before they click. One compromised admin account from this week's campaign hands attackers everything that account can reach.
Safe to ignore this week: The two BlackCat insider sentencings (interesting context on the insider-threat angle, but no operational action); follow-on coverage of REvil/GandCrab attribution; Telegram mini-app crypto scams unless your team uses Telegram for business.
🔮 LOOKING AHEAD
The Vendors You Pay to Protect You Are the Next Front
Trellix this week. Checkmarx and Cisco within the last month. The pattern is no longer occasional — security and developer-tooling vendors are being targeted directly because compromising one of them potentially compromises every customer they serve. The strategic logic is clean: breach one bank, you have one bank; breach the company that secures five hundred banks, you have a path into all of them.
What to watch: Unusual communications from your security vendors that don't match their normal channels. Unexpected software update prompts, especially outside scheduled patch windows. News that a vendor in your stack has confirmed a breach or is investigating one. Quiet announcements buried in a support portal often precede the public ones.
Bottom line: Your incident response plan needs to assume your security vendors can themselves be the source of the next incident. Document which vendors have what access — can your endpoint protection vendor push code to your machines? Can your monitoring tool read every log? Those access paths are now the access paths that matter.
📅 This Month's Priority
Build a one-page inventory of every security and IT vendor connected to your environment. For each: what data they can read, what actions they can take, when their access was last reviewed, and who at your company is the named owner. If the list runs longer than one page, you have more vendor access than oversight — fix that before the headlines write themselves.
CLASSIFICATION: TLP:CLEAR
Sources: Microsoft Security Blog (May 4), BleepingComputer (May 3–4), TechCrunch (May 5), Trellix Official Statement, Dark Web Informer (Apr 30), The Record (May 4), Ransomware.live API, RansomLook.io API
S6 RANSOMWARE SIGNAL
Your data is an asset. We guard it like one.
Intelligence cutoff: May 4, 2026 14:00 ET | Next edition: May 11, 2026
