S6 Ransomware Signal - April 7–13, 2026
TLP:CLEAR — Approved for Public Distribution

S6 RANSOMWARE SIGNAL

Week of April 7–13, 2026 | Published by S6 Tech


⚡ 60-SECOND VERSION

Biggest threat: Booking.com confirmed a data breach exposing reservation details. Scammers now have everything needed to craft convincing payment fraud emails.

Why it matters: If anyone on your team booked travel recently, they may receive scam emails with accurate booking details that look completely legitimate.

Do this now: Alert your finance team: verify ALL "updated payment" requests for travel bookings via phone call to hotel directly, never through email links.

📋 EXECUTIVE SUMMARY

1. Your booking confirmations are now phishing weapons. Booking.com confirmed unauthorized access to reservation data. Attackers are using legitimate booking details to craft convincing payment scams. Verify any "updated payment instructions" through official hotel channels.

2. ShinyHunters claims supply-chain breach via third-party vendor. The group alleges access to Snowflake environments through Anodot, a cloud analytics tool, claiming 100+ million records across Amtrak, McGraw Hill, and Rockstar Games. Snowflake confirmed the third-party breach on April 7.

3. Healthcare targeting tripled this week. 12 healthcare victims from 10+ distinct threat actors (up from 4 last week). Small practices under 50 employees face disproportionate risk: Exitium, Qilin, and INC Ransom leading the assault.


📊 METRICS & INTELLIGENCE

Metric | This Week | What It Means
Total Disclosed Victims | 97 | Steady volume; Qilin now leads with 17.5%
Active Threat Actors | 27 (↑ from 19) | More groups active; ecosystem fragmenting further
Healthcare Sector Hits | 12 (↑ from 4) | 3× increase; 10+ distinct actors targeting small practices
US-Based Victims | 31 (32%) | Sharp increase from 8% last week; US back in crosshairs
Manufacturing/Industrial | 14 (↑ from 12) | Steady targeting; supply chain data remains valuable

Geographic shift: US jumped from 8% to 32% of victims. Germany (9), France (6), Malaysia (5), and Italy (5) round out the top five.


🚨 ACTIVE CAMPAIGNS

Booking.com Data Breach 🏢

Reservation data exposed; PIN resets forced platform-wide

What happened: Booking.com confirmed unauthorized access to guest reservation data including names, email addresses, phone numbers, postal addresses, and booking details. Financial information was not accessed. The company reset PINs for impacted reservations and notified affected users over the weekend.

Why it matters: Attackers now have everything needed to craft convincing payment scams: legitimate booking details, accurate dates, real hotel names. The platform's messaging system has been abused this way before, turning legitimate conversations into delivery channels for fraud. Multiple Reddit users reported receiving scam messages referencing real reservation details.

Source: BleepingComputer, TechCrunch

ShinyHunters Supply-Chain Breach ⚠️ ENTERPRISE

Claims 100M+ records via Snowflake/Anodot third-party compromise

What happened: ShinyHunters posted ransom demands against Amtrak (9.4M records), McGraw Hill (45M records), Rockstar Games, and others on April 11 with an April 14 deadline. Snowflake confirmed on April 7 that attackers compromised customer accounts through Anodot, a third-party cloud analytics vendor. The attackers harvested authentication tokens from Anodot to access connected Snowflake environments, bypassing MFA entirely.

Why it matters: This attack exploited trusted integrations, not primary systems. The access appeared as legitimate internal monitoring, so security teams likely saw nothing unusual. Organizations granting third-party tools broad cloud permissions face similar exposure.

Source: Help Net Security, Cyber Daily

4,000 US Industrial Devices Exposed to Iranian Attacks 🏭

Joint FBI advisory confirms nation-state targeting of PLCs

What happened: Nearly 4,000 US industrial devices (Rockwell Automation PLCs: programmable logic controllers that control physical machinery) are directly accessible from the internet. A joint FBI/CISA advisory confirms Iranian-linked groups are actively targeting these exposed systems.

Why it matters: These devices control water treatment, manufacturing equipment, HVAC systems, and building automation. Full compromise means control of physical processes: production disruption, equipment damage, and safety incidents. No phishing required; attackers can connect directly if your PLCs are internet-exposed.

Source: BleepingComputer | SMB Note: Only relevant if you have manufacturing equipment or sophisticated building automation with Rockwell controllers.


✅ JUST DO THIS

Audit Third-Party App Permissions

⏱️ 15-20 minutes | 💰 Free

Why now: The ShinyHunters campaign succeeded because a third-party tool (Anodot) had broad access to customer Snowflake environments. When that tool got compromised, every connected customer became vulnerable. The same risk exists with any app you've granted access to your Microsoft 365 or Google Workspace.

Platform | Steps
Microsoft 365 | Entra Admin Center → Applications → Enterprise Applications → Review all apps with "Admin consent granted" → Remove any you don't recognize or no longer use
Google Workspace | Admin Console → Security → API Controls → App Access Control → Review third-party apps → Revoke access for unused or unfamiliar apps
Personal accounts | Google: myaccount.google.com/permissions; Microsoft: account.live.com/consent/Manage

What to look for: Apps with broad permissions ("Read all files," "Send email on your behalf," "Access all data") that you don't actively use. Ask: "Does this tool need access to everything, or just specific data?"


🎯 THREAT ACTOR SPOTLIGHT

Qilin (Agenda Ransomware) 🏭

17 victims this week (17.5%) — Now the most active threat actor globally

Why it matters now: Qilin displaced The Gentlemen (last week's leader) and has claimed over 1,000 total victims since 2022. In Q2 2025, Qilin accounted for 24% of all ransomware incidents targeting US state and local governments. Many former RansomHub affiliates switched to Qilin after RansomHub went inactive in April.

Target profile: Mid-market manufacturing, professional services, education, healthcare. Heavy focus on Germany (4 victims), US (3), Japan (2). Organizations with $50M-$500M revenue are the sweet spot.

Known TTPs (plain English):

  • Initial access: Phishing, exposed RDP/VPN endpoints, or purchasing credentials from initial access brokers. Recent campaigns exploit Fortinet vulnerabilities (CVE-2024-21762, CVE-2024-55591)
  • Evasion trick: Uses Windows Subsystem for Linux (WSL) to run Linux ransomware on Windows machines, bypassing Windows-focused security tools
  • Double extortion: Encrypts files AND steals data for leak threats. Operates leak sites on both Tor and the open internet

Defensive Priorities:

# | Action | Plain English
1 | Patch Fortinet devices | If you use FortiGate firewalls, update immediately: Qilin is automating these attacks
2 | Disable WSL if unused | Most businesses don't need Windows Subsystem for Linux: disable it to block this evasion technique
3 | Isolate backup systems | Qilin specifically targets Veeam backup infrastructure to steal credentials before encryption

Also Active: The Gentlemen dropped to 14 victims (from 52 last week). Still active but no longer dominant. ShinyHunters making headlines with enterprise supply-chain claims.


🏭 SECTOR TARGETING

Healthcare — 12 victims (↑ 200% from last week) 🏪 SMB PRIORITY

Threat actors: Exitium, Blackwater, Insomnia, Lynx, The Gentlemen, Pear, Anubis, Dragonforce, Lamashtu, INC Ransom

Notable incidents: Gastroenterology & Hepatology of CNY (US reports suggest significant patient record exposure), Medical Park (Turkey, 36 hospitals), United Medical Doctors (US, 70+ locations), ACN Healthcare (US, $253.6M revenue)

Why the surge: 10+ distinct actors targeting healthcare this week suggests coordinated interest or shared initial access. Small practices under 50 employees are easier targets than hospital systems.

Manufacturing/Industrial — 14 victims 🏭

Threat actors: Qilin, The Gentlemen, Dragonforce, Everest, Eraleign (APT73), Lamashtu

Notable incidents: Herth+Buss (Germany, automotive parts), GEM Terminal (Taiwan, electronic components), Gauthier Connectique (France, military/civilian aircraft connectors; 42GB claimed)

Data exposed: Production specs, supplier contracts, proprietary designs

Professional Services — 9 victims 🏢

Threat actors: Qilin, Pear, INC Ransom, Beast, Dragonforce

Notable incidents: Sonn Law Group (US), Powell, Powell & Powell (US, personal injury), Siegel Lewitter Malkani (US, employment law), multiple German law firms (Straten & Kollegen, Irmler Rechtsanwälte)

Data exposed: Client files, NDAs, HR records, financial documents

⚠️ SMB Sector Alert: Healthcare Practices Under 50 Employees

Disproportionate targeting from 10+ distinct threat actors this week, a 3× increase from last week's 4 healthcare victims. If you handle patient data, you match the current target profile. Review backup verification and incident response contacts immediately.


🏪 SMB REALITY CHECK

If you're under 50 employees with no dedicated security staff, here's what actually matters this week:

The Booking.com breach affects you directly: if anyone on your team booked travel recently, warn them that "updated payment" emails are likely scams even if they contain accurate booking details. The healthcare surge means practices should verify their cyber insurance coverage and incident response contacts this week.

💡 Security Is a Team Sport

Most damaging incidents don't start with a failed system; they start with a failed conversation. A suspicious email no one mentioned. A payment request that wasn't double-checked. A mistake someone was afraid to report. Build a culture where asking "Hey, did you send this?" is normal. Over-reporting protects your organization far more than under-reporting ever will.

Your Stack, Your Actions:

If You Use... | Do This | Time
Booking.com/Expedia | Email finance team: "Verify ALL 'updated payment' requests via phone call to hotel directly" | 5 min
Microsoft 365 | Review enterprise app permissions; remove unused apps | 15 min
Google Workspace | Review third-party app access | 10 min
Healthcare practice | Verify cyber insurance policy and incident response contact numbers are current | 20 min

📞 When to Call for Help

If you receive any travel booking emails requesting updated payment details, even with accurate reservation information, verify through official channels before processing. If any employee reports a login prompt after clicking an email link (even if they didn't enter credentials), contact your IT provider immediately.

Safe to ignore this week: the ShinyHunters enterprise breaches (Amtrak, Rockstar Games), relevant only if you use Snowflake with third-party analytics integrations; and the industrial PLC vulnerabilities, unless you operate manufacturing equipment with internet-connected Rockwell controllers.


🔮 LOOKING AHEAD

Third-Party Integrations: The New Front Door

The ShinyHunters campaign demonstrates a fundamental shift in how attackers operate. They didn't break into Snowflake or any victim's primary systems; they compromised Anodot, a trusted third-party tool, and used legitimate authentication tokens to walk through the front door.

What's changing: Long-lived authentication tokens that don't expire are a liability. When a monitoring tool like Anodot gets compromised, every customer environment it touches becomes accessible. The access appears routine; security teams may see nothing unusual while attackers quietly export databases.

What to watch: Unusual API activity from approved integrations during off-hours. Large data transfers that appear to come from legitimate monitoring services. Authentication from integration services to resources they don't typically access.
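The three "what to watch" checks above can be turned into a first-pass detection rule. The script below is an added example, not from the newsletter or any vendor: it runs the off-hours, large-transfer and unusual-resource checks over a few constructed audit events for integration service accounts. The log format, principal names, per-integration resource baseline, business-hours window and 500 MB threshold are all assumptions you would replace with your own.

```python
import json
from datetime import datetime

# Constructed sample audit events in a generic cloud-warehouse style (not real Snowflake logs):
# one line per API call made by a service principal that belongs to a third-party integration.
SAMPLE_LOG = """
{"ts": "2026-04-09T10:12:03Z", "principal": "svc-anodot-monitor", "action": "QUERY", "resource": "METRICS.DAILY_ROLLUP", "bytes": 52000}
{"ts": "2026-04-09T14:40:11Z", "principal": "svc-anodot-monitor", "action": "QUERY", "resource": "METRICS.DAILY_ROLLUP", "bytes": 61000}
{"ts": "2026-04-10T02:17:45Z", "principal": "svc-anodot-monitor", "action": "QUERY", "resource": "CUSTOMERS.PII", "bytes": 4800000000}
{"ts": "2026-04-10T09:05:30Z", "principal": "svc-bi-dashboards", "action": "QUERY", "resource": "SALES.SUMMARY", "bytes": 120000}
{"ts": "2026-04-10T03:10:00Z", "principal": "svc-bi-dashboards", "action": "QUERY", "resource": "SALES.SUMMARY", "bytes": 90000}
"""

# Per-integration baseline of resources each service account normally touches.
# Hypothetical values; in practice this comes from your own inventory review.
BASELINE = {
    "svc-anodot-monitor": {"METRICS.DAILY_ROLLUP"},
    "svc-bi-dashboards": {"SALES.SUMMARY"},
}
BUSINESS_HOURS = range(7, 20)    # 07:00-19:59 UTC counts as working hours (assumption)
TRANSFER_LIMIT = 500_000_000     # flag any single call moving more than ~500 MB (assumption)

def detect(log_text: str, baseline=BASELINE):
    """Apply the three newsletter checks to each event and return a list of
    (timestamp, principal, [reasons]) for every event that trips at least one."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        reasons = []
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours activity")
        if ev["bytes"] > TRANSFER_LIMIT:
            reasons.append(f"large transfer ({ev['bytes'] // 1_000_000} MB)")
        if ev["resource"] not in baseline.get(ev["principal"], set()):
            reasons.append(f"unusual resource {ev['resource']}")
        if reasons:
            alerts.append((ev["ts"], ev["principal"], reasons))
    return alerts

if __name__ == "__main__":
    for ts, who, why in detect(SAMPLE_LOG):
        print(ts, who, "; ".join(why))
```

An event that trips all three checks at once (off-hours, multi-GB, a table the integration never touched) is the pattern the campaign describes and deserves an immediate token revocation and review rather than a ticket.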

The uncomfortable question: For every third-party app connected to your cloud environment, ask: "If this vendor got breached tomorrow, what could attackers access through their integration with us?"

📅 This Month's Priority

Create an inventory of all third-party apps with access to your Microsoft 365, Google Workspace, or cloud infrastructure. For each: document what data it can access, when it was last used, and whether those permissions are still necessary. Remove access for anything dormant.
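The permission audit in "Just Do This" and the inventory above come down to two questions per app: is its access broad, and is it still used? The script below is an added example, not the newsletter's or any vendor's tool: it triages a hand-built app list against those two questions. The app names, dates and the 90-day dormancy cutoff are constructed; the permission names are real Microsoft Graph and Google OAuth scopes, and the "broad" heuristic (tenant-wide `.All` Graph permissions, send-as-user mail, full-Drive scopes) is this example's own assumption.

```python
from datetime import date

# Constructed sample inventory, the shape of what an admin would note while walking the
# Entra "Enterprise Applications" and Google "App Access Control" screens (not a real tenant).
SAMPLE_APPS = [
    {"name": "CRM Connector", "platform": "m365", "admin_consent": True,
     "scopes": ["User.Read", "Mail.Send", "Files.Read.All"], "last_used": "2026-04-10"},
    {"name": "Old Survey Tool", "platform": "m365", "admin_consent": True,
     "scopes": ["Directory.Read.All", "Sites.Read.All"], "last_used": "2025-09-02"},
    {"name": "Calendar Sync", "platform": "gworkspace", "admin_consent": False,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"], "last_used": "2026-04-12"},
    {"name": "Analytics Plugin", "platform": "gworkspace", "admin_consent": True,
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/gmail.send"], "last_used": "2026-01-03"},
]

# Heuristic for "broad" access as the newsletter describes it: read-everything, send-as-you,
# access-all-data. Assumption of this example, extend it to match your own risk appetite.
BROAD_M365 = {"Mail.Send", "Mail.ReadWrite"}
BROAD_GOOGLE = {"https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/gmail.send",
                "https://www.googleapis.com/auth/gmail.modify"}

def is_broad(scope: str) -> bool:
    return scope.endswith(".All") or scope in BROAD_M365 or scope in BROAD_GOOGLE

def triage(apps, today: str, dormant_days: int = 90):
    """Return (app name, reasons) for every app that needs a decision: it holds broad
    scopes, has been idle longer than dormant_days, or both. Clean apps are omitted."""
    ref = date.fromisoformat(today)
    findings = []
    for app in apps:
        reasons = []
        broad = [s for s in app["scopes"] if is_broad(s)]
        if broad:
            reasons.append("broad: " + ", ".join(broad))
        idle = (ref - date.fromisoformat(app["last_used"])).days
        if idle > dormant_days:
            reasons.append(f"dormant {idle}d")
        if reasons:
            findings.append((app["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_APPS, "2026-04-13"):
        print(f"{name}: {'; '.join(reasons)}")
```

Apps flagged as both broad and dormant are the ones to remove first; broad-but-active apps are where you ask the vendor whether a narrower scope would do.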


CLASSIFICATION: TLP:CLEAR

Sources: BleepingComputer, TechCrunch, Help Net Security, Cyber Daily, CybelAngel, CIS Security, Ransomware.live API, RansomLook.io API


Your data is an asset. We guard it like one.

Intelligence cutoff: April 13, 2026 2:00 PM ET | Next edition: April 20, 2026
