S6 Ransomware Signal - June 16 to 22, 2026
TLP:CLEAR. Approved for Public Distribution

S6 RANSOMWARE SIGNAL

Week of June 16 to 22, 2026 | Published by S6 Tech


⚡ 60-SECOND VERSION

Biggest threat: A new ransomware called Prinz Eugen leaves no ransom note at all, and Microsoft confirmed this week that attackers are now using AI to compress the time between break-in and full encryption from days to hours.

Why it matters: Negotiation needs time and instructions. Both are slipping away. Restore-from-backup is moving from the fallback plan to the primary plan, but only if your backups actually restore.

Do this now: Run a full restore of one real business file this week, start to finish. Time how long it takes. Microsoft restore guide.

📋 EXECUTIVE SUMMARY

1. Two unrelated stories pointed the same direction this week. BleepingComputer documented Prinz Eugen, a ransomware strain that targets your most recently modified files first and never drops a ransom note. Separately, Microsoft and PRODAFT confirmed ransomware operators are now using AI to accelerate every stage of an attack. The implication for owners is simple. The window you assumed you had to call IT, get advice, and decide whether to pay may not exist on the next incident. Backups stop being a fallback. They become the plan.

2. The Gentlemen, whose operator was named last week as Alexander Yapaev of Izhevsk, claimed Mackay Sugar in Australia and shut down harvest and milling operations across multiple sites. Tier 2 data puts the group at 21 victims for the week and 22 percent of all disclosed ransomware activity. That is four of our last five issues with this group at the top of the volume table. The story is no longer who they are. The story is what they do once inside, and the answer keeps getting more operational.

3. Aurora ran an enterprise breach spree this week with downstream consequences for thousands of smaller firms. ALS Global lost a 1Password emergency recovery kit, 1,018 passport scans, and 20 GB of proprietary research. Hagerman & Company, an Autodesk reseller, exposed engineering vault data tied to NYPA power plants, Kinder Morgan LNG terminals, NASA, and Lockheed. NationsBuilders Insurance lost 2.7 million file entries across claims and policies. When a vendor at that scale leaks, the contracts and credentials inside the leak name their smaller customers. Your data may already be sitting in someone else's breach.


📊 METRICS & INTELLIGENCE

Metric This Week What It Means
Total Disclosed Victims 96 First reading below the 97 to 107 band we have held for nine weeks. A single soft week is not a trend, but it is the first crack in the line.
Active Threat Actors 31 Fragmentation holds. One leader, thirty smaller crews filling the rest.
The Gentlemen's Share 21 (22%) Volume leader for the fourth time in five issues. The exception was June 15, when deadlock's 77-victim posting backlog distorted the share.
Qilin's Share 16 (17%) Steady second place. Claimed Central Bank of Libya this week; scope and operational impact not independently confirmed.
US-Based Victims 24 (25%) Recovered from last week's 8.4 percent low. The deadlock-driven Europe concentration was a one-week event.
Healthcare Sector Hits 5 Sharp drop from 14 two weeks ago. May be a real cooling or a posting lag. Two weeks at this level would confirm.
Manufacturing Hits 14 Volume leader by sector again. Mackay Sugar shutdown sits inside this count.

Germany (7), Canada (6), India (5), and Vietnam (4) followed the US, with the remainder spread across more than twenty other countries.

SECTOR VICTIM COUNT, THIS WEEK

Manufacturing
14
Professional Services
11
Construction
9
Financial Services
6
Healthcare
5
Education
4

Manufacturing leads for the second week running. Healthcare cooled to five victims after holding double-digit counts in five of the last seven issues.


🚨 ACTIVE CAMPAIGNS

Prinz Eugen Ransomware 🏢

A new strain that encrypts your most recent work first and leaves no payment instructions behind.

What it does: Researchers at BleepingComputer documented a ransomware strain that takes a different approach than the rest of the market. It sorts files by modification date and targets the newest first, so the work you did this week gets hit before the archives from 2019. No ransom note is written to disk on infected systems. Victims have no built-in path to negotiate.

Why it matters: The absence of a note signals one of three things. Either the operators plan to contact victims through other channels after the fact, the stolen data will be sold or leaked without an offer, or this is purely destructive and recovery is not on the table at all. The active victim count is not yet public and the entry vector is not yet documented. What is documented is the philosophy. In an attack you cannot negotiate, the only working option is the one you built before the attack happened.

Source: BleepingComputer, June 20, 2026.

Mackay Sugar Operational Shutdown 🏭

The Gentlemen claimed an Australian sugar producer mid-harvest. Production halted across multiple sites.

What it does: The Gentlemen ransomware group claimed Mackay Sugar, one of Australia's largest sugar producers, this week. Harvesting and milling operations were halted across multiple sites. The specific entry vector has not been disclosed by the company or by investigators. The operational impact is what makes this incident worth attention.

Why it matters: Sugarcane has a narrow crush window. A shutdown during harvest is not just a data-recovery problem. It is a crop-loss problem and a downstream supply chain problem. The lesson reaches well past sugar. If your business runs operational technology (the systems controlling machines and production lines, not the systems running email), the network segmentation between those two worlds is now defensive priority one. Attackers who reach your email server should not also be able to reach your production floor. If the only thing standing between IT and OT is the goodwill of your network configuration, you have a Mackay Sugar incident waiting to happen.

Source: The Record, June 18, 2026.

Aurora Enterprise Breach Spree 🏢

Three high-impact disclosures expose credentials and contracts that flow downhill to SMB customers.

What it does: Aurora published three notable enterprise breaches this week. ALS Global (ASX:ALQ, a multi-billion-dollar testing firm) lost what attackers describe as a 1Password emergency recovery kit, 1,018 passport scans, and 20 GB of research data. Hagerman & Company, an Autodesk reseller, exposed engineering vault data tied to NYPA power plants, Kinder Morgan LNG terminals, NASA, and Lockheed. NationsBuilders Insurance lost 2.7 million file entries across claims and policies. Volumes come from attacker leak posts and are not independently verified.

Why it matters: When a vendor at this scale leaks, the contents name their downstream partners. An Autodesk reseller's vault holds client designs. An insurance broker's files hold policies for SMB customers. If your company has ever worked with these vendors, assume the data they hold about you is now exposed. The defensive move is rotating any credentials you share with them and asking what they will do about it.

Source: Tier 2 leak-site intelligence (Ransomware.live, RansomLook.io), week of June 16 to 22, 2026.

📈 TRENDLINE: The Gentlemen at the Top, Four of Five Weeks

The Gentlemen has led the volume tables on June 1 (22 percent), June 8 (25 percent), and now June 22 (22 percent). The single exception was June 15, when deadlock's 77-victim posting backlog took the share for that week alone. That is not a rotation. It is structural dominance. Combined with the Microsoft worm-propagation analysis from June 1, the Yapaev deanonymization from June 15, and the Mackay Sugar incident this week, the operation is now the single most consistent feature of the ransomware ecosystem. Plan your defenses against their playbook even when your incident was not this week's headline.


✅ JUST DO THIS

Run a full restore of one real business file this week.

⏱️ 30 to 60 minutes | 💰 Free

Why now: Two stories this week pointed at the same operational conclusion. Prinz Eugen ransomware leaves no payment instructions, so there is no negotiation channel. AI-accelerated attacks compress the window between break-in and full encryption from days to hours, so there is no extra time. Both of those gaps are filled by exactly one thing: a backup that actually restores. Most businesses verify that backups are running. Far fewer verify that backups can be recovered. The first time you find out is the worst possible time to find out.

Platform Steps
Microsoft 365 Pick a SharePoint or OneDrive document modified at least 30 days ago. Right-click the file, choose Version History, and restore an earlier version. Open the restored file. Confirm the content is intact. Restore guide.
Google Workspace Open a Doc, Sheet, or Drive file from at least 30 days back. File > Version History > See version history > Restore an earlier version. Open it. Confirm the content. Version history guide.
On-prem, NAS, or managed backup Pick one file (not the whole server). Ask your IT provider to restore it from your most recent backup to a test location. Time how long the process takes. Open the restored file. Confirm it works.

Verify it worked: The restored file opens cleanly and contains the expected content. If the process took six hours for one file, your full server recovery target is realistically a week, not a day. That gap is the conversation you should be having with your IT provider before the next incident, not after.


🎯 THREAT ACTOR SPOTLIGHT

The Gentlemen 🏭

21 victims this week, 22 percent of disclosed activity. Top of the volume table for the fourth time in five issues.

The deanonymization to Alexander Yapaev of Izhevsk and the Microsoft self-propagation analysis are both behind us in earlier issues. The defensive priorities have not changed. What is worth tracking now is how the operation grew. Check Point and PRODAFT both confirm a 90/10 affiliate revenue split, against the industry-standard 80/20. That extra ten points is a hiring strategy. It pulls experienced affiliates from competing programs the same way a higher-paying employer pulls engineers. The position at the top of the volume table is a recruiting outcome that took roughly a year to compound, and it is not going to reverse on its own.

Target profile this week: Mid-market firms between 50 and 500 employees across manufacturing, professional services, logistics, and real estate, spread across the US, Germany, France, the UAE, Thailand, Taiwan, and Spain. The Mackay Sugar attack shows the group will also take targets where shutting down operations causes more pain than stealing data.

TTPs (the techniques they use):

  • Initial access: Brute-force attacks against Fortinet SSL-VPN logins (automated password guessing) plus credentials harvested from old data breaches. Several recent victims share the common signal of an exposed IT or MSP connection.
  • Lateral movement: Once inside, comprehensive access to file servers across HR, finance, and operations.
  • Speed: Initial access to network-wide encryption inside hours. PRODAFT confirmed the operator uses AI for tooling and post-exploitation, which compresses the timeline further.

Defensive priorities:

# Action Plain English
1 Segment IT from OT Put a firewall (or a vlan, or both) between office computers and any production machinery, point of sale, or building system. Mackay Sugar is the cautionary tale.
2 Audit file share permissions Review who can read HR, finance, and operations folders. The default "everyone" permission is how a single compromised laptop becomes a company-wide breach.
3 Hardware MFA on remote access admin accounts App codes and SMS can be intercepted. A physical security key cannot. Issue them to anyone who can log into your VPN, firewall, or domain controller.

Also active: Qilin held second place with 16 victims and claimed the Central Bank of Libya this week. Operational impact and scope of the central bank incident have not been independently confirmed, but a claim against a national monetary authority is the kind of incident that draws regulatory attention well beyond the immediate victim.


🏭 SECTOR TARGETING

Manufacturing, 14 victims 🏭

Threat actors: Qilin, The Gentlemen, Wallstreet, DragonForce, Aurora. Notable incidents: Omax Autos (India), MBO GmbH (Germany), CTM India and Motherson Group (India), Taiwan Sintong Machinery (Taiwan), MIHANA Seisakusho (Japan), Kochs GmbH (Germany), Roth Industries. Data exposed per leak posts: The Kochs GmbH breach allegedly includes 22 GB of payroll databases, 77 VPN pre-shared keys (the secrets that let remote workers connect to the corporate network), and plaintext Active Directory credentials. If those VPN keys are real and unrotated, the network is still walkable.

Professional Services, 11 victims 🏪🏢

Threat actors: Akira, The Gentlemen, Aurora. Notable incidents: Berg Lilly PC (Montana law firm, attackers claim 50 GB of client personally identifiable information), GIA Partners (investment advisor reporting more than $1 billion in assets under management), Burris & MacOmber PLLC (Arizona law firm), Amigest (French IT integrator). Data exposed: Client tax records, legal correspondence, financial planning files. Two US law firms posted in a single week is the pattern to watch.

Construction, 9 victims 🏪

Threat actors: Qilin, Aurora, The Gentlemen, LockBit5. Notable incidents: NTP B.V. (Netherlands), Homes By J Anthony, PJ Daly Contracting (Ireland), Sparkle Pools, Keywest Projects (Canada), PROBAT Bau AG (Germany). Data exposed: Project bids, subcontractor lists, supplier payment terms. Construction firms with 20 to 200 employees took most of this category.

Healthcare, 5 victims 🏢

Threat actors: The Gentlemen, Nightspire. Notable incidents: Athens Orthopedic Clinic (Georgia), Hooke Laboratories (biotech), ErgoMed (occupational health), Dean Cosmetic Dentistry, Artistic Smiles. The count is down from 14 two weeks ago, the lowest since mid-April. Treat this as either a real cooling or a posting lag until two consecutive weeks confirm either way.

Education, 4 victims 🏢

Threat actors: DragonForce, CMD Organization, Qilin, LockBit5. Notable incidents: BITS Pilani (premier Indian university), Wall ISD (Texas K-12 district), Belz Institutions, Delano Public Schools (Minnesota). Texas K-12 hits put this week's list close to home. Public schools tend to run thin IT staff and standardize on a small set of platforms, so one compromise can affect several districts at once.

⚠️ SMB Sector Alert: Small Law Firms

Two US law firms posted in a single week, both small practices outside the major markets. Berg Lilly PC (Montana) and Burris & MacOmber PLLC (Arizona) both lost client files according to the attacker posts, with Berg Lilly's volume alone claimed at 50 GB. If your firm holds client tax records, estate documents, divorce filings, or contract negotiations and runs on under 50 staff, you fit this week's target profile precisely. The cheap moves still apply. MFA on remote access, segmented file shares, and a tested restore of one file. Those are this week's defenses, and none of them cost more than a few hours.


🏪 SMB REALITY CHECK

If you are under 50 employees with no dedicated security staff, here is what actually matters this week:

Last week's call to audit third-party app permissions still applies, and the MFA-on-perimeter call from earlier issues still applies. What is new this week is one specific test. Pick a file that matters to your business. Try to restore it from your most recent backup. Time the process. If it takes longer than your business can tolerate, that is the gap to talk to your IT provider about, calmly, this month, before anyone calls you in a panic on a Saturday.

The Prinz Eugen story matters not because the strain is in active wide deployment yet but because of what it signals. Attackers are starting to skip the negotiation step. The AI-accelerated attack story matters because the time between someone clicking a bad link and your shared drive being encrypted is shrinking. Both gaps point at the same fix.

💡 Backups Are a Habit, Not a Product

A backup that has never been restored is a hope. A backup that you restored from last quarter, on a real file, with a clock running, is a plan. The shift is not technical. It is operational. The people running the business need to know the recovery time, not just the backup status.

Your Stack, Your Actions:

If You Use... Do This Time
Microsoft 365 Restore one file from SharePoint Version History. Open it. Confirm. 10 min
Google Workspace Restore one Drive file from Version History. Open it. Confirm. 10 min
Server backup (Datto, Veeam, Synology) Ask your IT provider to restore one file to a test location and time it. 30 to 60 min
QuickBooks, Xero, or other SaaS bookkeeping Export a full backup to local storage. Some platforms do not back up your data; they expect you to. 15 min

📞 When to Call for Help

If your restore attempt fails, takes more than two hours for a single file, or your IT provider cannot tell you what your recovery time objective actually is, that is the signal to bring in outside help. You should not be guessing how long a real recovery would take.

Safe to ignore this week: the Aurora enterprise breaches (unless you actually do business with ALS Global, Hagerman, or NationsBuilders), the Brazil false emergency alert investigation, the Microsoft DART report on parallel threat actors (that is enterprise incident response reading), and the Dutch hosting server seizure (geopolitically interesting, not operationally actionable for SMBs).


🔮 LOOKING AHEAD

AI-Accelerated Attacks Are Operational, Not Theoretical

Two confirmations landed this week from sources that do not exaggerate. PRODAFT confirmed The Gentlemen's operator uses AI for ransomware tooling and post-exploitation. Microsoft's June 17 advisory put the broader picture plainly: AI is helping cyberattackers move faster across the entire attack chain by personalizing social engineering at scale, automating reconnaissance, analyzing leaked credentials, identifying privileged users, probing exposed systems, and adapting tactics in real time. That is no longer a forecast. It is current operations.

What to watch: Phishing emails with fewer typos and more context-specific detail (someone seems to know about the project you are working on, the vendor you just paid, the meeting you missed). Attack progression measured in hours instead of days. Attackers correctly identifying your most valuable systems on the first try, without weeks of probing first.

Bottom line: Legacy incident response plans assumed attackers were slow. They are not slow anymore. If your plan reads like "we would detect it Friday afternoon and call IT Monday morning," that window has closed. The detection-to-response gap needs to live inside hours, not days. That changes who is on call after hours and what authority your IT provider has to start containment without waiting for a meeting.

📅 Next Month's Priority

Schedule a quarterly documented backup restoration test. Pick one server, one shared drive, one critical file. Restore them all to a test location. Document the times. Report the results to whoever runs the business, not just to whoever runs IT. Cost: roughly 2 hours of staff time per quarter, free if your existing backup product supports test restores (most do).


CLASSIFICATION: TLP:CLEAR

Sources: BleepingComputer (Prinz Eugen, June 20) · The Record (Mackay Sugar, June 18) · KrebsOnSecurity (The Gentlemen, June 10) · Huntress (TTPs, May 21) · Microsoft Security Blog (DART, June 22) · Microsoft Entra Blog (AI acceleration, June 17) · The Record (SocGholish, June 19) · BleepingComputer (Texas breach, June 19) · Ransomware.live and RansomLook.io API data, week of June 16 to 22.

S6 RANSOMWARE SIGNAL

Your data is an asset. We guard it like one.

Intelligence cutoff: June 22, 2026 | Next edition: June 29, 2026

Keep reading