S6 Ransomware Signal - March 30 - April 5, 2026
TLP:CLEAR — Approved for Public Distribution

S6 RANSOMWARE SIGNAL

Week of March 30 – April 5, 2026 | Published by S6 Tech


⚡ 60-SECOND VERSION

Biggest threat: New "Infinity Stealer" malware targets Mac users through fake error pop-ups. Credential theft is no longer a Windows-only problem.

Why it matters: 97 organizations disclosed as ransomware victims this week; construction (11) and professional services (9) hit hardest. A new "Leak Bazaar" marketplace now monetizes stolen data when victims refuse to pay, making every breach permanently costly.

Do this now: Send a 2-minute email to Mac users: "Never copy-paste commands from pop-up error messages. This is how attackers steal your passwords."

📋 EXECUTIVE SUMMARY

1. Mac users are now credential theft targets. "Infinity Stealer" malware uses fake error pop-ups ("ClickFix" lures) to trick users into pasting malicious commands. If your organization includes Macs, they need the same security attention as Windows machines.

2. Stolen data now has a secondary market. A new platform called "Leak Bazaar" specifically monetizes corporate data when victims refuse to pay ransoms. It uses machine learning to categorize stolen files and targets companies with $10M+ revenue. Any breach now carries permanent resale risk.

3. Qilin and Akira maintain pressure. Qilin posted 24 victims (25% of all disclosures) up slightly from last week. Construction and professional services remain primary targets. The Starkiller MFA-bypass threat from last week remains active; hardware security key deployment should continue.


📊 METRICS & INTELLIGENCE

Metric                      | This Week                  | What It Means
Total Disclosed Victims     | 97 (vs. 107 last week)     | Slight dip but no slowdown; 31 active threat actors
Construction Sector Hits    | 11 (same as last week)     | Qilin posted 6 in 4 days; sustained targeting
Professional Services       | 9 (vs. 12 last week)       | Law firms with Fortune 500 clients remain in crosshairs
Healthcare Sector Hits      | 8 (same as last week)      | Patient records, SSNs explicitly stolen; HIPAA exposure
macOS Targeting             | New infostealer families   | Include Macs in security awareness; not inherently safer
Data Broker Markets         | New platform launched      | Any stolen data has resale value; breach costs are permanent

US-based organizations accounted for 28 victims (29%); the rest were scattered across 20+ countries, including the UK (7), Germany (5), India (5), and Canada (4).


🚨 ACTIVE CAMPAIGNS

Infinity Stealer (macOS) 🏢 All Organizations

NEW: Credential theft targeting Mac users through fake error messages

What it does: "ClickFix" lures display fake pop-up error messages telling users to copy and paste a command to fix a problem. The pasted command downloads Python-based malware (compiled with Nuitka) that steals browser credentials, cryptocurrency wallets, and system information from infected Macs.

Why it matters: Many organizations assume Macs are inherently safer than Windows; they're not. Stolen credentials enable follow-on attacks, including network compromise and ransomware deployment. If attackers harvest your employees' browser-saved passwords, they may gain access to business systems.

Source: BleepingComputer

Leak Bazaar Data Marketplace 🏢 All Organizations

NEW: Secondary market monetizes stolen data when victims refuse to pay

What it does: A new platform operated by SnowTeam/BlackSnow, designed specifically to sell corporate data when ransomware victims refuse to pay. It uses machine learning to automatically categorize stolen data (financial reports, M&A documents, R&D, personal data) and automated database reverse-engineering to extract clean exports from raw SQL/SAP/Oracle dumps.

Why it matters: This creates a secondary market that increases the value of any data breach. Target profile: companies with $10M+ revenue, prioritizing tech, biotech, pharmaceuticals, law firms, insurance, and financial services. Minimum 100GB data volume preferred. Even if you don't pay a ransom, your data may be sold anyway.

Source: Dark Web Informer

📌 Reminder: Starkiller MFA Bypass Still Active

Last week's #1 threat remains operational. If you haven't deployed hardware security keys for admin accounts, this should remain a priority. The platform intercepts MFA codes in real time, defeating standard authenticator apps.


✅ JUST DO THIS

Warn Mac users about fake error pop-ups

⏱️ 5 minutes | 💰 Free

What: Send a direct message to every Mac user in your organization: "If you see a pop-up asking you to copy and paste a command to 'fix' an error, STOP. This is malware. Close the window and report it to IT."

Why now: Infinity Stealer is actively using this "ClickFix" technique. Mac users often believe they're immune to malware; they need an explicit warning that this attack targets them specifically.

Platform    | Instructions
Slack/Teams | Post in #general: "🍎 Mac Security Alert: Never copy-paste commands from pop-up error messages. This is how attackers steal passwords. If you see this, close the window and tell IT."
Email       | Send to Mac users only (check your device inventory): same message, subject line "Security Alert for Mac Users"

Verify it worked: Ask a Mac user tomorrow what they'd do if a pop-up asked them to paste a command.


🎯 THREAT ACTOR SPOTLIGHT: QILIN (Continued)

24 victims this week (up from 23 last week) — 25% of all disclosed attacks. Consistent daily posting cadence continues. Still targeting SMB and mid-market organizations across construction, healthcare, retail, and professional services.

This week's notable activity: Qilin posted 6 construction victims in just 4 days, suggesting a focused campaign against the sector. Geographic spread: US (8), UK (3), Germany (2), with additional victims in Malaysia, Spain, Slovakia, and Denmark.

Defensive priorities remain unchanged:

Priority | Action                              | Status Check
1        | Disable exposed RDP                 | Scan your external IPs for port 3389
2        | Hardware security keys for admins   | Per last week's guidance, continue rollout
3        | Network segmentation                | Ensure backups are isolated from the primary network

Also Active: Akira posted 11 victims (vs. 12 last week) across construction, manufacturing, and professional services. Continues explicitly threatening data uploads with specific GB counts and targeting employee PII including passports and medical records.
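The priority-1 status check above ("scan your external IPs for port 3389") as a small script. This is an added example, not code from S6 Tech; the address list is constructed from documentation ranges and should be replaced with addresses you own.

```python
"""Added example (not from the S6 brief): check your own external addresses
for a listening RDP port, the Qilin priority-1 status check above.
The address list in __main__ is constructed (TEST-NET documentation ranges)."""
import ipaddress
import socket
from typing import Iterable, List

RDP_PORT = 3389


def expand_targets(entries: Iterable[str]) -> List[str]:
    """Accept single IPs or CIDR blocks and return individual host strings.

    Network and broadcast addresses of a block are skipped, since nothing
    should be listening there; single addresses are validated and kept."""
    hosts: List[str] = []
    for entry in entries:
        if "/" in entry:
            net = ipaddress.ip_network(entry, strict=False)
            hosts.extend(str(h) for h in net.hosts())
        else:
            hosts.append(str(ipaddress.ip_address(entry)))
    return hosts


def port_open(host: str, port: int = RDP_PORT, timeout: float = 1.5) -> bool:
    """TCP connect test: True means something accepted the connection.

    Refused connections and timeouts both count as 'not exposed' here;
    a firewall that drops packets simply produces a timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_exposed(entries: Iterable[str], port: int = RDP_PORT) -> List[str]:
    """Return the hosts from `entries` that accept a TCP connection on `port`."""
    return [host for host in expand_targets(entries) if port_open(host, port)]


if __name__ == "__main__":
    # Constructed placeholders from RFC 5737; substitute your external ranges.
    constructed = ["203.0.113.10", "203.0.113.64/30"]
    exposed = find_exposed(constructed)
    for host in exposed:
        print(f"RDP reachable on {host}: disable it or restrict it to VPN access")
    if not exposed:
        print("No RDP listeners found on the checked addresses")
```

Run it from outside your network (a cloud shell or a home connection), since a scan from inside will not reflect what the internet sees.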


🏭 SECTOR TARGETING

Construction 🏪 SMB Priority — 11 victims (unchanged from last week)

New incidents this week: Miles Electric, Wm Erath & Son, TR Construya, ACR1.COM Commercial Roofing, Mac Interiors, Kaemmerlen Solutions. Qilin drove the bulk of activity with 6 victims in 4 days.

Data exposed: Employee PII, project files, financial records, subcontractor agreements.

Healthcare 🏪 SMB Priority — 8 victims (unchanged)

New incidents: IKRON (278 GB stolen including patient records, SSNs), Florida Therapy Services, NJ Pain Care Specialists, Louise Medical Center. Exitium explicitly claimed CEO emails from one victim.

Threat actors: Exitium, Nightspire, Lynx, Qilin, Black Nevas.

Professional Services (Legal/Accounting) 🏢 All — 9 victims (down from 12)

New incidents: Schlam Stone & Dolan LLP (represents Fortune 500/government clients, Anubis specifically noted the client roster), Richard J. Hackerman P.A. (tax/bankruptcy law), Summit Tax Advisory.

Tax season note: Tax-related phishing remains elevated through April 15. Treat every tax-related email with extra scrutiny.

Manufacturing 🏭 Mid-Market+ — 9 victims

New incidents: Janome America, SBC Tanzania ($42.5M revenue), Conveyors Inc. One unverified claim against Dow (if confirmed, a Fortune 100 chemical manufacturer).


🏪 SMB REALITY CHECK

If you're under 50 employees with no dedicated IT staff, here's what actually matters this week:

The new Mac threat is real. If anyone in your office uses a Mac, warn them today: never paste commands from pop-up error messages. This 2-minute conversation could prevent credential theft. The Leak Bazaar marketplace means any data breach now has permanent resale value: even if you never pay a ransom, your client data may be sold. This reinforces why you need to know where your most sensitive data lives.

Your Stack, Your Actions:

If You Use...           | Do This                                                     | Time
Mac computers           | Warn users: never copy-paste commands from pop-ups         | 5 min
Any file server         | Identify where client SSNs, contracts, and financials live  | 1 hour
Microsoft 365 / Google  | Continue hardware key rollout from last week                | Ongoing

⚠️ When to Call for Help

If a Mac user reports seeing a pop-up asking them to paste a command, even if they didn't do it, assume compromise and call your IT provider. Also, if anyone clicked a suspicious link and entered credentials, the account may already be compromised (Starkiller remains active).

Safe to ignore this week: European Commission breach (government/enterprise only), Telnyx Python package compromise (developers only), unverified BMW and Dow claims (monitoring only).


🔮 LOOKING AHEAD

What's changing: The emergence of Leak Bazaar signals a maturing ransomware economy. Stolen data now has guaranteed resale value even when victims refuse to pay, meaning every breach carries permanent cost. This shifts the economics: prevention matters more than incident response negotiation.

Early indicators to watch: Watch for ransom demands that reference "secondary markets" or "data brokers". Attackers may use this as additional pressure. Also watch for breaches of companies in biotech, pharmaceuticals, or legal sectors, which Leak Bazaar explicitly prioritizes.

Bottom line: Data classification matters more than ever. Know where your most sensitive files live (financials, contracts, HR records) so you can protect them first. If you can't afford to lose it, you can't afford to leave it unprotected.

📅 This Month's Priority: Data Classification

Spend 4-8 hours this month inventorying where your most sensitive data lives. Focus on: client SSNs, financial records, contracts, HR files, and anything that would trigger breach notification if stolen. You can't protect what you can't find.
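A starting point for the inventory described above, as an added example (not code from S6 Tech): walk a file share and report which files contain plausible US SSN values, so the highest-risk locations surface first. File names, paths and contents in `demo()` are constructed for illustration.

```python
"""Added example (not from the S6 brief): locate files that hold SSN-like
values, supporting this month's data classification priority.
Sample files created by demo() are constructed, not real records."""
import os
import re
import tempfile
from collections import Counter

# 123-45-6789 style values; whether a match is a real SSN is checked below.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000, 666 or 900-999,
    group 00, serial 0000) to cut false positives from phone fragments
    and invoice numbers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def count_ssns(text: str) -> int:
    """Number of plausible SSNs in a block of text."""
    return sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))


def inventory(root: str, exts=(".txt", ".csv", ".log")) -> Counter:
    """Map each file under `root` (relative path) to its plausible SSN count.
    Only the listed extensions are read; unreadable files are skipped."""
    hits: Counter = Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    n = count_ssns(fh.read())
            except OSError:
                continue
            if n:
                hits[os.path.relpath(path, root)] = n
    return hits


def demo() -> Counter:
    """Build a constructed sample tree in a temp dir and inventory it."""
    root = tempfile.mkdtemp()
    samples = {  # constructed contents; none are real identifiers
        "hr/payroll.csv": "name,ssn\nA. Example,123-45-6789\nB. Example,234-56-7890\n",
        "ops/invoices.txt": "inv 000-12-3456 ref 555-00-1234 tel 900-55-1212\n",
        "notes/scratch.md": "123-45-6789\n",  # not scanned: extension excluded
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return inventory(root)


if __name__ == "__main__":
    for path, n in demo().most_common():
        print(f"{n:5d}  {path}")
```

Point `inventory()` at a real share root (and widen `exts` to the formats you store) to get a ranked list of where SSNs actually live; the same pattern extends to other markers you care about, such as account numbers or contract keywords.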


CLASSIFICATION: TLP:CLEAR

Sources: Ransomware.live, RansomLook.io, BleepingComputer, Dark Web Informer, Krebs on Security

S6 Ransomware Signal

Your data is an asset. We guard it like one.

Intelligence cutoff: March 31, 2026, 08:00 ET | Next edition: April 7, 2026
