
CISA Launches CI Fortify to Defend Critical Infrastructure From Nation-State Cyber Threats


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a new initiative called “CI Fortify” aimed at helping critical infrastructure operators prepare for disruptive cyberattacks linked to geopolitical conflicts. The initiative comes amid growing concerns over nation-state cyber threats targeting operational technology (OT) systems that support essential services across the United States. The CI Fortify initiative focuses on improving critical infrastructure resilience through two key objectives: isolation and recovery. CISA said the effort is designed to help operators maintain essential operations even if adversaries compromise telecommunications networks, internet services, or industrial control systems. According to the agency, nation-state actors are no longer limiting their activities to espionage. Instead, threat groups have increasingly been pre-positioning themselves inside critical infrastructure environments to potentially disrupt or destroy systems during future geopolitical conflicts.

CI Fortify Initiative Focuses on Isolation and Recovery

Under the CI Fortify initiative, CISA is urging critical infrastructure organizations to assume that third-party communications and service providers may become unreliable during a crisis. Operators are also being asked to plan under the assumption that threat actors may already have some level of access to OT networks.

Nick Andersen, Acting Director at CISA, emphasized the need for organizations to prepare for worst-case operational scenarios. “In a geopolitical crisis, the critical infrastructure organizations Americans rely on must be able to continue delivering, at a minimum, crucial services,” Andersen said. “They must be able to isolate vital systems from harm, continue operating in that isolated state, and quickly recover any systems that an adversary may successfully compromise.”

The isolation strategy outlined under CI Fortify involves proactively disconnecting operational technology systems from external business networks and third-party connections. CISA said this approach is intended to prevent cyber impacts from spreading into OT environments while allowing organizations to continue delivering essential services in a degraded communications environment.

The agency advised operators to identify critical customers, including military infrastructure and other lifeline services, and determine the minimum operational capabilities needed to support them during emergencies. CISA also recommended updating engineering processes and business continuity plans to support safe operations for extended periods while systems remain isolated.

Recovery Planning Central to Critical Infrastructure Resilience

Alongside isolation, the CI Fortify initiative places strong emphasis on recovery planning. CISA urged operators to maintain updated system documentation, create secure backups of critical files, and regularly practice system replacement or manual operational transitions. The agency noted that organizations should also identify communications dependencies that could complicate recovery efforts, such as licensing servers, remote vendor access, or upstream network connections. CISA encouraged operators to work closely with managed service providers, system integrators, and vendors to understand potential failure points and establish alternative recovery pathways. The initiative also highlights broader benefits of emergency planning beyond cybersecurity incidents. According to CISA, the same planning processes can help organizations maintain operations during weather-related disruptions, equipment failures, and safety emergencies. The agency said isolation planning can help cut off command-and-control access to compromised systems, while strong recovery preparation can reduce incident response costs and shorten recovery timelines.
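The dependency inventory CISA describes (licensing servers, remote vendor access, upstream links) is something an operator can start from flow or firewall logs. The script below is an added example, not CISA's or any vendor's tooling: it reads a constructed, simplified flow log (ts,src,dst,dport,proto) and reports every flow that leaves the OT address space, so the list of what would break on isolation is visible before the links are cut. The OT prefix and the port labels are assumptions for illustration.

```python
"""Inventory the external connections an OT segment depends on.

Added example, not CISA's or any vendor's code. FLOWS is a constructed,
simplified flow log; OT_NETS and PORT_LABELS are assumptions for illustration.
"""
import csv
import io
import ipaddress
from collections import defaultdict

OT_NETS = [ipaddress.ip_network("10.50.0.0/16")]   # assumed OT address space

# Assumed labels for ports commonly seen on OT egress; a real site needs its own map.
PORT_LABELS = {
    27000: "FlexNet licensing", 1947: "Sentinel HASP licensing",
    3389: "RDP (vendor remote access)", 443: "HTTPS", 53: "DNS", 123: "NTP",
}

# Constructed flow records; the fourth line repeats a licensing check-in.
FLOWS = """ts,src,dst,dport,proto
2026-03-01T02:00:01Z,10.50.1.10,10.50.1.20,502,tcp
2026-03-01T02:00:05Z,10.50.1.10,203.0.113.7,27000,tcp
2026-03-01T02:01:00Z,10.50.2.5,198.51.100.9,443,tcp
2026-03-01T02:01:30Z,10.50.1.10,203.0.113.7,27000,tcp
2026-03-01T02:02:00Z,10.50.3.8,192.0.2.44,3389,tcp
2026-03-01T02:02:10Z,10.50.1.11,10.50.9.1,53,udp
"""


def is_ot(ip: str) -> bool:
    """True if the address falls inside the (assumed) OT ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETS)


def external_dependencies(flow_csv: str) -> dict:
    """Map each OT host to the external (dst, port, label) tuples it talks to.

    Flows that stay inside OT_NETS (e.g. Modbus/TCP on 502 between two PLCs,
    or DNS to an in-segment resolver) are not outside dependencies and are skipped.
    """
    deps = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if is_ot(row["src"]) and not is_ot(row["dst"]):
            port = int(row["dport"])
            key = (row["dst"], port, PORT_LABELS.get(port, "unlabelled"))
            deps[row["src"]][key] += 1
    return {host: dict(targets) for host, targets in deps.items()}


def isolation_report(deps: dict) -> list:
    """One line per external dependency: the list to review before cutting links."""
    lines = []
    for host, targets in sorted(deps.items()):
        for (dst, port, label), count in sorted(targets.items()):
            lines.append(f"{host} -> {dst}:{port} ({label}) seen {count}x")
    return lines


if __name__ == "__main__":
    for line in isolation_report(external_dependencies(FLOWS)):
        print(line)
```

Every line in the report is a question for the engineering and continuity plan: does the host keep running when that destination is unreachable, for how long, and what is the manual or local fallback. Unlabelled ports are the ones to chase with the vendor first.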

Security Vendors and Service Providers Asked to Support CI Fortify

The CI Fortify initiative extends beyond infrastructure operators and calls on cybersecurity vendors, industrial automation suppliers, and managed service providers to support resilience planning efforts. Industrial control system vendors are being encouraged to identify barriers that could interfere with isolation and recovery procedures, including licensing restrictions and server dependency issues. Managed service providers and integrators are expected to assist organizations in engineering updates, local backup collection, and recovery documentation planning. Meanwhile, security vendors are being asked to support threat monitoring and provide intelligence if nation-state actors shift from espionage-focused activity to destructive cyber operations. CISA also requested vendors share information related to tactics that could undermine recovery or bypass isolation protections, including malicious firmware updates and vulnerabilities affecting software-based data diodes.

Volt Typhoon Cyberattacks Continue to Shape U.S. Cybersecurity Strategy

The launch of CI Fortify is closely tied to ongoing concerns surrounding the Volt Typhoon cyberattacks, which U.S. officials have linked to Chinese state-sponsored threat actors. CISA’s initiative specifically references the Volt Typhoon campaign as an example of how adversaries have attempted to establish long-term access inside U.S. critical infrastructure systems to potentially support disruptive actions during military conflicts.

The Volt Typhoon operation first became public in 2023, when U.S. authorities revealed that Chinese hackers had infiltrated multiple sectors of American critical infrastructure. Former CISA Director Jen Easterly stated in 2024 that the agency had identified and removed Volt Typhoon intrusions across several sectors. She later reiterated in 2025 that efforts continued to focus on identifying and evicting Chinese cyber actors from critical infrastructure environments.

Despite these operations, cybersecurity researchers and some government officials have warned that Chinese threat actors may still retain access to portions of critical infrastructure networks. Several experts have argued that nation-state groups remain deeply embedded in certain environments despite years of remediation efforts. With the CI Fortify initiative, CISA appears to be shifting focus toward operational resilience, recognizing that prevention alone may not be sufficient against sophisticated nation-state cyber threats targeting U.S. critical infrastructure.

Australia Forms Cyber Incident Review Board to Strengthen Defences After Major Breaches


Australia has announced the creation of a Cyber Incident Review Board, a move aimed at strengthening the country’s ability to respond to and learn from major cyberattacks. The initiative places Australia among a small group of jurisdictions globally that have formalised independent review mechanisms to assess significant cyber incidents and improve long-term resilience. The Cyber Incident Review Board will conduct no-fault, post-incident reviews of major cybersecurity events affecting both government and private sector organisations. Rather than assigning blame, the board’s mandate is to identify systemic gaps and generate actionable recommendations to improve how Australia prevents, detects and responds to cyber threats. Established under the Cyber Security Act 2024, the board is a central element of the government’s 2023-2030 Australian Cyber Security Strategy. The broader goal is to position Australia as one of the most cyber secure nations by the end of the decade, supported by resilient infrastructure, prepared communities and stronger industry practices. Officials said the Cyber Incident Review Board will focus on extracting lessons from incidents and translating them into practical steps that can reduce the likelihood and impact of future attacks.

Cyber Incident Review Board Brings Together Cross-Sector Leaders

The government has appointed a panel of senior cybersecurity and industry leaders to the Cyber Incident Review Board. The board will be chaired by Narelle Devine, Global Chief Information Security Officer at Telstra. Other members include Debi Ashenden of the University of New South Wales, Valeska Bloch from Allens, Jessica Burleigh of Boeing Australia, Darren Kane from NBN Co, Berin Lautenbach of Toll Group and Nathan Morelli from SA Power Networks. The group brings experience across cybersecurity operations, legal frameworks, governance, national security and critical infrastructure. Authorities said this mix is designed to ensure independent, credible advice that reflects both technical and policy realities.

Government Emphasises Learning Over Blame

Australia’s Minister for Cyber Security Tony Burke said the Cyber Incident Review Board will play a key role in ensuring continuous improvement in national cyber defence. “We know that cyber attacks are constant. This guarantees we learn from every attack and keep increasing our resilience,” Burke said in a statement. He added that the board will examine major cybersecurity incidents, develop findings and provide recommendations that can be applied across sectors. The no-fault model is intended to encourage cooperation from affected organisations, while still producing insights that can benefit the wider ecosystem.

Response Shaped by Recent High-Profile Cyberattacks

The creation of the Cyber Incident Review Board follows a series of major cyber incidents in Australia, including breaches involving health insurer Medibank and telecom provider Optus. These events exposed sensitive customer data and triggered widespread public concern, increasing pressure on the government to strengthen cybersecurity oversight. By introducing structured post-incident reviews, authorities aim to ensure that lessons from such breaches are not lost and can inform future preparedness efforts.

How Australia’s Approach Compares Globally

Australia’s Cyber Incident Review Board aligns with similar efforts internationally but includes some distinct features. The European Union has established a comparable mechanism under its Cyber Solidarity Act, tasking the EU Agency for Cybersecurity (ENISA) with reviewing significant cross-border incidents. However, that framework has yet to be tested in practice. In the United States, the Cyber Safety Review Board has already examined several incidents, including a high-profile breach involving Microsoft. That report pointed to avoidable security failures and called for cultural and leadership changes within the company, prompting CEO Satya Nadella to prioritise security across operations. However, earlier U.S. reviews, such as those into the Log4j vulnerability and the Lapsus$ group, were criticised for lacking focus and impact. Analysts noted that broader, less targeted reviews made it harder to drive accountability or meaningful change.

Stronger Powers to Ensure Participation

One notable difference in Australia’s model is its ability to compel organisations to provide information if they decline to participate voluntarily. This marks a shift from the U.S. approach, which relied on cooperation from affected entities. Experts have argued that such powers could improve the depth and accuracy of findings, ensuring that the Cyber Incident Review Board has access to critical data when analysing incidents. At the same time, the framework stops short of allowing flexible expansion of board membership for specialised cases, an idea that has been suggested in international policy discussions.

Focus on Long-Term Cyber Preparedness

The Cyber Incident Review Board is expected to become a key mechanism in shaping Australia’s cybersecurity posture over the coming years. By systematically reviewing incidents and sharing lessons across sectors, the government hopes to build a more coordinated and resilient defence against evolving cyber threats. With cyberattacks continuing to target critical infrastructure, businesses and public services, the success of the Cyber Incident Review Board will likely depend on its ability to translate insights into measurable improvements across the national ecosystem.

Latvian Cybercriminal Jailed for Role in Multi-Million Dollar Ransomware Scheme


A ransomware organization sentencing has brought one of the key operatives behind a major cybercrime group to justice, highlighting the global reach of law enforcement in tackling ransomware attacks. A Latvian national, Deniss Zolotarjovs, has been sentenced to 102 months in prison for his role in a Russian-linked ransomware organization responsible for targeting more than 54 companies worldwide. The sentencing marks a significant development in ongoing efforts to dismantle international ransomware networks. According to the U.S. Department of Justice, Zolotarjovs played a central role in extortion operations carried out between June 2021 and August 2023. The group operated under multiple ransomware brands, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira, reflecting a complex and evolving cybercrime structure.

Ransomware Organization Sentencing: Role in Extortion and Data Exploitation

Officials said Zolotarjovs was primarily responsible for increasing pressure on victims who hesitated to pay ransom demands. He analyzed stolen data and used sensitive information to intensify extortion tactics. In one case involving a pediatric healthcare provider, Zolotarjovs used children’s health information to pressure the organization into paying. When the ransom demand was not met, he allegedly encouraged co-conspirators to leak or sell the data. Court documents reveal he distributed a bulk set of sensitive records to hundreds of patients, aiming to amplify fear and force compliance. Assistant Attorney General A. Tysen Duva described Zolotarjovs as a “cruel, ruthless, and dangerous international cybercriminal,” noting that his actions included exploiting highly personal data to increase leverage over victims.

Financial and Operational Impact of Attacks

The ransomware organization’s activities caused widespread damage. Of the more than 54 targeted companies, attacks on 13 resulted in losses exceeding $56 million, including approximately $2.8 million paid in ransom. An additional 41 companies are believed to have paid around $13 million, though detailed loss figures are still being compiled. Authorities estimate that the total financial impact could reach hundreds of millions of dollars when factoring in underreported incidents. Beyond financial losses, the attacks led to the exposure of highly sensitive data, including Social Security numbers, addresses, dates of birth, and healthcare records. In one instance, a government entity’s 911 emergency system was forced offline, raising serious concerns about public safety and the broader consequences of ransomware attacks.

Organized Structure and Global Operations

Investigators found that the ransomware organization operated with a structured hierarchy and used a network of companies across Russia, Europe, and the United States to mask its activities. Members were largely based in Russia and reportedly operated from an office in St. Petersburg. The group’s operations also involved corruption and misuse of public resources. Authorities said some members had ties to former Russian law enforcement, allowing them to access databases, intimidate individuals, and identify potential recruits. These connections also enabled members to avoid scrutiny, including evading taxes and military service through bribes.

Arrest, Extradition, and Prosecution

Zolotarjovs was arrested in Georgia in December 2023 and later extradited to the United States in August 2024 after contesting the process. In July 2025, he pleaded guilty to conspiracy charges involving money laundering and wire fraud. The case was investigated by the Federal Bureau of Investigation, with support from multiple field offices and international partners. Special Agent in Charge Jason Cromartie said the case reflects the agency’s continued efforts to track down cybercriminals operating across borders. U.S. Attorney Dominick S. Gerace II added that the prosecution demonstrates that cybercriminals cannot rely on geography or anonymity to evade justice.

Continued Focus on Ransomware Threats

The ransomware organization sentencing highlights the scale and persistence of ransomware threats targeting businesses and public services. Authorities said investigations into related actors and networks remain ongoing as part of broader efforts to disrupt global cybercrime operations.

March 2026 Cyber Threat Landscape Fueled by Ransomware, Breaches, and Access Markets


The 2026 threat landscape continued to intensify in March, with ransomware attacks, expanding data breach activity, and a growing underground market for compromised access shaping the global cybersecurity environment. According to analysis from CRIL (Cyble Research & Intelligence Labs), organizations worldwide faced a highly active and coordinated threat ecosystem throughout the month.  CRIL’s findings point to a cybercriminal landscape driven by financial extortion, credential theft, and operational disruption. Attackers consistently targeted industries that rely heavily on uptime or store large volumes of sensitive data, reinforcing the urgency for stronger defensive strategies. 

Ransomware Attacks Dominate the 2026 Threat Landscape 

[Figure: Top five ransomware actors (Data Source: Cyble Blaze AI)]

One of the most defining aspects of the March 2026 threat landscape was the scale of ransomware attacks. CRIL recorded 702 ransomware incidents globally, underscoring the continued dominance of ransomware as a primary attack vector. Among the most active threat groups were Qilin, Akira, The Gentlemen, Dragonforce, and INC Ransom. Collectively, these actors were responsible for over 56% of all observed ransomware activity, reflecting their operational maturity and extensive affiliate networks. Industries most affected by ransomware attacks included:
  • Construction  
  • Professional Services  
  • Manufacturing  
  • Healthcare  
  • Energy & Utilities  
Attackers frequently employed double-extortion tactics, combining data theft with system disruption to increase pressure on victims. Geographically, the United States remained the primary target, influenced in part by ongoing geopolitical tensions, including those involving Iran. 

Rise of Access Brokers in the CRIL Threat Analysis 

Another notable trend in the 2026 threat landscape, as identified by CRIL, was the continued growth of the compromised access market. During March, 20 separate incidents involving the sale of unauthorized network access were tracked across cybercrime forums.  The most targeted sectors for access sales were: 
  • Professional Services (25%)  
  • Retail (20%)  
  • IT & ITES  
  • Manufacturing  
A small group of threat actors, vexin, holyduxy, and algoyim, dominated this space, accounting for more than 55% of observed listings. These access brokers play a critical upstream role, enabling ransomware attacks, espionage campaigns, and financial fraud operations. 

Data Breaches and Leak Markets Stay Active 

CRIL also documented 54 significant data breach and leak incidents in March, further highlighting the scale of data exposure risks in the current 2026 threat landscape.  The most targeted sectors for data breaches included: 
  • Government & Law Enforcement  
  • Retail  
  • Technology  
Several incidents stood out: 
  • A threat actor known as “nightly” claimed to have stolen over 5TB of data from Hospitality Holdings, including biometric data, CCTV footage, and financial records. 
  • Another actor, XP95, advertised 3.8TB of allegedly stolen South African government data for sale.  
  • A separate breach exposed more than 95,000 travel-related records, including passport and payment information.  

Exploitation of Critical Vulnerabilities Accelerates 

The 2026 threat landscape also saw increased exploitation of critical vulnerabilities, particularly those listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.  Key vulnerabilities targeted included: 
  • CVE-2026-20131 (Cisco Secure Firewall Management Center)  
  • CVE-2025-53521 (F5 BIG-IP APM)  
  • CVE-2026-20963 (Microsoft SharePoint Server)  
  • CVE-2026-33017 (Langflow AI)  
  • CVE-2021-22681 (Rockwell Automation ICS)
CRIL observed attackers exploiting both newly disclosed zero-day vulnerabilities and older, unpatched flaws. This trend reflects persistent gaps in patch management and exposure mitigation across organizations. 
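Mixed exploitation of new and years-old flaws is exactly what the KEV catalog is meant to catch. The script below is an added example, not CISA's or Cyble's tooling: it cross-references a constructed asset CVE list against a stub catalog in the shape of the CISA KEV JSON feed (a "vulnerabilities" array carrying cveID, product, dueDate and knownRansomwareCampaignUse) and orders the hits so ransomware-linked and overdue items surface first. The CVE identifiers in the stub are placeholders, not real vulnerabilities; fetching the live feed is left to the reader.

```python
"""Triage an asset's CVE list against a KEV-style catalog.

Added example, not CISA's or Cyble's tooling. KEV_JSON is a constructed stub
in the shape of the CISA KEV feed; its CVE identifiers are placeholders and
ASSET_CVES is an invented inventory.
"""
import json
from datetime import date

KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "Edge Appliance", "dueDate": "2026-03-15",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "ICS Controller", "dueDate": "2026-05-01",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Placeholder inventory: two KEV entries plus one CVE not in the catalog.
ASSET_CVES = ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"]


def kev_triage(kev_json: str, asset_cves: list, today: date) -> list:
    """Return KEV hits for the asset, ransomware-linked first, then by due date.

    days_to_due is negative when the remediation due date has already passed.
    CVEs absent from the catalog are dropped here; they still need patching,
    just without the KEV deadline.
    """
    kev = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    hits = []
    for cve in asset_cves:
        entry = kev.get(cve)
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cve": cve,
            "product": entry["product"],
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "days_to_due": (due - today).days,
        })
    hits.sort(key=lambda h: (not h["ransomware"], h["days_to_due"]))
    return hits


if __name__ == "__main__":
    for hit in kev_triage(KEV_JSON, ASSET_CVES, date.today()):
        state = "OVERDUE" if hit["days_to_due"] < 0 else f"{hit['days_to_due']}d left"
        print(f"{hit['cve']} {hit['product']} ransomware={hit['ransomware']} {state}")
```

The date is passed in rather than read from the clock so the same inventory can be replayed against a past scan, and so the function is deterministic to test.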

Emerging Threat Developments in March 2026 

Beyond ransomware attacks and data breaches, CRIL identified several strategic developments shaping the 2026 threat landscape: 
  • AI-Driven Attacks: Threat actors reportedly leveraged an open-source framework called CyberStrikeAI to target Fortinet FortiGate devices across 55 countries, compromising more than 600 systems. 
  • Supply Chain Risks: North Korean-linked actors were associated with 26 malicious npm packages distributing remote access trojans (RATs) via infrastructure hosted on Pastebin and Vercel. 
  • Geopolitical Cyber Activity: Iran-linked cyber operations are expected to increase, with potential ransomware attacks and hacktivist campaigns targeting organizations in the Middle East. 

The Cyber Express Weekly Roundup: Crypto Breaches, State-Linked Schemes, and Platform Exploits


In this week’s weekly roundup, The Cyber Express reviews major developments across the cybersecurity domain, highlighting incidents involving crypto ecosystem attacks, state-linked fraud operations, regulatory scrutiny, and underground cybercrime activity. The broader threat landscape continues to show attackers targeting infrastructure weaknesses, social engineering pathways, and third-party dependencies rather than isolated technical flaws. Across multiple cases, state-aligned and financially motivated actors are focusing on routers, DNS layers, and decentralized systems to intercept data and manipulate transactions. At the same time, gaps in regulation and enforcement continue to complicate platform accountability, particularly in online safety and digital content governance.

The Cyber Express Weekly Roundup 

$15M Grinex Hack Halts Trading After Wallet Breach 

Grinex suspended trading and withdrawals following a coordinated attack that compromised its wallet infrastructure, resulting in the theft of more than $15 million in USDT. The attackers rapidly moved assets across Ethereum and Tron networks, using chain-hopping and layering techniques to obscure transaction trails and avoid detection. Read more... 

Two U.S. Nationals Sentenced in $5M North Korea IT Worker Scheme 

Two U.S. nationals, Kejia Wang and Zhenxing Wang, received prison sentences of 108 and 92 months for their roles in a North Korea-linked remote employment scheme that generated over $5 million. The operation used stolen identities, domestic “laptop farms,” and shell companies to present overseas workers as U.S.-based employees across more than 100 companies. Read more... 

Australia Social Media Ban Faces Enforcement Questions 

Australia’s under-16 social media restriction is facing renewed scrutiny after a study of 1,050 children found that over 60% of previously active users aged 12–15 continue accessing platforms such as TikTok, YouTube, and Instagram. Many accounts remained active without intervention from providers, and in some cases, users created new profiles after restrictions were applied. Read more... 

TierOne Dark Web Contest Offers $10K for Exploit Writeups 

A dark web forum known as TierOne has launched a $10,000 contest encouraging detailed technical write-ups on vulnerability exploitation techniques. Running from April 13 to May 14, 2026, and reportedly sponsored by a ransomware group, the contest focuses on topics such as remote code execution, IDOR, SSTI, firmware attacks, and EDR bypass methods.  Read more... 

Rockstar Cyberattack Confirmed Amid Extortion Threat 

Rockstar Games confirmed a cyberattack involving unauthorized access through a third-party service, though it stated that core operations and player systems were unaffected. The threat actor group ShinyHunters claimed responsibility, alleging access to internal company data and demanding payment by April 14, 2026, under threat of public release. Read more... 

Weekly Takeaway 

The Cyber Express weekly roundup reflects a threat landscape that is fragmented yet interconnected. From multimillion-dollar crypto thefts and criminal employment schemes to underground exploit markets and extortion-driven breaches, attackers are consistently blending technical exploitation with deception and supply chain targeting.   Regulatory uncertainty and weak enforcement mechanisms further amplify these risks, allowing both state-linked and financially motivated actors to operate with greater flexibility across digital environments. 

JanaWare Ransomware Targets Turkish Users Through Adwind RAT Campaign


A newly identified cyber campaign involving JanaWare ransomware is targeting users in Turkey, with researchers linking the activity to a customized version of the Adwind Remote Access Trojan (RAT). The findings come from an analysis by researchers at Acronis’ Threat Research Unit (TRU), who identified the threat cluster during an investigation into suspicious Java-based malware samples. According to the researchers, the JanaWare ransomware operation appears to have been active since at least 2020. Evidence from malware samples and infrastructure indicates that the campaign has continued into late 2025, suggesting sustained activity with limited visibility. The attack relies on a modified Adwind RAT that includes polymorphic capabilities. This allows the malware to change its structure across infections, making detection more difficult. Combined with code obfuscation, these techniques have likely contributed to the campaign remaining relatively unnoticed. Unlike large ransomware groups that focus on high-value enterprise targets, JanaWare ransomware appears to follow a different strategy. Observed ransom demands range between $200 and $400, pointing to a model that prioritizes volume over large individual payouts.

Phishing Identified as Primary Infection Vector

The JanaWare ransomware campaign primarily spreads through phishing emails. Victims are lured into clicking malicious links, which lead to the download of a Java archive file. In many observed cases, the payload is hosted on cloud storage platforms. Telemetry data reviewed by researchers shows a consistent attack chain. A phishing email is opened in Microsoft Outlook, followed by a browser session that downloads the malicious file. The file is then executed using Java, triggering the infection.

[Image: JanaWare ransomware attack chain. Source: Acronis’ Threat Research Unit (TRU)]

User reports on public cybersecurity forums also describe similar incidents, supporting the assessment that phishing is the main entry point.

Geofencing Restricts JanaWare Ransomware Attacks to Turkey

A key feature of the JanaWare ransomware is its use of geofencing. The malware is designed to execute only on systems that meet specific regional criteria linked to Turkey. It checks system language, locale settings, and external IP geolocation before proceeding. If the system does not match Turkish parameters, the malicious activity is halted. Researchers note that this approach likely serves both operational and defensive purposes. It allows attackers to focus on a specific region while reducing exposure to global security monitoring and automated analysis systems.

Obfuscation and Polymorphism Hinder Detection

The JanaWare ransomware incorporates multiple techniques to evade detection. Researchers identified the use of known obfuscation tools such as Stringer and Allatori, alongside custom methods that complicate analysis. The malware also includes a self-modifying component that alters its file structure during deployment. By adding random data to its Java archive, each instance generates a unique file hash, limiting the effectiveness of signature-based detection. In addition, the malware contains embedded configuration parameters that control its behavior. These include command-and-control server details, communication ports, and authentication values used during initial connections.
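Padding a Java archive with random data defeats whole-file hashes but not a hash taken over the code entries themselves, because the bytes the JVM actually loads are unchanged. The script below is an added example, not Acronis TRU's code: it builds two toy JARs that carry the same manifest and class stub but a different padding entry, shows that their SHA-256 differs, and then hashes only the .class entries by content to get one stable value for both. The class bytes are a fake stub (magic number plus zeros), not a real compiled class.

```python
"""Stable hashing of polymorphic Java archives.

Added example, not Acronis TRU's code. build_jar() constructs toy JARs whose
manifest and class entries are identical but whose padding entry differs,
mimicking the technique described above; class_content_hash() ignores the
padding by hashing only the .class entries.
"""
import hashlib
import io
import zipfile

FIXED_TIME = (2020, 1, 1, 0, 0, 0)  # pin entry timestamps so only the padding differs


def _add(z: zipfile.ZipFile, name: str, data: bytes) -> None:
    info = zipfile.ZipInfo(name, date_time=FIXED_TIME)
    info.compress_type = zipfile.ZIP_DEFLATED
    z.writestr(info, data)


def build_jar(padding: bytes) -> bytes:
    """Return JAR bytes: constant manifest and class stub plus one padding entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        _add(z, "META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\nMain-Class: Loader\n")
        _add(z, "Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 32)  # fake class stub
        # Padding entry: random bytes under a name derived from them, so both
        # the name and the content change per build.
        _add(z, "res/" + hashlib.sha1(padding).hexdigest(), padding)
    return buf.getvalue()


def file_hash(data: bytes) -> str:
    """Whole-file SHA-256, the value that signature lists usually carry."""
    return hashlib.sha256(data).hexdigest()


def class_content_hash(data: bytes) -> str:
    """SHA-256 over sorted (name, content digest) pairs of the .class entries only.

    Sorting makes the result independent of entry order; compressed bytes,
    timestamps and non-class entries are never fed into the hash.
    """
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in sorted(z.namelist()):
            if not name.endswith(".class"):
                continue
            h.update(name.encode())
            h.update(hashlib.sha256(z.read(name)).digest())
    return h.hexdigest()


if __name__ == "__main__":
    a, b = build_jar(b"A" * 300), build_jar(b"B" * 300)
    print("file hashes equal:  ", file_hash(a) == file_hash(b))
    print("class hashes equal: ", class_content_hash(a) == class_content_hash(b))
```

The same idea carries to real samples: cluster on per-entry content digests (or on the decompiled class set) rather than the archive hash, and treat a JAR whose class set matches a known sample but whose file hash is new as the same family, not a new unknown.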

Security Controls Disabled Before Encryption Stage

Before encrypting files, the malware attempts to weaken system defenses. It executes commands to disable Microsoft Defender, suppress security alerts, and remove recovery mechanisms such as Volume Shadow Copies. It also interferes with Windows Update and scans for installed antivirus software. These steps reduce the likelihood of detection or recovery once the ransomware payload is activated. The encryption process is carried out by a secondary module delivered after the initial compromise. This module uses AES encryption and communicates with command-and-control infrastructure over the Tor network.
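The pre-encryption steps above (Defender tampering, shadow copy deletion, recovery changes, Windows Update interference) are noisy on a process-creation log, and they cluster on one host within seconds. The script below is an added example, not Acronis TRU's detection logic: it runs a small rule set over a constructed, tab-separated process-creation log (timestamp, host, parent image, command line) and alerts on hosts that trip two or more distinct rules. The check for a Java parent process is an assumption that fits a Java-based RAT spawning these commands; the log lines are constructed.

```python
"""Flag defence-impairment commands that precede a ransomware payload.

Added example, not Acronis TRU's detection logic. LOG is a constructed,
tab-separated process-creation log; the Java-parent check is an assumption.
"""
import re
from collections import defaultdict

RULES = {
    "defender_tamper": re.compile(
        r"Set-MpPreference\s+-Disable\w+\s+\$?true|DisableAntiSpyware|DisableRealtimeMonitoring", re.I),
    "shadow_copy_delete": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disable": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "update_service_stop": re.compile(
        r"(?:sc(?:\.exe)?\s+(?:stop|config)|net(?:\.exe)?\s+stop)\s+wuauserv", re.I),
}
JAVA_PARENTS = {"java.exe", "javaw.exe"}

# Constructed log: one host hit by all four behaviours from a javaw.exe parent,
# and two benign look-alikes (listing shadows, reading Defender preferences).
LOG = """2026-03-02T10:15:01Z\tWS-17\tjavaw.exe\tcmd.exe /c vssadmin delete shadows /all /quiet
2026-03-02T10:15:02Z\tWS-17\tjavaw.exe\tpowershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true
2026-03-02T10:15:03Z\tWS-17\tjavaw.exe\tbcdedit /set {default} recoveryenabled no
2026-03-02T10:15:04Z\tWS-17\tjavaw.exe\tsc config wuauserv start= disabled
2026-03-02T10:20:00Z\tWS-03\texplorer.exe\tvssadmin list shadows
2026-03-02T10:21:00Z\tWS-09\tsvchost.exe\tpowershell.exe Get-MpPreference
"""


def scan(log: str) -> list:
    """Return (ts, host, parent, rule) for every log line matching a rule."""
    hits = []
    for line in log.splitlines():
        ts, host, parent, cmdline = line.split("\t", 3)
        for rule, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.append((ts, host, parent.lower(), rule))
    return hits


def alerts(hits: list, min_rules: int = 2) -> dict:
    """Hosts that tripped at least min_rules distinct rules, noting a Java parent.

    Requiring several distinct behaviours per host filters out a lone admin
    running vssadmin, while still firing well before encryption starts.
    """
    by_host = defaultdict(lambda: {"rules": set(), "java_parent": False})
    for _ts, host, parent, rule in hits:
        by_host[host]["rules"].add(rule)
        if parent in JAVA_PARENTS:
            by_host[host]["java_parent"] = True
    return {h: v for h, v in by_host.items() if len(v["rules"]) >= min_rules}


if __name__ == "__main__":
    for host, info in alerts(scan(LOG)).items():
        print(host, sorted(info["rules"]), "java parent:", info["java_parent"])
```

In a real pipeline the rules would sit in the SIEM and the window would be bounded (for example, the four commands within a few minutes), but the shape is the same: distinct impairment behaviours per host, plus the parent process as the pivot back to the RAT.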

Turkish-Language Ransom Notes Signal Targeted Approach

After encryption, the malware drops ransom notes across affected systems. These notes are written in Turkish and instruct victims to contact the attackers through encrypted communication channels such as qTox or Tor-based websites. Researchers say the consistent use of Turkish-language content, combined with geofencing, indicates a deliberate focus on users in Turkey rather than a broad, global campaign. The JanaWare ransomware campaign highlights how targeted, lower-profile operations can persist over long periods without drawing significant attention. By focusing on home users and small businesses, and keeping ransom demands relatively low, the attackers appear to maintain a steady but less visible operation. Researchers caution that such localized campaigns may continue to operate alongside larger ransomware groups, adding another layer to the evolving threat landscape.

Ransomware Attack on Dutch Software Vendor Disrupts Hospital Systems


The ChipSoft ransomware incident has disrupted healthcare operations across multiple institutions after the Dutch software vendor was hit by a cyberattack on April 7. The attack forced hospitals to disconnect critical systems and triggered widespread precautionary actions, highlighting the ongoing risks ransomware poses to the healthcare sector. Z-CERT confirmed it has been working closely with ChipSoft, healthcare institutions, and other stakeholders since the incident was first detected. The organization is actively monitoring the situation while providing support and threat intelligence to affected entities.

ChipSoft Ransomware Incident Forces System Shutdowns

In response to the ransomware incident, the company disabled connections to key platforms, including Zorgportaal, HiX Mobile, and the Zorgplatform, as a precaution. These systems remain temporarily unavailable as ChipSoft works to restore services in phases. Users are being issued new login credentials as part of the recovery process. ChipSoft has maintained direct communication with its customers, outlining steps to manage disruptions while systems are gradually brought back online. According to reports, 11 hospitals disconnected ChipSoft software from their networks following the attack. A confidential advisory also urged customers to cut secure VPN connections after the compromise was identified.

Hospitals Face Operational Challenges, Not Critical Disruptions

The ChipSoft ransomware incident has led to logistical challenges across healthcare institutions rather than critical failures in patient care. Hospitals have increased staffing at service desks, expanded telephony support, and relied more heavily on direct communication channels. Systems were reported unavailable at several hospitals, including Sint Jans Gasthuis, Laurentius Hospital, VieCuri Medical Center, and Flevo Hospital. Despite these disruptions, Z-CERT noted that no critical care processes have come to a standstill so far, suggesting that contingency plans and manual workflows are helping maintain essential medical services.

Investigation Ongoing, Attackers Yet to Be Identified

At this stage, the source of the ChipSoft ransomware incident remains unknown, and no ransomware group has claimed responsibility. ChipSoft’s website was also reported unreachable at the time of writing, indicating ongoing technical or security challenges. The attack appears to have originated from a compromise within ChipSoft’s environment, prompting widespread defensive actions by its customers to limit further risk.

Ripple Effects Extend Beyond Immediate Disruptions

The impact of the ransomware incident has extended beyond system outages. Leiden University Medical Center (LUMC) announced it has postponed the rollout of a new electronic patient record system supplied by ChipSoft following the breach. The hospital clarified that there are no indications that patient data has been leaked, reinforcing the current assessment that the incident has not resulted in data exposure.

Healthcare Sector Remains a Prime Target

The ChipSoft ransomware incident highlights the persistent threat facing healthcare organizations. Cybercriminals frequently target hospitals and medical software providers due to the critical nature of their services, where downtime can create pressure to restore systems quickly. A recent example includes the cyberattack on University of Hawaiʻi Cancer Center, where a ransomware incident impacted research systems and exposed sensitive personal data collected over decades. While clinical operations were not affected, the breach highlighted the long-term risks associated with storing large volumes of historical data.

Z-CERT Continues Support and Monitoring

Z-CERT continues to play a central role in managing the fallout from the ransomware incident. The organization is assisting healthcare institutions with prevention, detection, response, and recovery efforts, while also sharing updated threat intelligence. As restoration efforts progress, authorities and healthcare providers remain focused on minimizing disruption and ensuring patient care remains uninterrupted. The ransomware incident serves as another reminder of how cyberattacks on third-party vendors can cascade across critical sectors, reinforcing the need for stronger resilience in healthcare cybersecurity systems.

OpenAI Responds to Axios npm Supply Chain Attack, Rotates macOS Certificates


The fallout from the Axios npm supply chain attack continues to widen, with OpenAI issuing a detailed response outlining its exposure and remediation steps. The Axios npm supply chain attack, reported by The Cyber Express on April 1, has since been linked to North Korea’s Lazarus Group, significantly expanding the scope and impact of the incident. Attribution was confirmed by Google Threat Intelligence Group, which identified the activity under UNC1069, a financially motivated group active since at least 2018.

OpenAI Confirms Limited Exposure to Axios npm Supply Chain Attack

In its official statement, OpenAI said, “We recently identified a security issue involving a third-party developer tool, Axios, that was part of a widely reported, broader industry incident.” The company clarified that while it was affected by the broader Axios npm supply chain attack, there is no evidence of compromise to user data or internal systems. “We found no evidence that OpenAI user data was accessed, that our systems or intellectual property was compromised, or that our software was altered,” the statement added. The exposure occurred on March 31, 2026, when a GitHub Actions workflow used in OpenAI’s macOS app-signing process executed a malicious version of Axios (v1.14.1). This workflow had access to sensitive code-signing certificates used for validating OpenAI applications like ChatGPT Desktop, Codex, Codex CLI, and Atlas.

Certificate Rotation and macOS App Updates

As a direct response to the Axios npm supply chain attack, OpenAI has initiated a full rotation of its macOS code-signing certificates. While internal analysis suggests the certificate was likely not exfiltrated, the company is treating it as potentially compromised. To mitigate any residual risk, OpenAI is requiring users to update their macOS applications. Older versions of affected apps will lose support and functionality after May 8, 2026. Updated versions will carry new certificates to ensure authenticity. This move is designed to prevent threat actors from distributing malicious software disguised as legitimate OpenAI applications, a known risk in supply chain attacks involving code-signing materials.

Investigation and Security Measures

OpenAI engaged a third-party digital forensics and incident response firm to investigate the impact of the Axios npm supply chain attack. The company also coordinated with Apple to block any new notarization attempts using the old certificate. Additional steps taken include:
  • Publishing new builds of all affected macOS applications
  • Reviewing all past software notarizations for anomalies
  • Ensuring no unauthorized modifications were made to distributed software
The company confirmed that no malicious applications signed with its certificate have been identified so far.

Root Cause: GitHub Workflow Misconfiguration

The root cause of OpenAI’s exposure to the Axios npm supply chain attack was traced to a misconfiguration in its GitHub Actions workflow. Specifically, the workflow relied on a floating tag instead of a fixed commit hash and lacked a minimum release age for dependencies, both of which increased the risk of pulling compromised packages. This highlights a broader industry issue where development pipelines remain vulnerable to upstream compromises, especially in open-source ecosystems.
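The two weaknesses named here, a floating action tag and no minimum release age for dependencies, are both checkable before a workflow ever runs. The following is an added example, not code from OpenAI, Axios or GitHub: a small Node.js lint that scans a workflow for `uses:` references that are not pinned to a full 40-character commit SHA, and compares each resolved dependency's publish date (taken from the `time` map the npm registry serves in a package's metadata document) against a minimum age. The workflows, the 7-day policy, the package names and the publish dates are all constructed for the example, and the pinned SHAs are placeholders rather than real commits.

```javascript
// Added example (not OpenAI's, Axios's or GitHub's code): a pipeline lint for
// the two misconfigurations described above.
//   1. Every `uses:` in a GitHub Actions workflow must be pinned to a full
//      40-hex commit SHA, never a floating tag or branch.
//   2. Every resolved npm dependency must have been published at least
//      MIN_RELEASE_AGE_DAYS ago, judged from the registry's per-package
//      `time` map ({ version: publishDate }); the map below is constructed.

const COMMIT_SHA = /^[0-9a-f]{40}$/;
const MIN_RELEASE_AGE_DAYS = 7; // assumed policy value, not OpenAI's

// Line-by-line scan of a workflow file (regex on purpose, so the example
// runs without a YAML library). Returns one finding per unpinned action.
function findUnpinnedActions(workflowYaml) {
  const findings = [];
  workflowYaml.split('\n').forEach((line, idx) => {
    const m = line.match(/^\s*-?\s*uses:\s*([^\s#]+)/);
    if (!m) return;
    const ref = m[1];
    // Local composite actions and docker images are out of scope here.
    if (ref.startsWith('./') || ref.startsWith('docker://')) return;
    const at = ref.lastIndexOf('@');
    const version = at === -1 ? '' : ref.slice(at + 1);
    if (!COMMIT_SHA.test(version)) {
      findings.push({ line: idx + 1, ref, reason: version ? 'floating tag or branch' : 'no ref' });
    }
  });
  return findings;
}

// resolved: { name: version } as a lockfile pins it.
// registryTimes: { name: { version: publishIsoDate } } as the registry serves it.
// A version with no known publish time is reported too, since it cannot pass the policy.
function findTooNewDependencies(resolved, registryTimes, nowIso, minAgeDays) {
  const now = Date.parse(nowIso);
  const minAgeMs = minAgeDays * 24 * 60 * 60 * 1000;
  const findings = [];
  for (const [name, version] of Object.entries(resolved)) {
    const published = registryTimes[name] && registryTimes[name][version];
    if (!published) {
      findings.push(`${name}@${version} (publish time unknown)`);
      continue;
    }
    if (now - Date.parse(published) < minAgeMs) findings.push(`${name}@${version}`);
  }
  return findings;
}

// Constructed "before" workflow: floating tag and branch references.
const WEAK_WORKFLOW = `
name: sign-macos
on: push
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - run: npm ci
`;

// Constructed "after" workflow. The SHAs are placeholders, not real commits;
// the trailing comment is the usual way to record which tag a SHA came from.
const SHA_A = '0'.repeat(39) + '1';
const SHA_B = '0'.repeat(39) + '2';
const FIXED_WORKFLOW = `
name: sign-macos
on: push
jobs:
  sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@${SHA_A} # v4.x (placeholder SHA)
      - uses: actions/setup-node@${SHA_B} # v4.x (placeholder SHA)
      - run: npm ci --ignore-scripts
`;

// Constructed registry data for invented packages (not real npm metadata).
const REGISTRY_TIMES = {
  'example-lib': { '1.14.0': '2026-01-10T00:00:00Z', '1.14.1': '2026-03-31T04:00:00Z' },
  'other-lib': { '2.0.0': '2025-11-02T00:00:00Z' },
};
const NOW = '2026-03-31T12:00:00Z'; // constructed clock for the run

function auditPipeline(workflowYaml, resolved) {
  return {
    unpinnedActions: findUnpinnedActions(workflowYaml),
    tooNewDependencies: findTooNewDependencies(resolved, REGISTRY_TIMES, NOW, MIN_RELEASE_AGE_DAYS),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Weak pipeline: two unpinned actions and a dependency published 8 hours ago.
  console.log(JSON.stringify(auditPipeline(WEAK_WORKFLOW, { 'example-lib': '1.14.1', 'other-lib': '2.0.0' }), null, 2));
  // Fixed pipeline: everything pinned and old enough.
  console.log(JSON.stringify(auditPipeline(FIXED_WORKFLOW, { 'example-lib': '1.14.0', 'other-lib': '2.0.0' }), null, 2));
}
```

In practice the `time` map comes from the registry's package document (`GET https://registry.npmjs.org/<name>`), and the resolved versions from the lockfile; some package managers now offer the age policy natively (pnpm's `minimumReleaseAge` setting, for instance), which is preferable to a custom check. The `--ignore-scripts` flag in the fixed workflow is a separate, defensive choice: it stops install-time lifecycle scripts from running on the signing host, which removes the most common execution path for a poisoned package.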

No Impact on User Data or Other Platforms

OpenAI emphasized that the incident is limited strictly to macOS applications. There is no impact on iOS, Android, Windows, Linux, or web-based services. The company also reassured users:
  • No user data or API keys were compromised
  • No passwords need to be changed
  • No malware signed as OpenAI has been detected

What Happens Next

OpenAI will fully revoke the old certificate on May 8, 2026, after a 30-day transition window. This approach is intended to minimize disruption while ensuring users have adequate time to update their applications. The company noted that any software signed with the old certificate will be blocked by macOS security protections after revocation, further reducing the risk of misuse.

Growing Impact of Axios npm Supply Chain Attack

The Axios npm supply chain attack highlights the escalating risks tied to third-party software dependencies. With attribution pointing to a state-sponsored group, the incident reflects how supply chain attacks are increasingly being leveraged for financial and strategic objectives. As organizations continue to rely heavily on open-source libraries, the incident serves as a reminder of the need for stricter dependency management, secure development practices, and continuous monitoring of software pipelines.

The Cyber Express Weekly Roundup: Major State Threats, Crypto Attacks, and Legal Gaps


In this week’s weekly roundup, The Cyber Express summarizes key cybersecurity news across state-sponsored attacks, crypto ecosystem breaches, regulatory gaps, and mobile data exposure risks. State-linked groups are focusing on internet infrastructure like routers and DNS for interception and credential theft, while crypto-related actors are exploiting weaknesses in decentralized finance systems and governance layers. Regulatory uncertainty in areas such as online content detection further complicates response efforts. The Cyber Express weekly roundup also notes that even secure messaging systems can leave residual data on devices through OS-level features like notification storage.

The Cyber Express Weekly Roundup 

APT28 DNS Hijacking Campaign Disrupted 

APT28, a Russian-linked threat group, has been exploiting vulnerable routers to carry out DNS hijacking and adversary-in-the-middle (AITM) attacks. These operations were primarily aimed at intercepting traffic and stealing credentials, with a particular focus on email platforms such as Microsoft Outlook.

EU CSAM Legal Gap Raises New Concerns 

The expiration of the EU’s temporary 2021 regulatory framework on April 3, 2026, has created uncertainty around how technology companies can detect and report Child Sexual Abuse Material (CSAM). The framework previously allowed platforms to voluntarily scan private communications using techniques such as hash-matching, a method widely considered essential by investigators for identifying illegal content and tracking offenders.

$285M Drift Protocol Hack Shakes Cybersecurity Landscape 

In a major cryptocurrency-related incident, attackers successfully stole $285 million from Drift Protocol on April 1, 2026. Drift Protocol, the largest decentralized perpetual futures exchange on Solana, reportedly lost over half of its total value within just 12 minutes of the breach.

FBI Finds Deleted Signal Data Can Persist in iPhone Systems 

A notable finding in this weekly roundup comes from an FBI investigation related to the Prairieland ICE Detention Facility case in Texas. Investigators discovered that deleted Signal messages may still be partially recoverable from iPhones. Importantly, this is not a failure of Signal’s encryption. Instead, the issue stems from how iOS handles notification previews.

Treasury Launches Digital Asset Cybersecurity Initiative 

The U.S. Department of the Treasury has launched a Digital Asset Cybersecurity Initiative through its Office of Cybersecurity and Critical Infrastructure Protection (OCCIP). The initiative is designed to strengthen cybersecurity defenses across the cryptocurrency ecosystem.

Weekly Takeaway 

This weekly roundup highlights a rapidly diversifying threat landscape, ranging from state-sponsored DNS hijacking campaigns and multimillion-dollar crypto thefts to regulatory uncertainty and mobile data persistence risks. Across all incidents, a consistent pattern emerges: attackers are blending technical exploitation with social engineering, infrastructure compromise, and long-term strategic planning.

Germany Names Suspected Leader of REvil and GandCrab Ransomware Gangs


German authorities have named a key figure behind some of the most notorious ransomware operations in recent years, linking a real identity to the REvil ransomware gang and its predecessor, the GandCrab ransomware network. According to Germany’s Federal Criminal Police (BKA), a 31-year-old Russian national, Daniil Maksimovich Shchukin, has been identified as the individual operating under the alias “UNKN” or “UNKNOWN.” Investigators say he led both ransomware gangs and was directly involved in at least 130 cyberattacks targeting victims in Germany between 2019 and 2021. The identification marks a significant development in the long-running investigation into the REvil ransomware gang, which at its peak was one of the most aggressive and financially successful cybercrime operations globally.

Inside the REvil Ransomware Gang’s Operations

Authorities allege that Shchukin, along with another suspect, Anatoly Sergeevitsch Kravchuk, carried out coordinated attacks that extorted nearly €2 million, while causing more than €35 million in economic damage. The REvil ransomware gang and GandCrab ransomware group were among the first to popularize “double extortion”, a tactic that changed the ransomware landscape. Victims were not only asked to pay for decryption keys but also pressured to pay again to prevent stolen data from being published. This model has since become standard across ransomware gangs, making attacks more damaging and recovery more difficult for victims.

From GandCrab to REvil: Evolution of a Cybercrime Enterprise

The GandCrab ransomware operation first appeared in 2018 and quickly gained traction through an affiliate model. Hackers were offered a share of profits in exchange for breaching corporate systems, while the core operators maintained and improved the malware. Over time, GandCrab released multiple versions of its ransomware, each designed to evade detection and improve effectiveness. By May 2019, the group claimed to have earned over $2 billion before announcing its shutdown. Soon after, the REvil ransomware gang emerged. Many cybersecurity experts viewed it as a direct continuation or rebranding of GandCrab. Operating under the same alias “UNKNOWN,” the group expanded its reach and began targeting larger organizations with deeper pockets. REvil became known for “big-game hunting”—focusing on enterprises with significant revenues and cyber insurance coverage, increasing the likelihood of large payouts.

Industrialization of Ransomware Gangs

What makes the REvil ransomware gang particularly significant is how it operated more like a business than a traditional cybercriminal group. Ransomware developers outsourced tasks such as gaining initial access, encrypting systems, and laundering payments. Specialized actors—like access brokers and crypto laundering services—formed an entire underground ecosystem supporting these attacks. This structure allowed ransomware gangs to scale operations quickly, reinvest profits, and continuously improve their tools. As a result, attacks became more targeted, more sophisticated, and more difficult to stop.

High-Profile Attacks and Law Enforcement Response

One of the most notable incidents linked to the REvil ransomware gang was the 2021 attack on Kaseya, which impacted over 1,500 businesses worldwide. The scale of the breach demonstrated how ransomware could disrupt entire supply chains. However, the same attack also marked the beginning of REvil’s decline. The FBI later revealed it had gained access to the group’s infrastructure before the incident but could not act immediately without compromising its investigation. Subsequent actions, including the release of a free decryption key, weakened the group’s operations significantly.

Following the Money and Identity Trail

Shchukin’s name had previously surfaced in a 2023 U.S. Department of Justice filing related to cryptocurrency seizures tied to REvil activities. Authorities linked him to digital wallets holding over $317,000 in illicit funds. Despite the identification, German authorities believe Shchukin remains in Russia, beyond immediate reach. “Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia,” the BKA noted.

What This Means for the Ransomware Landscape

The exposure of a suspected leader behind the REvil ransomware gang is a rare win for law enforcement in a space where attribution is often difficult. But the broader issue remains. The structure pioneered by GandCrab ransomware and refined by REvil continues to influence modern ransomware gangs. The tools, tactics, and business models are still widely used. Even as individual operators are identified, the ecosystem they helped build continues to operate. The takeaway is clear: ransomware is no longer just a technical threat—it is an organized, evolving industry.

$20 Billion Lost to Cybercrime as AI and Investment Scams Surge: FBI Report


The FBI Internet Crime Report 2025 shows just how expensive cybercrime has become. In 2025, the FBI’s Internet Crime Complaint Center (IC3) received over one million complaints, with reported losses touching $20.8 billion, the highest ever recorded. That figure is not just a statistic. It reflects everyday incidents: individuals losing life savings to investment scams, businesses wiring money to fraudulent accounts, and organizations dealing with disruptions from ransomware attacks. What used to be isolated cases are now happening at scale. The FBI Internet Crime Report 2025 also shows how the nature of cybercrime is changing. Fraud is no longer limited to suspicious emails or obvious scams. Criminals are using social platforms, messaging apps, and now even artificial intelligence to make their operations look legitimate. In many cases, victims don’t realize they are being targeted until the money is already gone. At the same time, the report highlights that law enforcement is trying to keep pace. Operations targeting crypto scams and international fraud networks are making an impact, but the overall trend shows that cybercrime is expanding faster than it is being contained.

Cyber-Enabled Fraud Remains the Biggest Driver

A large share of these losses comes from cyber-enabled fraud, which alone accounts for nearly 85% of the total financial damage, or about $17.7 billion. Investment fraud continues to cause the most damage. In 2025, it led to $8.6 billion in losses, followed by business email compromise (BEC) and tech support scams. Within this, cryptocurrency investment fraud stands out. Losses linked to crypto scams reached $7.2 billion, making it the biggest single category.

[Image: Cyber-Enabled Fraud. Image Source: FBI Report]

These scams are no longer basic phishing attempts. Attackers spend time building trust, approaching victims through social media, messaging apps, or even dating platforms. Once trust is established, victims are guided toward fake investment platforms that show fabricated profits. By the time withdrawals are attempted, the money is gone.

AI-Enabled Scams Are Growing Fast

The FBI Internet Crime Report 2025 includes a separate section on AI-enabled scams for the first time, and the early numbers are already concerning.
  • More than 22,000 complaints linked to AI
  • Around $893 million in losses
AI is making scams more convincing. Fake profiles, cloned voices, and realistic conversations can now be created quickly and at scale. This allows attackers to run highly targeted campaigns without much effort. The challenge is that these scams often look legitimate, making it harder for individuals and even businesses to identify red flags in time.

Ransomware Continues to Target Critical Sectors

Ransomware remains a steady threat, especially for critical infrastructure.
  • Over 3,600 complaints reported in 2025
  • Losses crossed $32 million
The actual impact is likely much higher. Many organizations do not report full losses, especially indirect costs like downtime or recovery expenses. The report also notes 63 new ransomware variants identified during the year, showing how quickly these attacks continue to evolve. Sectors such as healthcare, manufacturing, and government facilities remain frequent targets, where even short disruptions can have serious consequences.

FBI Operations Are Preventing Some Losses

The report also highlights efforts by law enforcement to limit the damage. One example is Operation Level Up, focused on cryptocurrency investment scams. Since its launch in 2024, the initiative has helped reduce potential losses by more than $500 million. In many cases, victims did not realize they were being scammed until they were contacted. This reflects a larger issue: many cyber fraud cases go unnoticed until significant financial damage has already occurred.

Cybercrime Is Becoming More Structured

The report also points to broader trends. Cybercriminal groups are operating more like organized businesses. At the same time, state-linked actors are becoming more active, targeting infrastructure and sensitive data. One example highlighted is the DPRK IT worker scam, where individuals posing as remote IT workers gain access to company systems and use that access for data theft or further attacks. These developments show that cybercrime is no longer limited to isolated incidents. It is part of a larger, global ecosystem.

A Growing Gap Between Threats and Preparedness

The FBI Internet Crime Report 2025 shows a clear pattern—cybercrime is scaling faster than awareness and response.
  • Fraud tactics are becoming more personal and long-term
  • AI is helping attackers improve success rates
  • Cryptocurrency is making transactions harder to trace
While recovery efforts and law enforcement actions are improving, most interventions still happen after the damage is done.

Final Take on FBI Internet Crime Report 2025

The FBI Internet Crime Report 2025 highlights a shift in how cybercrime operates today. The scale—over $20 billion in losses—is significant, but the methods behind these numbers are just as important. From cyber-enabled fraud to AI-enabled scams and cryptocurrency investment fraud, attackers are using a mix of technology and human psychology to succeed. For individuals and organizations, the risk is no longer occasional—it is constant, and it is evolving.

The Cyber Express Weekly Roundup: Ransomware and Supply Chain Breaches Surge


In this week’s weekly roundup, The Cyber Express delivers a concise overview of the latest cybersecurity news, highlighting major cyberattacks, new ransomware risks, and supply chain vulnerabilities. Organizations across industries continue to face a surge in modern cyber threats, ranging from targeted breaches to large-scale exploitation campaigns that disrupt operations and expose sensitive data. The current threat landscape reflects a growing convergence of cybercrime, geopolitical motives, and technological dependencies. As highlighted in this weekly roundup, both private enterprises and public institutions are increasingly recognizing that resilience depends not only on advanced tools but also on coordinated strategies and proactive risk management.

The Cyber Express Weekly Roundup 

Hasbro Cyberattack Disrupts Operations Amid Rising Ransomware Concerns 

Hasbro has reported a cyberattack after detecting unauthorized network access on March 28, 2026. The company responded swiftly by initiating containment measures, isolating affected systems, and engaging external experts to assess the breach. While core operations remain functional under contingency plans, some delays are expected.

Mercor Breach Exposes Supply Chain Risks in AI Ecosystems 

A significant development in this weekly roundup involves AI startup Mercor, which confirmed a breach linked to a supply chain compromise in the LiteLLM open-source project. The attack stemmed from a malicious package update, affecting thousands of organizations relying on the software. The group known as TeamPCP has been associated with the incident, while Lapsus$ has also claimed involvement.

Lazarus Group Tied to Axios Supply Chain Attack 

Another major highlight is a widespread attack targeting the Axios JavaScript library. The operation has been attributed to North Korea’s Lazarus Group, known for conducting advanced cyber campaigns. Attackers inserted a malicious dependency into the package, enabling backdoor access across multiple operating systems through automated installations.

Personal Email Breach of FBI Director Raises Security Questions 

Hackers linked to Iran compromised the personal email account of FBI Director Kash Patel. The breach resulted in the leak of emails and personal data as part of a coordinated “hack-and-leak” campaign. Attributed to the Handala Hack Team, the attack appears designed to inflict reputational damage and psychological pressure.

CareCloud Cyberattack Impacts Health Records System 

Healthcare provider CareCloud disclosed a cyberattack involving unauthorized access to its electronic health record system. Detected on March 16, the incident lasted approximately eight hours before being contained. While investigations are ongoing, the breach raises concerns about potential exposure of sensitive patient data.

"764" Cybercrime Case Highlights Dark Web Exploitation Networks 

In a separate case, a U.S. individual pleaded guilty to charges related to child exploitation and cyberstalking linked to the extremist “764” network. The case illustrates how cybercriminal ecosystems extend beyond financial motives, involving coordinated abuse, manipulation, and exploitation facilitated by online platforms.

Weekly Takeaway

This edition of The Cyber Express weekly roundup emphasizes the growing scale and complexity of global cybersecurity news, where ransomware, supply chain compromises, and targeted attacks intersect. From corporate breaches and nation-state operations to exploitation networks, the threat landscape continues to expand in both scope and impact. To mitigate these risks, organizations must strengthen supply chain oversight, enforce robust access controls, and prioritize rapid incident response capabilities. As highlighted throughout this weekly roundup, maintaining resilience in today’s environment requires a multi-layered approach that integrates technology, governance, and continuous monitoring to stay ahead of modern-day cyber threats.

The Cyber Express Weekly Roundup: Cyberattacks, AI Risks, and Geopolitical Cyber Threats


In this week’s weekly roundup, The Cyber Express brings together the latest developments in global cybersecurity news, from high-profile ransomware attacks to emerging risks in AI adoption and geopolitical cyber activity. Organizations worldwide are grappling with a combination of disruptive cyberattacks, espionage campaigns, and ongoing threats to critical infrastructure, reflecting the complex and interconnected nature of today’s threat landscape. Intelligence reports continue to highlight nation-state cyber operations, while companies and governments are recognizing that operational resilience, secure technology adoption, and coordinated defense strategies are essential to managing fast-evolving risks.

The Cyber Express Weekly Roundup 

Human Behavior Remains the Weakest Link 

Cybersecurity experts stress that the most significant vulnerabilities often stem from human behavior rather than technical shortcomings. In a recent discussion covered by The Cyber Express weekly roundup, Dr. Sheeba Armoogum emphasized that modern cyberattacks increasingly exploit trust, emotion, and predictable behavior through techniques like social engineering and AI-driven impersonation.

Energy Sector Ransomware: Lessons from 2025 

The energy sector recorded 187 successful ransomware attacks in 2025, demonstrating the real-world consequences of cybercrime on critical infrastructure. Incidents such as Halliburton’s $35 million loss and significant outages in Ukraine revealed vulnerabilities in outdated systems, IT-OT convergence, and slow patching practices.

EU Investigates Snapchat for Child Safety 

The European Commission has launched a formal investigation into Snapchat under the Digital Services Act (DSA), examining child protection, privacy, and content moderation practices. Concerns include insufficient age verification, exposure to harmful content, and the accessibility of reporting tools, with potential fines reaching 6% of Snapchat’s global turnover if non-compliance is confirmed.

Hackmanac CEO Warns: Cybersecurity Still Fails at the Basics 

Sofia Scozzari, CEO of Hackmanac, emphasized that cybersecurity remains too focused on technology and often overlooks business risk, human behavior, and the operational impact of breaches. She explained that attackers collaborate and exploit known vulnerabilities, while organizations continue to treat cybersecurity as an IT issue rather than a strategic business challenge.

Port of Vigo Disrupted by Ransomware 

The Port of Vigo experienced a ransomware attack early Tuesday, shutting down cargo management systems and digital services. Physical port operations remain functional, but manual processes are slowing workflows, particularly at the Border Inspection Post. Authorities confirmed servers linked to the port’s website remain offline as part of containment efforts.

Russian Cybercrime Leader Sentenced 

In Detroit, Illya Angelov, head of the Russian cybercriminal group “Mario Kart,” was sentenced for running a botnet operation that infected thousands of computers daily and sold backdoor access to ransomware operators. Active from 2017 to 2021, the scheme targeted 72 U.S. companies across 31 states, sending 700,000 malware-laden emails daily and compromising roughly 3,000 systems each day.

Crunchyroll Cyberattack Highlights Outsourced Risk 

Crunchyroll confirmed a cyber incident linked to a third-party vendor, likely affecting customer service ticket data. There is no evidence of ongoing access to internal systems, though early reports suggest a threat actor may have gained access through an infected vendor device.

Weekly Takeaway 

This week’s weekly roundup highlights the growing complexity of the global cybersecurity landscape. From critical supply chain disruptions and challenges in AI governance to ransomware attacks, escalating geopolitical cyber threats, and vulnerabilities in third-party systems, organizations face an increasingly interconnected and high-stakes risk environment. To navigate these threats effectively, companies must prioritize human-centric security practices, enforce proactive governance frameworks, and implement continuous monitoring across all systems. Only through a strategic, multi-layered approach can organizations stay ahead in today’s hostile and fast-evolving digital ecosystem.

Nova Scotia Power Data Breach Compromises Data of Over 900,000 Users


The Nova Scotia Power data breach has forced the utility provider to commit to stronger cybersecurity and privacy safeguards after a cyberattack exposed sensitive data of more than 900,000 current and former customers. The scale of the Nova Scotia Power data breach and the nature of the compromised information have raised serious questions about how organizations manage and protect customer data. The breach, discovered on April 25, 2025, was not the result of a single failure. Instead, it unfolded over weeks—highlighting how attackers can quietly move through systems before being detected.

Nova Scotia Power Data Breach Linked to Malware Infection

According to details shared in a compliance letter, the Nova Scotia Power data breach began on or around March 19, 2025. An employee accessed a compromised website infected with “SocGholish” malware and clicked on a malicious pop-up link. This allowed the malware to install and create a foothold within the network. From there, attackers escalated their access. Between April 8 and April 22, they moved laterally across systems using domain administrator privileges, conducted internal reconnaissance, and harvested credentials. This phase is critical and often underestimated in cyber incidents. By the time the Nova Scotia Power data breach was detected, the attackers had already spent days exploring the network.

Data Exfiltration and Ransomware Deployment

The final stage of the Nova Scotia Power data breach occurred between April 23 and April 25, when the threat actor exfiltrated data from both on-premises systems and cloud storage. Shortly after, ransomware was deployed, backups were destroyed, and multiple applications stopped functioning. The attack was only discovered when employees reported system disruptions—an indication that the breach had already reached its most damaging phase. The attackers later contacted the company via a Tor-based dark web page, providing proof that sensitive customer data had been accessed. However, there is no confirmed evidence so far that the data has been publicly released or sold. Nova Scotia Power chose not to pay the ransom, aligning with law enforcement guidance.

Scope of the Nova Scotia Power Data Breach

The Nova Scotia Power data breach impacted approximately 375,000 current customers and 540,000 former customers. The compromised data includes:
  • Names, phone numbers, and email addresses
  • Mailing addresses and dates of birth
  • Account and billing history, including bank details
  • Driver’s license numbers and Social Insurance Numbers (SINs)
This level of exposure significantly increases the risk of identity theft and financial fraud, making the Nova Scotia Power data breach particularly serious.

Delayed Notifications and Customer Concerns

The handling of the Nova Scotia Power data breach has also drawn scrutiny. The Office of the Privacy Commissioner of Canada received multiple complaints, particularly around delayed notifications and the use of mailed letters, which slowed communication with affected individuals. Some concerns were also raised about the collection and storage of SINs, which were part of the compromised dataset. While Nova Scotia Power informed the public on April 28 and notified regulators by May 1, direct notifications to customers began weeks later, with additional affected individuals identified months after the initial disclosure. This staggered communication reflects the complexity of breach investigations—but also highlights the importance of timely transparency.

Response and Security Commitments

Following the Nova Scotia Power data breach, the company took steps to contain the incident. This included isolating affected systems, resetting compromised credentials, and working with third-party cybersecurity experts to investigate and remediate the breach. Customers were offered credit monitoring and identity protection services, initially for 24 months and later extended to five years for all customers. More importantly, Nova Scotia Power has now committed to strengthening its security measures under a compliance agreement. The Office of the Privacy Commissioner will continue to monitor progress until all commitments are fulfilled. Privacy Commissioner Philippe Dufresne stated, “I welcome this commitment by Nova Scotia Power to ensure stronger protections for the personal information of its customers. This privacy breach highlights the significant risks of cyberattacks to individuals and companies. Strong, proactive data protection, including robust safeguards, must be prioritized by all organizations in this evolving landscape.”

Port of Vigo Hit by Ransomware Attack, Cargo Systems Disrupted


The Port of Vigo faced a cyberattack early Tuesday morning that disrupted its cargo management systems and forced authorities to shut down access to key digital services. The Port of Vigo cyberattack was detected at around 5:45 a.m., prompting an immediate response from the port’s IT team. The Port of Vigo cyberattack incident, now confirmed as a ransomware attack, affected servers linked to the Port Authority’s website, which remains offline. While the technical team was able to contain the threat, systems have been isolated from external networks as a precaution, delaying full restoration. Port president Carlos Botana said the systems will not be brought back online until all security checks are complete. He noted that the team is waiting until “everything is clear” before reconnecting services. At this stage, there is no confirmed timeline for when normal operations will resume.

Port of Vigo Cyberattack Slows Port Operations

The cyberattack on Port of Vigo has not impacted the port’s physical functioning, but it has significantly disrupted daily operations. Much of the cargo handling process depends on digital platforms for scheduling, coordination, and documentation. With systems offline, port users have been asked to switch to manual methods. Some operations, including those at the Border Inspection Post (BIP), are now being managed using paper records to keep workflows moving. This fallback has helped avoid a complete shutdown, but it is slowing processes and adding pressure on staff. The situation reflects how dependent modern port operations have become on digital infrastructure.

Ransomware Behind the Attack

Authorities have confirmed that the Port of Vigo cyberattack involved ransomware, a type of malware that blocks access to systems or data until a ransom is paid. In many cases, attackers also extract sensitive data, increasing the risk of further exposure. In this case, the focus remains on containment and recovery. A forensic investigation is currently underway to determine how the attackers gained access and whether any data has been compromised.

No Immediate Recovery Timeline

Despite progress in controlling the attack, the Port Authority has made it clear that restoring systems will take time. The IT team has not provided an estimated timeline for resuming server activity, citing the need for complete security validation before reconnecting systems. “The port's operational services and physical functioning have not been affected, but the programs will not be reopened to the public until all security checks have been completed,” Botana stated. This cautious approach is increasingly common in ransomware cases, where premature restoration can lead to reinfection or further compromise.

A Reminder of Growing Cyber Risks

The Port of Vigo cyberattack highlights the growing risk ransomware poses to critical infrastructure. Ports, in particular, rely on a mix of physical operations and digital systems, making them vulnerable to disruptions that can affect both logistics and trade flow. While operations at Vigo have not stopped entirely, the shift to manual processes shows how quickly efficiency can drop when systems go offline. The Port of Vigo cyberattack incident also points to a broader trend: cyberattacks are no longer limited to data theft. They are increasingly designed to disrupt operations, creating immediate and visible impact. As the investigation into the cyberattack on the Port of Vigo continues, the focus remains on restoring systems safely and understanding the scope of the breach. For now, the Port of Vigo continues to operate under constrained conditions, managing cargo traffic without the digital tools it typically depends on.

Head of Russian Cybercrime Group Mario Kart Sentenced for Locking Out Dozens of U.S. Businesses


A federal court in Detroit sentenced Russian national Illya Angelov on Tuesday for running a botnet operation that infected thousands of computers daily, sold backdoor access to ransomware groups, and victimized 72 companies across 31 U.S. states.

The extortion scheme involving Angelov and his criminal organization, known by the FBI as "Mario Kart," ran from 2017 to 2021. Prosecutors said Angelov and co-conspirators built a network of compromised computers that distributed malware-infected files attached to spam emails.

Angelov and his co-manager then monetized this botnet by selling access to individual compromised computers to other criminal groups, who typically engaged in ransomware extortion schemes — locking victims out of their computer networks and demanding extortion payments to restore access.

A botnet is a network of devices secretly infected with malware and controlled remotely by an attacker without the device owners' knowledge. The court records describe a scheme that was lucrative and prolific, sending 700,000 emails a day to computers around the world and infecting approximately 3,000 computers daily.

The Mario Kart malware provided a backdoor through which software could be uploaded to victims' computers. Instead of directly exploiting this access, the Mario Kart group sold it to customers, that is, other cybercriminal groups. These customers typically used the backdoor access to distribute ransomware, encrypting victims' data and demanding extortion payments to decrypt it.

Angelov's group included software coders who developed programs to distribute spam emails and malware so advanced it could evade virus-detection software. The operation sold backdoor access at scale, functioning as a criminal wholesale supplier to ransomware operators who lacked the infrastructure to breach targets themselves.

Angelov pleaded guilty in secret in October to one count of conspiracy to commit wire fraud. Prosecutors requested he serve 61 months in prison — a significant break from advisory sentencing guidelines calling for more than 12 years — and he was ordered to pay a $100,000 fine and a $1.6 million money judgment. The reduction reflected both his voluntary cooperation and the circumstances of his surrender.

Angelov was sentenced four years after an associate, Vyacheslav Igorevich Penchukov, was arrested in Switzerland and later extradited to the U.S. Penchukov was a member of a group that negotiated a $1 million payment to Angelov and a second individual for access to Mario Kart. A few days after Penchukov's arrest, Angelov contacted U.S. authorities and eventually negotiated his surrender. At the time of his travel and surrender, he was living in the United Kingdom, a country from which the U.S. could have sought his extradition.

Vitalii Alexandrovich Balint, who provided essential coding to Mario Kart, was sentenced five months earlier in federal court in Detroit to 20 months in prison. While Balint's role in Mario Kart was significant, he was Angelov's subordinate.

The Mario Kart case sits inside a broader DOJ enforcement pattern targeting the upstream criminal economy — the access brokers and botnet operators who supply the tools and entry points that ransomware groups deploy.

The day before Angelov's sentencing, a separate federal court sentenced Russian access broker Aleksei Volkov to 81 months for supplying network access to the Yanluowang ransomware group across dozens of U.S. organizations.


The sentencing of two Russian cybercriminals on two consecutive days in two different federal districts signals a deliberate prosecutorial push against the ransomware supply chain's foundational layer, not just its most visible operators.

The scheme operated before the peak of ransomware extortion payments, which reached a high of $1.25 billion in 2023. That trajectory makes the infrastructure Angelov built — and the model it demonstrated — directly relevant to understanding how the ransomware economy scaled to where it stands today.

Russian Access Broker Gets Nearly 7 Yrs for Enabling Millions in Ransomware Extortion


A single individual selling stolen network credentials to the right buyers can cause more damage than any ransomware group operating alone, and a federal court in Indiana made that arithmetic concrete by sentencing a 26-year-old Russian citizen to 81 months in prison for precisely that role: access broker.

Aleksei Volkov, of St. Petersburg, Russia, was sentenced in the Southern District of Indiana for assisting major cybercrime groups, including the Yanluowang ransomware group, in carrying out numerous attacks against U.S. companies and other organizations. Volkov facilitated dozens of ransomware attacks throughout the United States, causing over $9 million in actual losses and over $24 million in intended losses.

Volkov operated as what the cybersecurity industry calls an initial access broker, which is a specialized criminal role that sits upstream of ransomware deployment. Rather than executing attacks himself, Volkov found vulnerabilities in computer networks and systems, identified ways to access those networks and systems without authorization, and sold that illicit access to conspirators who were also cybercriminals.


Those co-conspirators then used the access Volkov provided to infect the affected computer networks and systems with malware, encrypting victims' data and preventing them from accessing it, damaging their business operations.

The conspirators then demanded that the victims pay ransom in cryptocurrency — sometimes in the tens of millions of dollars — in exchange for restoring access to the data and promising not to publicly disclose the hack or release victims' stolen data on a leak website.

The access broker model is a critical enabler of the modern ransomware economy. By separating the intrusion skill from the extortion operation, it allows ransomware groups to scale attacks without needing every member to possess deep technical exploitation expertise. Volkov effectively ran a supply chain for cybercrime — sourcing the raw ingredient that ransomware operators cannot easily produce at volume themselves.

Volkov was arrested on January 18, 2024, in Italy after a Bitcoin transaction originating in Indianapolis tied him to the cybercrime group. He was subsequently extradited to the United States and pleaded guilty to charges including aggravated identity theft and access device fraud.

As part of his plea agreement, Volkov agreed to pay $9,167,198.19 in restitution to known victims. In addition to the 81-month prison term, he received two years of supervised probation. He had been indicted in both the Southern District of Indiana and the Eastern District of Pennsylvania.

The Yanluowang ransomware group, one of the criminal organizations Volkov supplied, previously claimed responsibility for high-profile breaches including a 2022 intrusion into Cisco's corporate network. The group's willingness to target major enterprise organizations shows the downstream risk that a single access broker enabling their operations can create across the entire victim landscape.

Prosecuting access brokers — rather than only the ransomware operators who deploy the final payload — directly attacks the supply chain that makes large-scale ransomware campaigns economically viable. Targeting that upstream layer forces criminal networks to either develop intrusion capabilities in-house — a significant barrier — or risk greater exposure by broadening their supplier relationships.

The Cyber Express Weekly Roundup: Cyberattacks, AI Risks, and Geopolitical Cyber Threats


In this week’s cybersecurity roundup, The Cyber Express covers key global security developments, including a major supply chain disruption affecting a global manufacturer, rising concerns over security and legal risks linked to rapid AI adoption, and the continued escalation of cyber activity driven by geopolitical tensions.

Across industries, organizations are facing a mix of disruptive attacks and long-term espionage campaigns targeting both operational systems and critical infrastructure. Intelligence reports also continue to highlight sustained nation-state activity shaping the global threat landscape.

These developments reflect a cybersecurity environment where operational resilience, secure technology adoption, and coordinated defense strategies are increasingly essential to managing interconnected and fast-evolving risks.

The Cyber Express Weekly Roundup 

Stryker Cyberattack Disrupts Supply Chain, Recovery Timeline Unclear 

A cyberattack on Stryker Corporation has disrupted manufacturing, shipping, and order processing operations, with no clear recovery timeline announced. While internal systems were impacted, customer products have not been affected. The incident has been linked to the Handala group, and authorities, including the Cybersecurity and Infrastructure Security Agency (CISA), are currently investigating the attack. Read more… 

AI Legal Risks Rise as Businesses Rush Adoption, Expert Warns 

Cybersecurity expert Lisa Fitzgerald has warned that rapid adoption of AI tools without proper governance can expose organizations to data breaches, regulatory violations, and loss of control over sensitive information. In an interview with The Cyber Express, she emphasized the importance of structured risk assessments, employee training, and clear governance frameworks to manage AI-related risks effectively. Read more… 

Bonnie Butlin Highlights Role of Collaboration in Modern Security 

Bonnie Butlin has stressed the importance of global collaboration in addressing complex cyber, physical, and geopolitical threats. She highlighted the need to break down industry silos, strengthen cross-sector cooperation, and build more inclusive leadership models to improve resilience against evolving risks. Read more… 

US Intel Warns China Is Top Cyber Threat Ahead of Other Nation-States 

A new U.S. intelligence assessment identifies China as the most persistent cyber threat actor, with ongoing operations reportedly embedded within critical infrastructure systems. The report also highlights cyber activities from Russia, North Korea, and Iran, each employing different tactics ranging from espionage and sabotage to cybercrime and disinformation campaigns. Read more… 

Middle East Cyber Warfare Intensifies Amid Rising Geopolitical Conflict 

According to Cyble Research and Intelligence Labs, cyberattacks in the Middle East are increasing in parallel with ongoing geopolitical tensions. Critical sectors such as energy, finance, and communications have been identified as primary targets in this escalating cyber conflict landscape. Read more… 


Weekly Takeaway 

This week’s The Cyber Express weekly roundup highlights the growing complexity of the global cybersecurity environment, from supply chain disruptions and AI governance risks to escalating nation-state cyber operations and regional cyber warfare. Organizations, governments, and individuals must remain vigilant, prioritize strong governance frameworks, and adopt proactive security measures, including timely patching and continuous monitoring, to effectively respond to the evolving threat landscape.

The Cyber Express Weekly Roundup: Global Cyberattacks, Espionage, Malware, and Critical Security Updates


This week’s The Cyber Express weekly roundup highlights major cybersecurity developments affecting organizations, governments, and individuals worldwide. Key stories include destructive cyberattacks, such as system-wide wipes and targeted breaches, as well as state-backed cyber espionage targeting technology and research sectors. The roundup also covers proactive defense measures, including bug bounty programs, critical software patches, and industry responses to emerging malware. Together, these incidents highlight the technical sophistication of cyber threats, the direct impact on operations and data security, and the urgent need for timely mitigation strategies across both public and private sectors.

The Cyber Express Weekly Roundup 

Iran-Linked Hackers Wipe 200,000 Devices in Stryker Cyberattack 

In one of the most significant cybersecurity incidents this week, an Iran-linked hacker group known as Handala carried out a large-scale attack on Stryker Corporation. The group remotely wiped over 200,000 devices across 79 countries, bringing portions of the company’s operations to a halt. Handala has claimed responsibility, stating the attack was retaliation for a recent U.S. military strike in Iran. Read more... 

India Launches Bug Bounty to Secure Aadhaar Ecosystem 

India’s Unique Identification Authority (UIDAI) has launched a structured bug bounty program aimed at strengthening the Aadhaar ecosystem. Twenty expert ethical hackers have been enlisted to rigorously test core platforms, including the myAadhaar portal, the official website, and the Secure QR Code app. Read more... 

Finland Issues Warning on Russian and Chinese Cyber Espionage 

Finland’s Security and Intelligence Service (SUPO) has issued a warning regarding ongoing cyber espionage campaigns from Russian and Chinese state-backed actors. These campaigns are targeting technology companies, research institutions, and government networks. Read more... 

Microsoft March 2026 Patch Tuesday Addresses Critical Vulnerabilities 

Microsoft’s March 2026 Patch Tuesday update addresses 79 vulnerabilities across its ecosystem, including SQL Server, .NET, Office, SharePoint, Azure, and Windows. Notably, the update resolves two zero-day vulnerabilities and multiple remote code execution flaws. Additional updates target SharePoint, Azure MCP Tools, and Windows privilege escalation vectors. Read more... 

Cyberattack Forces Polish Hospital to Revert to Paper Operations 

The Independent Public Regional Hospital in Szczecin, Poland, experienced a cyberattack on March 7–8, 2026, which encrypted parts of its IT system and blocked access to critical digital records. Hospital officials confirmed that patient care continued without interruption, but administrative processes slowed considerably. Read more... 

ClipXDaemon: Linux Malware Hijacks Cryptocurrency Transactions 

A new Linux-based malware, ClipXDaemon, has been discovered targeting cryptocurrency users. The malware silently replaces copied wallet addresses with attacker-controlled addresses, allowing the theft of Ethereum, Bitcoin, Monero, Dogecoin, and Litecoin. ClipXDaemon operates locally without network communication, disguises itself as a kernel process, and persists by modifying the user’s ~/.profile file. Read more... 
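Two of the behaviours described above, a user-space process posing as a kernel thread and a persistence line appended to ~/.profile, can be triaged on a Linux host with a few lines of code. The following is an added example written for this roundup; it is not code from the article or from the researchers who analysed ClipXDaemon. The process names, file paths and the profile contents are constructed sample data, and the heuristics (a kernel-thread-style name on a process that maps a real executable; a profile line that launches something in the background or from a scratch directory) are assumptions about the general shape of the technique, not published indicators for this malware.

```python
"""Defensive triage helpers for a Linux host: spot user-space processes that
imitate kernel threads, and review ~/.profile for persistence-style lines.
Added example with constructed sample data; nothing here is a published
ClipXDaemon indicator."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from typing import Iterable

# Common kernel thread names.  A genuine kernel thread has no executable image
# (readlink on /proc/<pid>/exe fails) and an empty cmdline; a user process that
# borrows such a name still maps a real binary.
KTHREAD_NAME = re.compile(
    r"^\[?(kthreadd|kworker|ksoftirqd|migration|rcu_|kswapd|khugepaged|jbd2|watchdog|kcompactd)"
)


@dataclass(frozen=True)
class ProcInfo:
    pid: int
    comm: str          # contents of /proc/<pid>/comm
    cmdline: str       # /proc/<pid>/cmdline with NUL separators replaced by spaces
    exe: str | None    # os.readlink("/proc/<pid>/exe"), or None when that fails


def looks_like_kernel_thread(name: str) -> bool:
    """True when a name imitates how ps renders kernel threads, e.g. [kworker/0:1]."""
    return name.startswith("[") or KTHREAD_NAME.match(name) is not None


def is_kernel_thread_impostor(p: ProcInfo) -> bool:
    """Kernel-thread-like name (in comm or argv[0], either can be forged) plus a
    resolvable executable means this is a user process, not a kernel thread."""
    argv0 = p.cmdline.split(" ", 1)[0] if p.cmdline else ""
    if not (looks_like_kernel_thread(p.comm) or looks_like_kernel_thread(argv0)):
        return False
    return p.exe is not None


def find_impostors(procs: Iterable[ProcInfo]) -> list[ProcInfo]:
    return [p for p in procs if is_kernel_thread_impostor(p)]


def collect_live_procs() -> list[ProcInfo]:
    """Read the real /proc table (Linux only); entries that vanish mid-read are skipped."""
    procs: list[ProcInfo] = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue
        try:
            exe: str | None = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # kernel threads (and zombies) end up here
        procs.append(ProcInfo(pid, comm, cmdline, exe))
    return procs


# Heuristic: a login-shell profile line that backgrounds a command or runs
# something out of a scratch directory deserves a human look.
PROFILE_SUSPECT = re.compile(r"(&\s*$|\bnohup\b|\bsetsid\b|/tmp/|/dev/shm/|/var/tmp/)")


def profile_suspicious_lines(profile_text: str) -> list[str]:
    """Return the non-comment lines of a ~/.profile that match PROFILE_SUSPECT."""
    hits: list[str] = []
    for line in profile_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if PROFILE_SUSPECT.search(stripped):
            hits.append(stripped)
    return hits


# Constructed sample data (not observations from any real host).
SAMPLE_PROCS = [
    ProcInfo(2, "kthreadd", "", None),                       # genuine kernel thread
    ProcInfo(17, "kworker/0:1", "", None),                   # genuine kernel thread
    ProcInfo(1234, "bash", "bash", "/usr/bin/bash"),         # ordinary user process
    ProcInfo(4321, "kworker/u8:3", "[kworker/u8:3]", "/home/user/.cache/.kworker"),  # impostor
    ProcInfo(5555, "[kthreadd]", "[kthreadd]", "/tmp/.x/kthreadd"),                  # impostor
]

SAMPLE_PROFILE = """# ~/.profile: executed by the command interpreter for login shells.
if [ -n "$BASH_VERSION" ]; then
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi
PATH="$HOME/bin:$HOME/.local/bin:$PATH"
nohup /home/user/.cache/.kworker >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    for p in find_impostors(SAMPLE_PROCS):
        print(f"kernel-thread impostor: pid={p.pid} comm={p.comm!r} exe={p.exe}")
    for line in profile_suspicious_lines(SAMPLE_PROFILE):
        print(f"suspicious ~/.profile line: {line}")
```

On a live system, replace `SAMPLE_PROCS` with `collect_live_procs()` and read the user's actual `~/.profile`; both checks are screening heuristics that produce candidates for an analyst to confirm, not verdicts. The process check works because the kernel never gives its own threads an executable image, so the name alone is not what matters, the mismatch between name and `/proc/<pid>/exe` is.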

Weekly Takeaway 

This week’s The Cyber Express weekly roundup highlights the breadth of modern cybersecurity challenges, from geopolitically motivated attacks and malware targeting cryptocurrencies to proactive measures such as India’s bug bounty program and Microsoft’s critical patches. Organizations, governments, and individuals must remain vigilant, prioritize timely patching, and adopt proactive monitoring to navigate the complex threat landscape. 