Good Thursday morning from TX - where it felt like the switch flipped from ‘spring’ to ‘summer’ this week.

-Jake

1. Ransomware reconsolidates around Qilin, LockBit 5.0, and "The Gentlemen"

What's happening: Check Point Research's Q1 2026 ransomware report logged 2,122 new victims across data-leak sites in the first three months of the year. Qilin held the top spot for a third consecutive quarter with 338 victims. LockBit 5.0 climbed back to fourth place with 163 victims (a 106% jump). The biggest mover: "The Gentlemen," up 315% to 166 victims after barely registering in Q4 2025.

State of play: Manufacturing and industrial sectors remained heavily represented in the victim pool. The US accounted for 49.6% of named victims, but Thailand cracked the top 10 for the first time and Taiwan's count more than tripled - both driven by The Gentlemen's regional push.

The big picture: This is the post-LockBit-takedown picture coming into focus. Cl0p's Oracle EBS campaign (CVE-2025-61882) shows the model going forward: a single high-value exploit chain, picked up by one or two crews, can move thousands of victims onto leak sites in weeks.

2. UK ICO fines South Staffordshire Water £964,900

The Information Commissioner's Office issued its monetary penalty notice on May 7 and made it public this week.

What's happening: The ICO fined South Staffordshire Plc and South Staffordshire Water Plc £964,900 (reduced from £1.6M after early admission) for security failures tied to the 2022 Cl0p ransomware breach that exposed personal data on 633,887 customers and employees.

  • Only 5% of the IT environment was covered by security monitoring, so attackers operated undetected from initial access (September 2020) through primary exfiltration (May–July 2022)

  • Windows Server 2003, out of vendor support since July 2015, was still in production

  • No regular internal or external vulnerability scans, with critical systems left unpatched
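The two findings that made this breach possible (telemetry blind spots and end-of-life servers) are both things you can measure from an asset inventory and a "last event received" table. Below is an added example of that reconciliation; it is not from the ICO notice or any South Staffordshire tooling. The inventory, telemetry timestamps, and the seven-day "silent agent" threshold are constructed assumptions; the Windows Server 2003 and 2008 R2 end-of-support dates are the real vendor dates.

```python
"""Monitoring-coverage and end-of-life reconciliation (added example).

Joins a constructed CMDB export against the hosts actually sending
telemetry to the SIEM/EDR and reports (a) the real coverage percentage,
(b) hosts that never report or have gone quiet, and (c) hosts running an
OS past vendor end of support.
"""
from datetime import datetime, timedelta, timezone

# Real vendor end-of-support dates; extend for your estate.
EOL_OS = {
    "windows server 2003": datetime(2015, 7, 14, tzinfo=timezone.utc),
    "windows server 2008 r2": datetime(2020, 1, 14, tzinfo=timezone.utc),
}

# Assumed threshold: an agent that has been silent for more than a week
# is treated as "not monitored", not as covered.
STALE_AFTER = timedelta(days=7)


def normalize(host: str) -> str:
    """CMDB and SIEM rarely agree on case or FQDN; compare short lowercase names."""
    return host.strip().lower().split(".")[0]


def coverage_report(inventory, telemetry, now):
    """inventory: list of {'host','os'}; telemetry: {host: last_seen datetime}."""
    last_seen = {normalize(h): ts for h, ts in telemetry.items()}
    unmonitored, stale, eol = [], [], []
    for asset in inventory:
        name = normalize(asset["host"])
        seen = last_seen.get(name)
        if seen is None:
            unmonitored.append(name)
        elif now - seen > STALE_AFTER:
            stale.append(name)
        os_name = asset["os"].strip().lower()
        for eol_name, eol_date in EOL_OS.items():
            if os_name.startswith(eol_name) and now >= eol_date:
                eol.append((name, asset["os"], (now - eol_date).days))
                break
    total = len(inventory)
    covered = total - len(unmonitored) - len(stale)
    return {
        "total": total,
        "coverage_pct": round(100.0 * covered / total, 1) if total else 0.0,
        "unmonitored": sorted(unmonitored),
        "stale": sorted(stale),
        "eol": sorted(eol),  # (host, os, days past end of support)
    }


# Constructed sample data: a reference date inside the breach window and a
# five-host inventory, three of which have ever sent an event.
NOW = datetime(2022, 7, 1, tzinfo=timezone.utc)

INVENTORY = [
    {"host": "DC01.corp.example", "os": "Windows Server 2019"},
    {"host": "FILE02.corp.example", "os": "Windows Server 2003 R2"},
    {"host": "SCADA-HIST.corp.example", "os": "Windows Server 2008 R2"},
    {"host": "WEB01", "os": "Ubuntu 20.04"},
    {"host": "HR-APP", "os": "Windows Server 2016"},
]

TELEMETRY = {  # constructed "last event received" table from the SIEM
    "dc01": NOW - timedelta(hours=1),
    "web01": NOW - timedelta(days=30),  # agent installed, silent for a month
    "hr-app": NOW - timedelta(minutes=5),
}

if __name__ == "__main__":
    report = coverage_report(INVENTORY, TELEMETRY, NOW)
    print(f"coverage: {report['coverage_pct']}% of {report['total']} assets")
    print("never reported:", ", ".join(report["unmonitored"]) or "none")
    print("gone quiet:", ", ".join(report["stale"]) or "none")
    for host, os_name, days in report["eol"]:
        print(f"EOL: {host} ({os_name}) unsupported for {days} days")
```

The point of counting stale agents separately is that "deployed to 95% of hosts" and "receiving events from 95% of hosts" are different numbers, and only the second one would have shortened a two-year dwell time.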

Of note: South Staffordshire didn't appeal.

🗞️ Quick Reads

Kaspersky's Securelist team disclosed that trojanized DAEMON Tools installers have been distributed since April 8, 2026, planting info-stealers and backdoors across thousands of systems globally, with selectively delivered advanced implants hitting roughly a dozen high-value targets in manufacturing, government, and scientific sectors.

🎭 Rapid7 published research linking a "Chaos ransomware" intrusion to Iran's MuddyWater (Seedworm) APT. The crew used Microsoft Teams social-engineering and screen-sharing to harvest credentials, then deployed AnyDesk and DWAgent for persistence — using ransomware branding as a false flag for espionage.
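The Teams-call-then-remote-access-tool pattern leaves a clean signal in process-creation telemetry: a remote-access binary nobody licensed, launched from a user-writable path, often with a collaboration client as its parent. Below is an added example of that hunt over constructed Sysmon-style events; it is not Rapid7's detection content. The binary names (AnyDesk.exe, dwagent.exe, dwagsvc.exe, the Teams executables), the sanctioned-tool list, and the sample command lines are assumptions to adapt to your environment.

```python
"""Hunt for unsanctioned remote-access tooling in process-creation events
(added example, not from the Rapid7 report)."""
from pathlib import PureWindowsPath

# Assumed binary names for the tools named in the report plus one the
# organization is assumed to actually license.
REMOTE_ACCESS_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "dwagent.exe": "DWAgent",
    "dwagsvc.exe": "DWAgent",
    "teamviewer.exe": "TeamViewer",
}
SANCTIONED = {"TeamViewer"}  # assumed: whatever your org really approves

# Path fragments that indicate a user-writable location rather than an
# admin-deployed install; extend as needed.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\")

# Assumed process names for classic and new Teams clients.
COLLAB_PARENTS = {"teams.exe", "ms-teams.exe", "msteams.exe"}


def classify(event):
    """Return a finding dict for one event, or None if it is uninteresting."""
    image = PureWindowsPath(event["Image"])
    tool = REMOTE_ACCESS_BINARIES.get(image.name.lower())
    if tool is None or tool in SANCTIONED:
        return None
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    reasons = [f"unsanctioned remote-access tool {tool}"]
    severity = "medium"  # an installed copy is still worth a ticket
    if any(h in str(image).lower() for h in USER_WRITABLE_HINTS):
        reasons.append("launched from user-writable path")
        severity = "high"
    if parent in COLLAB_PARENTS:
        reasons.append(f"spawned by collaboration client {parent}")
        severity = "high"
    return {
        "time": event["UtcTime"], "host": event["Computer"],
        "user": event["User"], "tool": tool,
        "severity": severity, "reasons": reasons,
    }


def hunt(events):
    """Run classify() over a batch and keep only the findings."""
    return [hit for hit in (classify(e) for e in events) if hit]


# Constructed sample telemetry; the command-line flags are illustrative.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-05-12 14:02:11", "Computer": "WS-4471", "User": r"CORP\jdoe",
     "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\MSTeams_24.0\ms-teams.exe",
     "CommandLine": r"AnyDesk.exe --install C:\Users\jdoe\AppData\AnyDesk --silent"},
    {"UtcTime": "2026-05-12 14:09:40", "Computer": "WS-4471", "User": r"CORP\jdoe",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\dwagent.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "dwagent.exe"},
    {"UtcTime": "2026-05-12 14:15:02", "Computer": "SRV-IT01", "User": r"CORP\svc_helpdesk",
     "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "TeamViewer.exe"},
    {"UtcTime": "2026-05-12 14:20:30", "Computer": "WS-0098", "User": r"CORP\mlee",
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "AnyDesk.exe --service"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['time']} {hit['host']} {hit['user']} "
              f"{hit['tool']}: " + "; ".join(hit["reasons"]))
```

The third sample event is the sanctioned tool and produces nothing; the fourth is an AnyDesk service already installed under Program Files, which scores only medium but is exactly the persistence footprint the report describes, so it should still page someone.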

🏢 A new WEF piece (Leo Simonovich of Siemens Energy + Filipe Beato of WEF) makes the case that data centers have quietly become OT-adjacent critical infrastructure. Their argument: as AI workloads pull data centers into deeper integration with regional power grids, the perimeter-based security model breaks — and the cascade risk between hyperscale energy demand and OT-controlled substations is now a real attack-surface conversation.

📋 CISA, the G7 Cybersecurity Working Group, and partner agencies in Germany, Canada, France, Italy, Japan, the UK, and the EU released "Software Bill of Materials for AI – Minimum Elements." Seven required clusters: Metadata, Models, Dataset Properties, System-Level Properties, KPIs, Security Properties, and Infrastructure.

One More Thing: West Pharmaceutical and Foxconn ransomware hits put OT-adjacent manufacturing back in the crosshairs

What's happening: West Pharmaceutical Services (NYSE: WST), a major medical-device and drug-delivery manufacturer, disclosed in a May 13 SEC 8-K that it detected an intrusion on May 4 and proactively shut down systems globally to contain it. The attackers encrypted some systems and exfiltrated an undisclosed amount of data. West engaged Palo Alto Networks' Unit 42 and notified law enforcement.

Separately, Foxconn (the Taiwan-based electronics giant that builds for Apple, Nvidia, Google, Intel, and Dell) confirmed a cyberattack affecting its North American factories, including facilities in Mount Pleasant, Wisconsin and Houston, Texas. The Nitrogen ransomware crew claimed responsibility, posting that it had stolen 8TB of data and 11+ million files, including hardware schematics and project documentation for its largest customers.

State of play: West's manufacturing, shipping, and shared services were all disrupted; some operations have resumed but full restoration is not finalized. Foxconn says affected factories are "returning to normal production." Neither company has confirmed whether OT systems on the factory floor were directly compromised vs. shut down preemptively.