Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

Crews now cross-claim each rival victim

4 min read
08:46UTC

Bitdefender's June debrief found affiliates now claiming victims already posted by rival crews, one group adding physical break-ins, and construction overtaking manufacturing as the most-targeted sector.

TechnologyDeveloping
Key takeaway

Affiliates cross-claiming rival victims signals a ransomware market churning faster than takedowns can thin it.

Bitdefender's June threat debrief flags a structural shift in the ransomware market: affiliates are now claiming victims already posted by rival crews 1. Affiliates are the independent operators who lease attack tooling from a ransomware-as-a-service brand and split the proceeds. The cross-claiming is a symptom of how freely they now move between programmes, and of how commoditised the IAB (initial access broker) market has become. The same brokered, pre-authenticated access that a Check Point VPN zero-day supplies in bulk a few sections up feeds this churn directly.

The Silent Ransomware Group has added physical on-site infiltration against legal and financial firms, pairing a network intrusion with a person through the door. MedusaLocker has rebranded as Bavacai and re-entered the top ten, a familiar move that lets a crew shed law-enforcement heat without losing its tooling 2.

Construction has overtaken manufacturing as the most-targeted sector 3. The logic is unglamorous: construction firms combine project-stage cash-flow pressure with weaker security maturity than manufacturing, which makes them quicker to pay and slower to detect. Enforcement is working the same market from the other end. The Europol seizure that disrupted at least 25 gangs helped push two crews out of the top tier after law-enforcement visibility rose, set against May's baseline of 95 disclosed victims across 37 active groups . The picture is a market under pressure but not consolidating: crews rebrand and re-enter faster than takedowns remove them.

Deep Analysis

In plain English

Ransomware is a type of cyberattack where criminals break into a company's computer systems, lock up or steal the data, and demand money to unlock it or not publish it. These criminal groups have become organised like businesses, with some providing the technical tools and others renting access to those tools to run actual attacks, a model called ransomware-as-a-service. A security company called Bitdefender found several notable changes in this criminal market in June 2026. Different criminal groups are now both claiming credit for the same attack on the same victim, because they independently bought access to the victim's network from the same underground broker. One group called the Silent Ransomware Group has gone further: its members physically showed up at the offices of law firms and financial companies to steal documents, combining an old-fashioned break-in with a cyberattack. Construction firms overtook manufacturers as the most commonly targeted industry, possibly because construction companies hold contract pricing, planning documents, and subcontractor relationships that fetch high ransoms, but typically invest less in security.

What could happen next?
  • Consequence

    Affiliate cross-claiming creates a dual-extortion negotiation problem for victims: paying one RaaS programme does not resolve the parallel claim from a second affiliate who purchased the same IAB access.

    Immediate · Assessed
  • Risk

    Silent Ransomware Group's physical infiltration tactic against legal and financial firms represents a hybrid cyber-physical threat requiring physical security controls alongside network defences for high-value document environments.

    Short term · Reported
  • Consequence

    Construction sector overtaking manufacturing as the most-targeted vertical will prompt cyber insurers to revise construction-sector exposure models and increase premium rates for firms without demonstrated security baselines.

    Medium term · Reported
First Reported In

Update #7 · VPN zero-day, no-patch KEV, late Exchange

Bitdefender· 14 Jun 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.