Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
20MAY

RansomHouse posts Trellix internal screenshots as extortion leverage

3 min read
09:58UTC

RansomHouse posted alleged internal system screenshots from inside Trellix to its leak site on or around 11 May, 24 days after the 17 April intrusion and 21 days after Trellix's 8 May self-disclosure, withholding the full source-code dump as extortion leverage.

TechnologyDeveloping
Key takeaway

Trellix's 45-day disclosure-to-extortion timeline is the data point the UK reporting bill will be argued against.

RansomHouse, the extortion crew, posted alleged internal system screenshots from inside Trellix to its leak site on or around Monday 11 May 2026 1. The screenshots reportedly show access to Trellix's appliance management console, its VMware estate, Rubrik backup infrastructure, and Dell EMC storage. Trellix, the US cybersecurity vendor formed from the McAfee Enterprise and FireEye merger, confirmed unauthorised repository access on 8 May but stated there was no evidence the source code had been altered or weaponised. The full source-code dump has not been published; RansomHouse is holding it as leverage.

RansomHouse says the original compromise occurred on 17 April 2026. Trellix self-disclosed on 8 May, a 21-day intrusion-to-disclosure gap . The leak-site posting on 11 May added a further three days before the first public extortion artefact landed, totalling roughly 24 days from initial access to leak-site publication. RansomHouse's incremental disclosure tactic, screenshots first and dump later, is by now a standard pattern for the operator.

The UK Cyber Security and Resilience Bill, at Report Stage in Parliament since 2 March 2026, proposes a 24-hour initial-notification window and a 72-hour full-report requirement . Trellix's 21-day gap is well beyond the bill's proposed initial threshold. The case is now a worked example for parliamentary debate: a US-headquartered cybersecurity vendor with UK customers, an intrusion-to-disclosure interval running into weeks, and an attacker-controlled second disclosure window opened beyond it. The Capita ICO precedent has already shown the regulator willing to treat NCSC guidance as enforceable; the bill would put a statutory clock on top of that.

Deep Analysis

In plain English

Trellix sells cybersecurity software used by large organisations to detect and respond to attacks. The group RansomHouse broke into Trellix on 17 April 2026, and rather than releasing all stolen data immediately, posted screenshots of Trellix's internal systems on 11 May to pressure the company into paying. Trellix confirmed the break-in but claimed the hackers had not altered its software.

First Reported In

Update #4 · AI joins the breach column on both sides

ThaiCERT· 20 May 2026
Read original
Causes and effects
This Event
RansomHouse posts Trellix internal screenshots as extortion leverage
A worked example of the disclosure-gap problem the UK Cyber Security and Resilience Bill is trying to close: 45 days total from initial access to first public extortion artefact, with the bill's proposed 24-hour reporting clause currently before Parliament.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.