Cybersecurity: Threats and Defences
14 JUN

Crews now cross-claim each rival victim

11:51 UTC

Bitdefender's June debrief found affiliates now claiming victims already posted by rival crews, one group adding physical break-ins, and construction overtaking manufacturing as the most-targeted sector.

Technology · Developing
Key takeaway

Affiliates cross-claiming rival victims signals a ransomware market churning faster than takedowns can thin it.

Bitdefender's June threat debrief flags a structural shift in the ransomware market: affiliates are now claiming victims already posted by rival crews [1]. Affiliates are the independent operators who lease attack tooling from a ransomware-as-a-service brand and split the proceeds. The cross-claiming is a symptom of how freely they now move between programmes, and of how commoditised the IAB (initial access broker) market has become. The same brokered, pre-authenticated access that a Check Point VPN zero-day supplies in bulk a few sections up feeds this churn directly.

The Silent Ransomware Group has added physical on-site infiltration against legal and financial firms, pairing a network intrusion with a person through the door. MedusaLocker has rebranded as Bavacai and re-entered the top ten, a familiar move that lets a crew shed law-enforcement heat without losing its tooling [2].

Construction has overtaken manufacturing as the most-targeted sector [3]. The logic is unglamorous: construction firms combine project-stage cash-flow pressure with weaker security maturity than manufacturing, which makes them quicker to pay and slower to detect. Enforcement is working the same market from the other end. The Europol seizure that disrupted at least 25 gangs helped push two crews out of the top tier after law-enforcement visibility rose, set against May's baseline of 95 disclosed victims across 37 active groups. The picture is a market under pressure but not consolidating: crews rebrand and re-enter faster than takedowns remove them.

Deep Analysis

In plain English

Ransomware is a type of cyberattack where criminals break into a company's computer systems, lock up or steal the data, and demand money to unlock it or not publish it. These criminal groups have become organised like businesses, with some providing the technical tools and others renting access to those tools to run actual attacks, a model called ransomware-as-a-service. A security company called Bitdefender found several notable changes in this criminal market in June 2026. Different criminal groups are now claiming credit for the same attack on the same victim, because they independently bought access to the victim's network from the same underground broker. One group called the Silent Ransomware Group has gone further: its members physically showed up at the offices of law firms and financial companies to steal documents, combining an old-fashioned break-in with a cyberattack. Construction firms overtook manufacturers as the most commonly targeted industry, possibly because construction companies hold contract pricing, planning documents, and subcontractor relationships that fetch high ransoms, but typically invest less in security.

What could happen next?
  • Consequence

    Affiliate cross-claiming creates a dual-extortion negotiation problem for victims: paying one RaaS programme does not resolve the parallel claim from a second affiliate who purchased the same IAB access.

    Immediate · Assessed
  • Risk

    Silent Ransomware Group's physical infiltration tactic against legal and financial firms represents a hybrid cyber-physical threat requiring physical security controls alongside network defences for high-value document environments.

    Short term · Reported
  • Consequence

    Construction sector overtaking manufacturing as the most-targeted vertical will prompt cyber insurers to revise construction-sector exposure models and increase premium rates for firms without demonstrated security baselines.

    Medium term · Reported
First Reported In

Update #7 · VPN zero-day, no-patch KEV, late Exchange

Bitdefender · 14 Jun 2026
Different Perspectives
Beijing-aligned attribution sceptics
CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.
Enterprise security buyers
Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.
Check Point
Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.
European Commission and ENISA
NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.
UK NCSC
The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.
US Federal CISO community
Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.