According to a newly published Comparitech report, global ransomware attacks reached a new high in the first half of 2026, with an average of 23 attacks per day. During the first six months of 2026, researchers logged 4,217 ransomware attacks, an 11 percent increase on the second half of 2025 (3,809).
Additional key findings include:
484 confirmed ransomware attacks
319 were on businesses
83 were on government entities
49 were on healthcare companies
33 were on educational institutions
3,733 unconfirmed attacks*
3,356 were on businesses
102 were on government entities
198 were on healthcare companies
71 were on educational institutions
5,019,204 records compromised in the confirmed attacks
Median ransom demand: $150,000 (average: $1.36M)
Qilin was the most prolific ransomware group with 641 victims in total, followed by The Gentlemen (464) and Akira (317)
Qilin (54) and The Gentlemen (51) had the most confirmed attacks
The United States was the most targeted country with 1,832 attacks in total, followed by Canada (200), Germany (164), the United Kingdom (157), Italy (131), France (117), and Spain (100)
China saw one of the biggest upticks in attacks from H2 2025 to H1 2026 (up 540% from 5 to 30)
Commenting on these findings is Rebecca Moody, Head of Data Research at Comparitech:
“One thing that stands out in this report is how the growth of one ransomware group can start to change the threat landscape. The Gentlemen overtook Qilin in the number of attack claims last month, and, as the group operates a more “international” approach to its targets, attack figures dropped in the US (when compared to H2 of 2025), despite figures increasing in most other countries.
Around half of Qilin’s targets tend to be US-based, but less than 1 in 5 of The Gentlemen’s victims in June 2026 were based in the US. Perhaps seeing how saturated ransomware attacks are in the US, The Gentlemen has decided to focus more of its efforts further afield — and with relative success. 51 of its 2026 victims have confirmed their attacks to date, with notable names including Mackay Sugar in Australia, the Grand Hotel Taipei in Taiwan, and NATO contractor Indra (Spanish HQ but subsidiary affected).”
As organizations adopt AI-powered SOCs, much of the attention goes to reducing false positives. False negatives, where the AI wrongly clears an attack or its early phases, are discussed far less but are far more damaging.
Yasir’s detailed analysis finds that AI SOCs miss real threats more often than SOC teams and their organizations expect, and lays out what false negatives cost the average organization.
AI detection tools lose roughly 45 to 50 percent of their tested accuracy when deployed in real environments, because production data, infrastructure and the threats themselves differ from the test set and keep evolving.
Up to 40 percent of alerts in a standard SOC go completely uninvestigated, and the resulting slow detection is a strong driver of rising estimates of the cost of a data breach.
An effective SOC is a well-governed one: it logs what it missed, flags coverage gaps, routes uncertain signals to human review, and escalates ambiguous as well as high-risk cases to supervising analysts.
An operator tied to FortiBleed’s infrastructure was found actively working the negotiation panels of both INC Ransom and Lynx, tying mass FortiGate credential theft directly to ransomware deployment for the first time.
Behind the credential leaks lies a coordinated operation run by the Lynx-INC ransomware group, and the actors are exploiting a previously undisclosed Nextcloud zero-day that our team is actively investigating.
The operators were observed using the Nextcloud zero-day to expand access. Investigation is ongoing; full technical details, affected versions and IOCs will follow in our upcoming report.
Key findings:
FortiBleed has targeted 430,000+ FortiGate firewalls worldwide via a custom credential-sniffing tool
STRU identified 200+ additional operational servers beyond the original campaign
An operator with access to FortiBleed infrastructure was found logged into both INC Ransom and Lynx negotiation panels
Victim data from FortiBleed overlaps with victims already tracked by INC Ransom
An internal tracking document reveals an organized, ~20-person operation with a clear division of labor
What we now know
Ransomware operation: STRU assesses with high confidence that FortiBleed is operated by the Lynx-INC ransomware group. Extensive intelligence has been obtained on the group, including its members.
Nextcloud zero-day: The actors are exploiting a previously undisclosed Nextcloud zero-day. Our analysis is ongoing.
Backdoored accounts: Persistent backdoor accounts were found on compromised devices (username: adminin).
Large-scale sniffing: Traffic sniffing was identified on ~19,000 Fortinet devices. Following SOCRadar’s notifications to affected parties, this number has dropped to ~11,000.
Infrastructure seizure: 500 servers were seized – including the server Lynx-INC used for ransom negotiations.
Decryption: Efforts to recover decryption keys are ongoing.
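A hunt a FortiGate administrator would want to run against the backdoor-account finding above: pull the device's admin list and flag anything that is not on your approved roster, with the reported name "adminin" treated as a hard hit. This is an added example, not SOCRadar or STRU tooling. It assumes the standard FortiOS configuration dump layout produced by `show system admin` (`config` / `edit "name"` / `set key value` / `next` / `end`); the dump below is constructed, and the approved list is a placeholder for your own.

```python
"""Audit FortiOS 'show system admin' output for unexpected admin accounts.

Added example, not SOCRadar/STRU code. Assumes the usual FortiOS config dump
layout; SAMPLE_DUMP is constructed and the approved roster is hypothetical.
"""
import re

EDIT_RE = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')

# Constructed stand-in for `show system admin` output. Real output carries an
# encrypted password hash on the `set password ENC ...` line; redacted here.
SAMPLE_DUMP = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
        set password ENC <redacted>
    next
    edit "noc-ro"
        set accprofile "prof_admin"
        set vdom "root"
        set trusthost1 10.0.1.0 255.255.255.0
        set password ENC <redacted>
    next
    edit "adminin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC <redacted>
    next
end
"""


def parse_admins(dump):
    """Return {admin_name: {setting: value}} from a FortiOS config dump."""
    admins, current = {}, None
    for line in dump.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            admins[current] = {}
            continue
        if current is None:
            continue
        if line.strip() == "next":
            current = None
            continue
        m = SET_RE.match(line)
        if m:
            admins[current][m.group(1)] = m.group(2).strip().strip('"')
    return admins


def audit_admins(dump, approved, known_bad=("adminin",)):
    """Return [(name, [reasons])] for admin accounts needing review.

    `known_bad` holds indicator names (the page reports "adminin"); anything
    else not in `approved` is flagged as unexpected. Because `show` omits
    default values, a missing trusthost1 means the account may log in from
    any source address, which is worth calling out on a flagged account.
    """
    findings = []
    for name, attrs in parse_admins(dump).items():
        reasons = []
        if name in known_bad:
            reasons.append("matches reported backdoor name")
        elif name not in approved:
            reasons.append("not in approved admin list")
        if reasons and attrs.get("accprofile") == "super_admin":
            reasons.append("holds super_admin")
        if reasons and "trusthost1" not in attrs:
            reasons.append("no trusthost restriction")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, why in audit_admins(SAMPLE_DUMP, approved={"admin", "noc-ro"}):
        print(name, "->", "; ".join(why))
```

Feed it the output of `show system admin` from each device (or `show full-configuration system admin` if you want defaults spelled out) and treat any hit as a reason to pull the device's full config and logs, not just to delete the account.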
Recent timeline
29 Jun 2026 – 9,426 newly identified FortiGate devices found in Lynx-INC’s internal tracking documents, with ransomware deployed against several targets.
27 Jun 2026 – FortiBleed formally linked to the Lynx-INC ransomware group.
26 Jun 2026 – IoC update: 42 operation servers and 13 files added.
25 Jun 2026 – Citrix target list discovered: 29,000 IP addresses and 37 domains, indicating targeting is expanding beyond FortiGate.
25 Jun 2026 – IoC update: 19 operation servers and 4 files added.
A detailed report covering the Lynx-INC operation, the Nextcloud zero-day and full indicators of compromise will be published later this week or early next week.
Posted in Commentary with tags Azure on July 1, 2026 by itnerd
A massive password spray campaign targeting Azure CLI is the latest reminder that identity remains the easiest way into an environment, not the hardest. What’s notable isn’t the technique, it’s how many organizations will only learn their exposure after the fact, because their compliance program checks whether an MFA policy exists once a year instead of verifying it holds up in real time.
Justin Beals, CEO & Founder of Strike Graph, an AI-native GRC and compliance automation platform, had this to say:
“A password spray campaign at this scale against Azure CLI is a reminder that identity is still the front door most attackers walk through, not the one they have to break down. Credential stuffing and spray attacks work because organizations are still measuring identity security by whether a policy exists, not by whether it’s actually holding under live pressure.
This is the attestation versus verification gap again. A company can have an MFA policy documented, reviewed, and signed off in an audit, and still get walked through the door if enforcement has gaps, exceptions, or stale service accounts sitting outside the policy’s scope. Traditional compliance checks that policy exists once a year. It doesn’t tell you whether your identity controls are holding up against an active campaign today.
Continuous monitoring of authentication events, not an annual attestation, is what actually catches this while it’s happening. If the first time you find out about a password spray campaign is when a security outlet writes about it, your compliance program is documenting risk after the fact instead of managing it in real time.”
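What "continuous monitoring of authentication events" looks like in practice, as an added example that is not part of the post or of Strike Graph's product: a spray detector run over sign-in records. It assumes events shaped like an Entra ID sign-in log export (`userPrincipalName`, `ipAddress`, `appDisplayName`, `createdDateTime`, `status.errorCode`) with the Azure CLI app name as the filter; the events below are constructed. The signature it looks for is the one that distinguishes a spray from a brute force: one source address, many distinct accounts, only one or two guesses each. It also lists accounts where the same source got past the password check, which is the reset-first list.

```python
"""Password-spray detection over Entra ID style sign-in records.

Added example, not code from the original post or from Strike Graph. Assumes
records shaped like an Entra ID SignInLogs export; SAMPLE_EVENTS is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

AZ_CLI_APP = "Microsoft Azure CLI"
BAD_PASSWORD = 50126            # Entra error: invalid username or password
PASSWORD_OK = {0, 50074, 50076}  # 0 = success; 5007x = password accepted, MFA interrupt followed


def _when(event):
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))


def _event(ts, user, ip, code, app=AZ_CLI_APP):
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "appDisplayName": app, "status": {"errorCode": code}}


# Constructed sample: 203.0.113.7 walks an employee list with one guess each
# and lands a valid password on dana (MFA interrupt). 198.51.100.9 is one user
# mistyping their own password twice, which must not trip the detector.
SAMPLE_EVENTS = [
    _event("2026-06-30T02:00:05Z", "alice@example.com", "203.0.113.7", BAD_PASSWORD),
    _event("2026-06-30T02:00:41Z", "bob@example.com", "203.0.113.7", BAD_PASSWORD),
    _event("2026-06-30T02:01:17Z", "carol@example.com", "203.0.113.7", BAD_PASSWORD),
    _event("2026-06-30T02:01:52Z", "dana@example.com", "203.0.113.7", 50076),
    _event("2026-06-30T02:02:30Z", "erin@example.com", "203.0.113.7", BAD_PASSWORD),
    _event("2026-06-30T02:03:04Z", "frank@example.com", "203.0.113.7", BAD_PASSWORD),
    _event("2026-06-30T02:03:39Z", "grace@example.com", "203.0.113.7", BAD_PASSWORD),
    _event("2026-06-30T09:15:00Z", "alice@example.com", "198.51.100.9", BAD_PASSWORD),
    _event("2026-06-30T09:15:20Z", "alice@example.com", "198.51.100.9", BAD_PASSWORD),
    _event("2026-06-30T09:15:45Z", "alice@example.com", "198.51.100.9", 0),
]


def detect_spray(events, app=AZ_CLI_APP, window_minutes=30, min_users=5, max_per_user=2):
    """Return {ip: finding} for source IPs whose failures look like a spray.

    Within one sliding window, one IP fails the password check for at least
    `min_users` distinct accounts while trying each at most `max_per_user`
    times. The finding keeps the widest window seen for that IP and lists the
    accounts where the same IP got past the password check.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["appDisplayName"] == app:
            by_ip[e["ipAddress"]].append(e)

    window = timedelta(minutes=window_minutes)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=_when)
        start = 0
        for end in range(len(evs)):
            while _when(evs[end]) - _when(evs[start]) > window:
                start += 1
            fails = defaultdict(int)
            for e in evs[start:end + 1]:
                if e["status"]["errorCode"] == BAD_PASSWORD:
                    fails[e["userPrincipalName"]] += 1
            # short-circuit keeps max() off an empty dict
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                prev = findings.get(ip)
                if prev is None or len(fails) > prev["sprayed_users"]:
                    findings[ip] = {
                        "sprayed_users": len(fails),
                        "first_seen": evs[start]["createdDateTime"],
                        "last_seen": evs[end]["createdDateTime"],
                        "password_accepted": sorted({
                            e["userPrincipalName"] for e in evs
                            if e["status"]["errorCode"] in PASSWORD_OK}),
                    }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(SAMPLE_EVENTS).items():
        print(ip, finding)
```

The thresholds are starting points: tune `min_users` against your tenant's normal failure rate, and remember that a slow spray from a rotating proxy pool spreads across many IPs, so a second pass keyed on ASN or on the user agent is worth adding once the per-IP rule is in place.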
Anthropic is putting Claude Fable 5 back online worldwide. On June 30, the U.S. Commerce Department lifted the export controls it had imposed on Fable and its more tightly controlled sibling Mythos 5 about two and a half weeks earlier.
Fable 5 returns to users on Wednesday, July 1, across Claude.ai, the Claude Platform, Claude Code, and Claude Cowork.
Export controls restrict who can receive or use a technology. The June 12 order told Anthropic to cut off both models for any foreign national, inside or outside the United States, including its own non-citizen staff.
Commenting on this is Mayur Upadhyaya, CEO at APIContex:
“The restoration of Claude Fable 5 is welcome news. However, many organizations discovered they had unintentionally created a single point of failure in their AI strategy.
Where workflows had automatically adopted the latest Anthropic model, removing Fable didn’t always result in graceful degradation. In some cases, automations failed silently because there was no fallback, no cold restart, and no operational awareness that the dependency had changed. This isn’t a criticism of Anthropic. The pace of innovation from the foundation model providers is extraordinary. But it does highlight that enterprises are beginning to treat AI models as operational infrastructure rather than productivity tools. Every infrastructure dependency eventually changes. Models are updated, withdrawn, restricted, or superseded. The question for organizations is no longer whether they’ll use frontier AI. It’s whether their workflows continue to operate when those underlying dependencies inevitably change. As AI becomes part of critical business processes, resilience needs to evolve beyond model performance. We need to verify that the transactions built on top of these models continue to perform and conform, even when the infrastructure beneath them changes.”
I’m going to go out on a limb and suggest that the US didn’t really have much of a choice but to release Claude Fable 5. But that doesn’t mean that anything AI generates doesn’t need to be validated. In fact, I would argue that it doubles the need for validation.
Harness, the AI Software Delivery Platform company, today launched Autonomous Worker Agents for software delivery: the platform for enterprises to build and safely run AI agents that handle the work between writing code and shipping it to production.
Software delivery has moved through phases. First, people did the work by hand. Then they wrote scripts for individual jobs like deployment. Most recently, they connected those jobs into automated pipelines that follow fixed instructions, which is what Harness has run for large enterprises for years. Worker Agents are the next phase. Every step in the pipeline can now run as a reasoning agent rather than a fixed script, with the context, governance, sandboxing, and audit trails that enterprises need to trust agents in production.
Dozens of Harness Managed Agents are available today, and any team can customize them or build their own. A new Harness Agent Marketplace makes it easy to find, use, and share them.
The controls that keep agents safe in production
Autonomous Worker Agents run on infrastructure that the customer controls. Code and data never leave the customer’s network, and agents are governed by the same controls enterprises already use for human deployments.
These controls make Autonomous Worker Agents safe to run in production:
Sandboxing: Agents run in isolated containers with restricted file and network access. An agent that produces a malicious command has nowhere to send data.
Scoped credentials: Each agent has its own identity and the specific set of permissions assigned to it, the same way an employee does. An agent can only take the actions those permissions allow, no matter who triggers it or what its prompt says.
Policy enforcement: The same policies that gate human deployments gate agents. A policy can keep agents off non-approved models or out of production pipelines.
Audit trails: Every agent action is recorded under a distinct AI identity, with full provenance: what triggered the agent, what it did, and the outcome.
Cost tracking: Token spend is surfaced per agent, per pipeline, with budget caps that stop an agent when it hits its limit.
Chaining: Agents compose into multi-step workflows, passing output from one to the next.
Easy to build, governed by your policies
Building an Autonomous Worker Agent uses the same agent-file format that has become standard across the industry. Save it to a single file, commit it to your repository, and the agent is live, governed, and available across your organization. Teams that would rather not write the file can use Harness AI to generate the agent for them. Either way, the agent runs as a governed pipeline step with the same controls, audit trail, and policy enforcement as everything else.
Once it runs, the agent has your organization’s full context. It reasons using the Harness Software Delivery Knowledge Graph, a connected map of your services, pipelines, deployments, infrastructure, incidents, and security findings. An agent assessing a vulnerability knows which services are affected and who owns them. A deployment agent knows which services depend on the one being deployed. The result is a response built for your specific environment, not a generic fix that only looks right.
Agents also meet you where you work. Through the Harness MCP Server, a developer in Cursor, Claude Code, or another tool can assign a task to a Worker Agent and have it run in Harness, with the result returned to wherever it was triggered. Wherever an agent runs, it runs under your organization’s policies, governed the same way as every other step in your pipeline.
Harness-built agents, ready to use today
Harness has pre-built Autonomous Worker Agents that handle the repetitive, time-consuming work that slows teams down across the delivery lifecycle. Here are a few of the agents available today, with more added regularly:
Autofix reads build logs, identifies the root cause of a build failure, commits a fix to the PR branch, and re-triggers builds until it passes.
Code Review reviews PR diffs for code quality, security issues, and test coverage.
Code Coverage identifies untested lines and generates tests to close coverage gaps.
Feature Flag Cleanup detects stale flags and validates safe removal.
Manifest Remediator analyzes failed Kubernetes deployments and fixes manifest issues.
IaCM Remediation fixes configuration drift, security findings, and cloud cost issues by editing infrastructure configurations.
The Harness Agent Marketplace
The Harness Agent Marketplace is a shared catalog where Worker Agents are published and reused across an organization and the broader Harness community. Teams can adopt an existing agent rather than build their own, and contribute the agents they build back to the catalog.
It has three tiers:
Harness Managed: Built, maintained, and SLA-backed by Harness.
Harness Certified: Built by partners, reviewed and certified by the Harness engineering and security teams.
Community: Published by the broader Harness community. Organizations can use out-of-the-box policies to control which community agents run in production.
Every agent in the Marketplace can be forked. A team can clone an existing agent and adjust the prompt, tools, or triggers to fit their environment. The agent one team builds to solve a problem becomes the starting point for the next team that hits the same roadblock.
Bring your own model
Autonomous Worker Agents work with any LLM provider. Connect Anthropic, AWS Bedrock, or Google Vertex AI through existing Harness connectors, and switch models per agent, per environment, or per pipeline without rewriting the agent.
Availability
Autonomous Worker Agents and the Harness Agent Marketplace are now generally available to all Harness customers. For more information, visit https://harness.io/platform/worker-agents.
Think your small business is too small to be targeted by ransomware?
That’s precisely the assumption cybercriminals hope you’ll make.
Bitdefender Antispam researchers have uncovered a phishing campaign targeting small businesses across Europe, Asia, the Middle East, and the United States with fake investigation emails impersonating law enforcement officials.
The messages claim to contain evidence of suspicious company activity, but there’s a catch: The attached ‘evidence’ is actually ransomware.
Key takeaways
Researchers at Bitdefender Antispam Lab have identified a malicious campaign impersonating Interpol
The emails claim to contain evidence of suspicious company activity and pressure recipients into opening a password-protected archive.
Recipients are directed to a Proton Drive-hosted file that ultimately delivers ransomware.
The ransomware appears to be a custom-built payload rather than a known ransomware family.
The operation targeted organizations across Europe, Asia, the Middle East, and the United States.
Small businesses are particularly at risk because many lack dedicated IT and cybersecurity resources.
How the attack works
The emails arrive with an urgent tone, claiming to be from Interpol’s cybercrime investigation unit, which is conducting a compliance or security review.
Recipients are told that investigators have obtained information and video material related to their organization and are encouraged to review the evidence as soon as possible.
The message is carefully crafted to create anxiety. Nobody wants to receive an email suggesting their company may be involved in suspicious or fraudulent activity or under investigation.
To review the alleged evidence, recipients are directed to a Proton Drive link containing a password-protected archive. The password is conveniently included in the email itself.
Once opened, the archive appears to contain a video file documenting the supposed activities under investigation.
Instead, the victim is greeted with malware.
The attackers use a familiar trick: disguising an executable as a video file in the hope that recipients won’t notice the difference before opening it.
The malware isn’t sophisticated. The social engineering is.
According to researchers Viorel Vrabie and Andrei Mogage, the fake video contains a ransomware payload hidden within multiple archive layers.
Once executed, the malware seeks to encrypt files across available drives and presents victims with a ransom message:
“Your computer has been compromised, and you will not be able to recover your encrypted files without the decryption key.
Do not delete any files or change their locations. Do not scan your computer, as this may complicate the recovery process.
We are available only through Tox.”
One interesting detail is what the ransom note doesn’t say:
Unlike older ransomware attacks that immediately demanded a fixed payment amount, this note doesn’t specify a ransom at all. Instead, victims are instructed to contact the attackers through a Tox chat channel.
This approach has become increasingly common among ransomware operators. Rather than demanding the same amount from every victim, attackers often prefer to negotiate after establishing contact. The final ransom may depend on the size of the organization, the perceived value of its data, and its ability to pay.
The researchers also found that the malware itself is relatively simple. The code contains hardcoded values, including the password used during encryption and decryption, and lacks many of the features typically associated with large ransomware operations.
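The lure described above (a password-protected archive, several layers deep, holding an executable named to look like a video) is the kind of thing a mail gateway or a help desk can triage mechanically before anyone double-clicks. The following is an added example, not Bitdefender's code: it walks a ZIP, recurses into nested ZIPs, and judges each member by its extension chain and its first bytes rather than by the icon Explorer would show. The archive it inspects is constructed in memory as a stand-in for the campaign's "evidence" file (the real one was password-protected; the `pwd` parameter handles that case via the ZipCrypto support in `zipfile`, but the sample is left unencrypted because the standard library cannot write encrypted ZIPs).

```python
"""Triage a nested, optionally password-protected ZIP for executables posing
as media files. Added example, not Bitdefender's code; build_sample() is a
constructed stand-in for the campaign's lure.
"""
import io
import zipfile

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs",
             ".hta", ".msi", ".lnk"}
DECOY_EXTS = {".mp4", ".avi", ".mov", ".mkv", ".mp3", ".pdf", ".docx", ".jpg", ".png"}
MAX_DEPTH = 4                    # stop unpacking archives-in-archives past this
MAX_MEMBER = 64 * 1024 * 1024    # refuse to inflate larger members (zip-bomb guard)


def _suspicion(name, head):
    """Reasons a member looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    exts = ["." + p for p in base.split(".")[1:]]
    if exts and exts[-1] in EXEC_EXTS:
        reasons.append("executable extension " + exts[-1])
    if len(exts) >= 2 and any(e in DECOY_EXTS for e in exts[:-1]):
        reasons.append("double extension with media/document decoy")
    if head.startswith(b"MZ"):   # PE header wins over whatever the name says
        reasons.append("PE header (MZ) regardless of name")
    return reasons


def triage_archive(blob, pwd=None, depth=0, prefix=""):
    """Return [(path, [reasons])] for members worth a second look.

    Nested ZIPs are unpacked in memory and their members reported with an
    `outer.zip!/inner` path. `pwd` (bytes) is passed through for encrypted
    members; depth and size caps keep a hostile archive from exhausting us.
    """
    if depth > MAX_DEPTH:
        return [(prefix, ["nested deeper than %d levels, not unpacked" % MAX_DEPTH])]
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.file_size > MAX_MEMBER:
                findings.append((path, ["member exceeds size cap, skipped"]))
                continue
            data = zf.read(info, pwd=pwd)
            if data.startswith(b"PK\x03\x04"):   # nested archive: recurse
                findings.extend(triage_archive(data, pwd, depth + 1, path + "!/"))
                continue
            reasons = _suspicion(path, data[:4])
            if reasons:
                findings.append((path, reasons))
    return findings


def build_sample():
    """Constructed lure: outer.zip -> evidence.zip -> a fake 'video' that is
    really a PE stub, plus a harmless note and a genuine JPEG header."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 16   # header only, runs nothing
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Interpol_case_evidence.mp4.exe", fake_pe)
        z.writestr("case_notes.txt", b"Do not scan your computer.")
        z.writestr("thumbnail.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("evidence.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, why in triage_archive(build_sample()):
        print(path, "->", "; ".join(why))
```

The point of checking the first bytes is that renaming a file costs the attacker nothing, while the `MZ` header has to stay if the payload is to run; a gateway rule that only keys on the visible extension is exactly what the "video" naming is designed to slip past.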
Bitdefender researchers observed the campaign targeting organizations across multiple industries, including food and agriculture, legal services, pharmaceuticals, media, technology, and finance.
The campaign was also geographically diverse, with targets identified across Europe, Asia, the Middle East, and the United States.
Is this attack linked to a major ransomware gang?
Nothing observed points to one. The malware is much simpler than the tools typically used in major ransomware operations, and beyond the relatively basic code observed by our researchers, another notable difference is how victims are instructed to make contact.
Most modern ransomware-as-a-service (RaaS) groups direct victims to a dedicated negotiation portal hosted on the dark web, where they can exchange messages, receive payment instructions, and negotiate the ransom.
In this campaign, however, the attackers simply provide a Tox chat ID. There is no dedicated negotiation portal or victim site, which is another indication that this is likely a custom-built operation rather than the work of an established ransomware group.
This suggests the malware may have been custom-built or assembled using publicly available code and tools.
The campaign highlights an important trend: cybercriminals no longer need the resources or expertise of a large ransomware gang to launch disruptive attacks. Even relatively simple malware can become a serious threat when paired with convincing social engineering.
In this case, the fake investigation email does much of the heavy lifting. The attackers rely on fear, urgency, and authority to persuade victims to launch the malware themselves.
Why small businesses remain attractive targets
Small businesses are often viewed as easier targets than large enterprises.
Many operate without dedicated IT teams or cybersecurity staff. Security responsibilities are often shared among employees who already wear multiple hats, and limited budgets can make it difficult to invest in advanced security measures or ongoing training.
When an alarming email arrives claiming to involve investigators, compliance issues, or evidence of misconduct, there may be no formal process for verifying the claims before someone clicks.
Attackers understand this reality and design campaigns specifically to exploit it.
What should you do if you opened the file?
If you downloaded and opened a file like the one used in this campaign, don’t panic, but don’t ignore it either. Acting quickly can make a big difference.
Disconnect the affected device from the network. If ransomware or other malware is running, taking the computer offline may help prevent it from communicating with attacker-controlled servers or spreading to shared drives and other devices.
Run a full security scan. Use a trusted security solution, such as Bitdefender Ultimate Small Business Security, to perform a complete scan of the affected device. Even if nothing appears unusual, remember that some threats are designed to remain hidden until they’ve completed their job.
Notify your IT administrator or managed service provider, where possible. If you’re part of a business, don’t try to deal with the incident alone. The sooner your IT team is aware, the faster they can isolate affected systems and prevent additional damage.
Inform your team about the attack. Awareness can also make a huge difference in protecting your business, devices, data, and reputation.
Change important passwords from a clean device. If there’s any chance the malware also harvested credentials, update passwords for your business email, cloud storage, financial accounts, and collaboration platforms. Use strong, unique passwords and enable multi-factor authentication wherever it’s available.
Look for signs of suspicious activity. Watch for unexpected login alerts, password reset emails, unfamiliar transactions, or files that suddenly become inaccessible. Continue monitoring your accounts over the following days, as some attacks don’t reveal their full impact immediately.
Report the incident. Report the phishing email through your email provider’s “Report phishing” feature and notify the organization being impersonated when appropriate. If your business has been infected or you suspect ransomware was executed, consider reporting the incident to your national cybersecurity agency. Sharing information about active campaigns helps authorities warn other organizations and better understand emerging threats.
Campaigns like this prove that ransomware attacks don’t always begin with sophisticated hacking techniques. Often, they start with a message designed to create panic.
To reduce the risk of your small business falling victim to a similar ransomware attack:
Verify all unsolicited correspondence before acting: If you receive a message claiming to come from law enforcement, regulators, or another authority, don’t rely on the contact details provided in the email. Reach out through official channels to confirm whether the communication is legitimate.
Note: One of the biggest red flags in this campaign is the delivery method itself. While the attackers impersonate Interpol, legitimate law enforcement agencies don’t send unsolicited emails containing Proton Drive links to password-protected files and ask organizations to review alleged evidence of wrongdoing. If you receive a message like this, resist the urge to investigate on your own. Instead, verify the communication through official channels before opening any attachments or downloading files.
Treat password-protected archives with caution, especially when the password is included in the email.
Show file extensions on Windows devices: This makes it easier to spot executables masquerading as videos or documents.
Enable multi-factor authentication wherever possible. MFA won’t stop ransomware that’s already running, but it can prevent attackers from accessing your business accounts if they also try to steal passwords.
Keep systems and software up to date. Regular security updates help close vulnerabilities that attackers may exploit before or after a phishing attack.
Train employees to recognize scams: Criminals increasingly rely on fear and urgency rather than technical exploits.
Maintain secure backups: Reliable backups remain one of the best defenses against ransomware.
Use layered security designed for small businesses: Even well-trained employees can have an off day, and attackers count on those moments. Solutions such as Bitdefender Ultimate Small Business Security add another layer of defense by helping block phishing emails, detecting malicious downloads, identifying suspicious behavior, and stopping ransomware in its tracks.
This article is published for informational and educational purposes only. The information presented is based on technical research conducted by Bitdefender Labs and publicly available sources. Bitdefender does not make any legal determination regarding the activities described herein. The mention of any company, brand, domain, or individual does not constitute an accusation of illegal activity. Readers should exercise their own judgment and consult appropriate authorities or legal counsel if they believe they have been affected by any of the activities described. Domain names and URLs listed in this article are provided solely to help consumers and security professionals identify potentially harmful infrastructure. Bitdefender disclaims any liability for actions taken based on the information in this article.
Every day, cybercriminals send around 3.4 billion phishing emails, and 90 percent of successful cyber attacks originate from one of them. With 96 percent of IT security decision makers expecting email security challenges throughout 2026, you’d be forgiven for thinking that most organizations would at least be meeting the basics. Yet Comparitech found that more than eight percent of organizations’ domains are fully unprotected.
This Wednesday, Comparitech researchers will publish a new study on exactly this subject, analyzing the live DNS records of 5,849 domains across 13 sectors and scoring each against a series of frameworks.
Key findings include:
487 of the total domains scanned (5,849) had zero protection (8.3%)
Government domains had the lowest average score – 2.73
Tech company domains had the highest average score – 4.83
China had the lowest average score – 2.3
Additionally, Rebecca Moody, Head of Data Research at Comparitech, provided the following comment on the subject:
“If you asked people which industries they’d like to assume are meeting basic cybersecurity standards, government agencies and healthcare providers would likely be among some of the most popular answers. Our study highlights that, when it comes to standard email security, this couldn’t be further from the truth.
The fact that over 1 in 4 government agencies and 1 in 5 healthcare providers have zero email protection is incredibly concerning, particularly when the factors we’ve assessed (SPF, DMARC, DKIM, or MTA-STS) are what many would call “standard” protocols. Equally, these sectors are often subject to more regulation, demonstrating that even when they should be meeting these requirements by law, they often aren’t.
One of the biggest risks of having gaps in email security is spoofing. Without the necessary protocols in place, hackers can spoof an organization’s domain, which adds to the legitimacy of their campaign. They could use this to send phishing emails, malware, or carry out a wire fraud scam, for example. Ultimately, the email security protocols we’ve assessed shouldn’t be seen as a recommendation or “good to have,” they should be viewed as being essential for all organizations.”
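The protocols named above (SPF, DMARC, DKIM, MTA-STS) are all published in DNS, so a domain's standing can be checked from the outside in a few lookups. The following is an added example, not Comparitech's scoring method; it uses its own simple scale (SPF 0 to 2, DMARC 0 to 2, DKIM 0 to 1, MTA-STS 0 to 1, maximum 6) and reads from a constructed table of TXT answers so it runs offline. In production you would swap `lookup` for a real TXT query (for instance dnspython's `dns.resolver.resolve(name, "TXT")`); the selector names it probes for DKIM are an assumed list, since selectors are private and a miss is not proof of absence.

```python
"""Score a domain's anti-spoofing DNS records. Added example with its own
scale, not Comparitech's method; LOOKUPS is constructed DNS data.
"""
import re

# Constructed DNS answers: {name: [TXT strings]}
LOOKUPS = {
    "good.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "google._domainkey.good.example": ["v=DKIM1; k=rsa; p=<public-key-base64>"],
    "_mta-sts.good.example": ["v=STSv1; id=20260601T000000"],
    "meh.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.meh.example": ["v=DMARC1; p=none; rua=mailto:dmarc@meh.example"],
    "default._domainkey.meh.example": ["v=DKIM1; k=rsa; p=<public-key-base64>"],
    "bare.example": ["some-site-verification=abc123"],
}
SELECTORS = ("selector1", "selector2", "google", "default", "k1")  # assumed probe list


def lookup(name, resolver=LOOKUPS):
    """TXT lookup against the constructed table; replace with a real resolver."""
    return resolver.get(name, [])


def _spf_points(records):
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return 0, "SPF: no record"
    if len(spf) > 1:
        return 0, "SPF: multiple records, receivers treat as permerror"
    qualifier = None
    for tok in spf[0].lower().split():
        if tok.lstrip("+-~?") == "all":          # qualifier on the all mechanism decides
            qualifier = tok[0] if tok[0] in "+-~?" else "+"
    if qualifier is None:
        return 0, "SPF: no all mechanism, result defaults to neutral"
    return {"-": (2, "SPF: -all (hard fail)"),
            "~": (1, "SPF: ~all (soft fail only)")}.get(
        qualifier, (0, "SPF: %sall, unauthorised senders pass" % qualifier))


def _dmarc_points(records):
    rec = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not rec:
        return 0, "DMARC: no record"
    m = re.search(r"(?:^|;)\s*p=(\w+)", rec[0].lower())   # p=, not sp=
    policy = m.group(1) if m else "none"
    return {"reject": (2, "DMARC: p=reject"),
            "quarantine": (1, "DMARC: p=quarantine")}.get(
        policy, (0, "DMARC: p=%s, monitor only" % policy))


def score_domain(domain, resolver=LOOKUPS, selectors=SELECTORS):
    """Return (score, notes) on the 0-6 scale described in the lead-in."""
    score, notes = 0, []
    for points, note in (_spf_points(lookup(domain, resolver)),
                         _dmarc_points(lookup("_dmarc." + domain, resolver))):
        score += points
        notes.append(note)
    dkim = [s for s in selectors
            if any(r.lower().startswith("v=dkim1")
                   for r in lookup("%s._domainkey.%s" % (s, domain), resolver))]
    if dkim:
        score += 1
        notes.append("DKIM: key published for selector(s) " + ", ".join(dkim))
    else:
        notes.append("DKIM: no key under probed selectors (absence is not proof)")
    if any(r.lower().startswith("v=stsv1") for r in lookup("_mta-sts." + domain, resolver)):
        score += 1
        notes.append("MTA-STS: policy advertised")
    else:
        notes.append("MTA-STS: none, inbound TLS is opportunistic only")
    return score, notes


def unprotected(domains, resolver=LOOKUPS):
    """Domains scoring zero, the 'fully unprotected' bucket."""
    return [d for d in domains if score_domain(d, resolver)[0] == 0]


if __name__ == "__main__":
    for d in ("good.example", "meh.example", "bare.example"):
        s, n = score_domain(d)
        print(d, s, "/ 6:", "; ".join(n))
```

Two caveats a practitioner would add: a DMARC `p=none` is a monitoring setting, not protection, which is why it scores zero here, and a domain that sends no mail at all should still publish `v=spf1 -all` and `p=reject`, because spoofers do not care whether the real owner uses it for email.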
As AI-assisted engineering accelerates how quickly software is designed, written, and shipped, cybersecurity teams are facing a harder problem: risk is being created earlier than traditional tools can see it. Dawnguard announced the public launch of its security architecture automation platform, making it available to organizations looking to design, build, and operate secure cloud-native systems from day zero through production.
The launch marks the company’s move from enterprise design partnerships into general availability, following a year of platform development and customer validation. Alongside the product launch, Dawnguard announced the opening of its New York City office and an additional $3.3 million in pre-seed funding from existing investor BNVT Capital in the UK, with new participation from Curiosity VC in the Netherlands and eCAPITAL in Germany. The new capital brings Dawnguard’s total funding to more than $6.3 million.
Why this matters now
Cybersecurity has spent decades getting better at detecting, alerting, and responding to threats after systems are already built. That model is under increasing pressure. As software development speeds up, security teams are asked to protect systems that are more complex, more dynamic, and increasingly shaped by AI-generated code and autonomous engineering workflows.
Despite record spending on cybersecurity tools, breaches continue to originate from architectural weaknesses, insecure configurations, and design decisions that cannot simply be patched away. Dawnguard was founded on a simple belief: cybersecurity cannot continue to operate as a reactive industry. True cyber resilience begins at the drawing board, where systems are designed, validated, and deployed securely from the start.
A new category for the Mythos era
The rise of AI, autonomous systems, and increasingly complex digital infrastructure has created what Dawnguard calls the Mythos Era: an environment where software evolves and is exploited faster than traditional security processes can keep pace. Security teams are overwhelmed by thousands of alerts, fragmented tooling, and endless patch cycles, while attackers increasingly exploit weaknesses embedded in architecture itself.
Dawnguard was built for this shift. Its platform turns secure architecture into deployable infrastructure, enabling organizations to:
Design secure and compliant cloud architectures before deployment
Automatically generate production-ready Infrastructure as Code
Continuously validate that deployed environments remain aligned with approved designs
Eliminate security drift between architectural intent and operational reality
Enable engineering and security teams to collaborate within a shared architecture workspace
The platform is designed to eliminate the gap between security intent and operational reality. Engineering and security teams work in a shared architecture workspace where designs can be validated, translated into enforceable infrastructure, and checked continuously as systems evolve.
Unlike traditional security products that focus on detecting problems after systems are built, Dawnguard helps organizations prevent insecure patterns from being introduced in the first place. The result is a security model that starts at the drawing board and follows the system into production.
The team
Dawnguard was founded by cybersecurity veterans from IBM, Microsoft, Amazon, and military cyber operations to challenge the industry’s dependence on reactive security and compliance-driven checkbox exercises. Since launching from stealth, the company has expanded its platform capabilities, strengthened integrations across cloud environments, and worked closely with enterprise design partners to bring security architecture automation into production.
The new funding will accelerate product development, AI-driven architecture intelligence, enterprise go-to-market expansion, and international growth.
The future is design-focused security
Dawnguard’s vision extends beyond improving security workflows. The company aims to establish security architecture as a foundational control layer for modern digital systems, where security, compliance, cost management, resilience, sustainability, performance, and operational excellence are built into infrastructure and the application layer from the moment they are conceived.
As organizations enter the Mythos Era, Dawnguard is betting that the future of cybersecurity will not be defined by faster alerts or longer patch lists. It will be defined by systems that are secure by design, continuously validated, and capable of adapting to an increasingly autonomous world.
Comparitech is reporting that the city of Middletown, Ohio today confirmed it notified 123,791 people of a July 2025 data breach that compromised names, SSNs, financial account info, medical info, health insurance info, addresses, and government-issued IDs.
The cyberattack disrupted city services including water utility billing, which was not fully restored until January 2026, months after the attack.
Commenting on this news is Rebecca Moody, Head of Data Research at Comparitech:
“This attack highlights why government agencies remain a key target for hackers.
First, the case shows just how disruptive these attacks can be, with Middletown only being able to restore its water billing system in January of this year, around six months after the attack took place. Second, governments are often in possession of vast quantities of data. Accessing such data not only gives hackers further leverage to demand a ransom, but it also gives them key data that they can sell on the dark web if negotiations fail. The fact that SafePay posted the City of Middletown to its data leak site suggests ransom negotiations failed (for the data theft at least).
While government agencies are sometimes prevented from paying ransoms (or have to meet strict conditions in order to pay one, as is the case in Ohio), we saw a case just last month (Murray County in Georgia) where the ransom was paid in order to prevent county data from being published.
It’s win-win for hackers. Receive a ransom demand to decrypt systems and/or delete data, or sell highly sensitive personal data on the dark web.”
I guess hackers are about to have a field day because they seriously hit the jackpot here. Which illustrates why stopping the bad guys from doing evil things is preferable to getting pwned.
Ransomware Roundup: H1 2026 stats on attacks, ransoms, and active gangs
Posted in Commentary with tags Comparitech on July 2, 2026 by itnerd
For full details, you can read the study here: https://www.comparitech.com/news/ransomware-roundup-h1-2026-stats-on-attacks-ransoms-and-active-gangs/