Ransomware
In-depth guides and analysis on ransomware from the Safeguard engineering team.
24 articles
First VPN Takedown: How May 2026's Strike on Ransomware Infrastructure Worked
In May 2026, an international coalition dismantled First VPN, a service the FBI says at least 25 ransomware gangs used to hide. We unpack the takedown, the broader 2026 infrastructure offensive, and why disrupting plumbing matters more than chasing brands.
The Gentlemen RaaS Database Leak: What the May 2026 Breach Revealed About a Top Ransomware Operation
An insider sold The Gentlemen's internal 'Rocket' backend in May 2026, exposing affiliate structure, tooling, and negotiation logs of one of 2026's most prolific RaaS crews. Here is what the leak teaches defenders.
Nitrogen Ransomware Hits Foxconn: 8TB Claim and the Manufacturing Extortion Wave of May 2026
Foxconn confirmed a cyberattack on its North American factories in May 2026 after the Nitrogen ransomware crew claimed 8TB and 11 million files. We break down the attack chain, the broken ESXi decryptor, and what manufacturers should do now.
Fog Ransomware: Why the Education Sector Keeps Getting Hit
Fog ransomware has carved a niche targeting schools and universities, exploiting chronic underfunding and SonicWall VPN vulnerabilities to devastating effect.
Play Ransomware: Supply Chain Exploitation Through Managed Service Providers
Play ransomware refined the MSP attack model, exploiting FortiOS and RDP vulnerabilities to cascade through managed service providers into hundreds of downstream organizations.
Medusa Ransomware: How Supply Chain Infiltration Became Their Signature Move
Medusa ransomware operators have refined a playbook that targets managed service providers and software vendors as stepping stones into hundreds of downstream victims.
Ransomware-as-a-Service in 2024: The Ecosystem That Won't Die
The RaaS ecosystem proved resilient through 2024 despite major law enforcement takedowns, with new groups filling every gap and affiliate models becoming more sophisticated.
Qilin Ransomware and the Chrome Credential Harvesting Gambit
Qilin ransomware operators pioneered a mass credential theft technique using Group Policy to extract saved Chrome browser credentials across entire domains.
Rhysida Ransomware: Systematic Targeting of Government and Critical Infrastructure
Rhysida ransomware distinguished itself through deliberate targeting of government agencies, education institutions, and healthcare organizations across multiple countries.
Black Basta Ransomware: Techniques and Tactics in 2024
Black Basta evolved from a Conti offshoot into one of the most technically advanced ransomware operations, using novel initial access methods and sophisticated evasion techniques.
Akira Ransomware: Exploiting VPN Vulnerabilities for Supply Chain Entry
Akira ransomware systematically exploited Cisco VPN vulnerabilities as its primary entry vector, targeting organizations through the network infrastructure they trusted most.
The Ransomware Payment Ban Debate: Arguments, Evidence, and Unintended Consequences
Should governments ban ransomware payments? The debate intensified through 2023 as attacks escalated, with strong arguments on both sides and no clear consensus.