Sociedad Hipotecaria Federal
January 21, 2026
•[ ransomware, data leak, encryption ]
Sociedad Hipotecaria Federal was listed by LockBit, which claimed to have stolen 277 GB of data and published it after a ransom deadline expired; reporting also cited encryption of critical systems and operational disruption.
At least one Iranian consumer
January 20, 2026
•[ Android banking trojan, Remote-access trojan (RAT), Ransomware ]
Cyble Research and Intelligence Labs (CRIL) reported discovering deVixor, an advanced Android banking trojan that has remote-access (RAT) capabilities and can also deploy a ransomware-style device lock screen. The campaign explicitly targets Iranian users, distributing malicious APKs via phishing websites posing as legitimate automotive businesses and luring victims with heavily discounted vehicle offers. Once installed, deVixor prompts victims to grant high-risk permissions (contacts, SMS, media files, accessibility service), then harvests SMS data to extract banking information such as account balances, OTPs, bank alerts, credit card details, and crypto transaction data. It also uses WebView-based JavaScript injection to load real banking sites inside a hidden WebView and steal login credentials during authentication. In some cases, operators activate a ransom overlay that locks the device and demands payment to a cryptocurrency wallet. Cyble said it identified 700+ deVixor samples since October 2025 and observed indicators (Persian artifacts, targeted-app lists, Telegram infrastructure) suggesting strong familiarity with Irans financial ecosystem.
McDonald's India
January 20, 2026
•[ ransomware, data leak, data exfiltration ]
HackRead reported that on January 20, 2026 the Everest ransomware group claimed it breached McDonalds India and exfiltrated 861 GB of customer data and internal documents. The report described screenshots purportedly showing internal financial reports (20232026), audit trails, cost tracking, ERP migration files, pricing data, and other internal communications, as well as a Contact Database spreadsheet with investor/business-partner contact details and store-level manager contact information. Everest reportedly issued a short deadline and threatened to leak data; the article noted the claim was unverified at the time.
Hyatt
January 19, 2026
•[ ransomware, data leak, double-extortion ]
A ransomware group calling itself NightSpire publicly claimed on January 19, 2026 that it attacked Hyatt and exfiltrated 48.5GB of data originating from the Hyatt Place Chelsea New York hotel. The actors published samples that appeared to include internal company documents such as invoices, expense reports containing employee names, contact information, signatures, and partner company data, and researchers noted the sample list suggested possible exposure of employee credentials for internal tools (raising risk of further compromise). The posting indicated a free download link, consistent with double-extortion tactics where stolen data is leaked if negotiations fail. At the time of reporting, Hyatt had not publicly confirmed the breach and the claims remained unverified by the company.
Kyowon Group
January 14, 2026
•[ ransomware, service outage, data exfiltration ]
Kyowon Group, a large South Korean conglomerate with major education/publishing and digital services operations, confirmed a ransomware incident after initially describing a suspected attack that caused service outages. In a follow-up update, the company stated the incident occurred in January around 10 a.m. and that an attacker exfiltrated data from its systems. Reporting cited Korean media indicating the event may have impacted a substantial portion of Kyowons infrastructure (roughly 600 of 800 servers) and that there are millions of registered accounts, though Kyowon said it was still determining whether stolen data included customer information. The company said it notified relevant authorities (including KISA), engaged security experts, and worked to restore services while conducting a detailed investigation into scope and data exposure.
Undisclosed Taiwanese healthcare organization #5
January 12, 2026
•[ ransomware, cyber intrusion, data exfiltration ]
The CrazyHunter ransomware group conducted a cyber intrusion against a healthcare organization in Taiwan by exploiting application-layer access, resulting in unauthorized access and data exfiltration. Security reporting confirms the victim as one of multiple Taiwanese healthcare entities affected, though specific organizational details were not publicly disclosed.
Nissan Motor Corporation (Nissan Motor Co., Ltd.)
January 10, 2026
•[ ransomware, data leak, extortion ]
HackRead reported that the Everest ransomware group claimed it breached Nissan Motor Corporation and stole about 900GB of internal data. The article said the group posted the allegation on its leak site on January 10, 2026 and shared screenshots and directory listings suggesting access to internal operational documents, data extracts, and dealership-related records. Everest reportedly threatened to publish the data if Nissan did not respond within a set timeframe. Nissan had not publicly confirmed the claim at the time of reporting.
Cressi
January 8, 2026
•[ ransomware, data leak, leak site ]
Cybernews reported that the ransomware group Qilin claimed responsibility for an attack on Cressi, an Italian diving equipment manufacturer, by posting a ransom entry on its leak site on January 8, 2026. The report notes that at that stage it was unclear what data (if any) had been accessed or exfiltrated and that the group had not published data samples or set a countdown timer. As reported, the main confirmed indicator is the groups claim and listing on the leak site; independent confirmation of encryption, downtime, or data theft was not provided in the article.
Panera Bread
January 7, 2026
•[ ransomware, data leak ]
In January 2026, Panera Bread suffered a data breach that exposed 14M records. After an attempted extortion failed, the attackers published the data publicly, which included 5.1M unique email addresses along with associated account information such as names, phone numbers and physical addresses. Panera Bread subsequently confirmed that "the data involved is contact information" and that authorities were notified.
Metro Pet Vet
January 7, 2026
•[ ransomware, data breach, technical difficulties ]
A Lancaster County veterinary practice (Metro Pet Vet) reported it was hit by a ransomware attack after several days of technical issues. The office said Monday and Tuesday it experienced major technical difficulties, including its router stopping, and by Wednesday morning ransomware was detected and the practice lost access to its server. Staff reported they could not access pet vaccine and medication histories and had to operate like 40 years ago using paper while continuing to treat animals and relying on an app for scheduling. The practice stated no credit card or Social Security information was stored on the affected server, but client phone numbers and addresses were stored there, and it expected recovery work to continue into the following week.
Veenkoloniaal Museum (Veendam)
January 7, 2026
•[ ransomware, unauthorized access, data theft ]
The Veenkoloniaal Museum in Veendam experienced a ransomware incident discovered on January 7, 2026, in which the LockBit group gained unauthorized access to systems. Data was stolen and files were rendered inaccessible, affecting digital records and image archives. Individuals whose personal data was involved were notified. The museum restored systems from backups and declined to negotiate with the attackers.
Netstar Australia
January 5, 2026
•[ ransomware, data leak, financial data ]
Netstar Australia, a Melbourne-based telematics and GPS fleet tracking provider, was named on a ransomware leak site in December 2025 by the Black Shrantac ransomware group. The threat actors alleged they compromised Netstars systems and stole customer, financial, and database information, claiming roughly 800GB of data and posting sample files said to include internal records related to staff, tax, equipment, and customers. Public reporting noted that Netstar had not provided a detailed public statement confirming the claims at the time of publication.
Bolttech
January 5, 2026
•[ ransomware, data leak, extortion ]
Cybernews reported that the Everest ransomware group claimed to have stolen about 186GB of data from Bolttech (a global insurance infrastructure platform) and demanded ransom. The group claimed the dataset includes employee/agent account details (emails, names, roles, identifiers), customer information and contact details, policy data, mortgage-related records, insured property addresses, and financial parameters/identifiers. The group posted samples and a countdown timer on its leak site, threatening to publish the data if Bolttech did not respond. The article notes the claim was based on the leak-site post and that confirmation from Bolttech was being sought.
Esquire Brands
January 2, 2026
•[ ransomware, data leak, extortion ]
Cybernews reported that Esquire Brands (a childrens footwear maker operating several brands/licenses) was posted on the Play ransomware leak site, with attackers threatening to publish stolen data shortly thereafter. According to the leak-site post summarized in the article, the attackers claimed they obtained client documents, payroll data, and finance information. The report frames the incident as data theft with extortion leverage (typical double-extortion posture).
Sedgwick Government Solutions
December 31, 2025
•[ ransomware, data leak, file transfer system ]
SecurityWeek reported that Sedgwick confirmed a security incident at its subsidiary Sedgwick Government Solutions after the TridentLocker ransomware group claimed to have hacked it. Sedgwick stated the incident affected only an isolated file transfer system and that the subsidiary is segmented from the rest of Sedgwick, with no evidence of access to claims management servers and no impact on service delivery. The article noted that on New Years Eve, TridentLocker claimed it stole roughly 3.4GB of data from Sedgwick Government Solutions and leaked it publicly, while Sedgwick did not comment on the specifics of the attackers claims.
ManageMyHealth
December 30, 2025
•[ ransomware, data leak, healthcare ]
A significant volume of patient medical records was accessed and partially encrypted in a cyber intrusion targeting document systems The threat actor issued a ransom demand and published some data samples online before legal action was taken The breach was discovered in late December and publicly confirmed shortly after
Sports Medicine and Orthopedics
December 30, 2025
•[ ransomware, data leak, healthcare ]
Sports Medicine & Orthopaedics, a now-closed practice in East Providence, Rhode Island, reported that it was impacted by a ransomware incident in October 2025. Reporting indicates the attack exposed personal and health-related information for roughly 4,000 patients, prompting the practice to issue breach notifications after it had already shut down operations. Public accounts describe a ransomware-driven compromise that resulted in unauthorized access to patient information (typical elements in these incidents include identifiers and clinical/billing-related data), with the key confirmed impact being exposure of patient data tied to the practice rather than a long-running operational outage (since the practice was shuttered).
Complexul Energetic Oltenia
December 26, 2025
•[ ransomware ]
A ransomware attack attributed to the Gentlemen group encrypted internal IT systems at Complexul Energetic Oltenia on December 26 2025 causing partial operational disruption The company isolated affected systems restored operations from backups and stated that national energy supply was not affected Data exfiltration has not been confirmed
Chrysler (Stellantis)
December 25, 2025
•[ ransomware, data leak ]
Everest ransomware group claimed it breached Chrysler systems and exfiltrated 1088 GB of data, including Salesforce-related CRM exports and recall/customer service records, and threatened to leak the full dataset.
Undisclosed Austrian pharmaceutical company
December 25, 2025
•[ ransomware, data leak, extortion ]
The article reports that a Vienna-based pharmaceutical company was affected by a ransomware attack in which threat actors compromised systems and leaked corporate data as part of an extortion campaign.
