Cyber Chronicle

TRENDS, THREATS & TACTICS FOR CYBER CERTAINTY

BY DANIEL TOBOK

July 2026

NEW ALL-TIME RECORD LEVELS OF CYBER THREAT AND CONCERN: Global Trends & Threat Levels At An All Time High

L A W  E N F O R C E M E N T  J U S T  C U T  O F F  T H E  R A N S O M W A R E  E C O N O M Y ’ S  F I N A N C I A L  B A C K B O N E : The AudiA6 Takedown Changes the Economics of Cybercrime

My thoughts:

  • What stands out to me about the AudiA6 operation is not just the scale of what was seized. It is where law enforcement chose to strike. Rather than targeting the attacks themselves, this operation goes after the financial system that makes ransomware viable. Without the ability to convert ransom payments into usable currency, the economics collapse: affiliates go unpaid, infrastructure costs go uncovered, incentives erode. Attacking the money is a strategic shift, and I believe we will see more of it.

    But I want to be direct about what this means for the organizations I work with. These groups are operationally resilient — new infrastructure and laundering services emerge quickly. This disruption raises costs for the criminal ecosystem over time; it does not reduce your immediate risk. External pressure is welcome, but your internal preparation remains your most controllable line of defense.

What can we do?

  • Security and business leaders should use this moment to pressure-test their posture, not relax it. Start with backups. Validate that they exist, that they are truly isolated from your production environment, and that you can restore from them under pressure.

    Many organizations discover gaps during an incident, which is the worst possible time to find them. Next, assess your segmentation. A ransomware group that gains access to one system should not be able to reach your critical operations. If your network architecture would not contain a breach before it becomes a business-wide crisis, that needs to change.

    Business leaders should be driving these questions at the executive level: What systems, if encrypted tomorrow, would halt our operations? How quickly would we detect it? Who owns the decision-making in the first two hours? These are not IT questions; they are business continuity questions, and they need to be answered before an incident forces the conversation.

P A T C H I N G  I S  N O  L O N G E R  E N O U G H : CISA’s New Directive Requires Organizations to Check for Compromise Before Closing the Ticket

My thoughts:

  • What CISA is codifying in BOD 26-04 is something I have been saying to security teams for years: applying a patch is not the same as confirming you are clean. These are two separate problems.

    In a typical vulnerability response cycle, a CVE gets published, the patch gets deployed, leadership is informed, and the incident is closed, but almost no one asks the critical question: Was this vulnerability exploited before we got to it? Is there an attacker now sitting inside a patched system, having survived the remediation cycle entirely?

    That gap is where organizations lose months without knowing it. I have seen it in engagements where a company applied every patch on schedule, closed every ticket, and still had a threat actor in their environment because no one asked whether the vulnerability had already been used as an entry point.

    BOD 26-04 forces that forensic question into the response process before the patch goes in. For private sector organizations, this is not a government mandate — it is a model worth adopting voluntarily, because the threat actors targeting your organization are not waiting for patch windows, and neither should your response posture.

What can we do?

  • Security teams need to build a compromise assessment step into their vulnerability response process for every Known Exploited Vulnerability. Before patching, ask and answer the following: Are there indicators of exploitation in our logs? Has this system communicated with any unusual external destinations? Have any new accounts, scheduled tasks, or persistence mechanisms appeared recently? Are there signs of lateral movement originating from this host?

    This does not require slowing down your patch cadence. It requires adding a structured triage step that runs in parallel with patch preparation. The goal is not to delay remediation — it is to ensure that remediation is not the end of the conversation when an active compromise may have preceded it.

    For business leaders: the question to ask your security team is not only “are we patched?” — it is “do we know whether we were compromised before we patched?” Those are two different questions with potentially very different answers. Organizations that distinguish between them are the ones that catch active intrusions that a standard patch cycle would never have revealed.

A  N E W  R A N S O M W A R E  G R O U P  H A S  C L A I M E D  4 7 8  V I C T I M S  I N  U N D E R  A  Y E A R : The Gentlemen Are Scaling Faster Than Most Organizations Can Respond

  • The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm

    The Gentlemen ransomware group has claimed 478 victims across 66 countries in under a year, faster than any group on record — running a Ransomware-as-a-Service operation with AI-assisted tooling and worm-like malware that spreads automatically across networks once inside, exploiting FortiGate vulnerabilities and stolen credentials for access.

My Thoughts:

  • What concerns me most about The Gentlemen is not their victim count — it is the operational model behind it. They are succeeding not because of new technology, but because they have built a more efficient criminal enterprise.

    A 90% affiliate revenue share pulls experienced operators from competing groups. AI-assisted tooling lowers the skill floor. Worm-like propagation collapses the time between initial access and full network compromise. Every element is designed to increase velocity and reduce cost, with more attacks against more organizations, in less time.

    That worm-like spread is what every security leader should be focused on. Traditional containment assumes a window between breach and escalation. That assumption is being invalidated.

    When ransomware moves laterally automatically within minutes, the window between a contained incident and a business-wide crisis compresses to almost nothing, making detection speed and network architecture your determining factors. And with victims across 66 countries and 20 sectors, this is not a targeted campaign. If you have internet-facing services with known vulnerabilities or credentials exposed through infostealer activity, you are a potential target.

What can we do?

  • The Gentlemen’s attack chain begins at two points organizations can address right now: known vulnerabilities in internet-facing services and credentials stolen through infostealer malware. On vulnerabilities, patch aggressively and validate continuously.

    This group actively tracks new CVE disclosures and builds rapid exploitation capability. If your patch cadence is measured in weeks rather than days, you are already operating inside their attack window. On credentials, assume employee credentials have been or will be harvested. Monitor for your organization’s exposure on criminal markets, enforce multi-factor authentication across all privileged access without exception, and aggressively reduce which accounts have pathways to your most sensitive systems.

    On containment: test your network segmentation now. Run a tabletop exercise that assumes an attacker has already gained access to one system and ask whether your current architecture would prevent a full organizational compromise. The answer will tell you precisely where to invest. The organizations that will manage this threat most effectively are those that have already validated their ability to detect fast, isolate fast, and decide fast — before a real incident forces those questions.

If Cyber CertaintyTM matters to you, your company or business, then subscribe to Daniel’s thought leadership today

    Social Media

    ©2026 Daniel Tobok. All rights reserved.