Here is a ransomware trend that is becoming more frequent in 2026: The same victim organizations are posted twice, under two different flags. This is occurring frequently enough that we stopped treating it as a curiosity and went looking for the why behind this trend. We expected one answer, but we found at least five.Our team discussed this increasing trend during our Ctrl-Alt-DECODE ep. 10 livestream and in our monthly Threat Debrief, which ranks the most active ransomware groups and recent ransomware news. Now, let's take an in-depth look.

Why Are Leading Ransomware Groups Claiming the Same Victims?

I'd like to thank my co-author, Martin Zugec, for his valuable contributions to this report.

KryBit Ransomware Strikes Back, Exposing 0APT

[CRITICAL] | Active extortion campaign | Exposure window closed | Credential rotation and phishing defense required

The coverage of Anthropic’s Mythos Red Team report has followed a predictable arc: a sensational headline, reactions ranging from alarm to dismissal, and little engagement with what the research actually demonstrates. That is worth correcting, because what Mythos reveals is not primarily a story about AI finding vulnerabilities. It is a story about why trusting software is no longer a viable strategy, and what the architectural response should be. 

Handala’s Surge Signals a New Wave of Wartime Cyberattacks

[CRITICAL] | Active RAT | Malicious npm versions removed | Assess all systems that ran npm install during exposure window

Bitdefender has analyzed the movements of dozens of ransomware groups executing campaigns against organizations based in the United States. As a result of this analysis, we can draw insights into patterns that emerged in early 2026. The analysis that follows expounds on key trends and developments. We also share predictions that underscore how ransomware operations and attack patterns may take shape during spring 2026.

Security solutions have become so complex that many small and lean security teams aren’t looking for another dashboard or additional source of alerts—even when they’re at RSA. Instead, they’re exploring ways to simplify security operations without reducing effectiveness.

I'd like to thank my coauthors Adrian Schipor, Victor Vrabie, Marius Baciu, and Martin Zugec for their invaluable contributions to this research. 

The ransomware threat actor Coinbase Cartel first emerged in September 2025 and claimed 14 victims that month. The group focuses on data exfiltration, which aligns with a trend Bitdefender is tracking in the ongoing evolution of ransomware.

The promise of autonomous AI agents is rapidly turning into a security beachhead for initial access. Our labs have detected a series of malicious campaigns targeting OpenClaw (formerly known as Moltbot and Clawdbot), an open-source AI agent framework. The attacks are distributed through ClawHub, the public registry for OpenClaw skills.

One of the biggest challenges in threat intelligence is separating the hype from the hazard. We focus too much on complex, scary threats and too little on the dangerous ones - the simple, scalable techniques that work day in and day out.