![[FORECAST] Will Akira trigger a week-long hospital disruption by end of 2026? (Updated 2026-05-11)](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/05/z-3.png)
forecasts
[FORECAST] Will Akira trigger a week-long hospital disruption by end of 2026? (Updated 2026-05-11)
We’re revising the Akira hospital disruption forecast down to 2%. The risk is real, but the question is narrower than it looks.
ransomware
![[SIGNALS WEEKLY] Edge Devices, Identity Abuse, and KEV-Driven Exploitation Converge](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/04/z-5.png)
weekly
[SIGNALS WEEKLY] Edge Devices, Identity Abuse, and KEV-Driven Exploitation Converge
The industry still talks like identity compromise begins at the login page. Meanwhile the path is edge box → DNS games → token theft → bad week for everyone pretending “strong auth” was the whole plan.
![[SIGNALS WEEKLY] Converging Control-Plane Threats Across Modern Infrastructure](https://storage.ghost.io/c/06/e5/06e5730b-7d78-4713-9cec-6cba31d297f5/content/images/size/w600/2026/04/z-2.png)
weekly
[SIGNALS WEEKLY] Converging Control-Plane Threats Across Modern Infrastructure
Everyone loves “endpoint visibility” until the incident starts in the control plane they treated like support infrastructure. Routers, CI/CD, token flows, web admin panels — same neglect, better attacker ROI.
PIR
Deepfake BEC & Payment Diversion: The Q1 2026 Fraud PIR You Can’t Defer
Deepfake BEC = the same old fraud… with a way better script. 🎭💸 If payroll/AP changes can happen on “sounds right,” you’re funding someone’s Q1 bonus.
weekly
SIGNALS WEEKLY: Poisoned DNS Updates + Aflac’s 22.65M Aftershock (and MongoBleed)
This week’s vibe: MongoBleed → KEV, BitLocker ransomware in critical infra, poisoned DNS “updates” for MgBot, and Aflac’s ~22.65M aftershock. 🔥🧨🦠
breaches
Token Factory: The 5 Costliest US Breaches of 2025
2025’s priciest breaches weren’t “elite malware.” They were tokens + SaaS + downtime 🪙⏱️🔥 If your revoke MTTR is measured in days, the attackers already won.
forecasts
How Close Are We to a Cyber-Driven Citywide Water Outage?
Will hackers actually turn off a city’s water, or is that just conference-slide horror fiction? 💧🤔 We put a number on it...
weekly
SIGNALS WEEKLY: Android Banking Malware & VS Code Worms Go Mainstream
🚨 CodeRED alerts ransomed. 🐛 Shai Hulud 2.0 looting CI/CD secrets. 📱 107 Android bugs + Albiriox on-device fraud. Signals Weekly on what to fix first.
forecasts
Will Akira trigger a week-long hospital disruption by end of 2026?
20% odds Akira triggers a 7-day ambulance diversion at a 10+ hospital system by end of 2026. 🚑 Still feeling “low risk”?
cl0p
After LockBit and BlackCat, Is Cl0p Really Next in Line?
LockBit got the Operation Cronos takedown. BlackCat imploded. Cl0p just logged a record leak month—and shows no sign of slowing. By 2026, do we really keep Cl0p dark for 90+ days… or just get Cl0p v2 with a fresh logo?
weekly
Signals Weekly: Active WSUS Exploits and Ransomware Shifts
WSUS RCE is live—patch OOB now + watch 8530/8531. Payments fell to 23% in Q3 as crews pivot to insider bribes; Qilin doubles down on ESXi + EDR tamper.
cl0p
Cl0p’s Leak Sites: 20% Chance They Go Dark by Apr 22, 2026
Forecast: 20% chance Cl0p’s leak sites go dark by Apr 22, 2026. Needs a seizure banner or ≥14 days down w/ LE attribution. Cronos showed it’s doable; mirrors make it brutal.