RANSOMWARE WATCHLIVE

daily ransomware intelligence brief — powered by cyberchuckle
May 13, 2026
West Pharmaceutical Services Discloses Ransomware Attack With Data Theft and System Encryption
West Pharmaceutical Services, an S&P 500 pharmaceutical manufacturing company with over $3 billion in annual revenue and more than 10,800 employees, disclosed in an SEC filing that it suffered a material cybersecurity attack on May 4 in which an unauthorized party exfiltrated data and encrypted systems, forcing the company to take systems offline globally for containment. The company, a critical supplier of injectable drug packaging, syringe components, and drug delivery devices used by major pharmaceutical firms worldwide, has partially restarted manufacturing after restoring core enterprise systems but has not yet completed full restoration or assessed the incident's financial impact. No ransomware group has claimed responsibility for the attack, and West Pharmaceutical has engaged Palo Alto Networks' Unit 42 for incident response and recovery alongside external forensic experts and law enforcement.

who: Unidentified (no group claimed credit yet)

what: Ransomware / data exfiltration attack

where: West Pharmaceutical Services (global, US-based S&P 500)

why: Financial extortion

$ at stake: undisclosed

exploit: Unconfirmed (detected May 4, investigation ongoing)

source: BleepingComputer

May 13, 2026
Foxconn Confirms Cyberattack on North American Factories as Nitrogen Ransomware Gang Claims 8 TB Stolen
Foxconn, the world's largest electronics manufacturer with $260 billion in 2025 revenue and clients including Apple, Nvidia, Intel, AMD, and Google, confirmed that several of its North American factories were hit by a cyberattack claimed by the Nitrogen ransomware group, which alleges it stole 8 TB of data and over 11 million documents containing confidential instructions, projects, and drawings from Foxconn's customer contracts. The company reports that its cybersecurity team activated response mechanisms to maintain production continuity and that affected factories are now resuming normal operations, while Nitrogen — which emerged in 2023 with a loader deploying BlackCat payloads before developing its own strain from leaked Conti 2 builder code — listed Foxconn on its dark web leak site. The ransom amount has not been disclosed, and this marks Foxconn's third known ransomware incident after LockBit hit a subsidiary in 2024 and DoppelPaymer demanded $34 million in 2020.

who: Nitrogen ransomware group

what: Ransomware / data theft attack

where: Foxconn — North American factories

why: Financial extortion

$ at stake: undisclosed

exploit: Conti 2-based Nitrogen ransomware (initial vector unclear)

source: BleepingComputer

May 2–14, 2026
Critical cPanel CVE-2026-41940 Mass-Exploited — 44,000+ Servers Hit With "Sorry" Ransomware, Backdoors, and Miners
At least 44,000 cPanel IP addresses have been compromised since late April as multiple threat actors mass-exploit CVE-2026-41940, a critical authentication bypass in cPanel and WHM, to deploy the "Sorry" Go-based Linux ransomware — a new campaign using ChaCha20 encryption with RSA-2048 key protection that appends a .sorry extension — alongside cryptocurrency miners, botnets, and the Filemanager cross-platform backdoor traced to a long-running threat actor known as Mr_Rot13. The ongoing exploitation wave, which escalated on May 2 and has been observed by QiAnXin XLab and Shadowserver, involves over 2,000 attacker source IPs primarily from Germany, the U.S., Brazil, and the Netherlands targeting web hosts, government sites, and MSPs across North America, Southeast Asia, and Europe. Ransom amounts per victim are undisclosed, but encrypted files cannot be recovered without the attacker's RSA-2048 private key; all cPanel/WHM users are urged to apply the emergency security update immediately.

who: Mr_Rot13 / Sorry ransomware operators / multiple threat actors

what: Mass ransomware / backdoor / cryptomining exploitation campaign

where: 44,000+ cPanel/WHM servers globally

why: Financial extortion

$ at stake: undisclosed per-victim

exploit: CVE-2026-41940 — cPanel auth bypass

source: BleepingComputer · The Hacker News