What Business Owners Need to Know This Week

Week 20 (3–10 May 2026) delivered one new SA ransomware-tracker listing, a major new parliamentary disclosure, and escalating deadline pressure across multiple threat vectors. On 4 May, Standard Bank Group was formally indexed on ransomware.live by PrinzEugen (ROOTBOY), taking the SA cumulative tally from 107 to 108. On 6 May, the City of Ekurhuleni disclosed a R2 billion billing fraud at a Parliamentary SCOPA hearing — a Wi-Fi-enabled intrusion into licensing and billing systems spanning 2023–24. ShinyHunters set a 12 May leak deadline for the Canvas/Instructure 275M-record dump, directly exposing five SA tertiary institutions: Wits, Stadio, Milpark, Invictus, and SPARK Schools. PAN-OS CVE-2026-0300 (state-sponsored since 16 April) tops the urgency list with a 9 May CISA KEV deadline. APT28 SAMA financial-sector expansion was flagged by Fyntralink on 7 May, broadening the nation-state threat horizon for SA banks. Defender RedSun and UnDefend remain unpatched; Patch Tuesday 12 May is expected to address them.

The Bottom Line: Standard Bank’s formal ransomware.live indexing makes it the 108th confirmed SA victim — Africa’s largest bank now sits alongside municipalities and SMEs on a public breach registry. The 12 May Canvas deadline is days away: Wits, Stadio, Milpark, Invictus, and SPARK should be in active incident response mode now. Polmed scope has expanded to 1.7 million records and 68,000 SAPS officers — significantly worse than initially disclosed. The PAN-OS KEV deadline has already passed; any unpatched Palo Alto edge device is in the active-exploitation crosshairs.

The Week in Numbers

  • 108 cumulative SA ransomware victims as of 10 May 2026, up from 107 (W19).
  • 1 new SA ransomware listing: Standard Bank Group, formally indexed by PrinzEugen (ROOTBOY) on 4 May.
  • R2 billion — Ekurhuleni billing fraud disclosed at SCOPA on 6 May; intrusion spanned 2023–24 via Wi-Fi-enabled access to billing and licensing systems.
  • 275 million records in the Canvas/Instructure dataset; 5 SA institutions (Wits, Stadio, Milpark, Invictus, SPARK Schools) directly exposed by the 12 May leak deadline.
  • 1.7 million records / 68,000 SAPS officers — confirmed Polmed scope (expanded in W20 from the initially disclosed 100,000+ officers).
  • 4 new CISA KEV entries in W20: PAN-OS CVE-2026-0300 (9 May deadline), Ivanti EPMM CVE (10 May), LiteLLM (11 May), Linux Kernel (15 May).
  • ~284 POPIA breach notifications per month in 2026 (IR W20 data) — significantly above historical averages.
  • APT28 (Fancy Bear) SAMA financial-sector expansion flagged by Fyntralink 7 May — 3 SA finance victims in 90 days.

Major Incidents: Who Was Hit and How

Standard Bank — Formally Indexed on Ransomware.live

On 4 May, Standard Bank Group was formally indexed on ransomware.live by PrinzEugen (ROOTBOY), making it the 108th confirmed SA victim. This is distinct from the earlier daily data dumps — formal indexing on ransomware.live places Standard Bank in the permanent public record of confirmed breaches, affecting reputational standing with regulators, institutional investors, and correspondent banks globally. The full 1.2 TB dataset remains under active distribution.

City of Ekurhuleni — R2 Billion Billing Fraud

On 6 May, the City of Ekurhuleni disclosed at a Parliamentary SCOPA hearing that a Wi-Fi-enabled intrusion into its licensing and billing systems between 2023 and 2024 resulted in a R2 billion billing fraud. The attackers manipulated billing records, licensing approvals, and payment systems to divert municipal revenue. This is one of the largest confirmed cyber-enabled financial frauds in South African public-sector history. The disclosure highlights the systemic vulnerability of municipal Wi-Fi infrastructure and the long detection gaps that allow financial manipulation to compound over 12–18-month periods.

ShinyHunters Canvas/Instructure — 12 May Deadline Hits SA Universities

ShinyHunters set a 12 May publication deadline for the Canvas/Instructure 275-million-record dataset, directly exposing five South African tertiary institutions: Wits (University of the Witwatersrand), Stadio, Milpark Education, Invictus Education, and SPARK Schools. The Canvas learning management system is used by these institutions for student data, assessment records, course content, and communications. The exposed data potentially includes student ID numbers, academic records, financial aid information, and staff credentials. SA institutions should be in active incident response mode ahead of the 12 May deadline.

Polmed — Scope Expands to 1.7 Million Records

The confirmed scope of the Polmed/ShinyHunters breach expanded significantly in Week 20: from the initially disclosed 100,000+ officers and 214 GB to 1.7 million records and 68,000 directly identified SAPS officers. The expanded dataset includes dependants, medical scheme beneficiaries, and historical claims data. This is now one of the largest confirmed law enforcement data exposures in African history and represents a sustained national security risk for SAPS operational security.

APT28 — SAMA Financial Sector Expansion

APT28 (Fancy Bear / Forest Blizzard) SAMA financial-sector expansion was flagged by Fyntralink on 7 May, with 3 SA finance sector entities confirmed as victims in the preceding 90 days. APT28’s tradecraft in financial environments focuses on credential harvesting via NTLM exploitation (CVE-2026-32202, W19), spearphishing of treasury and SWIFT operations staff, and long-term persistence for intelligence collection rather than immediate monetisation. SA banks with SARB/FSCA regulatory reporting obligations should treat APT28 presence as a Board-level risk requiring immediate notification.

POPIA and Regulatory

The monthly POPIA notification rate of ~284/month in 2026 is running significantly above historical annual totals. The Ekurhuleni disclosure at SCOPA signals that parliament is increasingly scrutinising cyber-enabled financial fraud in the public sector. The Canvas deadline for SA tertiary institutions triggers Joint Standard obligations for those entities that fall under DHET oversight and any FSCA-registered education providers. APT28’s confirmed presence in SA financial institutions triggers SARB Joint Standard 2/2024 mandatory 24-hour incident reporting obligations for affected entities.

Full Intelligence Report

The complete Week 20 technical report covers Standard Bank ransomware.live indexing analysis, Ekurhuleni billing fraud methodology, Canvas/ShinyHunters exposure map for SA institutions, Polmed expanded scope assessment, APT28 SAMA campaign profile, PAN-OS/Ivanti KEV patch guidance, and structured hunt missions (TH-2026-W20-01 to -04) with full IOC tables.

What Your Business Should Do Right Now

  • Patch PAN-OS immediately (CVE-2026-0300, KEV deadline passed): Any unpatched Palo Alto Networks firewall or SD-WAN appliance is in the active-exploitation crosshairs of state-sponsored actors. Apply Palo Alto advisory patches immediately and audit for IOCs consistent with the KEV-listed exploitation chain.
  • SA tertiary institutions: activate Canvas incident response now: Wits, Stadio, Milpark, Invictus, and SPARK Schools should treat the 12 May ShinyHunters deadline as a confirmed breach event. Notify student records offices, brief financial aid teams on spearphishing risk, and prepare Section 22 notifications to the Information Regulator.
  • Hunt for APT28 in financial sector environments: Financial institutions regulated by SARB or FSCA should execute APT28-specific threat hunts focusing on NTLM credential harvesting (CVE-2026-32202), treasury and SWIFT operations spearphishing, and anomalous long-dwell persistence mechanisms. Any confirmed APT28 activity triggers 24-hour reporting under Joint Standard 2/2024.
  • Review municipal Wi-Fi security posture: The Ekurhuleni case demonstrates that unsecured Wi-Fi networks in public-sector environments provide direct access to billing and licensing systems. Conduct a segmentation audit of any wireless network with access to financial or operational systems.
  • Monitor Patch Tuesday 12 May for Defender RedSun/UnDefend patches: Apply immediately upon release. Until then, maintain daily manual hunting for FortiGate VPN initial access followed by Defender engine tampering events.
  • Verify Ivanti EPMM patch status (10 May KEV deadline): Patch Ivanti Endpoint Manager Mobile to the latest version. Unpatched Ivanti EPMM exposes your mobile device management infrastructure to remote exploitation.