What Business Owners Need to Know This Week

Week 21 (10–17 May 2026) delivered three new SA ransomware-tracker listings, a CVSS 10.0 KEV deadline, and an actively exploited Exchange OWA zero-day with no permanent patch. On 11 May, Canvas/Instructure confirmed that ShinyHunters’ ransom was paid (estimated ~US$10M), averting the threatened data publication for the five SA tertiary institutions — but leaving downstream phishing risk live. On 12 May, SANBS (South African National Blood Service) appeared on KillSec’s leak portal — this claim is UNVERIFIED and SANBS has not issued a public statement. Merensky Timber (13 May) and Sew Treat (16 May) were both listed by BlackSuit, taking the SA cumulative tally from 108 to 111. Patch Tuesday on 12 May delivered 120–138 CVEs with zero zero-days at release — the first clean Patch Tuesday in months — but Defender RedSun and UnDefend remain unpatched. CVE-2026-42897 (Exchange OWA XSS/spoofing) became actively exploited on 14 May with only an EEMS mitigation available. CVE-2026-20182 (Cisco Catalyst SD-WAN, CVSS 10.0) is KEV-listed with a deadline of 17 May — any unpatched estate is in the active-exploitation crosshairs.

The Bottom Line: The SANBS claim, if verified, would mean South Africa’s national blood supply is compromised — a direct threat to healthcare infrastructure and patient safety. Even while unverified, it demands immediate investigation. The Exchange OWA zero-day has no permanent patch; EEMS Mitigation ID M2 is the only protection. The Cisco SD-WAN CVSS 10.0 KEV deadline has now passed — any unpatched SD-WAN controller is being actively exploited. BlackSuit’s two SA listings in a single week signal renewed SA-sector targeting by a sophisticated RaaS group.

The Week in Numbers

  • 111 cumulative SA ransomware victims as of 17 May 2026 (SANBS unverified), up from 108 (W20).
  • 3 new SA ransomware listings in W21: SANBS/KillSec (UNVERIFIED), Merensky Timber/BlackSuit (13 May), Sew Treat/BlackSuit (16 May).
  • ~US$10 million — estimated ransom paid by Canvas/Instructure to ShinyHunters on 11 May, averting publication for 5 SA institutions.
  • 7 active SA breach investigations: Canvas (resolved), Standard Bank, Polmed, CGCSA, Adumo, FlySafair, SANBS (unverified).
  • CVSS 10.0 — Cisco Catalyst SD-WAN CVE-2026-20182 KEV deadline was 17 May; actively exploited by UAT-8616 via SSH key injection and NETCONF modification.
  • 3 SA-relevant unpatched zero-days: Defender RedSun, Defender UnDefend, Exchange OWA CVE-2026-42897 (no permanent patch).
  • 120–138 CVEs in May Patch Tuesday — first clean release with zero zero-days at release time in months.
  • 3 new CISA KEV entries: Cisco SD-WAN (CVSS 10.0), Exchange OWA (CVSS 8.1), Ivanti EPMM (CVSS 9.8).

Major Incidents: Who Was Hit and How

SANBS — KillSec Claim (UNVERIFIED)

On 12 May, the South African National Blood Service (SANBS) appeared on KillSec’s dark web leak portal. SANBS manages South Africa’s national blood supply, donor databases, and hospital blood product distribution. This claim is UNVERIFIED — SANBS has not issued any public statement or confirmed a breach. If verified, a SANBS compromise would represent a critical healthcare infrastructure incident with potential impacts on blood product availability, donor PII, and hospital supply chain continuity. Organisations in the healthcare sector should monitor for an official SANBS statement and treat any SANBS-branded communications with heightened scrutiny until the claim is resolved.

Merensky Timber & Sew Treat — BlackSuit Double Listing

Merensky Timber, a South African forestry and timber processing company, was listed by BlackSuit on 13 May. Sew Treat, operating in the industrial processing sector, followed on 16 May. BlackSuit is a sophisticated Ransomware-as-a-Service group known for double-extortion tactics (encrypt + exfiltrate) and for targeting mid-market industrial and manufacturing organisations. Two SA listings in a single week from the same group signal an active BlackSuit campaign against SA industrial and manufacturing sectors.

Canvas/Instructure — Ransom Paid, Phishing Risk Persists

On 11 May, Canvas/Instructure confirmed that ShinyHunters’ ransom was paid (estimated ~US$10M), preventing the threatened publication of the 275M-record dataset. This averts immediate mass data exposure for the five SA tertiary institutions (Wits, Stadio, Milpark, Invictus, SPARK Schools). However, ransom payment does not guarantee data deletion, and ShinyHunters has historically retained copies. SA institutions should treat student and staff credential exposure as confirmed and maintain elevated phishing monitoring and credential rotation protocols.

Exchange OWA — CVE-2026-42897 Actively Exploited, No Permanent Patch

CVE-2026-42897 (Microsoft Exchange OWA, CVSS 8.1) became actively exploited on 14 May. The vulnerability enables XSS and email spoofing via Outlook Web Access, allowing attackers to hijack authenticated OWA sessions and send convincing phishing emails from legitimate organisational addresses. No permanent patch exists as of 17 May; Microsoft’s only available mitigation is Exchange Emergency Mitigation Service (EEMS) Mitigation ID M2. Organisations running on-premises Exchange must verify EEMS is active and M2 is applied. CISA KEV deadline is 29 May.

Cisco Catalyst SD-WAN — CVSS 10.0 KEV Deadline Arrives

The CISA KEV deadline for CVE-2026-20182 (Cisco Catalyst SD-WAN Manager, CVSS 10.0) was 17 May. Any unpatched SD-WAN controller is now squarely in the crosshairs of UAT-8616 (Talos attribution), which uses SSH key injection and NETCONF modification for persistent access. Cisco Catalyst SD-WAN is widely deployed in SA enterprise WAN environments for branch office connectivity.

POPIA and Regulatory

The SANBS claim, if verified, would trigger mandatory Section 22 POPIA notifications for over 1 million registered blood donors whose PII is held in SANBS systems. The BlackSuit double listing of Merensky Timber and Sew Treat represents new POPIA notification obligations for these organisations. The Canvas ransom payment, while averting publication, does not eliminate the SA institutions’ POPIA reporting obligations — the breach occurred and data was at risk; notification to the Information Regulator is still required under Section 22.

Full Intelligence Report

The complete Week 21 technical report covers the SANBS KillSec claim analysis, BlackSuit actor profile and SA campaign assessment, Canvas ransom payment implications, Exchange OWA CVE-2026-42897 EEMS mitigation guide, Cisco SD-WAN CVE-2026-20182 patch and hunt playbook, Defender RedSun/UnDefend continued hunting guidance, and structured hunt missions (TH-2026-W21-01 to -04) with full IOC tables.

What Your Business Should Do Right Now

  • Apply EEMS Mitigation ID M2 on all Exchange servers immediately: CVE-2026-42897 is actively exploited with no permanent patch. Run the Exchange Health Checker script to confirm Mitigation ID M2 is applied. CISA KEV deadline is 29 May. Any unprotected OWA instance can be used to send convincing spearphishing from legitimate organisational addresses.
  • Patch Cisco Catalyst SD-WAN (CVE-2026-20182, CVSS 10.0): The KEV deadline of 17 May has passed. Apply Cisco advisory patches immediately. Hunt for the UAT-8616 TTPs: SSH key injection (audit authorized_keys on SD-WAN controllers against a known-good baseline) and NETCONF configuration changes made outside maintenance windows.
  • Investigate SANBS claim status: Healthcare organisations, blood banks, and hospitals with SANBS supply relationships should contact SANBS directly for an incident update. Do not rely on KillSec portal data. Brief blood product procurement teams to monitor for supply disruptions.
  • Protect industrial and manufacturing environments against BlackSuit: Merensky Timber and Sew Treat listings signal an active BlackSuit SA campaign. Industrial organisations should audit internet-facing RDP and VPN, enforce MFA on OT/IT boundary systems, and verify offline backup integrity.
  • Rotate Canvas credentials at SA tertiary institutions regardless of the ransom payment: Force password resets for all students and staff with Canvas accounts at Wits, Stadio, Milpark, Invictus, and SPARK. ShinyHunters retains data copies after payment. Elevated phishing monitoring should remain active for at least 90 days.
  • Apply May Patch Tuesday updates: With 120–138 CVEs addressed and zero zero-days at release, this is a straightforward patch cycle. Prioritise Exchange, Cisco, and Defender updates. Confirm Defender Engine 1.1.26040.x is deployed once RedSun/UnDefend patches are released.
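As an added example (not part of the original brief and not Cisco or Talos tooling), the two SD-WAN hunt checks above expressed as code: a baseline comparison of authorized_keys fingerprints, and a filter for NETCONF edit-config records falling outside a maintenance window. The key blobs, the log record format and the 22:00–23:59 UTC window are all constructed for illustration, not taken from Cisco output.

```python
import base64, hashlib
from datetime import datetime, time
def ssh_fingerprint(key_b64):
    # OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64 without padding
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def unknown_keys(authorized_keys_text, approved):
    """Return (fingerprint, comment) for every authorized_keys entry not on the approved baseline."""
    findings = []
    for line in authorized_keys_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Entries may carry an options prefix (from=..., command=...), so locate the key-type token
        idx = next((i for i, t in enumerate(tokens) if t.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(tokens):
            findings.append(("UNPARSEABLE", line))  # malformed entries deserve a look too
            continue
        fp = ssh_fingerprint(tokens[idx + 1])
        if fp not in approved:
            findings.append((fp, " ".join(tokens[idx + 2:])))
    return findings

def in_window(t, start, end):
    # Daily maintenance window; a start later than end means the window wraps midnight
    return start <= t <= end if start <= end else (t >= start or t <= end)

def netconf_edits_outside_window(log_lines, start, end):  # edit-config records outside the window
    flagged = []
    for line in log_lines:
        ts_text, rest = line.split(" ", 1)
        if "op=edit-config" in rest and not in_window(
                datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").time(), start, end):
            flagged.append(line)
    return flagged

# Constructed sample data: not real keys, and not Cisco's actual log format
KEY_KNOWN = base64.b64encode(b"constructed key blob: netops automation").decode()
KEY_ROGUE = base64.b64encode(b"constructed key blob: injected").decode()
APPROVED = {ssh_fingerprint(KEY_KNOWN)}
SAMPLE_AUTHORIZED_KEYS = ("# managed by config management\n"
    f"ssh-ed25519 {KEY_KNOWN} netops-automation\n"
    f'from="10.0.0.0/8" ssh-ed25519 {KEY_ROGUE} svc-backup\n')
SAMPLE_NETCONF_LOG = [
    "2026-05-14T22:15:03Z netconf user=netops op=edit-config target=running result=ok",
    "2026-05-15T03:41:19Z netconf user=admin op=edit-config target=running result=ok",
    "2026-05-15T09:02:00Z netconf user=netops op=get-config source=running result=ok",
]
MAINT_START, MAINT_END = time(22, 0), time(23, 59)  # constructed 22:00-23:59 UTC window
```

Running unknown_keys over the sample flags only the svc-backup entry, and netconf_edits_outside_window flags only the 03:41 edit; the get-config read is ignored because it is not a change.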