Two high-profile ransomware claims emerged on March 27–28, 2026, targeting organizations across different sectors and continents. Qilin ransomware claimed ITWAL Limited — Canada's only national food distribution network serving the retail and foodservice industries — on March 27. The following day, ARENCO Group (A.A. Al Moosa Enterprises), a major Dubai-based diversified conglomerate, was claimed by a ransomware actor. Neither organization has issued a public statement at the time of writing. The incidents continue a week of aggressive ransomware activity in which Qilin alone claimed 30 victims, cementing its position as the most prolific ransomware group of the current reporting period.

What Happened

ITWAL Limited was posted to Qilin's dark web leak site on March 27, 2026. ITWAL operates as Canada's only national network providing distribution, selling, marketing, and information solutions to retail and foodservice operators — functioning as critical supply chain infrastructure for the Canadian food industry. The specific data claimed and ransom demand have not been publicly disclosed; the post is currently listed without additional details on the leak site.

ARENCO Group (A.A. Al Moosa Enterprises) was claimed on March 28, 2026. ARENCO is a diversified conglomerate operating across real estate, construction, hospitality, and commercial sectors in Dubai and the broader UAE. The group's IT infrastructure was reportedly compromised, disrupting normal business operations. The attack has been attributed to a threat actor identified in source reporting as "payload" — a less documented group. Specific ransom demands and stolen data volumes have not been confirmed publicly.

Both organizations are significant economic actors in their respective markets: ITWAL as the backbone of Canadian national food distribution, and ARENCO as a major property and commercial operator in one of the Middle East's most active economic hubs.

What Was Taken

Neither ITWAL nor ARENCO has publicly confirmed what data was exfiltrated. Based on the operational profiles of each organization, the data likely at risk includes:

ITWAL — as a national distribution network intermediary:

  - Supplier and retailer business data — contracts, pricing agreements, distribution terms with major Canadian grocery and foodservice chains
  - Logistics and distribution data — delivery routes, warehouse operations, inventory systems
  - Client and vendor contact data — relationships spanning Canada's entire food retail sector
  - Financial and billing records — transaction data across a national distribution operation

ARENCO Group — as a Dubai conglomerate:

  - Real estate and construction project files — property portfolios, development plans, contractor agreements
  - Financial records — corporate accounts, investment data, revenue reporting across business units
  - Employee and HR data — personnel records across a large, multi-sector workforce
  - Client and tenant data — commercial relationships across hospitality, retail, and property management divisions

Qilin's established double extortion model means ITWAL data was almost certainly exfiltrated before any encryption was deployed. If Qilin follows its standard timeline, a publication deadline will follow if ransom negotiations fail.

Why It Matters

The ITWAL breach strikes at critical food supply chain infrastructure. Canada's national food distribution network represents a single point of failure for supplier-to-retailer logistics across a G7 economy. Operational disruption or data exposure here creates cascading effects: delayed deliveries to grocery chains, exposed supplier pricing intelligence, and potential disruption to foodservice operators dependent on ITWAL's distribution and information services. Food supply chain organizations have historically been underweighted in critical infrastructure protection frameworks despite their systemic importance.

Qilin's March activity — 30 confirmed victims in a single week — signals an operational tempo that has accelerated sharply. The group is deploying at a pace that suggests either expanded affiliate recruitment or automated targeting infrastructure. Security teams should treat Qilin as an active, high-velocity threat rather than a periodic one.

For ARENCO and the broader Gulf region, this is part of a pattern of increasing ransomware targeting of Middle Eastern conglomerates. Dubai's position as a global business hub makes its major corporate groups attractive targets: they hold significant financial assets, operate across multiple jurisdictions, and are under reputational pressure to avoid public breach disclosures — conditions that increase ransom payment probability.

The Attack Technique

Qilin (ITWAL): Qilin's documented TTPs include exploitation of vulnerabilities in internet-facing systems (particularly VPN appliances and remote desktop infrastructure), phishing-based credential theft, and affiliate-driven intrusion operations. The group deploys a Go-based ransomware payload capable of targeting both Windows and Linux/VMware ESXi environments, making it particularly effective against enterprise virtualization infrastructure. Qilin uses double extortion as standard practice: data exfiltration precedes encryption, and the leak site deadline is the primary leverage mechanism.

Unknown actor (ARENCO): The threat actor identified as "payload" in source reporting is not extensively documented in public threat intelligence at this time. The intrusion methodology for the ARENCO breach has not been disclosed. Given ARENCO's conglomerate structure across multiple business units and geographic locations, likely entry vectors include spearphishing targeting corporate administrators, exploitation of remote access infrastructure, or compromise via a third-party vendor or contractor with network access.

What Organizations Should Do

  1. Prioritize patching of internet-facing remote access infrastructure now — Qilin and peer groups systematically exploit unpatched VPN appliances, Citrix NetScaler, and RDP gateways. Run an immediate vulnerability scan against all internet-facing systems and treat any unpatched Fortinet, Citrix, or Ivanti devices as critical-priority remediation items. If exploitation is suspected, pull the device offline and investigate before patching.

  2. Implement network segmentation for supply chain and logistics systems — For organizations like ITWAL that operate as network intermediaries connecting suppliers and retailers, logistics and distribution systems must be isolated from corporate IT. Ransomware that reaches inventory management, order processing, or distribution routing systems creates operational disruption that far exceeds the financial cost of the ransom itself.

  3. Enforce MFA across all remote access and email platforms — Credential-based initial access is the most common entry path for Qilin affiliates. MFA on VPN, Microsoft 365, Google Workspace, and any remote desktop gateway eliminates the most prevalent initial access vector. Organizations without universal MFA deployment should treat it as an emergency remediation item, not a roadmap item.

  4. Develop and test a ransomware-specific incident response playbook — Both ARENCO and ITWAL are large, multi-division organizations where a ransomware event creates complex triage decisions: which systems to isolate, who makes the ransom decision, how to communicate with regulators, clients, and the public. A tested playbook that pre-answers these questions reduces response time from days to hours when an event occurs.

  5. Monitor Qilin's leak site proactively if you are an ITWAL supplier or client — If your organization has data flowing through ITWAL's distribution and information network, you have an indirect stake in this incident. Assign an analyst to monitor Qilin's dark web publication for ITWAL-related data, and prepare a contingency plan for the possibility that your supplier agreements, pricing data, or contact information appears in a public dump.

  6. Engage threat intelligence services tracking Qilin affiliate activity — Qilin's 30-victim week indicates active affiliate campaigns that are likely still in progress. Organizations in retail, food distribution, logistics, and real estate — sectors matching both ITWAL and ARENCO — should raise their threat posture and review anomalous network activity from the past 30 days for indicators of compromise consistent with Qilin's TTPs.
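
One way to run the 30-day retrospective from items 3 and 6 over remote-access authentication logs, as an added example that is not part of the original report. The event fields, service names, thresholds and sample records are assumptions constructed for illustration; map them to whatever your VPN gateway or identity provider actually exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Services treated as remote access (assumed labels; adjust to your log source).
REMOTE_SERVICES = {"vpn", "rdp-gateway", "m365", "google-workspace"}

def ev(ts, user, service, src, ok, mfa):
    """Build one auth event in the assumed schema."""
    return {"ts": ts, "user": user, "service": service, "src": src, "ok": ok, "mfa": mfa}

# Constructed sample events, not real logs. IPs are documentation ranges.
SAMPLE_EVENTS = [
    ev("2026-02-20T08:00:00", "old.admin", "vpn", "198.51.100.9", True, False),  # outside window
    ev("2026-03-10T09:15:00", "j.smith", "vpn", "198.51.100.12", True, True),
    ev("2026-03-12T23:40:00", "svc.backup", "rdp-gateway", "198.51.100.20", True, False),
    *[ev(f"2026-03-15T02:0{i}:00", "m.lee", "vpn", "203.0.113.7", False, False) for i in range(5)],
    ev("2026-03-15T02:05:00", "m.lee", "vpn", "203.0.113.7", True, False),
    ev("2026-03-16T10:00:00", "j.smith", "intranet", "10.0.0.5", True, False),  # not remote access
]

def review(events, now, window_days=30, fail_threshold=5, burst=timedelta(minutes=10)):
    """Return (no_mfa, guessed) for remote-access logins inside the lookback window.

    no_mfa:  successful logins that completed without MFA.
    guessed: successes preceded by >= fail_threshold failures for the same
             user within `burst`, a pattern consistent with credential guessing.
    """
    cutoff = now - timedelta(days=window_days)
    parsed = (dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events)
    recent = sorted(
        (e for e in parsed if e["ts"] >= cutoff and e["service"] in REMOTE_SERVICES),
        key=lambda e: e["ts"],
    )
    failures = defaultdict(list)  # user -> timestamps of failures since last success
    no_mfa, guessed = [], []
    for e in recent:
        if not e["ok"]:
            failures[e["user"]].append(e["ts"])
            continue
        hit = (e["user"], e["service"], e["src"])
        if not e["mfa"]:
            no_mfa.append(hit)
        if sum(1 for t in failures[e["user"]] if e["ts"] - t <= burst) >= fail_threshold:
            guessed.append(hit)
        failures[e["user"]].clear()  # a success resets the failure streak
    return no_mfa, guessed

if __name__ == "__main__":
    for label, hits in zip(("no-MFA success", "failure burst then success"),
                           review(SAMPLE_EVENTS, datetime(2026, 3, 28))):
        for hit in hits:
            print(label, *hit)
```

Accounts that appear in both lists are the first to investigate: a guessed password on a remote-access service with no second factor.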

Sources