Ransomware attacks dominated cybersecurity news in July 2026, with Coca-Cola’s Fairlife dairy subsidiary shutting down U.S. production, a major ransomware group exploiting two SonicWall zero-days rated as high as 10.0 on the CVSS scale, and a new Sophos report confirming that identity-based attacks have overtaken vulnerability exploitation as the primary ransomware entry point. A Florida cybersecurity professional was also sentenced to nearly six years in prison for helping the BlackCat ransomware gang extort victims.
Coca-Cola’s Fairlife Halts U.S. Production After Ransomware Hit
Coca-Cola suspended all U.S. production at its Fairlife dairy subsidiary in July 2026 after ransomware struck the unit’s production systems. The company disclosed the attack in a July 16 filing with the U.S. Securities and Exchange Commission, stating that hackers had accessed “a portion of Fairlife’s systems, including production-related systems.” Canadian operations remain unaffected.
Fairlife, a Chicago-based wholly owned subsidiary of Coca-Cola, produces ultra-filtered milk across five product lines and generated an estimated $4 billion in sales by 2024, according to TechCrunch. The scale of that revenue makes the production stoppage commercially significant, though Coca-Cola has not yet determined whether the incident will have a material financial impact.
In its SEC filing, Coca-Cola said it has notified law enforcement, activated incident response protocols, and engaged outside cybersecurity advisors. “Product quality and safety have not been impacted,” the company stated, adding that its investigation is ongoing. No ransomware group has publicly claimed responsibility, and Coca-Cola has not confirmed whether it received an extortion demand.
SecurityWeek noted that past ransomware incidents at food and beverage companies — including Arizona Beverages in 2019 and distributor UNFI more recently — caused weeks-long production disruptions and empty grocery shelves, a pattern that frames the potential downstream risk for Fairlife.
Inc Ransomware Group Exploits Two SonicWall Zero-Days
A threat actor linked to the Inc ransomware-as-a-service group has been actively exploiting two zero-day vulnerabilities in SonicWall’s SMA 1000 Series appliances, chaining them together to achieve root-level remote code execution on enterprise networks. SonicWall published a security advisory on July 14 covering CVE-2026-15409 and CVE-2026-15410, days after Rapid7 telemetry detected active exploitation in the wild.
According to Dark Reading, CVE-2026-15409 is a server-side request forgery (SSRF) flaw in the SMA’s “Work Place” web interface that requires no authentication and earned a maximum CVSS score of 10.0. An unauthenticated attacker on the internet can craft web requests that trick the portal into reaching internal, otherwise gated services. CVE-2026-15410 scored 7.2 out of 10 and requires prior access to the Appliance Management Console, but when chained with the first flaw, the combination grants full root-level command execution.
Rapid7’s telemetry shows the Inc-affiliated actor has already used the chain to penetrate multiple enterprise networks, harvest credentials, and position for ransomware deployment. Organizations running SonicWall SMA 1000 Series appliances should apply SonicWall’s patches immediately and audit access logs for signs of SSRF activity against the Work Place interface.
Identity Attacks Now the Leading Ransomware Entry Point
For the first time, identity-based attacks — not software vulnerabilities — are the primary root cause of ransomware, ending a three-year run in which exploit-based intrusions dominated. Sophos published this finding in its State of Ransomware 2026 report, based on a survey of 2,158 IT and cybersecurity leaders across 17 countries, all from organizations hit by ransomware in the past year.
Malicious email accounted for 26% of ransomware root causes, and phishing for 24% — together representing half of all incidents. Vulnerability exploitation fell to 18%, down from 32% the prior year. Two-thirds (67%) of victims said the ransomware attack was also their most significant identity attack of the year.
Perhaps most striking: MFA was deployed in 97% of credential-based attacks yet failed to prevent compromise, according to Dark Reading’s coverage of the report. Sophos attributed this to attackers using techniques such as MFA fatigue, SIM swapping, and adversary-in-the-middle phishing kits that intercept session tokens after authentication.
“With phishing and malicious email now accounting for half of all ransomware root causes in this report, organizations should deploy advanced email filtering, implement DMARC/DKIM/SPF protocols, and invest in regular phishing awareness training,” Sophos said in the report. “The shift toward email-based attacks suggests that technical vulnerability patching alone is insufficient.”
On the financial side, the report found that 56% of ransomware attacks successfully encrypted victim networks, while ransom demands and payments are trending downward — a rare piece of positive data in an otherwise grim picture.
Florida Man Sentenced to 70 Months for Helping BlackCat Ransomware
Angelo Martino, 41, of Florida, was sentenced on July 17 to 70 months in federal prison after pleading guilty in April to helping the BlackCat/Alphv ransomware gang while posing as a ransomware negotiator hired to protect victims. He is the third U.S. cybersecurity professional sentenced in connection with the same scheme.
According to SecurityWeek, the Department of Justice said Martino began working with BlackCat operators in April 2023, feeding them confidential information about his clients’ negotiating positions and strategies to help the gang “maximize the ransoms paid by the victims.” He helped extort at least five organizations. Authorities seized $10 million in assets from Martino, including cryptocurrency, vehicles, a food truck, and a fishing boat.
The two other defendants — Kevin Martin of Texas and Ryan Goldberg of Georgia — were each sentenced to four years in prison in late April. BlackCat targeted over 1,000 organizations between 2021 and December 2023, when law enforcement disrupted the operation. The U.S. government is still offering $10 million for information identifying key BlackCat members.
What This Means
The July 2026 threat picture reflects a structural shift that security teams cannot patch their way out of. The Sophos data is particularly clarifying: when MFA fails in 97% of credential-based attacks, the assumption that multi-factor authentication is a reliable last line of defense no longer holds. Attackers have industrialized bypass techniques faster than most organizations have updated their defenses.
The Fairlife incident illustrates that operational technology and production systems remain high-value ransomware targets in the food and beverage sector — an industry with low tolerance for downtime and limited legacy-system hardening. The SonicWall zero-days show that even perimeter security appliances, devices meant to protect access, are now primary attack surfaces. Chaining a CVSS 10.0 flaw with a 7.2 flaw to reach root access is a well-worn playbook, and the Inc group’s speed in weaponizing these flaws before a patch was available underscores the shrinking window between disclosure and exploitation.
The Martino sentencing adds a supply-chain-of-trust dimension: organizations paying for ransomware negotiators now face the documented risk that the negotiator is working for the other side.
FAQ
Why did Coca-Cola suspend Fairlife production?
Coca-Cola suspended U.S. production at its Fairlife dairy subsidiary after ransomware compromised a portion of the unit’s systems, including production-related systems, as disclosed in a July 16 SEC filing. Canadian operations were not affected, and no ransomware group has publicly claimed responsibility.
What are CVE-2026-15409 and CVE-2026-15410?
These are two zero-day vulnerabilities in SonicWall’s SMA 1000 Series appliances, disclosed by SonicWall on July 14, 2026. CVE-2026-15409 is a CVSS 10.0 server-side request forgery flaw requiring no authentication; chained with CVE-2026-15410, attackers can achieve root-level remote code execution, a combination already exploited by the Inc ransomware group.
How are ransomware attackers bypassing MFA?
According to Sophos’s State of Ransomware 2026 report, MFA was present in 97% of credential-based ransomware attacks but still failed to stop compromise. Attackers are using techniques such as MFA fatigue bombing, SIM swapping, and adversary-in-the-middle phishing kits that capture session tokens after the authentication step completes.
Sources
- Identity Attacks Overtake Exploits as Top Ransomware Cause – Dark Reading
- Inc Ransomware Exploits SonicWall SMA Zero-Days – Dark Reading
- Coca-Cola Suspends US Fairlife Production Due to Ransomware Attack – SecurityWeek
- Third US Security Expert Sentenced to Prison for Helping Ransomware Gang – SecurityWeek
- Coca-Cola suspended production at its Fairlife dairy after a ransomware attack – TechCrunch






