Daily Ransomware Report - 03/18/2026
Statistical Overview
Victim Totals
- This month: 532
- This quarter: 2261
- Year to date: 2261
- Last 24h: 35
Quarterly Breakdown
| Q1 | Q2 | Q3 | Q4 |
|---|---|---|---|
| 2261 | 0 | 0 | 0 |
Q1 shows high activity with 2261 victims, which is the entire year-to-date total. The daily count of 35 new victims adds to this initial quarter's large volume.
Introduction
The past 24 hours recorded 35 new ransomware victims. LockBit, SafePay, Sinobi, APT73, and Medusa were the most active groups. The United States remains the main target country, with nearly half of today's observed attacks. Key affected sectors include professional services, government, manufacturing, and healthcare. This indicates threat actors use a broad, opportunistic approach.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | LockBit | 6 | fiepe.org.br, jean.com.tw, luetz-binder.de (+3) | Taiwan, Italy | Professional Services, Real Estate |
| 2 | SafePay | 5 | Briwaycarriers.com, Brookercg.com, Mattandsteve.com (+2) | Canada, Germany | Agriculture & Food, Pharmaceuticals & Biotech |
| 3 | Sinobi | 5 | Eco Sound Builders, Interpack Northwest, McAfee Tool & Die (+2) | United States | Energy & Utilities, Professional Services |
| 4 | APT73 | 4 | Doghairinc.com, Dpwh.gov.ph, Isosl.be (+1) | Canada, Belgium | Government / Public Sector, Manufacturing |
| 5 | Medusa | 4 | Bonanza casino, Cape may county, Lehigh carbon community college (+1) | United States | Government / Public Sector, Hospitality & Travel |
| 6 | Handala | 3 | Martyr ali larijani, Vahid offline members, Who is vahidonline? | Iran, United States | Technology / Software, Nonprofit |
| 7 | Kill Security | 2 | Hospitalvetdiadema24h.com.br, Palram.com | Israel, Brazil | Manufacturing, Healthcare |
| 8 | Play News | 2 | Gsolutionz, Knight's site services | United States | Professional Services, Telecommunications |
| 9 | AiLock | 1 | Solutions extreme technology | Egypt | Technology / Software |
| 10 | DragonForce | 1 | Bestgraphics.net | United States | Manufacturing |
| 11 | LeakedData | 1 | Wood smith henning & berman llp | United States | Legal |
| 12 | Qilin | 1 | Shwapno | Bangladesh | Retail & Ecommerce |
LockBit, SafePay, Sinobi, APT73, and Medusa were the most active groups in the last 24 hours, collectively accounting for over half of all new victims. The United States continues as the main target country, with a variety of sectors impacted, including professional services, government, manufacturing, and healthcare. Today's targets include Dpwh.gov.ph (Government / Public Sector) by APT73, which shows continued focus on public-sector entities, and Bonanza casino and Lehigh carbon community college by Medusa, showing persistent threats to hospitality and education sectors.
Victim Distribution
By Country
- United States: 16
- Brazil: 3
- Canada: 3
- Belgium: 2
- Germany: 2
- Taiwan: 1
- Portugal: 1
- Egypt: 1
- Bangladesh: 1
- Iran: 1
By Industry
- Construction: 2
- Manufacturing: 2
- HVAC and Plumbing Services: 1
- Real Estate Development: 1
- Food Brokerage: 1
- Fuel Distribution: 1
- Gaming and Hospitality: 1
- Government: 1
- Government Administration: 1
- Higher Education: 1
The concentration of attacks on the United States, which was nearly half of today's observed victims, shows a sustained focus on North American targets. The variety of targeted industries, from construction and manufacturing to government and higher education, suggests ransomware operators use a broad, opportunistic approach rather than a narrow sectoral focus.
Attack Methodology Analysis
According to recent threat intelligence research, ransomware groups are increasingly diversifying their attack vectors. The key trend observed is a shift toward exploiting unpatched vulnerabilities in widely used enterprise software, particularly VPN appliances and firewall systems, which now account for approximately one-third of initial access attempts.
Primary Attack Vectors Include:
- Exploitation of unpatched SharePoint vulnerabilities (CVE-2025-49706, CVE-2025-49704)
- VPN and firewall compromise for lateral movement
- Social engineering through ClickFix lures
- Supply chain compromises targeting managed service providers
Emerging Threat Actor Capabilities
Research shows that modern ransomware operations have evolved beyond simple encryption attacks. The key development is the adoption of "living off the land" techniques, where attackers leverage legitimate system tools to avoid detection:
Advanced Techniques Observed:
- BYOVD (Bring Your Own Vulnerable Driver) - Groups like Warlock deploy NSecKrnl.sys to gain kernel-level access
- Cloud Storage Exploitation - LeakNet utilizes Amazon S3 for data exfiltration
- In-Memory Execution - Deno-based loaders prevent disk-based detection
- Legitimate Tool Abuse - TightVNC, PsExec, and PowerShell for persistence
Ransomware News
Today's intelligence shows changes in the ransomware threat environment, with advanced post-exploitation tactics, attackers changing methods, and ongoing state-linked cyber operations.
The Medusa ransomware group claimed attacks on the University of Mississippi Medical Center and Passaic County, New Jersey, demanding $800,000 for the hospital breach. The EU Council sanctioned China's Integrity Technology Group and Iran's Emennet Pasargad, citing involvement in large-scale cyber operations, including ransomware and data theft campaigns. The Fairfield City Council secured an injunction against a threat actor to prevent data dissemination following an October 2025 ransomware incident. Handala was linked to cyber intrusions as part of a broader multi-domain conflict.
Warlock ransomware added to its post-exploitation toolkit, incorporating BYOVD (NSecKrnl.sys), TightVNC via PsExec, and the Yuze reverse proxy. It also exploits unpatched Microsoft SharePoint vulnerabilities, specifically CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771. Separately, LeakNet ransomware uses ClickFix as an initial access vector and deploys a Deno-based loader for in-memory execution and Amazon S3 for exfiltration. Google's GTIG analysis indicates a broader trend of attackers shifting to native Windows tooling and increasing data theft (77% of attacks) as ransomware payments decline. VPN/firewall vulnerabilities serve as initial access in one-third of incidents.
These developments show threat actors adapting to declining profitability by moving toward stealthier "living off the land" tactics. Nation-state entities continue to use cyber capabilities, including ransomware, for strategic goals.
Critical Defense Strategies
According to cybersecurity experts, organizations must implement multi-layered defense strategies to combat evolving ransomware threats. The key recommendations include:
Immediate Actions Required:
- Patch SharePoint systems against CVEs identified in Warlock campaigns
- Implement network segmentation to limit lateral movement
- Deploy endpoint detection and response (EDR) solutions
- Establish offline backup systems with regular restoration testing
- Conduct regular security awareness training focusing on social engineering
For comprehensive protection strategies, organizations should consider implementing advanced threat detection and strengthening incident response capabilities.
Technical Takeaways
- Continued targeting of government and education sectors: Medusa's attacks on Passaic County and Lehigh Carbon Community College confirm pressure on public entities.
- Post-exploitation tactics are evolving: Warlock ransomware deploys BYOVD techniques and uses legitimate tools like TightVNC and Yuze for persistence and remote access.
- Ransomware operators are shifting to "living off the land" tactics: Operators increasingly use built-in Windows tooling (e.g., PowerShell, WMI) and rely less on traditional tools like Cobalt Strike Beacon as payments decline.
- New initial access vectors: LeakNet uses ClickFix lures and Deno runtime for stealthy in-memory payload execution. Warlock continues to exploit unpatched SharePoint CVEs for initial access.
- Data exfiltration remains a primary tactic: Data theft is present in approximately 77% of ransomware attacks. Groups like LeakNet use Amazon S3 for exfiltration, showing the continued double extortion trend.
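The post-exploitation tradecraft described above (a vulnerable driver loaded for kernel access, PsExec and TightVNC installed as services, PowerShell launched from a ClickFix-style lure) all leaves traces in host telemetry, which is what the EDR and detection recommendations under Critical Defense Strategies depend on. The following is an added example, not code from this report or from PurpleOps: a small Python rule set run over constructed, simplified Windows event lines, with a per-host roll-up that flags machines showing more than one of these behaviours. The log format, the hostnames, the service name `tvnserver` for TightVNC, and the driver watchlist (seeded only with NSecKrnl.sys from the report; in practice it would be loaded from a maintained list of known-vulnerable drivers) are assumptions made for the example.

```python
"""Detection rules for BYOVD driver loads, remote-access service installs and
encoded PowerShell launched from a user-facing shell, evaluated over constructed
host telemetry. Example code added to this report; format and names are assumed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry (not real events). One event per line as
# key=value pairs; "id" loosely follows Sysmon/System numbering
# (1 = process create, 6 = driver load, 7045 = service installed).
SAMPLE_LOG = """\
ts=2026-03-18T09:12:01Z id=6 host=WS01 image="C:\\Windows\\Temp\\NSecKrnl.sys" signer=Unknown
ts=2026-03-18T09:12:07Z id=7045 host=WS01 service=PSEXESVC path="C:\\Windows\\PSEXESVC.exe"
ts=2026-03-18T09:13:40Z id=7045 host=WS01 service=tvnserver path="C:\\ProgramData\\tvnserver.exe"
ts=2026-03-18T09:15:02Z id=1 host=WS02 parent=explorer.exe image=powershell.exe cmd="powershell -nop -w hidden -enc SQBFAFgA"
ts=2026-03-18T09:20:11Z id=6 host=WS03 image="C:\\Windows\\System32\\drivers\\tcpip.sys" signer=Microsoft
ts=2026-03-18T09:21:00Z id=1 host=WS03 parent=cmd.exe image=powershell.exe cmd="powershell Get-Date"
"""

# Watchlists. The driver name comes from the report; the rest are assumptions.
VULNERABLE_DRIVERS = {"nseckrnl.sys"}          # extend from a vulnerable-driver feed
REMOTE_ACCESS_SERVICES = {"psexesvc": "PsExec", "tvnserver": "TightVNC"}
USER_FACING_PARENTS = {"explorer.exe"}         # Run dialog / desktop launches
# PowerShell accepts abbreviated parameter names, so match the common short forms.
ENCODED_PS = re.compile(r"\s-(e|ec|en|enc|encodedcommand)\s", re.IGNORECASE)

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def parse_event(line: str) -> dict[str, str]:
    """Parse one key=value line; quoted values may contain spaces."""
    return {k: quoted or bare for k, quoted, bare in KV.findall(line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict[str, str]) -> Finding | None:
    host = ev.get("host", "?")
    eid = ev.get("id")
    if eid == "6":  # driver load: compare the file name against the watchlist
        drv = basename(ev.get("image", ""))
        if drv in VULNERABLE_DRIVERS:
            return Finding("byovd_driver_load", host, drv)
    elif eid == "7045":  # new service: match on service name or binary name
        svc = ev.get("service", "").lower()
        binary = basename(ev.get("path", "")).removesuffix(".exe")
        tool = REMOTE_ACCESS_SERVICES.get(svc) or REMOTE_ACCESS_SERVICES.get(binary)
        if tool:
            return Finding("remote_access_service_install", host, tool)
    elif eid == "1":  # process create: encoded PowerShell from a user-facing parent
        if (basename(ev.get("image", "")) == "powershell.exe"
                and basename(ev.get("parent", "")) in USER_FACING_PARENTS
                and ENCODED_PS.search(ev.get("cmd", ""))):
            return Finding("encoded_powershell_from_shell", host, ev["cmd"])
    return None


def analyze(log_text: str) -> list[Finding]:
    """Run every rule over every non-empty line and collect the hits."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if line.strip():
            finding = check_event(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


def chained_hosts(findings: list[Finding], min_rules: int = 2) -> dict[str, set[str]]:
    """Hosts that triggered at least `min_rules` distinct rules: a single
    driver load or service install can be benign, the combination rarely is."""
    per_host: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.rule)
    return {h: rules for h, rules in per_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for f in hits:
        print(f"{f.host:5} {f.rule:32} {f.detail}")
    print("chained:", chained_hosts(hits))
```

Against the constructed lines this yields four findings: the NSecKrnl.sys load and the PsExec and TightVNC service installs on WS01, and the encoded PowerShell spawned by explorer.exe on WS02; the Microsoft-signed tcpip.sys load and the plain `Get-Date` invocation are ignored, and only WS01 is reported as showing a chained sequence. In a real deployment the same rules would be expressed in the EDR or SIEM query language, and the driver watchlist would be far larger than the single name taken from this report.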
Industry Impact Assessment
The current ransomware landscape demonstrates a concerning trend toward targeting critical infrastructure and essential services. According to threat intelligence analysts, the healthcare sector faces particular risk due to the urgency of restoring systems and the sensitive nature of patient data.
Sector-Specific Risks:
- Healthcare: Extended system downtime threatens patient safety
- Government: Disruption of public services and citizen data exposure
- Education: Academic operations disruption and student record theft
- Manufacturing: Supply chain interruptions and intellectual property theft
Organizations in these high-risk sectors should prioritize ransomware-specific security measures and consider engaging with specialized cybersecurity services.
FAQ
What are the most active ransomware groups currently?
LockBit remains the most prolific group with 6 victims in the past 24 hours, followed by SafePay, Sinobi, APT73, and Medusa with 4-5 victims each. These five groups account for over 70% of recent ransomware activity and demonstrate sophisticated post-exploitation capabilities.
Which industries should be most concerned about ransomware attacks?
Government and public sector organizations face the highest risk, representing a significant portion of recent attacks. Healthcare, education, and professional services are also prime targets due to their critical data and operational urgency. Manufacturing companies are increasingly targeted for intellectual property theft.
What are the latest ransomware attack techniques organizations should know about?
Modern ransomware groups employ "living off the land" techniques using legitimate Windows tools like PowerShell and WMI. They exploit unpatched SharePoint vulnerabilities (CVE-2025-49706, CVE-2025-49704) and use BYOVD attacks with vulnerable drivers like NSecKrnl.sys for kernel access.
How can organizations protect against current ransomware threats?
Immediate protection requires patching SharePoint systems, implementing network segmentation, and deploying EDR solutions. Organizations should establish offline backups, conduct regular restoration testing, and provide security awareness training focused on social engineering tactics like ClickFix lures.
What geographic regions are most targeted by ransomware groups?
The United States accounts for nearly 50% of recent ransomware victims, with 16 organizations affected in the past 24 hours. Brazil, Canada, Belgium, and Germany also show significant activity, indicating a global threat landscape with particular focus on North American and European targets.
How has the ransomware threat landscape evolved recently?
Research indicates a shift toward data theft as the primary extortion method, present in 77% of attacks, as traditional encryption-based payments decline. Attackers increasingly use cloud storage services like Amazon S3 for exfiltration and deploy in-memory execution techniques to evade detection.
About PurpleOps
PurpleOps focuses on cyber threat intelligence, ransomware tracking, and dark web research. Our platform provides real-time insight into ransomware operations, emerging CVEs, and underground economy activity.