Everest Ransomware Claims 7 Victims in 24h
Statistical Overview
Victim Totals
- This month: 187
- This quarter: 187
- Year to date: 5193
- Last 24h: 32
Quarterly Breakdown
Q1: 2631 | Q2: 2386 | Q3: 187 | Q4: 0
Ransomware activity surged in the last 24 hours, exceeding the current monthly average. This indicates a trend of increased activity as Q3 progresses.
Introduction
Ransomware operations saw 32 new victims in the last 24 hours. Everest, crpx0, and Qilin were the most active groups. Operations focused predominantly on the United States, with a large concentration of attacks observed across various healthcare-related sectors.
Ransomware Summary Table
| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|---|---|---|---|---|
| 1 | Everest | 7 | Akm enterprises inc, Conway analytics, Epm (+4) | None, United States | Real Estate, Technology / Software |
| 2 | crpx0 | 6 | Amhwa biopharm co., ltd., Benjamin h. wang dds inc., Bishop arts dental pllc (+3) | China, United States | Pharmaceuticals & Biotech, Healthcare |
| 3 | Qilin | 4 | Cop® vertriebs-gmbh zentrale, Lechner massivhaus gmbh, Next clinics (+1) | United States, Germany | Manufacturing, Healthcare |
| 4 | Play News | 3 | Kevin bao lenguyen, Preneed funeral programs, United infrastructure | United Kingdom, United States | Professional Services, Construction & Engineering |
| 5 | Chaos | 2 | Corepharma.com, Opportune.com | United States | Professional Services, Pharmaceuticals & Biotech |
| 6 | Krybit | 2 | Shelby.com.mx, Xuerong.com | Mexico, China | Agriculture & Food, Manufacturing |
| 7 | Medusa Locker | 2 | Baeaeai, Bakaqah | Japan, India | Retail & Ecommerce, Media & Entertainment |
| 8 | Akira | 1 | Wade's dairy | United States | Agriculture & Food |
| 9 | INC Ransom | 1 | Aesthetic Surgical Images | United States | Healthcare |
| 10 | NightSpire | 1 | Pccc realty llc | None | Professional Services |
| 11 | PEAR | 1 | Tostrud & temp, s.c. | United States | Professional Services |
| 12 | Space Bears | 1 | Biessse | Italy | Manufacturing |
Everest led in the past period with 7 new victims, showing continued activity in Real Estate and Technology sectors, as documented in analysis of Everest ransomware. Close behind, crpx0 and Qilin ransomware were also highly active, targeting Pharmaceuticals and Healthcare entities. Play News ransomware continued its operations with three new victims across professional services and construction.
Victim Distribution
By Country
- United States: 16
- Germany: 3
- China: 2
- None: 2
- United Kingdom: 1
- United Arab Emirates: 1
- Norway: 1
- Mexico: 1
- Japan: 1
- Italy: 1
By Industry
- Dental Services: 3
- Construction: 2
- Manufacturing: 2
- Trade: 1
- Tax Preparation Services: 1
- Plastic Surgery: 1
- Pharmaceutical Manufacturing: 1
- Pediatric Dentistry: 1
- Oil and Gas: 1
- Law Practice: 1
The United States continues as the primary target for ransomware operations, accounting for half of all reported victims. Healthcare-related industries, including dental services, plastic surgery, pediatric dentistry, and pharmaceutical manufacturing, collectively represent a large concentration of recent attacks.
Ransomware News
Topline - Current ransomware developments show critical vulnerability exploitation and new ransomware strains.
Campaigns & Operations - The recently identified WhiteLock ransomware campaign utilizes AES-CBC and RSA-2048 encryption, appends a .Fbin extension, creates a c0ntact.Txt ransom note, and terminates remote access services to impede recovery.
Vulnerabilities & TTPs - U.S. federal agencies have been directed to patch a critical authentication bypass, CVE-2026-55255, in the Langflow AI development framework, a vulnerability actively exploited in the wild by actors like JadePuffer ransomware to exfiltrate PostgreSQL data.
Analyst Note - These events show the dual threat of established vulnerabilities in popular platforms and the continuous evolution of new ransomware capabilities.
Technical Takeaways
- JadePuffer ransomware is exploiting CVE-2026-55255, an authentication bypass in Langflow, to access and potentially dump PostgreSQL data.
- The WhiteLock ransomware campaign employs AES-CBC with a 32-byte key and 16-byte IV, protected by RSA-2048 encryption, and appends the
.Fbinextension to encrypted files. - WhiteLock terminates remote access tools like AnyDesk and TeamViewer to prevent victim remediation efforts.
- Everest, crpx0, and Qilin were the most active ransomware groups, collectively responsible for 17 new victims.
- Healthcare-related sectors, including dental services, pharmaceuticals, and general healthcare, were frequently targeted across multiple ransomware groups.
Everest Ransomware Group: Threat Profile
Everest is a sophisticated ransomware group known for double-extortion tactics, combining file encryption with data theft to pressure victims into paying ransoms. Key characteristics include:
- Primary targets: Real estate, technology, and professional services sectors
- Geographic focus: Heavy concentration on United States-based organizations
- Tactics: Credential harvesting, lateral movement, and staged data exfiltration
- Leak site: Maintains an active dark web portal to publish stolen data
Organizations should review endpoint detection rules and privileged access controls to reduce exposure to Everest campaigns. See our ransomware group profiles for deeper analysis.
How to Defend Against Ransomware Surges
When ransomware activity spikes, as seen in this 24-hour window with 32 total victims, defenders must act quickly to harden their environments. Recommended immediate steps include:
- Patch internet-facing systems to close known exploitation vectors
- Enable MFA across all remote access and privileged accounts
- Audit backup integrity and verify offline copies are current and restorable
- Monitor threat intelligence feeds for indicators of compromise tied to active groups like Everest, Qilin, and crpx0
- Segment networks to limit lateral movement if an initial compromise occurs
Consult our ransomware defense checklist for a full hardening guide.
Sectors Most Affected This Quarter
The Q3 data, with 187 victims recorded so far, reveals distinct sector-level targeting patterns across active ransomware campaigns:
- Healthcare: Repeatedly targeted by crpx0, Qilin, and related groups due to low downtime tolerance
- Real estate and technology: Primary focus areas for Everest ransomware operations
- Pharmaceuticals and biotech: Attractive to threat actors seeking both financial leverage and sensitive IP
- Construction and engineering: Increasingly targeted by groups like Play News for project data and subcontractor access
Understanding sector exposure helps security teams prioritize threat modeling. Visit our sector threat reports to explore industry-specific ransomware trends.