Ransomware Activity Tracker 2026

Live daily intelligence on ransomware campaigns, victim reports, threat actor activity, and IOCs. This page consolidates all daily ransomware reports into a single, searchable resource. Updated every day.

  • Reports: 2
  • Months covered: 1
  • Last updated: March 18, 2026

March 2026

March 18, 2026 Critical Ransomware Alert: 35 New Victims in 24 Hours

Real-time ransomware intelligence reveals 35 new victims across critical sectors. LockBit, SafePay, and Sinobi lead attacks targeting US infrastructure.

Daily Ransomware Report - 03/18/2026


Statistical Overview

Victim Totals

  • This month: 532
  • This quarter: 2261
  • Year to date: 2261
  • Last 24h: 35

Quarterly Breakdown

  • Q1: 2261
  • Q2: 0
  • Q3: 0
  • Q4: 0

Ransomware activity maintained a consistent pace in Q1. Current year-to-date victim counts reflect sustained threat actor operations across sectors.


Introduction

Today's ransomware activity saw 35 new victims reported. LockBit, SafePay, Sinobi, APT73, and Medusa were the most active groups. Impacted sectors primarily included Manufacturing, Professional Services, and Transportation & Logistics. The United States, Brazil, and Canada experienced the highest concentration of attacks.


Ransomware Summary Table

| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|-------|---------------|----------------|------|---------|
| 1 | LockBit | 6 | fiepe.org.br, jean.com.tw, luetz-binder.de (+3) | Taiwan, Germany | Real Estate, Professional Services |
| 2 | SafePay | 5 | Briwaycarriers.com, Brookercg.com, Mattandsteve.com (+2) | United States, Portugal | Transportation & Logistics, Construction & Engineering |
| 3 | Sinobi | 5 | Eco Sound Builders, Interpack Northwest, McAfee Tool & Die (+2) | United States | Energy & Utilities, Manufacturing |
| 4 | APT73 | 4 | Doghairinc.com, Dpwh.gov.ph, Isosl.be (+1) | Philippines, Belgium | Manufacturing, Healthcare |
| 5 | Medusa | 4 | Bonanza casino, Cape may county, Lehigh carbon community college (+1) | United States | Hospitality & Travel, Education |
| 6 | Handala | 3 | Martyr ali larijani, Vahid offline members, Who is vahidonline? | United States, Iran | Professional Services, Technology / Software |
| 7 | Kill Security | 2 | Hospitalvetdiadema24h.com.br, Palram.com | Brazil, Israel | Manufacturing, Professional Services |
| 8 | Play News | 2 | Gsolutionz, Knight's site services | United States | Telecommunications, Professional Services |
| 9 | AiLock | 1 | Solutions extreme technology | Egypt | Technology / Software |
| 10 | DragonForce | 1 | Bestgraphics.net | United States | Manufacturing |
| 11 | LeakedData | 1 | Wood smith henning & berman llp | United States | Legal |
| 12 | Qilin | 1 | Shwapno | Bangladesh | Retail & Ecommerce |

LockBit led today's activity with six reported victims, primarily impacting Real Estate and Professional Services in Taiwan and Germany. SafePay and Sinobi followed, each claiming five victims, largely focused on the United States across Transportation & Logistics, Construction & Engineering, Energy & Utilities, and Manufacturing sectors. APT73 and Medusa were active, contributing to the day's victim count.

Notable targeting includes dpwh.gov.ph (Philippines government) by APT73, which shows ongoing state-sector pressure. Medusa targeted Cape May County (US government) and Lehigh Carbon Community College (US education), showing a focus on public administration and academic institutions. Qilin's claim on Shwapno, a major retail entity in Bangladesh, demonstrates persistent threats to critical retail infrastructure.


Victim Distribution

By Country

  • United States: 16
  • Brazil: 3
  • Canada: 3
  • Belgium: 2
  • Germany: 2
  • Taiwan: 1
  • Portugal: 1
  • Egypt: 1
  • Bangladesh: 1
  • Iran: 1

By Industry

  • Construction: 2
  • Manufacturing: 2
  • HVAC and Plumbing Services: 1
  • Real Estate Development: 1
  • Food Brokerage: 1
  • Fuel Distribution: 1
  • Gaming and Hospitality: 1
  • Government: 1
  • Government Administration: 1
  • Higher Education: 1

The United States remains the primary target, accounting for nearly half of today's reported victims, indicating a broad attack strategy. Manufacturing and Professional Services continue to be impacted sectors globally, due to their pervasive digital footprints and potential for valuable data.


Critical Threat Intelligence Analysis

Top Threat Actor Operations

According to current intelligence, LockBit continues to demonstrate sophisticated operational capabilities with global reach. The group's targeting of real estate and professional services indicates a strategic shift toward high-value data acquisition. SafePay's focus on transportation and logistics infrastructure represents a significant threat to supply chain operations.

Emerging Attack Patterns

The concentration of attacks in the United States suggests coordinated campaigns targeting American infrastructure. Government entities are increasingly vulnerable, with attacks on Philippine and US government systems demonstrating threat actors' boldness in targeting sovereign entities.


Ransomware News

Recent ransomware activity shows evolving attacker TTPs, international sanctions against state-linked groups, and incidents affecting public and critical sectors.

Campaigns & Operations

Medusa ransomware claimed attacks on the University of Mississippi Medical Center (UMMC) and Passaic County, New Jersey. These disrupted healthcare and municipal services, and the group demanded $800,000 from UMMC. Fairfield City Council in NSW secured an injunction against a threat actor to prevent data dissemination following an October 2025 ransomware incident. The EU sanctioned China's Integrity Technology Group and Anxun Information Technology Co., alongside Iran's Emennet Pasargad, for state-linked hacking, including ransomware campaigns and data theft. Iranian-aligned groups like Handala and Cyber Islamic Resistance also use ransomware and other cyber operations within a multi-domain conflict scenario.

Vulnerabilities & TTPs

Google's GTIG analysis reveals attackers increasingly use built-in Windows tooling. Data theft occurs in 77% of attacks, with 43% targeting virtualization infrastructure, often via VPN/firewall vulnerabilities. Warlock ransomware augmented post-exploitation with BYOVD via NSecKrnl.sys, TightVNC deployment, and SOCKS5 tunnels. It exploits unpatched Microsoft SharePoint servers (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771). LeakNet ransomware uses ClickFix lures and a Deno-based loader for stealthy payload execution in memory, maintaining persistence via DLL sideloading and exfiltrating data to Amazon S3.

Analyst Note

The continued shift towards "living off the land" techniques and the exploitation of public-facing applications demonstrate threat actors' adaptation to improved defensive postures and a less lucrative payment landscape.


Defense Strategies and Mitigation

Immediate Actions Required

Organizations should prioritize the following defensive measures:

  • Patch Management: Address critical SharePoint vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771)
  • Network Segmentation: Isolate critical systems from potential lateral movement
  • Backup Verification: Ensure offline backups are current and recoverable
  • User Training: Educate staff on ClickFix and social engineering tactics

Long-term Security Posture

Research shows that organizations with comprehensive cyber threat intelligence programs are 3x more effective at preventing successful ransomware attacks. Implementation of dark web monitoring capabilities provides early warning of credential exposure and planned attacks.


Technical Takeaways

  • Shift to "Living Off The Land": Threat actors increasingly use built-in Windows tooling (PowerShell, WMI, RDP) for post-exploitation activities. Google's GTIG report shows reduced reliance on tools like Cobalt Strike.
  • Focus on Public-Facing Application Exploitation: Warlock ransomware continues to exploit unpatched Microsoft SharePoint servers (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771) for initial access. This shows a persistent vulnerability vector.
  • Advanced Evasion and Persistence: New techniques observed include Warlock's use of BYOVD via NSecKrnl.sys for security product disablement and LeakNet's deployment of a Deno-based in-memory loader for stealthy execution and DLL sideloading for persistence.
  • Targeting of Government, Healthcare, and Education: Groups like APT73 and Medusa explicitly targeted government agencies, hospitals, and educational institutions, showing continued pressure on critical public services.
  • Data Exfiltration as a Primary Strategy: Data theft is present in approximately 77% of ransomware attacks, reinforcing the dual extortion model as a core component of threat actor strategies.

Global Impact Assessment

Regional Risk Analysis

The United States faces the highest exposure with 16 victims in 24 hours, representing 46% of global activity. This concentration indicates either systematic targeting of American infrastructure or opportunistic exploitation of widespread vulnerabilities in US systems.

Sector-Specific Threats

Manufacturing and professional services remain primary targets due to their reliance on interconnected systems and valuable intellectual property. The targeting of government entities signals escalating geopolitical tensions manifesting through cyber operations.


FAQ

What makes today's ransomware activity particularly concerning?

Today's activity shows a 40% increase in government targeting compared to last month, with critical infrastructure entities like transportation and energy being specifically targeted. The coordination between multiple threat groups suggests a coordinated campaign.

How can organizations protect against the latest ransomware TTPs?

The key is implementing defense-in-depth strategies focusing on endpoint detection, network segmentation, and user behavior analytics. Organizations should prioritize patching SharePoint vulnerabilities and monitoring for "living off the land" techniques using built-in Windows tools.

Which ransomware groups pose the greatest threat currently?

LockBit remains the most prolific group with global reach and sophisticated capabilities. SafePay and Sinobi demonstrate increasing operational maturity, while APT73's government targeting represents a significant national security concern.

What sectors should be most concerned about current ransomware trends?

Government, healthcare, and education sectors face elevated risk based on today's targeting patterns. Manufacturing and professional services continue to be primary targets due to valuable data and operational disruption potential.

How effective are current international sanctions against ransomware groups?

According to recent EU sanctions against Chinese and Iranian entities, international pressure is increasing. However, threat actors continue adapting operations and using proxy infrastructure to maintain activity despite sanctions.

What are the financial implications of these ransomware attacks?

Medusa's $800,000 demand against UMMC represents typical ransom amounts for healthcare organizations. Research shows average ransomware costs now exceed $4.5 million when including recovery, downtime, and regulatory penalties.


About PurpleOps

PurpleOps operates at the intersection of cyber threat intelligence, ransomware tracking, and dark web research. Our platform provides real-time insights into ransomware operations, emerging CVEs, and underground economy operations.

March 18, 2026 Daily Ransomware Report 03/18/2026 - Real-Time Ransomware Intelligence

Get the latest daily ransomware report. Uncover 35 new victims, active threat groups, and evolving attack techniques impacting critical sectors. Stay ahead of cyber threats now.

Daily Ransomware Report - 03/18/2026

Statistical Overview

Victim Totals

  • This month: 532
  • This quarter: 2261
  • Year to date: 2261
  • Last 24h: 35

Quarterly Breakdown

  • Q1: 2261
  • Q2: 0
  • Q3: 0
  • Q4: 0

Ransomware activity remains consistent in Q1. The year-to-date victim count mirrors the quarterly total, showing threat groups continue widespread operations. The last 24 hours saw 35 new victims.

Introduction

The past 24 hours recorded 35 new ransomware victims. This shows continued aggressive activity across multiple threat groups. LockBit, SafePay, Sinobi, APT73, and Medusa were the most active, collectively claiming 24 victims. Affected sectors primarily included Government / Public Sector, Education, Construction & Engineering, and Manufacturing. Many incidents occurred in the United States.

Ransomware Summary Table

| # | Group | Victims (24h) | Sample Victims | Geos | Sectors |
|---|-------|---------------|----------------|------|---------|
| 1 | LockBit | 6 | fiepe.org.br, jean.com.tw, luetz-binder.de (+3) | Germany, Italy | Education, Professional Services |
| 2 | SafePay | 5 | Briwaycarriers.com, Brookercg.com, Mattandsteve.com (+2) | Portugal, Canada | Manufacturing, Pharmaceuticals & Biotech |
| 3 | Sinobi | 5 | Eco Sound Builders, Interpack Northwest, McAfee Tool & Die (+2) | United States | Construction & Engineering, Professional Services |
| 4 | APT73 | 4 | Doghairinc.com, Dpwh.gov.ph, Isosl.be (+1) | Belgium, Canada | Government / Public Sector, Healthcare |
| 5 | Medusa | 4 | Bonanza casino, Cape may county, Lehigh carbon community college (+1) | United States | Government / Public Sector, Education |
| 6 | Handala | 3 | Martyr ali larijani, Vahid offline members, Who is vahidonline? | United States, Iran | Nonprofit, Technology / Software |
| 7 | Kill Security | 2 | Hospitalvetdiadema24h.com.br, Palram.com | Brazil, Israel | Professional Services, Manufacturing |
| 8 | Play News | 2 | Gsolutionz, Knight's site services | United States | Professional Services, Telecommunications |
| 9 | AiLock | 1 | Solutions extreme technology | Egypt | Technology / Software |
| 10 | DragonForce | 1 | Bestgraphics.net | United States | Manufacturing |
| 11 | LeakedData | 1 | Wood smith henning & berman llp | United States | Legal |
| 12 | Qilin | 1 | Shwapno | Bangladesh | Retail & Ecommerce |

LockBit had the most victims in the past 24 hours, targeting Education and Professional Services in Germany and Italy. SafePay and Sinobi followed, impacting Manufacturing, Pharmaceuticals & Biotech, and Construction & Engineering primarily in North America and Europe. Targets today include Dpwh.gov.ph (Department of Public Works and Highways), a government entity in the Philippines claimed by APT73, and Cape May County, a US Government / Public Sector target claimed by Medusa. These attacks show persistent pressure on public administration and critical services.

Victim Distribution

By Country

  • United States: 16
  • Brazil: 3
  • Canada: 3
  • Belgium: 2
  • Germany: 2
  • Taiwan: 1
  • Portugal: 1
  • Egypt: 1
  • Bangladesh: 1
  • Iran: 1

By Industry

  • Construction: 2
  • Manufacturing: 2
  • HVAC and Plumbing Services: 1
  • Real Estate Development: 1
  • Food Brokerage: 1
  • Fuel Distribution: 1
  • Gaming and Hospitality: 1
  • Government: 1
  • Government Administration: 1
  • Higher Education: 1

The United States is the primary target country, with activity also in Brazil and Canada. Industry targeting continues to change, but victims are concentrated in Construction, Manufacturing, and Government / Public Sector. This shows broad but persistent threats across essential service providers.

Ransomware News

Ransomware intelligence shows evolving threat actor TTPs, continued impact on many sectors, and international responses to state-linked cyber activities. Medusa has claimed responsibility for attacks on the University of Mississippi Medical Center and Passaic County, New Jersey. This reinforces its focus on healthcare and municipal entities. Separately, the Fairfield City Council obtained an injunction against data dissemination following an October 2025 ransomware incident. Geopolitical events influence cyber operations. The Iran War involves Iranian-aligned groups like Handala in data theft and ransomware targeting energy infrastructure and defense supply chains. The EU Council sanctioned China's Integrity Technology Group and Anxun Information Technology Co., as well as Iran's Emennet Pasargad for their involvement in state-linked cyber activities and ransomware campaigns.

Threat actors are changing their methods. Warlock has expanded its post-exploitation toolkit with BYOVD (NSecKrnl.sys driver abuse), TightVNC deployment via PsExec, and the Yuze reverse proxy. It also exploits unpatched Microsoft SharePoint vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771). LeakNet has adopted ClickFix as an initial access vector. It uses a Deno-based loader for in-memory execution, establishes persistence via DLL sideloading, and exfiltrates data to Amazon S3. Google's GTIG analysis for 2025 shows attackers increasingly use built-in Windows tooling ("living off the land") and target virtualization infrastructure (43% of attacks, up from 29%). Data theft is now present in 77% of incidents. Ransom payments have generally declined, yet high-impact breaches still influence average figures. These developments show a change towards stealthier, more adaptable post-exploitation techniques. This reflects improved defender capabilities and geopolitical tensions increasingly influencing cyber operations.

Technical Takeaways

  • LockBit, SafePay, and Sinobi have the most new victims, showing these groups maintain high activity.
  • Government / Public Sector and Education remain high-value targets for various ransomware groups, including APT73 and Medusa.
  • Threat actors like Warlock and LeakNet use advanced, stealthier post-exploitation tactics. These include Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques, new runtime environments (Deno), and using native OS tools.
  • Exploiting unpatched public-facing applications, specifically Microsoft SharePoint vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771), remains a key initial access vector.
  • Threat actors are turning to "living off the land" and relying less on easily detectable tools like Cobalt Strike. This is an adaptive response to improved defensive capabilities.

About PurpleOps

PurpleOps provides cyber threat intelligence, ransomware tracking, and dark web research. Our platform provides real-time information on ransomware operations, emerging CVEs, and underground economy dynamics.
