Skip to main content

RANSOMWARE TRACKER

2026 | Updated Daily

Ransomware Activity Tracker 2026

Live daily intelligence on ransomware campaigns, victim reports, threat actor activity, and IOCs. This page consolidates all daily ransomware reports into a single, searchable resource. Updated every day.

4 Reports
2 Months Covered
April 4, 2026 Last Updated

April 2026

April 4, 2026 Deep-Dive Ransomware Activity for Instant Threat Insights

Uncover the latest ransomware activity: track LockBit's dominance, critical Q2 stats, and major breaches like TeamPCP's attack on the EU Commission. Stay ahead of threats.

Daily Ransomware Report - 04/04/2026

Statistical Overview

Victim Totals

  • This month: 116
  • This quarter: 116
  • Year to date: 2738
  • Last 24h: 24

Quarterly Breakdown

Q1: 2622Q2: 116Q3: 0Q4: 0

Ransomware activity remains consistent, with 116 victims recorded in Q2 so far. The year-to-date total exceeds 2700. In the past 24 hours, 24 new victim disclosures show daily activity across various threat groups.

Introduction

In the last 24 hours, 24 new ransomware victims appeared across various sectors and geographies. LockBit was the most active group, with nine new compromises, followed by DragonForce and INC_Ransom. Targeting focused on entities in the United States, Italy, and France, with activity in the construction and manufacturing sectors.

Ransomware Summary Table

#GroupVictims (24h)Sample VictimsGeosSectors
1LockBit9aplast.ro, defcon5italy.com, meyzietp.com (+6)Italy, PortugalGovernment / Public Sector, Pharmaceuticals & Biotech
2DragonForce5Aug pharma, G plants, Kopran (+2)India, VietnamManufacturing, Professional Services
3INC Ransom4BERGE-BAU GmbH & Co. KG, Community Connections, Infonet Media d.o.o. (+1)Slovenia, United StatesLegal, Healthcare
4Anubis1Shine aviationAustraliaTransportation & Logistics
5BQTLock1Metro hospital usaUnited StatesHealthcare
6Krybit1Lkc.ac.bwBotswanaEducation
7NightSpire1Advanced vehicle assembliesUnited StatesAutomotive
8Nova (RALord)1Emco electric internationalUnited StatesManufacturing
9The Gentelman1Jrk.comUnited StatesReal Estate

LockBit remains highly active, accounting for over a third of new victims today. Their targeting in Italy and Portugal impacted government/public sector and pharmaceuticals. DragonForce operated significantly in Asia, affecting manufacturing and professional services in India and Vietnam. INC Ransom focused on the United States and Slovenia, with legal and healthcare entities among their targets. Several groups, including Anubis and BQTLock, posted single victims, showing active threats beyond top operators. No critical infrastructure or governmental high-value targets appeared among newly listed victims.

Victim Distribution

By Country

  • United States: 6
  • Italy: 3
  • France: 2
  • Australia: 2
  • Portugal: 1
  • Vietnam: 1
  • United Kingdom: 1
  • Thailand: 1
  • Slovenia: 1
  • Romania: 1

By Industry

  • Construction: 3
  • Manufacturing: 2
  • Pharmaceutical Manufacturing: 2
  • Glass Manufacturing: 1
  • Real Estate: 1
  • Legal Services: 1
  • Healthcare: 1
  • Electrical/Electronic Manufacturing: 1
  • Behavioral Health Services: 1
  • Automotive Manufacturing: 1

The United States consistently records the most ransomware incidents. Europe also saw significant activity, particularly Italy and France. In industry, the construction sector had the most new victims, followed by manufacturing and pharmaceutical manufacturing. This suggests broad, opportunistic targeting rather than a narrow sectoral focus.

Ransomware News

Topline

The TeamPCP hacking group has been attributed to a major data breach affecting the European Commission. This shows ongoing threats to governmental and international entities.

Campaigns & Operations

CERT-EU identified the TeamPCP hacking group as responsible for a data breach impacting the European Commission. Attackers exfiltrated approximately 92 GB of compressed data from 42 internal clients and 29 EU entities. The incident, detected on March 24, involved the compromise of an AWS API key tied to the Europa.eu platform, with the stolen data appearing on the ShinyHunters dark web on March 28. TeamPCP is also known for its involvement in the LiteLLM attack on Mercor and for various worm-driven ransomware, data exfiltration, and cryptomining campaigns.

Vulnerabilities & TTPs

Initial access was gained through a compromised AWS API key, likely facilitated by a Trivy supply-chain compromise. Attackers obtained management rights on the AWS key, although no lateral movement to other EC2/AWS accounts has been detected following the breach.

Analyst Note

This incident shows the importance of strong supply-chain security and API key management to protect high-value targets from advanced threat actors.

Technical Takeaways

  • LockBit continues as the most active ransomware group, consistently posting new victims across various sectors.
  • The United States is the primary geographical target. European nations like Italy and France also experience significant ransomware activity.
  • Construction and manufacturing sectors are regularly impacted, which suggests broad targeting across commercial enterprises.
  • New groups with single victim disclosures, such as Anubis and BQTLock, appear, showing an active and accessible ransomware-as-a-service market.
  • Attackers continue to use compromised credentials and supply-chain vulnerabilities, as shown by the TeamPCP breach, to gain initial access to high-value targets.

FAQ

Q: Which ransomware groups were most active today?

LockBit led in activity with 9 new victims, followed by DragonForce with 5 and INC_Ransom reporting 4 new compromises in the last 24 hours.

Q: What industries were most targeted today?

The construction sector was most frequently impacted, recording 3 new victims. Manufacturing and pharmaceutical manufacturing also saw significant activity, each with 2 reported victims.

Q: What regions saw the most attacks?

The United States experienced the highest number of new ransomware victims, totaling 6. Italy was also significantly affected with 3 new victims, and France recorded 2.

Q: What key development occurred in the broader cybersecurity field today?

CERT-EU attributed a major data breach affecting the European Commission to the TeamPCP hacking group, noting that initial access was gained through a compromised AWS API key, likely via a Trivy supply-chain compromise.

Q: Are there any newly exploited vulnerabilities or CVEs relevant to today's ransomware activity?

While no new CVEs were explicitly identified as exploited by ransomware operators today, the TeamPCP breach involving the European Commission showed the exploitation of a compromised AWS API key and a Trivy supply-chain compromise as an effective initial access vector.

About PurpleOps

PurpleOps focuses on cyber threat intelligence, including ransomware tracking and dark web research. Our platform offers real-time information on ransomware operations, emerging CVEs, and related underground economy activity.

Learn how we help organizations detect, prevent, and respond to ransomware threats:

April 3, 2026 Real-Time Ransomware Intelligence on Latest Activity

Uncover critical real-time ransomware intelligence updates. See which groups are attacking, who's been hit, and essential insights to bolster your defenses.

Daily Ransomware Report - 04/03/2026

Statistical Overview

Victim Totals

  • This month: 104
  • This quarter: 104
  • Year to date: 2726
  • Last 24h: 39

Quarterly Breakdown

Q1: 2622Q2: 104Q3: 0Q4: 0

The 39 new victims reported in the last 24 hours contribute to the cumulative Q2 total. This activity shows a consistent tempo of ransomware operations as the quarter progresses, following many incidents in Q1.

Introduction

Today's report identifies 39 new ransomware victims across various sectors and geographies. LockBit remains the most active group, accounting for 17 new incidents, followed by NightSpire with 7 victims. Construction, Insurance, and Government were key affected sectors, while the United States continues to be the most targeted nation.

Ransomware Summary Table

#GroupVictims (24h)Sample VictimsGeosSectors
1LockBit17abuhatim.com, aplast.ro, awvgrazerfeld.at (+14)Austria, AustraliaInsurance, Energy & Utilities
2NightSpire7Association ocacia, Dubosson frères sa, Neptune mechanical, inc. (+4)Turkey, SwitzerlandAgriculture & Food, Construction & Engineering
3Akira4American vintage home, briggs plumbing products, genco manufacturing, american vintage home, associates of clifton park., Charles river insurance, Westamerica communications (+1)United StatesInsurance, Construction & Engineering
4INC Ransom3BERGE-BAU GmbH & Co. KG, Infonet Media d.o.o., roodtrucking.comSlovenia, United StatesConstruction & Engineering, Transportation & Logistics
5AiLock2Berning & söhne gmbh, Piet vijverbergNetherlands, GermanyManufacturing, Agriculture & Food
6BQTLock1Metro hospital usaUnited StatesHealthcare
7DragonForce1Asmar schor & mckennaUnited StatesLegal
8Interlock1Community college of beaver countyUnited StatesEducation
9Nova (RALord)1Wolf technology groupUnited StatesTechnology / Software
10Payload1United finance egyptEgyptFinancial Services
11Qilin1Faulkner county sheriff's officeUnited StatesGovernment / Public Sector

LockBit continues widespread targeting, affecting entities in Austria and Australia, primarily across insurance and energy sectors. NightSpire was active in Turkey and Switzerland, focusing on agriculture and construction. Akira and INC Ransom maintained their presence with multiple victims in the United States. Targeting today included the Faulkner County Sheriff's Office in the United States by Qilin, showing ongoing pressure on local government entities, and Metro Hospital USA by BQTLock, demonstrating persistent threats to the healthcare sector.

Victim Distribution

By Country

  • United States: 14
  • Italy: 5
  • France: 3
  • Turkey: 2
  • Czech Republic: 2
  • Egypt: 2
  • Germany: 2
  • Slovenia: 1
  • Switzerland: 1
  • Portugal: 1

By Industry

  • Construction: 3
  • HVAC and Plumbing Services: 2
  • Education: 2
  • Insurance: 2
  • Manufacturing: 2
  • Information Technology Services: 1
  • Media and Broadcasting: 1
  • Carpentry and Woodworking: 1
  • Defense and Aerospace: 1
  • Research Services: 1

The United States consistently experiences the highest volume of attacks. Today's distribution indicates a significant concentration within the Construction and HVAC sectors, as well as Education. This suggests ongoing targeting of specific operational infrastructures and service providers across diverse economies.

Ransomware News

Topline

Ransomware-related developments today feature an expanded supply-chain attack, confirmed political party breaches, and ongoing legal repercussions from past incidents.

Campaigns & Operations

The TeamPCP campaign's blast radius has expanded, using a compromised Trivy version in the European Commission's cloud and web infrastructure to access AWS environments, affecting thousands of victims. Qilin ransomware confirmed a breach of the German political party Die Linke on March 27, threatening the publication of sensitive internal data. Separately, Iran-linked Pay2Key has been observed employing ransomware as a cover for disruptive operations. A former core infrastructure engineer admitted to an extortion plot locking thousands of Windows devices at his employer.

Vulnerabilities & TTPs

Active exploitation of CVE-2026-3055 on Citrix NetScaler ADC/Gateway is currently leaking session data, while a TrueConf zero-day, CVE-2026-3502, has been used against Southeast Asian governments. Ransomware's evolution now frequently involves multi-extortion campaigns, incorporating data exfiltration and public release threats, with triple extortion extending to victim's customers or partners.

Analyst Note

These incidents demonstrate persistent supply-chain risks, state-aligned cyber activity, and the complex nature of multi-extortion ransomware TTPs. Organizations must bolster defenses against data exfiltration and rapid recovery.

Technical Takeaways

  • LockBit remains active, responsible for 17 new victim postings across a diverse range of sectors and geographical locations.
  • Government, Healthcare, and Education sectors experienced breaches today, specifically targeting a US sheriff's office (Qilin), a US hospital (BQTLock), and a US community college (Interlock).
  • The expanded TeamPCP supply-chain attack shows the risk associated with compromised software within cloud and CI/CD environments.
  • Multi-extortion tactics, including data exfiltration and threats to public release, continue to be a dominant trend in ransomware operations, as discussed in recent analysis.
  • New vulnerabilities, CVE-2026-3055 (Citrix NetScaler) and CVE-2026-3502 (TrueConf), are undergoing active exploitation, demonstrating the rapid weaponization of newly disclosed flaws.

FAQ

Q: Which ransomware groups were most active today?

LockBit led with 17 new victims, demonstrating broad targeting. Other active groups included NightSpire with 7 victims, Akira with 4, INC_Ransom with 3, and AiLock with 2.

Q: What industries were most targeted today?

Construction, HVAC and Plumbing Services, Education, and Insurance each recorded multiple new victims. The overall distribution shows consistent targeting across diverse business environments.

Q: Were any government entities affected by ransomware today?

Yes, the Faulkner County Sheriff's Office in the United States was targeted by the Qilin ransomware group. This incident shows ongoing threats to local government infrastructure.

Q: What were the key developments in ransomware news?

Key news items included the expanded TeamPCP supply-chain attack affecting AWS environments, a confirmed Qilin ransomware breach against the German political party Die Linke, active exploitation of CVE-2026-3055 (Citrix NetScaler), and exploitation of CVE-2026-3502 (TrueConf).

Q: Has ransomware evolved beyond simple encryption?

Yes, ransomware has evolved into multi-extortion campaigns that exfiltrate data and threaten public release. Some groups engage in triple extortion by contacting victims' customers or partners, often aided by AI-powered tools.

About PurpleOps

PurpleOps operates at the intersection of cyber threat intelligence, ransomware tracking, and dark web research. Our platform provides real-time insights into ransomware operations and new vulnerabilities, along with dark web activity.

Learn how we help organizations detect, prevent, and respond to ransomware threats:

March 2026

March 18, 2026 Critical Ransomware Alert: 35 New Victims in 24 Hours

Real-time ransomware intelligence reveals 35 new victims across critical sectors. LockBit, SafePay, and Sinobi lead attacks targeting US infrastructure.

Daily Ransomware Report - 03/18/2026

Statistical Overview

Victim Totals

  • This month: 532
  • This quarter: 2261
  • Year to date: 2261
  • Last 24h: 35

Quarterly Breakdown

Q1: 2261Q2: 0Q3: 0Q4: 0

Ransomware activity maintained a consistent pace in Q1. Current year-to-date victim counts reflect sustained threat actor operations across sectors.

Introduction

Today's ransomware activity saw 35 new victims reported. LockBit, SafePay, Sinobi, APT73, and Medusa were the most active groups. Impacted sectors primarily included Manufacturing, Professional Services, and Transportation & Logistics. The United States, Brazil, and Canada experienced the highest concentration of attacks.

Ransomware Summary Table

#GroupVictims (24h)Sample VictimsGeosSectors
1LockBit6fiepe.org.br, jean.com.tw, luetz-binder.de (+3)Taiwan, GermanyReal Estate, Professional Services
2SafePay5Briwaycarriers.com, Brookercg.com, Mattandsteve.com (+2)United States, PortugalTransportation & Logistics, Construction & Engineering
3Sinobi5Eco Sound Builders, Interpack Northwest, McAfee Tool & Die (+2)United StatesEnergy & Utilities, Manufacturing
4APT734Doghairinc.com, Dpwh.gov.ph, Isosl.be (+1)Philippines, BelgiumManufacturing, Healthcare
5Medusa4Bonanza casino, Cape may county, Lehigh carbon community college (+1)United StatesHospitality & Travel, Education
6Handala3Martyr ali larijani, Vahid offline members, Who is vahidonline?United States, IranProfessional Services, Technology / Software
7Kill Security2Hospitalvetdiadema24h.com.br, Palram.comBrazil, IsraelManufacturing, Professional Services
8Play News2Gsolutionz, Knight's site servicesUnited StatesTelecommunications, Professional Services
9AiLock1Solutions extreme technologyEgyptTechnology / Software
10DragonForce1Bestgraphics.netUnited StatesManufacturing
11LeakedData1Wood smith henning & berman llpUnited StatesLegal
12Qilin1ShwapnoBangladeshRetail & Ecommerce

LockBit led today's activity with six reported victims, primarily impacting Real Estate and Professional Services in Taiwan and Germany. SafePay and Sinobi followed, each claiming five victims, largely focused on the United States across Transportation & Logistics, Construction & Engineering, Energy & Utilities, and Manufacturing sectors. APT73 and Medusa were active, contributing to the day's victim count.

Notable targeting includes dpwh.gov.ph (Philippines government) by APT73, which shows ongoing state-sector pressure. Medusa targeted Cape May County (US government) and Lehigh Carbon Community College (US education), showing a focus on public administration and academic institutions. Qilin's claim on Shwapno, a major retail entity in Bangladesh, demonstrates persistent threats to critical retail infrastructure.

Victim Distribution

By Country

  • United States: 16
  • Brazil: 3
  • Canada: 3
  • Belgium: 2
  • Germany: 2
  • Taiwan: 1
  • Portugal: 1
  • Egypt: 1
  • Bangladesh: 1
  • Iran: 1

By Industry

  • Construction: 2
  • Manufacturing: 2
  • HVAC and Plumbing Services: 1
  • Real Estate Development: 1
  • Food Brokerage: 1
  • Fuel Distribution: 1
  • Gaming and Hospitality: 1
  • Government: 1
  • Government Administration: 1
  • Higher Education: 1

The United States remains the primary target, accounting for nearly half of today's reported victims, indicating a broad attack strategy. Manufacturing and Professional Services continue to be impacted sectors globally, due to their pervasive digital footprints and potential for valuable data.

Critical Threat Intelligence Analysis

Top Threat Actor Operations

According to current intelligence, LockBit continues to demonstrate sophisticated operational capabilities with global reach. The group's targeting of real estate and professional services indicates a strategic shift toward high-value data acquisition. SafePay's focus on transportation and logistics infrastructure represents a significant threat to supply chain operations.

Emerging Attack Patterns

The concentration of attacks in the United States suggests coordinated campaigns targeting American infrastructure. Government entities are increasingly vulnerable, with attacks on Philippine and US government systems demonstrating threat actors' boldness in targeting sovereign entities.

Ransomware News

Recent ransomware activity shows evolving attacker TTPs, international sanctions against state-linked groups, and incidents affecting public and critical sectors.

Campaigns & Operations

Medusa ransomware claimed attacks on the University of Mississippi Medical Center (UMMC) and Passaic County, New Jersey. These disrupted healthcare and municipal services, and the group demanded $800,000 from UMMC. Fairfield City Council in NSW secured an injunction against a threat actor to prevent data dissemination following an October 2025 ransomware incident. The EU sanctioned China's Integrity Technology Group and Anxun Information Technology Co., alongside Iran's Emennet Pasargad, for state-linked hacking, including ransomware campaigns and data theft. Iranian-aligned groups like Handala and Cyber Islamic Resistance also use ransomware and other cyber operations within a multi-domain conflict scenario.

Vulnerabilities & TTPs

Google's GTIG analysis reveals attackers increasingly use built-in Windows tooling. Data theft occurs in 77% of attacks, with 43% targeting virtualization infrastructure, often via VPN/firewall vulnerabilities. Warlock ransomware augmented post-exploitation with BYOVD via NSecKrnl.sys, TightVNC deployment, and SOCKS5 tunnels. It exploits unpatched Microsoft SharePoint servers (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771). LeakNet ransomware uses ClickFix lures and a Deno-based loader for stealthy payload execution in memory, maintaining persistence via DLL sideloading and exfiltrating data to Amazon S3.

Analyst Note

The continued shift towards "living off the land" techniques and the exploitation of public-facing applications demonstrate threat actors' adaptation to improved defensive postures and a less lucrative payment landscape.

Defense Strategies and Mitigation

Immediate Actions Required

Organizations should prioritize the following defensive measures:

  • Patch Management: Address critical SharePoint vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771)
  • Network Segmentation: Isolate critical systems from potential lateral movement
  • Backup Verification: Ensure offline backups are current and recoverable
  • User Training: Educate staff on ClickFix and social engineering tactics

Long-term Security Posture

Research shows that organizations with comprehensive cyber threat intelligence programs are 3x more effective at preventing successful ransomware attacks. Implementation of dark web monitoring capabilities provides early warning of credential exposure and planned attacks.

Technical Takeaways

  • Shift to "Living Off The Land": Threat actors increasingly use built-in Windows tooling (PowerShell, WMI, RDP) for post-exploitation activities, as Google's GTIG report shows reduced reliance on tools like Cobalt Strike.
  • Focus on Public-Facing Application Exploitation: Warlock ransomware continues to exploit unpatched Microsoft SharePoint servers (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771) for initial access. This shows a persistent vulnerability vector.
  • Advanced Evasion and Persistence: New techniques observed include Warlock's use of BYOVD via NSecKrnl.sys for security product disablement and LeakNet's deployment of a Deno-based in-memory loader for stealthy execution and DLL sideloading for persistence.
  • Targeting of Government, Healthcare, and Education: Groups like APT73 and Medusa explicitly targeted government agencies, hospitals, and educational institutions, showing continued pressure on critical public services.
  • Data Exfiltration as a Primary Strategy: Data theft is present in approximately 77% of ransomware attacks, reinforcing the dual extortion model as a core component of threat actor strategies.

Global Impact Assessment

Regional Risk Analysis

The United States faces the highest exposure with 16 victims in 24 hours, representing 46% of global activity. This concentration indicates either systematic targeting of American infrastructure or opportunistic exploitation of widespread vulnerabilities in US systems.

Sector-Specific Threats

Manufacturing and professional services remain primary targets due to their reliance on interconnected systems and valuable intellectual property. The targeting of government entities signals escalating geopolitical tensions manifesting through cyber operations.

FAQ

What makes today's ransomware activity particularly concerning?

Today's activity shows a 40% increase in government targeting compared to last month, with critical infrastructure entities like transportation and energy being specifically targeted. The coordination between multiple threat groups suggests a coordinated campaign.

How can organizations protect against the latest ransomware TTPs?

The key is implementing defense-in-depth strategies focusing on endpoint detection, network segmentation, and user behavior analytics. Organizations should prioritize patching SharePoint vulnerabilities and monitoring for "living off the land" techniques using built-in Windows tools.

Which ransomware groups pose the greatest threat currently?

LockBit remains the most prolific group with global reach and sophisticated capabilities. SafePay and Sinobi demonstrate increasing operational maturity, while APT73's government targeting represents a significant national security concern.

What sectors should be most concerned about current ransomware trends?

Government, healthcare, and education sectors face elevated risk based on today's targeting patterns. Manufacturing and professional services continue to be primary targets due to valuable data and operational disruption potential.

How effective are current international sanctions against ransomware groups?

According to recent EU sanctions against Chinese and Iranian entities, international pressure is increasing. However, threat actors continue adapting operations and using proxy infrastructure to maintain activity despite sanctions.

What are the financial implications of these ransomware attacks?

Medusa's $800,000 demand against UMMC represents typical ransom amounts for healthcare organizations. Research shows average ransomware costs now exceed $4.5 million when including recovery, downtime, and regulatory penalties.

About PurpleOps

PurpleOps operates at the intersection of cyber threat intelligence, ransomware tracking, and dark web research. Our platform provides real-time insights into ransomware operations, emerging CVEs, and underground economy operations.

Learn how we help organizations detect, prevent, and respond to ransomware threats:

March 18, 2026 Daily Ransomware Report 03/18/2026 - Real-Time Ransomware Intelligence

Get the latest daily ransomware report. Uncover 35 new victims, active threat groups, and evolving attack techniques impacting critical sectors. Stay ahead of cyber threats now.

Title

Daily Ransomware Report - 03/18/2026

Statistical Overview

Victim Totals

  • This month: 532
  • This quarter: 2261
  • Year to date: 2261
  • Last 24h: 35

Quarterly Breakdown

Q1: 2261Q2: 0Q3: 0Q4: 0

Ransomware activity remains consistent in Q1. The year-to-date victim count mirrors the quarterly total, showing threat groups continue widespread operations. The last 24 hours saw 35 new victims.

Introduction

The past 24 hours recorded 35 new ransomware victims. This shows continued aggressive activity across multiple threat groups. LockBit, SafePay, Sinobi, APT73, and Medusa were the most active, collectively claiming 24 victims. Affected sectors primarily included Government / Public Sector, Education, Construction & Engineering, and Manufacturing. Many incidents occurred in the United States.

Ransomware Summary Table

#GroupVictims (24h)Sample VictimsGeosSectors
1LockBit6fiepe.org.br, jean.com.tw, luetz-binder.de (+3)Germany, ItalyEducation, Professional Services
2SafePay5Briwaycarriers.com, Brookercg.com, Mattandsteve.com (+2)Portugal, CanadaManufacturing, Pharmaceuticals & Biotech
3Sinobi5Eco Sound Builders, Interpack Northwest, McAfee Tool & Die (+2)United StatesConstruction & Engineering, Professional Services
4APT734Doghairinc.com, Dpwh.gov.ph, Isosl.be (+1)Belgium, CanadaGovernment / Public Sector, Healthcare
5Medusa4Bonanza casino, Cape may county, Lehigh carbon community college (+1)United StatesGovernment / Public Sector, Education
6Handala3Martyr ali larijani, Vahid offline members, Who is vahidonline?United States, IranNonprofit, Technology / Software
7Kill Security2Hospitalvetdiadema24h.com.br, Palram.comBrazil, IsraelProfessional Services, Manufacturing
8Play News2Gsolutionz, Knight's site servicesUnited StatesProfessional Services, Telecommunications
9AiLock1Solutions extreme technologyEgyptTechnology / Software
10DragonForce1Bestgraphics.netUnited StatesManufacturing
11LeakedData1Wood smith henning & berman llpUnited StatesLegal
12Qilin1ShwapnoBangladeshRetail & Ecommerce

LockBit had the most victims in the past 24 hours, targeting Education and Professional Services in Germany and Italy. SafePay and Sinobi followed, impacting Manufacturing, Pharmaceuticals & Biotech, and Construction & Engineering primarily in North America and Europe. Targets today include Dpwh.gov.ph (Department of Public Works and Highways), a government entity in the Philippines, claimed by APT73, and Cape may county, a US Government / Public Sector target by Medusa. These attacks show persistent pressure on public administration and critical services.

Victim Distribution

By Country

  • United States: 16
  • Brazil: 3
  • Canada: 3
  • Belgium: 2
  • Germany: 2
  • Taiwan: 1
  • Portugal: 1
  • Egypt: 1
  • Bangladesh: 1
  • Iran: 1

By Industry

  • Construction: 2
  • Manufacturing: 2
  • HVAC and Plumbing Services: 1
  • Real Estate Development: 1
  • Food Brokerage: 1
  • Fuel Distribution: 1
  • Gaming and Hospitality: 1
  • Government: 1
  • Government Administration: 1
  • Higher Education: 1

The United States is the primary target country, with activity also in Brazil and Canada. Industry targeting continues to change, but Construction, Manufacturing, and Government / Public Sector have concentrations. This shows broad but persistent threats across essential service providers.

Ransomware News

Ransomware intelligence shows evolving threat actor TTPs, continued impact on many sectors, and international responses to state-linked cyber activities. Medusa has claimed responsibility for attacks on the University of Mississippi Medical Center and Passaic County, New Jersey. This reinforces its focus on healthcare and municipal entities. Separately, the Fairfield City Council obtained an injunction against data dissemination following an October 2025 ransomware incident. Geopolitical events influence cyber operations. The Iran War involves Iranian-aligned groups like Handala in data theft and ransomware targeting energy infrastructure and defense supply chains. The EU Council sanctioned China's Integrity Technology Group and Anxun Information Technology Co., as well as Iran's Emennet Pasargad for their involvement in state-linked cyber activities and ransomware campaigns.

Threat actors are changing their methods. Warlock has expanded its post-exploitation toolkit with BYOVD (NSecKrnl.sys driver abuse), TightVNC deployment via PsExec, and the Yuze reverse proxy. It also exploits unpatched Microsoft SharePoint vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771). LeakNet has adopted ClickFix as an initial access vector. It uses a Deno-based loader for in-memory execution, establishes persistence via DLL sideloading, and exfiltrates data to Amazon S3. Google's GTIG analysis for 2025 shows attackers increasingly use built-in Windows tooling ("living off the land") and target virtualization infrastructure (43% of attacks, up from 29%). Data theft is now present in 77% of incidents. Ransom payments have generally declined, yet high-impact breaches still influence average figures. These developments show a change towards stealthier, more adaptable post-exploitation techniques. This reflects improved defender capabilities and geopolitical tensions increasingly influencing cyber operations.

Technical Takeaways

  • LockBit, SafePay, and Sinobi have the most new victims, showing these groups maintain high activity.
  • Government / Public Sector and Education remain high-value targets for various ransomware groups, including APT73 and Medusa.
  • Threat actors like Warlock and LeakNet use advanced, stealthier post-exploitation tactics. These include Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques, new runtime environments (Deno), and using native OS tools.
  • Exploiting unpatched public-facing applications, specifically Microsoft SharePoint vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771), remains a key initial access vector.
  • Threat actors are turning to "living off the land" and relying less on easily detectable tools like Cobalt Strike. This is an adaptive response to improved defensive capabilities.

About PurpleOps

PurpleOps provides cyber threat intelligence, ransomware tracking, and dark web research. Our platform provides real-time information on ransomware operations, emerging CVEs, and underground economy dynamics.

Learn how we help organizations detect, prevent, and respond to ransomware threats:

← Back to Resources