Daily Ransomware Report – 2/6/2026

Key Takeaways

  • Ransomware activity remains consistent, with 33 new victims reported in the last 24 hours, significantly contributing to Q1 totals.
  • CL0P was the most active group, accounting for nearly a third of all new incidents, predominantly targeting Technology/Software and Construction & Engineering sectors in North America.
  • The Qilin group demonstrated a continued focus on critical infrastructure with a confirmed cyberattack on Romania’s national oil pipeline operator, Conpet.
  • Threat actors are evolving their tradecraft by abusing legitimate virtualization platforms like ISPsystem’s VMmanager for stealthy C2 and payload delivery, and employing sophisticated infrastructure obfuscation techniques such as SSH key rotation.
  • Professional Services and Construction & Engineering continue to be the most impacted sectors, while the United States remains the primary geographical target.

Statistical Overview

Victim Totals

  • This day (24h): 33
  • This month: 199
  • This quarter: 1011
  • Year-to-date: 1011

Quarterly Breakdown

  • Q1: 1011
  • Q2: 0
  • Q3: 0
  • Q4: 0

Ransomware activity maintains a consistent pace as Q1 progresses, with the reported 33 victims contributing significantly to the current monthly and year-to-date totals, indicating sustained threat actor operations.

Dashboard showing daily ransomware victims and top groups for 2/6/2026

Introduction

The last 24 hours saw 33 new ransomware victims reported, with CL0P emerging as the most active group, accounting for nearly a third of all new incidents. PayoutsKing, DragonForce, and Sinobi also contributed significantly to the daily victim count. Geographically, the United States remained the primary target, while Professional Services and Construction & Engineering were the most impacted sectors.

Ransomware Summary

| # | Group | Victims (24h) | Sample Victims | Top Geos | Top Sectors |
|---|-------|---------------|----------------|----------|-------------|
| 1 | CL0P | 10 | Conwest.com, Crowdedisland.com, Dukosi.com | Canada, United States | Technology / Software, Construction & Engineering |
| 2 | PayoutsKing | 7 | Bay ship & yacht, Esentia energy systems, Lehigh valley restaurant group | United States, Mexico | Professional Services, Energy & Utilities |
| 3 | DragonForce | 5 | Esposito bros. construction ltd, Heavy motions inc, Https://www.platinumdrywall.com/ | United States, Canada | Construction & Engineering, Manufacturing |
| 4 | Sinobi | 5 | Exco, InfoMontreal, Penn Fencing | United States, France | Professional Services, Manufacturing |
| 5 |  | 2 | Peerson audio, Tripartum | United States, United Kingdom | Professional Services |
| 6 | Anubis | 1 | Advent aircraft systems, inc. | United States | Professional Services |
| 7 | CoinbaseCartel | 1 | Logility | United States | Technology / Software |
| 8 | Qilin | 1 | La fabrica | Argentina | Healthcare |
| 9 | TridentLocker | 1 | Tmpartner | United States | Professional Services |

CL0P led victim postings with 10 entities, predominantly impacting Technology/Software and Construction & Engineering across North America. PayoutsKing and DragonForce were also highly active, collectively responsible for 12 new victims, targeting Professional Services, Energy & Utilities, and Manufacturing sectors. Geographically, the United States and Canada remain primary targets, with activity also noted in Mexico, France, and Argentina.

Notable targeting today includes Conpet, Romania’s national oil pipeline operator, which confirmed a cyberattack, with the Qilin ransomware group claiming data exfiltration, underscoring persistent pressure on critical infrastructure.

Victim Distribution

By Country

  • United States – 18
  • Canada – 5
  • United Kingdom – 3
  • Italy – 2
  • Argentina – 1

By Industry

  • Professional Services – 12
  • Construction & Engineering – 7
  • Technology / Software – 5
  • Manufacturing – 3
  • Healthcare – 2

The United States remains the primary target, accounting for over half of all reported victims, while Professional Services and Construction & Engineering continue to be heavily impacted, indicating sustained targeting of business services and infrastructure-related sectors.

Ransomware News

Ransomware activities continue to impact diverse sectors globally, marked by critical infrastructure targeting and evolving TTPs for stealthy operations. The Qilin group claimed to have exfiltrated nearly a terabyte of data from Conpet, Romania’s national oil pipeline operator, though Conpet’s operational technology remained unaffected. Separately, Beacon Mutual Insurance Co. successfully restored systems after a January attack, containing the threat before encryption.

In terms of tradecraft, Sophos researchers identified ransomware operators, including those linked to LockBit, Qilin, Conti, and BlackCat/ALPHV, abusing ISPsystem’s VMmanager to deploy Windows VMs with identical hostnames for C2 and payload delivery, which lets them blend in with legitimate hosting providers. Concurrently, Group-IB’s analysis shows ShadowSyndicate is rotating multiple SSH keys to hide infrastructure and evade attribution, while maintaining consistent bulletproof hosting provider choices. These developments underscore the persistent efforts by threat actors to leverage infrastructure obfuscation and critical infrastructure targeting to maximize impact and evasion.

Technical Takeaways

  • Persistent targeting of Professional Services and Construction & Engineering sectors, especially in North America, indicates high value for threat actors.
  • The Qilin group demonstrates continued interest in critical infrastructure, as seen with the attack on Romania’s national oil pipeline operator.
  • Threat actors are increasingly abusing legitimate virtualization platforms, such as ISPsystem’s VMmanager, for command-and-control and payload delivery to enhance stealth.
  • Sophisticated infrastructure obfuscation techniques, including the rotation of SSH keys by groups like ShadowSyndicate, are being deployed to hinder attribution and extend campaign longevity.
  • CL0P maintains a significant operational tempo, consistently contributing a large proportion of newly reported victims across various industries.

About PurpleOps

PurpleOps operates at the intersection of cyber threat intelligence, ransomware tracking, and dark web research. Our platform delivers real-time insights into ransomware operations, emerging CVEs, and underground economy dynamics.

FAQ

What is the total number of ransomware victims reported today?

In the last 24 hours, there were 33 new ransomware victims reported.

Which ransomware group was most active recently?

CL0P was the most active group, responsible for 10 new victims, nearly a third of all new incidents.

What countries and industries are currently most affected by ransomware?

The United States remains the primary target country, while Professional Services and Construction & Engineering are the most heavily impacted sectors.

What emerging tactics are ransomware groups using?

Threat actors are increasingly abusing legitimate virtualization platforms like ISPsystem’s VMmanager for C2 and payload delivery, and employing sophisticated infrastructure obfuscation techniques such as rotating SSH keys.

How does PurpleOps assist organizations in combating ransomware threats?

PurpleOps provides real-time insights into ransomware operations, emerging CVEs, and underground economy dynamics through services such as Cyber Threat Intelligence, Dark Web Monitoring, Protection Against Ransomware, Penetration Testing, and Supply-Chain Security.