Diverse Ransomware Activity Sees 14 New Victims

Statistical Overview

Victim Totals

• This month: 99
• This quarter: 1645
• Year to date: 4270
• Last 24h: 14

Quarterly Breakdown

Q1: 2631 | Q2: 1645 | Q3: 0 | Q4: 0

Ransomware activity maintains a consistent pace, with this quarter's victim count indicating sustained threat actor operations. The total new victims in the last 24 hours align with a steady pattern observed across the year.

Introduction

The past 24 hours saw 14 new ransomware victims reported, reflecting ongoing threat actor operations across various sectors. Active groups included Akira (2), DragonForce (2), Genesis (2), and INC Ransom (2), alongside others like Anubis (1). Primary targets were concentrated in the Manufacturing, Healthcare, and Financial Services sectors, with the United States remaining the most frequently impacted geography.

Ransomware Summary Table

The summary table illustrates varied ransomware activity, with no single group overwhelmingly dominant in victim count. Akira, Akira ransomware TTP analysis, DragonForce, and INC Ransom each claimed two victims, primarily affecting manufacturing and technology sectors across the United States, Singapore, Lebanon, and Mexico. Groups such as Genesis Group ransomware, Anubis, and The Gentelman continued targeting healthcare and financial services, predominantly in the United States. DragonForce ransomware activity further extended its reach to include financial and manufacturing entities.

Victim Distribution

By Country

• United States: 8
• Singapore: 2
• Brazil: 1
• Canada: 1
• Lebanon: 1
• Mexico: 1

By Industry

• Financial Services: 3
• Healthcare: 2
• Food Service: 1
• Information Technology: 1
• Paper and Forest Product Manufacturing: 1
• Apparel Manufacturing: 1
• Healthcare & Social Services: 1
• Information Services: 1
• Manufacturing: 1
• Publishing: 1

The United States remains a primary target for ransomware operators, accounting for over half of the new victims. Industrially, Manufacturing and Financial Services show the highest concentration of attacks, suggesting continued emphasis on critical and potentially lucrative sectors.

Ransomware News

Topline

Multiple ransomware incidents were reported against local government entities and various organizations. The US government announced sanctions against cryptocurrency exchanges for facilitating ransomware payments.

Campaigns & Operations

Bowman, North Dakota Parks & Recreation experienced a ransomware attack leading to encrypted files, which were subsequently decrypted with expert assistance. In South Korea, Qilin ransomware targeted an automation equipment company, Nova ransomware affected a university's AI department, and Black X was observed in a data-extortion leak against a plastic surgery clinic. The National Federation of Subpostmasters (UK) also suffered a ransomware attack. Globally, the upcoming FIFA World Cup 2026 is projected to face increased threats, with high ransomware activity expected, particularly in the US and Canada. The US Treasury's OFAC sanctioned Nobitex, a major Iranian crypto exchange, for facilitating payments tied to IRGC-linked ransomware and sanctions evasion as part of the "Economic Fury" campaign, which also targeted other exchanges.

Vulnerabilities & TTPs

The ransomware attack on the National Federation of Subpostmasters stemmed from the exploitation of a critical vulnerability in the cPanel hosting control panel used by its web hosting provider. This period also shows the persistent use of dark-web channels for data leakage and extortion by various threat actors.

Analyst Note

These developments show the persistent and diversified threats posed by ransomware and its supporting financial infrastructure to a broad array of targets globally.

Technical Takeaways

• Ransomware activity remains distributed across numerous groups, with Akira, DragonForce, Genesis, and INC Ransom leading in victim counts.
• Manufacturing, Financial Services, and Healthcare continue to be highly targeted sectors, indicating a focus on critical and high-value industries.
• The United States accounts for the majority of reported new ransomware victims, showing its significant threat landscape.
• Exploitation of vulnerabilities in common infrastructure, such as cPanel hosting control panels, remains a key initial access vector for some campaigns.
• Efforts to disrupt ransomware financing continue, as evidenced by US sanctions against cryptocurrency exchanges facilitating illicit payments.

The Gentelman Ransomware Activity: 9 New Victims

Statistical Overview

Victim Totals

• This month: 85
• This quarter: 1631
• Year to date: 4256
• Last 24h: 35

Quarterly Breakdown

Q1: 2631 | Q2: 1631 | Q3: 0 | Q4: 0

Ransomware activity shows 35 new victims. The Gentelman, LockBit, and Qilin operations influenced the victim count this period.

Introduction

Recent ransomware activity shows 35 new victims, with The Gentelman as the most active operator. Other groups include LockBit, Qilin, Akira, and INC_Ransom. Affected sectors include Healthcare and Professional Services, with targeting primarily in the United States, India, and Germany.

Ransomware Summary Table

The Gentelman led activity with 9 reported victims, impacting healthcare and professional services across Germany and Guatemala. LockBit and Qilin were also active, each claiming 4 victims in sectors like retail, technology, and hospitality in Uruguay, Taiwan, and the United States. The varied sectors and geographies show how widely current ransomware campaigns operate.

Victim Distribution

By Country

• United States: 7
• India: 3
• Taiwan: 2
• Germany: 2
• Mexico: 2
• Portugal: 2
• South Korea: 1
• Spain: 1
• Thailand: 1
• The Bahamas: 1

By Industry

• Financial Services: 3
• Healthcare: 2
• Advertising & Marketing: 1
• Industrial Machinery & Equipment: 1
• Chemical Manufacturing: 1
• Industrial Distribution: 1
• Process Control and Electronics/Telecommunication: 1
• Conglomerates: 1
• Automotive and Industrial Manufacturing: 1
• None: 1

The United States is the most frequently targeted country, followed by India. This shows a continued focus on economically significant regions. Industries such as Financial Services and Healthcare face attacks, which suggests these sectors are high-value targets.

Ransomware News

Topline

Recent intelligence shows an increase in ransomware activity, including new AI-driven tools and an active global campaign from The Gentelman operator.

Campaigns & Operations

Microsoft Threat Intelligence has documented The Gentelman ransomware-as-a-service operation, attributed to the Storm-2697 syndicate. This operation infiltrates corporate assets, exfiltrates data, and expands via a self-spreading worm and a 21-vector remote-execution playbook. This occurs alongside broader ransomware trends: the global cost is projected to reach approximately $275 billion annually by 2031, and 29% of organizations pay the initial ransom demand. Municipalities like the City of Thorold have also confirmed cybersecurity incidents, showing the continued operational and financial impact on public services. The threat economy is consolidating, driven by four main groups. Identity is becoming a key perimeter, and there is an increase in living-off-the-land techniques, with APAC financial services accounting for about 22% of incidents. These events show a continued evolution of understanding ransomware attacks.

Vulnerabilities & TTPs

Sophos researchers have identified an AI-built ransomware toolkit that automates Active Directory discovery and EDR evasion, using multiple AI agents, including Claude Opus, to develop and harden payloads. The Gentelman campaign uses advanced evasion tactics, including PowerShell-driven Defender real-time monitoring disablement, local binary exclusion, and C:\\ volume scan exclusion. It also performs aggressive post-encryption cleanup of Volume Shadow Copies and logs, using a custom hybrid crypto stack (Curve25519 with XChaCha20).

Analyst Note

These developments show the increased sophistication of ransomware threats, combining advanced TTPs with AI to improve evasion and operational scale. This shows that timely threat intelligence platform insights are important.

Technical Takeaways

• The Gentelman, operated by the Storm-2697 syndicate, uses an advanced 21-vector remote execution playbook, a self-spreading worm, and a custom hybrid crypto stack for encryption.
• Active ransomware groups use advanced evasion techniques, including PowerShell-driven Defender disablement and aggressive post-encryption cleanup of logs and Volume Shadow Copies.
• AI is used in ransomware toolkit development to automate Active Directory discovery and EDR evasion, though human oversight is important for payload refinement and deployment.
• Ransomware operations are evolving towards double extortion and data exfiltration. Identity is recognized as a primary defense perimeter.
• Healthcare and Professional Services are highly targeted sectors, with a wide geographical distribution of victims. This indicates both opportunistic and strategic targeting across regions.

SafePay Ransomware Activity Targets Diverse Sectors (6 Victims)

Statistical Overview

Victim Totals

• This month: 50
• This quarter: 1596
• Year to date: 4221
• Last 24h: 23

Quarterly Breakdown

Q1: 2631 | Q2: 1596 | Q3: 0 | Q4: 0

Ransomware activity reported 23 new victims in the last 24 hours. The quarterly total of 1596 shows continued threat actor activity, with the last 24 hours having a moderate number of new victim disclosures.

Introduction

In the last 24 hours, ransomware groups disclosed 23 new victims. SafePay was the most active with six victims, followed by BlackX with four. Groups like Nova (RALord) and CoinbaseCartel were also active. Primary targets included entities in Transportation & Logistics, Professional Services, and Healthcare. Attacks concentrated in the United States and Europe, especially Germany, Italy, and France.

Ransomware Summary Table

SafePay led activity with six new victims, as reported in SafePay ransomware's operations. It primarily impacted Transportation & Logistics and Professional Services across Germany and Italy. BlackX followed with four victims, targeting entities in Healthcare and Professional Services, including the African National Congress, and showing activity in Germany and the United States. CoinbaseCartel and Krybit both focused on Transportation & Logistics and Professional Services, with victims in the United States, Guatemala, and France. Overall, 11 groups contributed to the victim count, with varied targeting strategies across multiple geographies.

Victim Distribution

By Country

• United States: 6
• Germany: 4
• Italy: 3
• France: 3
• Switzerland: 1
• South Korea: 1
• South Africa: 1
• Armenia: 1
• Guatemala: 1
• Chile: 1

By Industry

• Consumer Goods: 1
• Telecommunications Equipment Distribution: 1
• Software Development: 1
• Legal Research: 1
• Hospital & Health Care: 1
• Grocery and Foodservice Distribution: 1
• Aviation & Aerospace: 1
• Agricultural Technology and Innovation: 1
• Plastic Surgery: 1
• Political Organization: 1

The United States remains the most targeted country, followed by European nations such as Germany, Italy, and France. Industry targeting is fragmented, with Professional Services and Transportation & Logistics frequently appearing among impacted sectors. This suggests broad, opportunistic targeting by multiple ransomware groups.

Ransomware News

Topline - Recent threat intelligence shows evolving ransomware tradecraft, exemplified by a new variant, and demonstrates the importance of strong incident response methods.

Campaigns & Operations - Analysis of the EndPoint ransomware, a Midnight-era variant built on the Babuk framework, shows it targets Windows, ESXi, and NAS environments. This ransomware uses a double-extortion model, encrypting data with ChaCha20 and an in-house RSA operation for session key protection. EndPoint specifically targets folders, network shares, and file extensions, while terminating key processes and deleting volume shadow copies. This shows a focused approach to data encryption and system disruption.

Vulnerabilities & TTPs - EndPoint ransomware's methods include terminating critical backup and security services such as VSS, SQL, Veeam, and Sophos, along with deleting volume shadow copies via vssadmin. To counter these tactics, effective incident response techniques focus on fast, data-driven detection using tools like EDR, SIEM, SOAR, and XDR. They also use network segmentation and isolation to contain threats and prevent lateral movement.

Analyst Note - These developments show organizations continually need to understand emerging ransomware variants and maintain agile, complete incident response frameworks to mitigate their impact.

Technical Takeaways

• SafePay is the most active group, accounting for 6 of the 23 new victims. It primarily targets Transportation & Logistics and Professional Services.
• BlackX targets diverse sectors, including Healthcare, Professional Services, and a political organization.
• Multiple ransomware groups, including CoinbaseCartel, Krybit, and Nova (RALord), show varied targeting across sectors such as Transportation & Logistics, Professional Services, and Manufacturing.
• Geographically, the United States, Germany, Italy, and France are the most frequently impacted regions.
• The newly analyzed EndPoint ransomware variant uses the Babuk framework to target Windows, ESXi, and NAS environments. It uses ChaCha20/RSA encryption and aggressive tactics such as vssadmin for shadow copy deletion and service termination.

The Gentelman Ransomware Claims 14 Healthcare, Retail Victims

Statistical Overview

Victim Totals

• This month: 27
• This quarter: 1573
• Year to date: 4198
• Last 24h: 29

Quarterly Breakdown

Q1: 2631 | Q2: 1573 | Q3: 0 | Q4: 0

Ransomware activity maintains a consistent volume, with 29 new victims reported in the last 24 hours. Quarterly data indicates substantial impact across global organizations, accumulating 1573 victims in Q2.

Introduction

In the last 24 hours, ransomware operators claimed 29 new victims across various sectors and geographies. The Gentelman group was active, accounting for 14 of these new compromises. Other groups included DragonForce, Abyss, INC Ransom, and Lapsus. Primary affected sectors observed include Healthcare, Retail & Ecommerce, Professional Services, and Government / Public Sector, with attacks concentrated in North America, including the United States and Canada.

Ransomware Summary Table

Ransomware activity remains active, largely driven by The Gentelman, which claimed 14 victims, predominantly in Healthcare and Retail & Ecommerce across Hong Kong and Canada. Other groups such as DragonForce and Abyss also contributed to the victim count, targeting sectors like Professional Services and Government / Public Sector. INC Ransom impacted the Champaign-Urbana Public Health District in the United States. This shows the ongoing threat to critical public services. The geographic distribution shows a continued focus on North America, alongside incidents in Europe, South America, and Asia. Further insights into the activity of The Gentelman ransomware group are available in our dedicated analysis.

Victim Distribution

By Country

• United States: 11
• Canada: 4
• India: 2
• Brazil: 2
• Spain: 1
• Thailand: 1
• Switzerland: 1
• Sri Lanka: 1
• Saudi Arabia: 1
• Portugal: 1

By Industry

• Legal Services: 2
• Automotive Manufacturing: 2
• Telecommunications: 2
• Insurance: 1
• Water Utility: 1
• School Facility Planning and Consulting: 1
• Public Health: 1
• Law Practice: 1
• Industrial Textile Manufacturing: 1
• Healthcare: 1

The United States continues to be the primary target region, accounting for 11 out of 29 new victims, followed by Canada. Industry targeting is diverse. Legal Services and Automotive Manufacturing each saw multiple incidents, with Telecommunications also experiencing two, reflecting a broad opportunistic approach by ransomware groups.

Ransomware News

Topline

VSP Solutions, an Australian video security distributor, is responding to a cyber security incident claimed by the Stormous ransomware-as-a-service group.

Campaigns & Operations

Stormous has reportedly exfiltrated and published over 40 GB of data from VSP Solutions, encompassing financial backups (QuickBooks & Reckon), email archives, staff personal folders, and customer databases. The company has engaged forensic experts, notified law enforcement and Australian government agencies, and is investigating the incident's scope. Stormous, known for its double-extortion tactics and data publication, continues to use compromised access against technology and business services globally.

Vulnerabilities & TTPs

The specific initial access vector for the VSP Solutions breach was not detailed. However, Stormous's operational methods consistently involve data exfiltration followed by publication if demands are unmet, employing double-extortion as a core tactic.

Analyst Note

This incident shows the persistent threat posed by established ransomware-as-a-service groups like Stormous, which continue to successfully compromise and extort organizations through data theft and publication.

Technical Takeaways

• The Gentelman emerged as the most active ransomware group, responsible for nearly half of the new victims observed.
• Targeting remains globally diverse but shows a concentration in North America, with the United States and Canada experiencing a large volume of attacks.
• Healthcare, Retail & Ecommerce, Professional Services, and Government / Public Sector are among the top-affected sectors, indicating continued opportunistic targeting across various industries.
• Ransomware-as-a-service (RaaS) groups, exemplified by Stormous, continue to use double-extortion tactics involving data theft and publication to pressure victims.
• Critical infrastructure entities, such as public health districts, remain vulnerable to compromise by groups like INC Ransom.

Genesis Group Leads Ransomware Activity with 5 Victims

Statistical Overview

Victim Totals

• This month: 767
• This quarter: 1544
• Year to date: 4169
• Last 24h: 7

Quarterly Breakdown

Q1: 2631 | Q2: 1544 | Q3: 0 | Q4: 0

Ransomware activity totaled 7 new victims in the last 24 hours. The Genesis group accounted for most incidents during this period.

Introduction

In the last 24 hours, seven new ransomware victims were reported across various sectors and geographies. The Genesis group was the most active, responsible for five incidents, while CMD and Krybit each claimed one victim. Affected sectors include Construction & Engineering, Retail & Ecommerce, Education, Healthcare, Investment Banking, Lubricants, and Residential Remodeling, primarily impacting organizations in the United States.

Ransomware Summary Table

The Genesis group was responsible for five recent ransomware victims, primarily in the United States, targeting industries such as construction, retail, and investment banking. CMD ransomware affected the Education sector, attacking Lake Washington School District. Krybit claimed one victim in the Healthcare sector in India.

Victim Distribution

By Country

• United States: 6
• India: 1

By Industry

• Home Improvement & Hardware Retail: 2
• Healthcare: 1
• Education: 1
• Investment Banking: 1
• Lubricants: 1
• Residential Remodeling: 1

The United States experienced the most ransomware attacks, accounting for most new victims. Targeting showed a broad approach across various industries, including retail, construction, education, and healthcare, without concentrating on a single vertical.

Ransomware News

Topline

Threat intelligence indicates a rising risk to critical infrastructure, with a shift from cyber espionage to physical disruption.

Campaigns & Operations

Attackers are increasingly exploiting internet-exposed industrial systems, default passwords, and outdated configurations, with small utilities and local municipalities facing disproportionate risk. Historical instances include destructive wiper attacks, post-breach cleanups, Iranian-affiliated PLC exploitation, and telecom intrusions. The United States experiences a 62% higher cyber-attack frequency compared to the global average.

Vulnerabilities & TTPs

Exploitation uses weaknesses like default passwords and unpatched systems. Artificial intelligence is integrated into intrusion lifecycles, handling 80-90% of operational tasks in some campaigns, which improves attack automation and efficiency.

Analyst Note

This trend shows a rising frequency of sophisticated attacks with real-world consequences. It requires strong OT/ICS security measures and coordinated defense strategies.

Technical Takeaways

• The Genesis group accounted for the majority of new ransomware incidents, with five victims in the last 24 hours.
• Organizations in the United States were overwhelmingly targeted, comprising six out of seven reported victims.
• Ransomware groups show broad targeting across diverse industries, including construction, retail, education, and healthcare.
• Critical infrastructure and industrial control systems face escalating threats, with attackers increasingly focused on physical disruption rather than just data exfiltration.
• Artificial intelligence is used to automate a significant portion of intrusion lifecycles, showing a change in threat actor methods.
• The continued targeting of organizations in the investment banking sector indicates ongoing financial sector risks.

Genesis Group Tactics and Target Profile

The Genesis ransomware group has demonstrated a consistent pattern of targeting small-to-mid-sized US businesses across diverse industries. Their recent activity highlights several concerning trends:

• Sector diversity: Targets span construction, retail, investment banking, and residential services
• Geographic focus: Predominantly United States-based victims
• Volume consistency: Five victims in a single 24-hour window indicates an active and organized operation
• Business size: Targets appear to include both regional firms and larger corporate entities

Organizations in these sectors should review their ransomware readiness immediately. See also: Ransomware Group Profiles for detailed threat actor analysis.

How Organizations Can Defend Against Genesis Group Attacks

Defending against groups like Genesis requires a layered security approach. Security teams should prioritize the following actions:

• Patch management: Ensure all internet-facing systems are updated to close known vulnerabilities
• Endpoint detection: Deploy EDR solutions capable of identifying ransomware behavior before encryption begins
• Backup integrity: Maintain offline, immutable backups tested regularly for restoration
• Employee training: Phishing remains a primary initial access vector for ransomware operators
• Incident response planning: Establish documented playbooks for ransomware scenarios

Proactive defense reduces dwell time and limits the blast radius of any successful intrusion. Related reading: Ransomware Incident Response Guide.

Recent Ransomware Trends Across Active Groups

Beyond Genesis, the broader ransomware landscape remains highly active. CMD's targeting of the Lake Washington School District reflects a troubling continuation of attacks on educational institutions, which often lack mature security programs. Krybit's victim in India's healthcare sector underscores that ransomware is a global threat with no industry immune.

• Education: Frequently targeted due to limited IT budgets and large user bases
• Healthcare: High-value data and operational urgency make hospitals prime targets
• Emerging groups: Smaller operators like CMD and Krybit are filling gaps left by disrupted major gangs

Monitor the latest ransomware activity feed for real-time updates on emerging group behavior.

Nova RALord Ransomware Activity Targets 3 Victims

Statistical Overview

Victim Totals

• This month: 760
• This quarter: 1538
• Year to date: 4163
• Last 24h: 16

Quarterly Breakdown

Q1: 2631 | Q2: 1538 | Q3: 0 | Q4: 0

Ransomware activity continues to show high volume this quarter, though the last 24-hour period indicates a lower-volume but diverse set of attacks. Nova (RALord) was the most active group in this timeframe, followed by DragonForce and Lapsus.

Introduction

The past 24 hours saw 16 new ransomware victims reported across varied sectors and geographies. Nova (RALord) emerged as the most active group, followed by DragonForce and Lapsus. Attackers showed broad targeting, impacting industries from automotive and education to manufacturing and technology.

Ransomware Summary Table

Nova (RALord) led the activity with three victims, targeting entities like Daegu University in South Korea and an automotive service provider in the United States. DragonForce, a ransomware group, added two new victims including a manufacturing company and a hospitality business. Lapsus, which has carried out high-profile breaches, claimed two new victims, targeting Github internal and Ingka group (ikea), impacting technology and retail sectors. The CMD ransomware group also reported activity, targeting legal services. Further insights into DragonForce's operations can be found in our deep dive on DragonForce ransomware's real estate and healthcare targeting, and information on the CMD ransomware group is available in our CMD ransomware healthcare and nonprofit blog post. The victim pool showed high diversity across sectors and geographies. The United States experienced the highest concentration of attacks.

Victim Distribution

By Country

• United States: 10
• South Korea: 2
• Brazil: 1
• France: 1
• Italy: 1
• Netherlands: 1

By Industry

• Software Development: 2
• Government: 1
• Education: 1
• Retail: 1
• Entertainment: 1
• Higher Education: 1
• Heavy-Duty Truck Customization and Repair: 1
• Hospitality: 1
• Legal Services: 1
• Medical Laboratory Services: 1

The United States remains the primary target geography for ransomware operations, accounting for over half of all reported victims in this period. Industry targeting remains fragmented, with no single sector experiencing a concentrated surge. This suggests opportunistic or broadly distributed campaigns rather than specialized attacks.

Ransomware News

Topline - An in-depth review of a city's recovery from an Interlock ransomware attack shows the critical role of pre-existing incident response plans and effective recovery strategies.

Campaigns & Operations - St. Paul, Minnesota, successfully recovered from an Interlock ransomware attack that occurred in July 2025 without paying the ransom. The city's response involved a cross-agency effort, including emergency management, state IT, federal investigators, private cybersecurity partners, and the Minnesota National Guard, all guided by a solid incident response plan and nightly backups.

Vulnerabilities & TTPs - The recovery prioritized essential services like 911 and payroll, with full restoration by the third week of August. A full "Operation Secure St. Paul" initiative involved a large-scale password reset for over 3,000 employees, enforcement of multi-factor authentication (MFA), device checks, and enhanced endpoint detection. National Guard FirstNet connectivity provided support for these efforts.

Analyst Note - This incident shows proactive preparedness, including strong incident response frameworks and complete backup regimes, helps mitigate ransomware impact and avoid ransom payments.

Technical Takeaways

• Nova (RALord) was the most active ransomware group in the past 24 hours, observed with three new victims.
• Ransomware activity remains globally distributed, with new victims reported across North America, Asia, and Europe.
• The United States represents the main target geography, accounting for 10 of the 16 reported victims.
• Industry targeting is diverse, with no single sector experiencing significant concentration of attacks.
• Organizations including Github internal and Ingka group (ikea) were impacted by the Lapsus ransomware group.

25 New Ransomware Victims as Com Ecosystem Expands

Statistical Overview

Victim Totals

• This month: 744
• This quarter: 1522
• Year to date: 4147
• Last 24h: 25

Quarterly Breakdown

Q1: 2631 | Q2: 1522 | Q3: 0 | Q4: 0

Ransomware activity maintains a consistent pace and contributes to the overall victim count this quarter, with many new compromises reported.

Introduction

The past period saw 25 new ransomware victims, showing persistent activity across diverse sectors and geographies. The_Gentelman emerged as the most active group, accounting for four of these incidents. Primary target sectors included Legal Services and Healthcare, while the United States remained the most frequently impacted country.

Ransomware Summary Table

The_Gentelman was the most prolific group, claiming four victims across manufacturing and agriculture. Groups such as Akira, Chaos, CMD, and Everest each reported two new compromises. These targeted a mix of professional services, construction, healthcare, and government entities. CMD ransomware continued its targeting of the healthcare sector. Everest's compromise of Asopagos s.a. in Colombia indicates ongoing risk to the Government/Public Sector.

Victim Distribution

By Country

• United States: 14
• Venezuela: 1
• Colombia: 1
• United Kingdom: 1
• Switzerland: 1
• Sri Lanka: 1
• Saudi Arabia: 1
• Mexico: 1
• Malaysia: 1
• Italy: 1

By Industry

• Legal Services: 3
• Healthcare: 2
• Retail: 2
• Business Services & Supplies: 1
• Wholesale Greenhouse: 1
• Transportation Equipment Manufacturing: 1
• Precious Metals Refining: 1
• Medical Equipment Manufacturing: 1
• Facilities Services: 1
• Education: 1

The United States remains the primary target country for ransomware, representing over half of the reported victims. Targeting is diverse, but Legal Services and Healthcare sectors show a significant concentration, demonstrating persistent threats to professional and essential services.

Ransomware News

Topline

The period shows complex criminal ecosystems are emerging alongside persistent ransomware and extortion campaigns, influencing cyber insurance market dynamics.

Campaigns & Operations

Flashpoint's analysis details "The Com," a diffuse neo-Nazi criminal ecosystem. Its "Hacker Com" wing is involved in breaches, DDoS attacks, and ransomware activity, recruits from gaming communities, and targets cloud and SaaS platforms. Separately, Qilin ransomware confirmed a cyber incident at Kennedy McLaughlin & Associates, an accounting firm, and DragonForce allegedly breached QLS Group, a Victorian retail logistics firm. ShinyHunters conducted a voice-phishing attack against Charter Communications, compromising an employee's Microsoft Entra identity and accessing a Salesforce instance, affecting 4.9 million accounts. A ransomware-style cyberattack also impacted Portraitbox GmbH, a German IT service provider for school photographers.

Vulnerabilities & TTPs

Threat actors are using sophisticated social engineering tactics, such as the voice-phishing attack ShinyHunters used to gain initial access via a compromised Microsoft Entra identity for Salesforce. The Com ecosystem targets critical cloud and SaaS platforms, including Okta, Salesforce, and Microsoft 365, showing a focus on widely adopted enterprise solutions.

Analyst Note

These incidents show threat actors are becoming more sophisticated, and strong defense is needed against social engineering and supply chain compromises.

Technical Takeaways

• The_Gentelman is the most active group, claiming four new victims across manufacturing and agriculture.
• The United States is the primary target country, accounting for 14 of the 25 reported ransomware victims.
• Legal Services and Healthcare are consistently targeted by various ransomware groups, along with Manufacturing.
• Extortion campaigns continue to use social engineering techniques, specifically voice-phishing, to compromise cloud and SaaS platforms.
• New threat ecosystems, such as "The Com," are emerging, integrating ransomware with broader criminal activities like child exploitation and physical intimidation.

Everest Ransomware Targets Healthcare, Utilities (7 Victims)

Statistical Overview

Victim Totals

• This month: 720
• This quarter: 1498
• Year to date: 4123
• Last 24h: 31

Quarterly Breakdown

Q1: 2631 | Q2: 1498 | Q3: 0 | Q4: 0

Ransomware activity shows a significant count for Q1, with Q2 maintaining consistent but lower activity. This indicates persistent threat actor operations across diverse sectors. The current period's observed victim count of 31 reflects ongoing, targeted ransomware campaigns.

Introduction

Recent ransomware activity saw 31 new victims across various sectors. Groups like Everest (7 victims), Qilin (5 victims), Akira (4 victims), and DragonForce (4 victims) were primary drivers. The United States remains the most targeted country. Industries such as healthcare, manufacturing, construction, hospitality, and legal services were affected. This period shows diverse threats with varied TTPs and an ongoing shift towards data exfiltration-focused extortion.

Ransomware Summary Table

Everest was the most active group, targeting healthcare and energy sectors, including "Advanced psychiatry associates" and "L&p aesthetics." Qilin and Akira also showed significant activity across construction, hospitality, and manufacturing. Victims included "Hospice Savannah" by CMD ransomware, which shows continued threats to the healthcare sector, and "Mairie thiverval grignon demo" by Medusa Locker, impacting a government entity. For more details on DragonForce's activities in real estate and healthcare, refer to our analysis on DragonForce Ransomware Targeting.

Victim Distribution

By Country

• United States: 11
• Germany: 3
• Canada: 3
• Spain: 2
• United Kingdom: 2
• Italy: 2
• Thailand: 1
• Australia: 1
• Netherlands: 1
• Kuwait: 1

By Industry

• Medical Practices: 2
• Real Estate: 2
• Manufacturing: 2
• Hospitality: 2
• Construction: 2
• Legal Services: 2
• Education: 1
• Venture Capital and Private Equity: 1
• Packaging and Containers Manufacturing: 1
• Oil and Gas Data Analytics: 1

The United States continues to see the most ransomware attacks, with broad distribution across several industries; none significantly dominate. This suggests less concentrated sector-specific campaigns and more opportunistic or diverse targeting by various ransomware operators, consistent with previous observations of groups like Qilin and DragonForce, as shown in our recent ransomware victim updates.

Ransomware News

Topline

The current period shows changes in cyber extortion, with a continued shift from data encryption to pure data exfiltration and diverse, sophisticated attack methods.

Campaigns & Operations

Silent Ransom Group operatives are increasingly engaging in in-person cyber extortion, physically appearing at victim offices to facilitate intrusions, often targeting law firms. The ShinyHunters gang, also known as Bling Libra, confirmed a social-engineering data breach affecting nearly 6 million Carnival Cruise customers, exfiltrating PII. Latin American cybercriminal groups are aggressively shifting towards exfiltrating government databases, with incidents like La Pampa Leaks affecting Uruguay's identity service and Chronus Group targeting Mexican government agencies. A ransomware incident at Wohnungsgenossenschaft Neukölln in Germany encrypted core property-management and financial systems, disrupting tenant services.

Vulnerabilities & TTPs

An analysis of Akira ransomware kill chains reveals initial access via brute-forcing forgotten local SSLVPN accounts lacking MFA. This is followed by lateral movement via RDP, credential access, and defense evasion, including security log clearance and shadow copy deletion. The broader cyber extortion economy shows a pivot, with extortion-only campaigns rising as threat actors use SaaS abuse, supply-chain compromises, and rapid data exfiltration, frequently bypassing traditional encryption methods. The FBI also warns about physical intrusion tactics by Silent Ransom Group, using methods like USB insertion or pressuring staff for remote sessions, often exfiltrating data via legitimate utilities like WinSCP or Rclone without encryption.

Analyst Note

These developments show the increasing sophistication and diversification of threat actor methods, from physical intrusions to advanced data exfiltration. This requires defensive strategies across both digital and physical security domains.

Technical Takeaways

• Implement Phishing-Resistant MFA: Crucial for all remote access points (e.g., SSLVPN) and administrator accounts to mitigate brute-force and credential stuffing attacks.
• Enhance Data Exfiltration Detection: Deploy end-to-end Data Loss Prevention (DLP) across cloud, endpoint, and network environments to detect rapid data theft, especially given the pivot from encryption.
• Strengthen Network Segmentation and Backup Integrity: Rigorous network segmentation limits lateral movement, while immutable offline backups ensure recovery capabilities even if primary systems are compromised.
• Correlate Perimeter and Endpoint Logs: Integrate and analyze logs from firewalls (e.g., SSLVPN syslog) and endpoint events (e.g., Windows EVTX) with synchronized NTP to reconstruct full kill chains and identify anomalous activity.
• Prepare for Physical Intrusion Vectors: Develop and rehearse incident response plans that account for in-person social engineering tactics, including policies for unidentified individuals and unauthorized device connections.

DragonForce Ransomware 19 Real Estate Healthcare Victims

Statistical Overview

Victim Totals

• This month: 689
• This quarter: 1467
• Year to date: 4092
• Last 24h: 36

Quarterly Breakdown

Q1: 2631 | Q2: 1467 | Q3: 0 | Q4: 0

Ransomware activity shows consistent levels this quarter, with DragonForce being a contributor in this period. The sustained victim count shows threat actors continue operating across diverse sectors.

Introduction

In the last 24 hours, 36 new ransomware victims have been reported. DragonForce was the most active group, accounting for over half of these incidents, followed by 0day-syndicate. Primary affected sectors include Real Estate, Healthcare, and Technology, with a significant concentration of incidents observed in the United States and the Netherlands.

Ransomware Summary Table

DragonForce was the most active in ransomware activity during this period, claiming 19 victims primarily in the Real Estate and Healthcare sectors across the United States and Netherlands. Other active groups, including 0day-syndicate, Medusa Locker, and Akira, contributed to a diverse range of victims spanning Technology, Professional Services, and Manufacturing. INC Ransom targeted Distrigaz Vest S.A. in Romania, showing a continued threat to critical infrastructure within the Energy & Utilities sector. For more on DragonForce's operations and targeting profiles, see our recent analysis.

Victim Distribution

By Country

• United States: 13
• United Kingdom: 4
• Netherlands: 3
• None: 3
• Mexico: 2
• Canada: 2
• Spain: 1
• Romania: 1
• Brazil: 1
• Germany: 1

By Industry

• Legal Services: 2
• Construction: 2
• Accounting: 1
• Natural Gas Distribution: 1
• Manufacturing: 1
• Oil and Gas: 1
• Staffing and Recruiting: 1
• Telecommunications and Traffic Management: 1
• Architectural Services: 1
• Architecture and Planning: 1

The United States remains the most targeted country, followed by the United Kingdom and the Netherlands. Industry targeting is diversified, with significant activity across professional services like Legal and Accounting, as well as critical sectors such as Natural Gas Distribution and Oil and Gas. More information on ransomware group activity, including Medusa Locker and Akira, is in recent threat intelligence updates.

Ransomware News

Topline

Ransomware developments include warnings of in-person data theft tactics by the Silent Ransom Group, reported ransomware incidents affecting municipalities, a Qilin group victim claim, and new cryptojacking campaigns using AI chatbots.

Campaigns & Operations

The FBI issued a warning regarding the Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, for an extortion scheme targeting U.S. law firms. This scheme combines social engineering tactics, such as posing as IT support for remote access, with a fallback of actors physically inserting USB drives to exfiltrate data. Incidents include a ransomware attack on Casalp's Livorno operations in Italy on May 11, 2026, and a partial compromise of Nandrin Municipality's IT infrastructure in Belgium around March 15, 2026. The Qilin ransomware group also named New Zealand's Alpha Group Holdings as a victim, providing limited incident details. Analysis of the wider ransomware field and quarterly trends is in our recent activity updates.

Vulnerabilities & TTPs

SRG's tactics involve impersonating IT personnel via phone, email, or live chat to gain initial access, then escalating privileges to deploy ransomware or exfiltrate data for double extortion, often blending with legitimate IT workflows. Separately, an active cryptojacking campaign is using AI chatbot interactions and SEO poisoning to redirect users to attacker-controlled download sites, delivering a rogue DLL via a packed ScreenConnect installer to establish persistence and run miners while bypassing Microsoft Defender.

Analyst Note

These events show the threat environment is changing, marked by sophisticated social engineering, persistent infrastructure targeting, and the exploitation of emerging technologies and search vectors for malicious purposes.

Technical Takeaways

• DragonForce led reported ransomware activity this period, affecting mainly Real Estate and Healthcare sectors.
• The United States remains the most frequent target country, with a broad distribution of victim industries.
• The Silent Ransom Group (SRG) uses a varied extortion approach, blending social engineering with potential physical access to victim networks for data exfiltration.
• Emerging attack vectors include cryptojacking campaigns that manipulate AI chatbot recommendations and search engine optimization to distribute malware.
• Critical infrastructure entities, such as Distrigaz Vest S.A., continue to be targeted by ransomware groups like INC Ransom.

DragonForce Leads Financial, Insurance Ransomware

Statistical Overview

Victim Totals

• This month: 620
• This quarter: 1398
• Year to date: 4023
• Last 24h: 35

Quarterly Breakdown

Q1: 2631 | Q2: 1398 | Q3: 0 | Q4: 0

Ransomware activity continues this quarter, with 35 new victims reported in the last 24 hours. DragonForce, Qilin, and NightSpire operations drive this period's activity, alongside disruptions to key ransomware infrastructure.

Introduction

The past 24 hours saw 35 new ransomware victims, with DragonForce, Qilin, and NightSpire as the most active groups. Targeting focused on the United States and Germany, impacting Financial Services, Insurance, and Healthcare. Law enforcement and industry efforts to dismantle ransomware infrastructure also occurred during this period.

Ransomware Summary Table

DragonForce was the most active group this period, claiming 12 victims mainly in Financial Services and Insurance across the United States and Germany. Qilin and NightSpire followed, impacting 13 organizations, especially within the Healthcare sector. Nova (RALord) targeted government entities in Brazil and Turkey, which shows ongoing risks to public sector organizations. For more insights on these groups, refer to our ransomware victims update.

Victim Distribution

By Country

• United States: 17
• Germany: 4
• Spain: 2
• Egypt: 2
• United Arab Emirates: 1
• Turkey: 1
• Australia: 1
• Singapore: 1
• Russia: 1
• New Zealand: 1

By Industry

• Insurance: 2
• Financial Services: 2
• Food and Beverage Manufacturing: 1
• Professional Training and Coaching: 1
• Accounting: 1
• Book and Periodical Publishing: 1
• Construction: 1
• Education & Training Services: 1
• Electric Lighting Equipment Manufacturing: 1
• Engineering and Design Services: 1

Ransomware targeting remains concentrated in the United States, accounting for nearly half of all new victims. While various industries were affected, Financial Services, Insurance, and Healthcare (seen with Qilin and NightSpire) show consistent targeting because these sectors have valuable data and operational sensitivities.

Ransomware News

Topline - Law enforcement and industry efforts disrupted key infrastructure supporting global ransomware operations. Various groups continue to claim new victims across diverse sectors.

Campaigns & Operations - Recent incidents include a March 3, 2023, ransomware attack on MSWiA Specialist Hospital in Złocieniec, Poland. This attack impacted an archival patient database. In Japan, Ficha Inc. reported a ransomware infection around May 25, 2026, leading to 13 server compromises and external copying of 144 GitHub repositories. Candeal Co., Ltd. experienced a March 11, 2026 incident where data moved towards attacker-controlled OneDrive, potentially affecting over 40,000 personal records. NOVA ransomware-as-a-service claimed a May 16, 2026 attack on the University of Valencia, exfiltrating 300 GB, though the university asserted only an obsolete research server was accessed. The Brain Cipher ransomware group alleged a hack of Australian newspaper The Adviser, claiming 350+ GB of exfiltrated data and using a LockBit variant.

Vulnerabilities & TTPs - Brain Cipher has been linked to exploiting CVE-2023-28252 for privilege escalation. Dutch authorities recently dismantled a bulletproof hosting network, which enabled ransomware, phishing, and malware campaigns, by arresting two suspects and seizing infrastructure. In a separate disruption, Microsoft's Digital Crimes Unit, in collaboration with Resecurity, shut down "Fox Tempest," a malware-signing-as-a-service operation that abused Microsoft Artifact Signing to generate short-lived certificates. This allowed actors to impersonate trusted tools and bypass endpoint defenses, disrupting a global ransomware supply chain affecting healthcare, education, and finance.

Analyst Note - The combination of sustained targeting by active groups like Qilin, as detailed in our threat activity report, alongside critical infrastructure disruptions, shows the dynamic and evolving nature of the ransomware threat.

Technical Takeaways

• DragonForce targets the Financial Services and Insurance sectors, predominantly in the United States and Germany.
• Healthcare organizations remain a key target, with Qilin and NightSpire compromising entities in this sector.
• Observed attack methods include using file transfer tools for data exfiltration and attacker-controlled cloud storage like OneDrive.
• Law enforcement and industry collaborations disrupt core ransomware infrastructure, including bulletproof hosting services and malware code-signing networks (e.g., Fox Tempest).
• Specific vulnerabilities, such as CVE-2023-28252, are exploited by groups like Brain Cipher for privilege escalation within victim networks.
• Double extortion tactics, including data exfiltration and public leak threats, continue as a standard procedure for multiple ransomware groups like Nova and Brain Cipher.

The Gentelman Ransomware Adds 9 Healthcare, Retail Victims

Statistical Overview

Victim Totals

• This month: 585
• This quarter: 1363
• Year to date: 3988
• Last 24h: 16

Quarterly Breakdown

Q1: 2631 | Q2: 1363 | Q3: 0 | Q4: 0

Ransomware activity remains consistent, with 16 new victims reported in the last 24 hours. The second quarter continues to show high activity, driven by operations from groups like The_Gentelman.

Introduction

Sixteen new ransomware victims were reported across various sectors and geographies. The Gentelman accounts for nine of these, DragonForce for three, and Bravox for two. Targeted sectors include Healthcare, Retail & Ecommerce, and Construction. Geographies affected span North America, Europe, and Asia. For more on recent threat activity, see our latest ransomware activity reports.

Ransomware Summary Table

The_Gentelman was the most active ransomware operator in the last 24 hours. It accounted for nine of the 16 reported victims, primarily impacting organizations in the United States and Japan within the Healthcare and Retail & Ecommerce sectors. DragonForce targeted three entities in the Construction & Engineering and Agriculture & Food sectors in the United States and Canada; see our ransomware victims updates for more on this group's activities. Bravox registered two victims, including a nonprofit and an energy utility, in Turkey and Canada. One victim was the Salvation Army.

Victim Distribution

By Country

• United States: 3
• Canada: 2
• Turkey: 2
• Argentina: 1
• Australia: 1
• Austria: 1
• France: 1
• Ireland: 1
• Japan: 1
• Poland: 1

By Industry

• Healthcare: 1
• Wholesale: 1
• IT Services and IT Consulting: 1
• Construction: 1
• Non-Governmental Social Services: 1
• Municipal Government: 1
• Telecommunications: 1
• Glass Packaging Manufacturing: 1
• Engineering and Manufacturing: 1
• Furniture Manufacturing: 1

Ransomware victims are geographically widespread, and no single country or industry overwhelmingly dominates current attack patterns. This suggests some ransomware groups use opportunistic or broad targeting strategies, though others show sector preferences.

Ransomware News

Topline - Recent ransomware developments involve targeted intrusions, persistent sophisticated botnet operations, and defensive actions that stopped attempted attacks.

Campaigns & Operations - Matsuzawa Shoten in Japan experienced a ransomware intrusion that crippled its order-management system. This required a server switchover and a staged return to ordering via email or fax, with ongoing recovery for EDI channels and specific platforms. The Scottsboro Police Department in Alabama quickly detected and shut down an attempted cybersecurity attack on its servers. This prevented data encryption or exfiltration and maintained public services.

Vulnerabilities & TTPs - FortiGuard Labs discovered persistent P2Pinfect botnet activity within Google Kubernetes Engine (GKE) clusters, exploiting exposed Redis instances and unauthenticated management interfaces over a six-month timeline. This Rust-based client operates behind a decentralized peer-to-peer mesh, renting access keys for ransomware or crypto miners, and continually expands its initial-access toolkit to include flaws like the Metro4Shell vulnerability in React Native servers and potential RediShell sandbox escapes.

Analyst Note - These events show diverse threats, from direct ransomware deployment to the use of sophisticated botnets for initial access. This demonstrates the important need for rapid incident response and strong network hardening.

Technical Takeaways

• The_Gentelman is an active ransomware group, impacting multiple sectors including Healthcare and Retail & Ecommerce.
• Ransomware activity shows broad geographic targeting across North America, Europe, and Asia.
• The P2Pinfect botnet uses a decentralized, Rust-based client for persistence in cloud environments and offers "botnet-for-hire" services, indicating new ransomware initial access methods.
• Exploiting exposed Redis instances and unauthenticated management interfaces remains an important initial access vector for sophisticated threats.
• Effective incident response, as demonstrated by the Scottsboro Police Department, can reduce the impact of ransomware attempts by rapidly isolating affected systems.

Why Healthcare and Retail Are Prime Ransomware Targets

Healthcare and retail organizations remain among the most frequently attacked sectors due to their reliance on legacy systems, large volumes of sensitive customer and patient data, and pressure to maintain uptime at all costs. Ransomware groups like The_Gentelman exploit these vulnerabilities deliberately.

• Healthcare: Electronic health records and billing systems create high-value data leverage
• Retail & Ecommerce: Payment data and supply chain dependencies increase attack surface
• Operational pressure: Both sectors often pay ransoms quickly to restore services
• Understaffed security teams: Smaller regional operators lack dedicated incident response

See also: Ransomware Impact on Critical Infrastructure

Understanding The_Gentelman Threat Group

The_Gentelman is an emerging ransomware operation demonstrating a focused targeting strategy across international geographies including the United States and Japan. With nine victims claimed in a single 24-hour reporting window, this group signals rapid operational tempo.

• Targets span multiple continents, suggesting automated or affiliate-driven campaigns
• Victim profiles include mid-market companies with limited security maturity
• The group's naming conventions suggest deliberate branding for notoriety
• Activity aligns with broader Q2 ransomware surge trends

Related reading: Tracking Emerging Ransomware Groups

How Organizations Can Reduce Ransomware Exposure

Defending against groups like The_Gentelman requires proactive measures beyond standard endpoint protection. Organizations in high-risk sectors should prioritize layered defenses.

• Regular offline backups: Ensure recovery without paying ransom demands
• Network segmentation: Limit lateral movement following initial compromise
• Threat intelligence feeds: Monitor dark web leak sites for early victim disclosures
• Incident response planning: Pre-established playbooks reduce response time significantly
• Employee phishing training: Many ransomware intrusions begin with credential theft

For current threat actor tracking: Latest Ransomware Threat Activity

Law Enforcement Disrupts Ransomware 33 Servers Seized

Statistical Overview

Victim Totals

• This month: 570
• This quarter: 1348
• Year to date: 3973
• Last 24h: 11

Quarterly Breakdown

Q1: 2631 | Q2: 1348 | Q3: 0 | Q4: 0

Ransomware activity shows a consistent year-to-date accumulation of victims. Current quarterly numbers indicate a high volume, though Q2 activity tracks lower than Q1's peak.

Introduction

Ransomware activity saw 11 new victims reported in the last 24 hours. Activity is diversified across several groups, with Nova (RALord) and SLSH being the most active. Affected sectors are broad, encompassing manufacturing, healthcare, and government, while targeting spanned multiple geographies, including the United States, Spain, and Turkey. For further context on ongoing threat activity, refer to our latest ransomware threat activity report. For a broader view of trends, consult our recent update on ransomware groups and Q2 trends.

Which Ransomware Groups Are Currently Most Active?

Nova (RALord) and SLSH were the most active groups, each claiming three victims, predominantly in the United States. Krybit targeted two entities, including Bangkok.go.th, a government sector victim in Thailand, alongside a transportation and logistics firm in Argentina. Overall, activity remains fragmented across groups, showing no single operator's dominance in this period.

How Are Ransomware Victims Geographically and Industrially Distributed?

By Country

• United States: 4
• Spain: 2
• Turkey: 2
• Argentina: 1
• Thailand: 1
• Vietnam: 1

By Industry

• Transportation and Logistics: 1
• Aerospace Manufacturing: 1
• Higher Education: 1
• Government Administration: 1
• Automotive Manufacturing: 1
• Retail: 1
• Construction: 1
• Health Care Equipment & Services: 1
• Telecommunications and Mass Media: 1
• Wholesale Distribution: 1

The distribution of new ransomware victims is diverse, spanning ten distinct industries and six countries. This wide array of targeting suggests an opportunistic approach by threat actors, without a discernible focus on any particular sector or geographic region in this period.

What Are the Latest Ransomware Developments?

Topline

This period shows significant counter-ransomware operations, new threat actor capabilities, and leaks exposing criminal methodologies.

Campaigns & Operations

International law enforcement has disrupted the "First VPN Service," a criminal VPN used by at least 25 ransomware groups, including Avaddon. They seized 33 servers and 32 exit nodes across 27 countries. New intelligence reveals details of the "GENTLEMEN RANSOMWARE LEAKS," exposing a RaaS operation active since September 2025 that has impacted over 420 victims. Separately, the Qilin ransomware group attacked Eyguières Town Hall in France, compromising municipal IT infrastructure and resident data to facilitate identity fraud.

Vulnerabilities & TTPs

Intrusion vectors detailed in the GENTLEMEN LEAKS include FortiGate SSL-VPN web-panel brute-force alongside LDAP credential dumping for rapid domain compromise and lateral movement. The FBI also warns of "Kali365," a fast-growing phishing-as-a-service kit that exploits legitimate Microsoft 365 device-code OAuth flows to bypass multi-factor authentication and steal persistent access tokens. This kit, distributed via Telegram, bundles AI-generated lures and automated campaign templates.

Analyst Note

These developments show how ransomware changes, with authorities disrupting infrastructure and threat actors innovating access methods and operational security.

Technical Takeaways

• International law enforcement successfully disrupted "First VPN Service," impacting infrastructure used by at least 25 ransomware groups.
• The GENTLEMEN RANSOMWARE LEAKS reveal a RaaS operation using FortiGate SSL-VPN brute-force and LDAP credential dumping for initial access.
• A new phishing-as-a-service kit, Kali365, exploits Microsoft 365 device-code OAuth flows to bypass MFA and steal access tokens.
• Ransomware targeting remains diversified across industries and geographies, with no single sector or region showing concentrated activity.

CMD Ransomware Hits 5 Healthcare Nonprofits

Statistical Overview

Victim Totals

• This month: 561
• This quarter: 1339
• Year to date: 3965
• Last 24h: 24

Quarterly Breakdown

Q1: 2631 | Q2: 1339 | Q3: 0 | Q4: 0

Ransomware activity continues to accumulate this quarter, with 24 new victims identified in the last 24 hours. This surge is predominantly influenced by groups such as CMD, Akira, APT73, and Qilin.

Introduction

Recent ransomware activity shows 24 new victim disclosures and sustained threat actor activity. Dominant groups included CMD, Akira, APT73, and Qilin, collectively responsible for over two-thirds of the reported incidents. Affected sectors include Healthcare, Nonprofit, Manufacturing, and Technology. Most organizations were targeted within the United States.

Ransomware Summary Table

CMD was the most active ransomware group, impacting five organizations primarily in the Nonprofit and Healthcare sectors, including Holy Name of Jesus and Houston Eye Associates. Other significant actors, including APT73, Akira, and Qilin, each reported four new victims, diversifying their targeting across Media & Entertainment, Government, Construction & Engineering, Hospitality & Travel, Real Estate, and Technology sectors. This broad activity shows ongoing pressure across various industries, with the United States remaining a primary target geography, a trend observed across recent ransomware group activity updates.

Victim Distribution

By Country

• United States: 11
• Canada: 2
• Spain: 1
• Turkey: 1
• Argentina: 1
• Panama: 1
• Mexico: 1
• Italy: 1
• Ireland: 1
• Indonesia: 1

By Industry

• Medical Practices: 2
• Food and Beverage Manufacturing: 2
• Manufacturing: 2
• Electronics and Technology Distribution: 1
• Religious Organization: 1
• Packaging and Containers Manufacturing: 1
• Law Firms & Legal Services: 1
• Hospitality: 1
• Healthcare: 1
• Construction: 1

The concentration of attacks continues to be highest in the United States, representing nearly half of all new victims. Industrially, the threat environment shows a persistent focus on medical practices and the broader manufacturing sector, which points to strategic targeting of both critical services and industrial operations.

Ransomware News

Topline

Recent developments demonstrate persistent ransomware threats across multiple sectors, characterized by significant data exfiltration, service disruptions, and increasing legal ramifications.

Campaigns & Operations

The Ransom Home group claimed responsibility for a cyberattack on Hospital Clínic de Barcelona, demanding $4.5 million and threatening to release 4 TB of patient data, though authorities have stated they will not pay. Separately, Liberty Mutual is facing a federal class-action lawsuit following a data leak attributed to the Everest Group ransomware operation, which allegedly exfiltrated 108 GB of client information affecting over 15,630 individuals. In Japan, Enessance Holdings Co., Ltd. and Hokuyo Co., Ltd. both disclosed ransomware incidents; Enessance confirmed encryption and the exfiltration of approximately 365,000 customer and 2,000 employee records, while Hokuyo reported a system outage that has since been resolved. Austria's Rhomberg Bau Group also experienced an intrusion involving data exfiltration and ransom demands, prompting a police investigation and system segmentation.

Vulnerabilities & TTPs

The Everest Group's operational tactics frequently involve initial access via credential theft, phishing, or exploiting unpatched services. They then move laterally using legitimate administrative tools to blend with normal network traffic. Data exfiltration remains a consistent outcome across these varied incidents, showing its central role in modern ransomware and extortion campaigns.

Analyst Note

These incidents collectively demonstrate the persistent financial and reputational impact of ransomware, with an ongoing emphasis on data exfiltration as a primary means of coercion for threat actors.

Technical Takeaways

• CMD is the most active group, primarily targeting Healthcare and Nonprofit sectors with five confirmed victims.
• The United States remains the most frequently targeted country, accounting for nearly half of all new ransomware victim disclosures.
• Data exfiltration is a prevalent tactic across multiple ransomware incidents, leading to significant financial and legal consequences for victim organizations, as seen in the Liberty Mutual case.
• Beyond Healthcare, groups like Akira (see our ransomware threat update) and Qilin (detailed in our Qilin ransomware threat activity post) continue to diversify their targeting across Construction, Hospitality, Real Estate, and Technology.
• The persistence of ransomware attacks necessitates strong incident response and data protection strategies, given ongoing exfiltration and operational disruption.

Ransomware Activity Driven by VPN Exploitation, Takedowns

Statistical Overview

Victim Totals

• This month: 542
• This quarter: 1320
• Year to date: 3946
• Last 24h: 22

Quarterly Breakdown Q1: 2631 | Q2: 1320 | Q3: 0 | Q4: 0

Ransomware activity continues at a consistent pace, with the observed 22 new victims in the last 24 hours contributing to the ongoing quarterly totals. This period reflects a diverse targeting approach across various sectors and geographies.

Introduction

The past 24 hours saw 22 new ransomware victims, indicating persistent activity across the threat environment. The most active groups included Payload (4 victims), APT73 (3 victims), CoinbaseCartel (3 victims), and The_Gentelman (3 victims). Affected sectors ranged from Transportation & Logistics and Healthcare to Technology/Software and Manufacturing, with many incidents in the United States.

Ransomware Summary Table

Payload emerged as the most prolific ransomware group in this period, predominantly impacting transportation and healthcare entities. Other notable activity includes APT73 targeting manufacturing and pharmaceuticals, CoinbaseCartel breaching telecommunications and technology firms, and The_Gentelman affecting retail and manufacturing across the Americas. Several groups, including Qilin and LockBit, continued to target diverse geographies and industries.

Victim Distribution

By Country

• United States: 8
• United Kingdom: 2
• Singapore: 2
• Thailand: 1
• Australia: 1
• North Macedonia: 1
• Mexico: 1
• Ireland: 1
• Gibraltar: 1
• Germany: 1

By Industry

• Astronomical Research: 1
• Office Equipment Manufacturing: 1
• Numismatics and Collectibles: 1
• Nonprofit Organization: 1
• Healthcare: 1
• Executive Coaching and Leadership Development: 1
• Construction: 1
• Chemical Manufacturing: 1
• Aviation and Aerospace Component Manufacturing: 1
• Law Firms & Legal Services: 1

The United States remains a primary target, with the highest number of victims, while industrial and technology sectors show broad exposure. This suggests a continued opportunistic targeting approach combined with a focus on economically vital infrastructure.

Ransomware News

Topline - Law enforcement significantly disrupted ransomware infrastructure while threat actors continued exploiting VPN vulnerabilities and targeting supply chain entities and financial institutions.

Campaigns & Operations - In a coordinated multinational effort, Europol executed "Operation Saffron," seizing the "First VPN" service and arresting its administrator, which was widely used by ransomware gangs for anonymity. Concurrently, ransomware attacks impacted Hongsu Technology, a TSMC CoWoS equipment factory in Taiwan, and Nostrum Co., Ltd. in Japan, which provides learning support services. ShinyHunters claimed a data breach against 7-Eleven, exfiltrating franchisee data. CoinbaseCartel and TeamPCP asserted data-leak claims against an Open-Source Visualization Platform and a major developer platform respectively. Reports also described ongoing threats to the Korean financial sector, involving a three-stage malware workflow. Various industrial organizations also faced APT and financial attacks from groups like Head Mare, LockBit 5.0, and DynoWiper/LazyWiper. For more information on recent threat activity, see our analysis of latest ransomware threat activity.

Vulnerabilities & TTPs - Threat actors continue to exploit poorly patched SonicWall SSL VPN appliances, specifically using CVE-2024-12802 for MFA bypass and credential brute-forcing. Beyond VPNs, initial access commonly involved phishing delivering backdoor-downloader-droppers and infostealers, as observed in the Korean financial sector. The threat environment also includes discussions on securing AI model pipelines from ransomware, which targets vulnerabilities in weights, training pipelines, and orchestration layers.

Analyst Note - The period shows a dual focus: disrupting established cybercrime infrastructure and confronting persistent exploitation of network perimeter vulnerabilities and expanding threats to emerging technologies.

Technical Takeaways

• Europol's takedown of "First VPN" demonstrates an increased focus on disrupting core cybercrime infrastructure.
• Persistent exploitation of VPN vulnerabilities, specifically SonicWall SSL VPN CVE-2024-12802, shows the need for complete patching and multi-factor authentication.
• Ransomware activity includes targeting of supply chain entities, such as the attack on Hongsu Technology, a TSMC CoWoS equipment supplier.
• Financial and industrial sectors face diverse attack chains, incorporating multi-stage malware, infostealers, and a variety of ransomware strains (e.g., Everest, Qilin, LockBit 5.0).
• Emerging threats to AI infrastructure show vulnerabilities within model pipelines, training data, GPU clusters, and other components, which points to a future ransomware vector.

Ransomware Report - 04/08/2026

Statistical Overview

Victim Totals

• This month: 186
• This quarter: 186
• Year to date: 2808
• Last 24h: 15

Quarterly Breakdown Q1: 2622 | Q2: 186 | Q3: 0 | Q4: 0 Ransomware activity recorded 186 victims in Q2 so far. This shows persistent activity into the new quarter, though slower than the previous quarter's total.

Introduction

In the last 24 hours, PurpleOps observed 15 new ransomware victims, which indicates consistent threat actor activity. The most active groups included CoinbaseCartel (3 victims), INC_Ransom (2), Kairos (2), and Payload (2). Key sectors affected include Financial Services, Legal, Healthcare, Professional Services, and Energy & Utilities, with most incidents concentrated in the United States and Austria.

Ransomware Summary Table

Today's activity shows diverse threats, with CoinbaseCartel leading in reported victims, primarily impacting Financial Services and Manufacturing. Multiple groups, including Payload and World Leaks, targeted critical infrastructure organizations-specifically El Wastani Petroleum Company (Egypt) and Deaconess Health System (United States). This demonstrates continued pressure on essential services. Financial Services, Legal, and Healthcare sectors remain consistently targeted across North America, Europe, and Australia.

Victim Distribution

By Country

• United States: 7
• Austria: 2
• Australia: 1
• Egypt: 1
• France: 1
• Switzerland: 1
• United Kingdom: 1
• Venezuela: 1

By Industry

• Legal Services: 2
• Pharmaceutical Manufacturing: 1
• Building Technical Services: 1
• Tax Consulting: 1
• Oil and Gas: 1
• Construction and Engineering: 1
• Financial Services: 1
• Healthcare: 1
• Healthcare & Social Services: 1
• Legal Practice: 1 The United States continues to be the primary target region for ransomware attacks, accounting for nearly half of all reported victims. Industry distribution shows a concentration in legal services, followed by various sectors including healthcare, financial services, and professional services, which shows targeting across many economic segments.

Ransomware News

Today's intelligence shows significant ransomware activity, particularly impacting critical sectors and rapid exploitation techniques.

Topline Multiple cyberattacks against healthcare entities in the Netherlands and United States, and high-velocity ransomware campaigns exploiting known vulnerabilities, are the latest developments in ransomware.

Campaigns & Operations A severe cyberattack on Dutch healthcare vendor ChipSoft around April 7, 2026, disrupted hospital portals across the Netherlands, threatening care workflows. Concurrently, Signature Healthcare in Massachusetts also activated incident response due to suspicious network activity, leading to ambulance diversions and delayed chemotherapy. The Silent Ransom Group (aka Luna Moth/Chatty Spider/UNC3753) claimed a phishing-driven attack on legal giant Jones Day, while the Qilin ransomware group listed Australian computer-vision firm Seeing Machines as a victim. Separately, Space Bears claimed a breach of Sydney's GC Dental.

Vulnerabilities & TTPs Microsoft Threat Intelligence detailed Storm-1175's high-velocity Medusa ransomware campaigns. These campaigns rapidly move from exploiting known vulnerabilities such as CVE-2026-1731 (BeyondTrust), CVE-2025-31161 (CrushFTP), CVE-2024-27198 (JetBrains TeamCity), CVE-2023-21529 (Microsoft Exchange), CVE-2026-23760 (SmarterMail), and CVE-2025-10035 (GoAnywhere MFT) to data exfiltration and deployment, sometimes within 24 hours. Phishing and social engineering continue to be exploited as initial access vectors by groups like the Silent Ransom Group.

Analyst Note The accelerated breakout times and persistent targeting of critical sectors, especially healthcare, show organizations urgently need to implement prevention-first cybersecurity measures, including prompt patching of known vulnerabilities and strong identity protection.

Technical Takeaways

• Critical Sector Targeting: Healthcare and Energy & Utilities continue to experience direct ransomware impact, leading to operational disruptions and potential data exposure.
• Rapid Exploitation: Threat actor Storm-1175 demonstrates the accelerated timeframe for exploiting known vulnerabilities (e.g., CVE-2026-1731, CVE-2025-31161) and deploying ransomware, often within 24 hours of initial access.
• Geographic Focus: The United States remains the most frequently targeted country, accounting for nearly 50% of observed activity, followed by a spread across Europe and ANZ regions.
• Established and Emerging Groups: Groups like Qilin maintain operations, while others such as CoinbaseCartel and Payload have demonstrated activity in the last 24 hours.
• Initial Access Vectors: Phishing and social engineering remain effective initial access vectors, as evidenced by the Jones Day incident attributed to the Silent Ransom Group.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

CoinbaseCartel was the most active group, responsible for 3 reported victims. Other active groups included INC_Ransom, Kairos, and Payload, each with 2 victims.

Q: What industries were primarily targeted by ransomware today?

Legal Services saw the highest number of targets with 2 victims. Other affected industries included Financial Services, Healthcare, Manufacturing, Professional Services, and Energy & Utilities.

Q: Which countries experienced the most ransomware attacks?

The United States was the most targeted country with 7 reported victims. Austria followed with 2 victims, while Australia, Egypt, France, Switzerland, United Kingdom, and Venezuela each recorded 1 victim.

Q: Were any critical infrastructure organizations targeted today?

Yes, Payload targeted El Wastani Petroleum Company (WASCO) in Egypt, an Energy & Utilities entity. Additionally, World Leaks listed Deaconess Health System in the United States, a healthcare provider.

Q: What ransomware trends or campaigns were reported today?

Reports describe "high-velocity" campaigns by Storm-1175 deploying Medusa ransomware, often within 24 hours of exploiting known vulnerabilities (e.g., CVE-2026-1731). There were also significant cyberattacks impacting healthcare systems in the Netherlands (ChipSoft) and the US (Signature Healthcare).

About PurpleOps

PurpleOps works with cyber threat intelligence, ransomware tracking, and dark web research. Our platform provides real-time information into ransomware operations, emerging CVEs, and the underground economy. Learn how we help organizations detect, prevent, and respond to ransomware threats:

• Cyber Threat Intelligence
• Dark Web Monitoring
• Protect Against Ransomware
• Penetration Testing
• Supply-Chain Security

Ransomware Report - 05/18/2026

Statistical Overview

Victim Totals

• This month: 468
• This quarter: 1246
• Year to date: 3872
• Last 24h: 28

Quarterly Breakdown

Q1: 2631 | Q2: 1246 | Q3: 0 | Q4: 0

Ransomware activity in Q2 continues at a steady pace, consistent with previous trends. The year-to-date victim count is substantial, with 28 new entities impacted in the last 24 hours.

Introduction

The past 24 hours saw 28 new ransomware victims publicly reported, showing the persistent threat across various sectors. Qilin and Titan were the most active groups, each claiming seven new victims. Manufacturing and Construction & Engineering sectors were impacted, and professional services and government entities across diverse geographies also continued to be targeted.

Ransomware Summary Table

Ransomware activity over the last 24 hours was dominated by Qilin and Titan, collectively responsible for 14 of the 28 new victims. Manufacturing and Construction & Engineering sectors remain primary targets, experiencing attacks from multiple groups including AiLock, Akira, Doommageddon, and Lamashtu. Geographically, North America, particularly the United States and Canada, sustained a high volume of attacks. Targets today include Majlis perbandaran alor gajah (Malaysia) by Qilin, and Trésor public (Senegal) by Audit. This shows a continued focus on government and public-sector institutions. For more on Qilin's recent activity, see our Ransomware Victims Update - May 16 and Qilin Ransomware Threat Activity - May 14.

Victim Distribution

By Country

• United States: 9
• Canada: 3
• Turkey: 2
• Malaysia: 2
• Spain: 1
• United Kingdom: 1
• Tunisia: 1
• Taiwan: 1
• Argentina: 1
• Singapore: 1

By Industry

• Manufacturing: 2
• Public Administration: 2
• Food and Beverage Services: 1
• Industrial Machinery Manufacturing: 1
• Higher Education: 1
• Healthcare Services: 1
• Health, Wellness & Fitness: 1
• Food & Beverage: 1
• Computer Hardware Manufacturing: 1
• Architectural Services: 1

The concentration of attacks over the last 24 hours shows a continued focus on the United States and Canada, while the manufacturing sector remains a consistent high-value target for ransomware operators globally. Public administration also saw sustained pressure, which indicates diversified targeting.

Ransomware News

Topline

The past 24 hours saw several ransomware-related developments, including claims by the Qilin group, a GitHub breach impacting Grafana, an internal breach exposing The Gentlemen ransomware gang's operations, and new Q1 2026 threat intelligence.

Campaigns & Operations

The Qilin ransomware-as-a-service operation claimed Generation Life as a victim following a breach via an external service provider. Qilin's global victim tally reached 1,842. CoinbaseCartel claimed responsibility for breaching Grafana's GitHub environment using a stolen access token to download source code. Links were drawn to ShinyHunters/Lapsus$ affiliates. The Gentlemen ransomware gang experienced an internal breach in May 2026, exposing its backend infrastructure, affiliate program data, and operational tools, despite an estimated 1,570 victims. 3i Infotech Limited in India reported a ransomware cyber attack on May 16, 2026. A Check Point Research threat intelligence report also detailed breaches at Vodafone, West Pharmaceutical Services, and Foxconn's North American operations.

Vulnerabilities & TTPs

Threat intelligence showed critical vulnerabilities, including Claw Chain vulnerabilities in OpenClaw (CVE-2026-44112, CVSS 9.6), an unpatched macOS kernel exploit bypassing Memory Integrity on M5 chips, Windows zero-days YellowKey and GreenPlasma, and other flaws in NGINX (CVE-2026-42945), Catalyst SD-WAN (CVE-2026-20182), and Wi-Fi components (CVE-2026-28819). The Grafana breach showed the risk of GitHub token leakage and credential theft, while phishing campaigns deploying v0.dev to harvest credentials via Telegram bots continue to be prevalent.

Analyst Note

These incidents show a continued trend of supply chain targeting, credential theft for initial access, and persistent activity by established ransomware groups. Q1 2026 analyses from Check Point Research and Kaspersky confirmed widespread attacks, impacting thousands of users and introducing thousands of new ransomware variants.

Technical Takeaways

• Increased Focus on Government Entities: Both Qilin and Audit groups targeted public administration bodies (Majlis perbandaran alor gajah, Trésor public). This indicates a persistent, high-value target sector.
• Supply Chain & Credential Theft: The Grafana breach, attributed to CoinbaseCartel via a stolen GitHub token, shows how supply chain vulnerabilities and credential compromise are critical initial access vectors.
• Group Activity: Qilin maintained a leading position with seven new victims, further extending its global reach. For more on Akira's activity, see our Ransomware Threat Update Intelligence - May 11.
• Ongoing Q1 Threat Volume: Multiple threat intelligence reports show significant ransomware activity and new variant introductions in Q1 2026. This suggests a consistently high threat level extending into Q2.
• Vulnerability Exploitation: Several critical CVEs across various platforms (OpenClaw, NGINX, Catalyst SD-WAN, Wi-Fi components) were flagged, which indicates potential for mass exploitation and continued TTP development by threat actors.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

A: In the past 24 hours, Qilin and Titan were the most active ransomware groups, each claiming 7 new victims. Other groups like AiLock, Akira, and Doommageddon also reported multiple new victims.

Q: What industries were most targeted by ransomware today?

A: Manufacturing and Construction & Engineering were the most frequently targeted industries, each seeing multiple attacks from various groups. Public Administration also experienced considerable targeting, including high-value government entities.

Q: What regions saw the most ransomware attacks today?

A: The United States recorded the highest number of ransomware victims with 9 incidents, followed by Canada with 3. Turkey and Malaysia also saw 2 reported victims each. This indicates a broad global distribution of attacks.

Q: Were there any major breaches or exposures involving ransomware gangs or major organizations?

A: Yes, the CoinbaseCartel group claimed responsibility for breaching Grafana's GitHub environment by stealing an access token and downloading source code. The Gentlemen ransomware gang also suffered an internal breach, exposing their backend infrastructure and operational data.

Q: What critical vulnerabilities were detailed in recent threat intelligence reports?

A: Recent reports flagged several critical vulnerabilities, including Claw Chain vulnerabilities in OpenClaw (CVE-2026-44112), unpatched Windows zero-days, and flaws in NGINX (CVE-2026-42945), Catalyst SD-WAN (CVE-2026-20182), and Wi-Fi components (CVE-2026-28819), and a macOS kernel exploit.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/17/2026

Statistical Overview

Victim Totals

• This month: 440
• This quarter: 1218
• Year to date: 3835
• Last 24h: 17

Quarterly Breakdown

Q1: 2622 | Q2: 1218 | Q3: 0 | Q4: 0

Ransomware activity in Q2, while still early, has already reached over 46% of Q1's total victim count, suggesting a sustained or potentially increased operational tempo from ransomware groups as the quarter progresses.

Introduction

The past 24 hours saw 17 new ransomware victims added to leak sites, showing continued pressure across various sectors. The most active groups included M3RXDLS with four reported victims, followed by Nova (RALord) and Qilin, each claiming three. Geographically, attacks were broadly distributed, with the United States and Spain registering the highest number of reported incidents, while industries such as Technology/Software and Healthcare continued to experience significant targeting.

Ransomware Summary Table

Today's ransomware activity saw M3RXDLS leading the reported victim count, showing its persistent operations primarily in Europe. Nova (RALord) and Qilin also showed significant activity, with Qilin impacting organizations across Asia and South America. DragonForce maintained its presence with targets in Europe, while other groups such as Beast, INC Ransom, and Lamashtu each claimed single victims, showing a fragmented but active threat picture. For more details into specific threat actors, review our recent analysis of M3RXDLS ransomware activity and a detailed look at Qilin ransomware activity.

Targeting today included Clinica Avellaneda Medical Center in Chile by Qilin, showing ongoing ransomware pressure on the healthcare sector in Latin America.

Victim Distribution

By Country

• United States: 4
• Spain: 3
• Romania: 1
• South Korea: 1
• Argentina: 1
• Philippines: 1
• Malaysia: 1
• Italy: 1
• Isle of Man: 1
• India: 1

By Industry

• Information Technology and Services: 2
• Gambling: 1
• Wholesale: 1
• Religious Organization: 1
• Food and Beverage Services: 1
• Insurance Brokerage: 1
• Automotive Parts Retail and E-commerce: 1
• Cosmetics Manufacturing: 1
• Healthcare: 1
• Education: 1

The concentration of attacks indicates continued targeting of the United States and European nations, with a spread across various industries. This suggests threat actors are employing opportunistic tactics rather than focusing on a single high-value sector or region, reflecting the diverse nature of recent ransomware victim updates.

Ransomware News

Topline

Grafana Labs disclosed a breach involving source code theft but rejected the associated ransom demand.

Campaigns & Operations

An attacker gained access to a portion of Grafana's GitHub environment via a compromised token, leading to the download of source code. Grafana reported no exposure of customer data or impact on customer environments and publicly refused the ransom demand, aligning with FBI guidance against payments. Remediation included revoking compromised credentials and implementing additional safeguards, with a post-incident review planned to describe further technical findings.

Vulnerabilities & TTPs

The incident was facilitated by a compromised token. Credential compromise remains a persistent initial access vector. Investigators found no evidence of customer data exposure or impact to customer environments.

Analyst Note

This incident shows the ongoing threat of data exfiltration and supply-chain risk, even when encryption is not deployed, and the complexities of managing developer environment security.

Technical Takeaways

• M3RXDLS, Nova (RALord), and Qilin collectively accounted for 10 out of 17 new victims, which shows their continued significant activity.
• Geographic targeting remains diverse, with the United States, Spain, and APAC countries (Philippines, South Korea, Malaysia, India) seeing prominent activity, as shown in the latest ransomware victims update.
• The healthcare sector, exemplified by Qilin's targeting of Clinica Avellaneda Medical Center, remains a persistent focus for ransomware groups.
• The Grafana incident shows data exfiltration without encryption as a distinct threat model, where intellectual property theft is the primary objective rather than system disruption.
• Credential compromise, as seen in the Grafana breach, continues to be a prevalent initial access vector for sophisticated threat actors.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

M3RXDLS was the most active group, claiming 4 new victims. Nova (RALord) and Qilin were also very active, each reporting 3 new victims during this period.

Q: What industries were most frequently targeted by ransomware today?

The Information Technology and Services sector, Agriculture & Food, Hospitality & Travel, and Healthcare each saw multiple new ransomware incidents today. This indicates a broad targeting approach rather than a singular industry focus.

Q: What geographic regions experienced the highest volume of new ransomware attacks?

The United States recorded the highest number of new ransomware victims with 4 incidents, followed by Spain with 3. Other regions, including the Philippines, South Korea, Malaysia, and Chile, also saw activity.

Q: Was there any significant ransomware-related news today?

Yes, Grafana Labs disclosed a breach where an attacker stole source code via a compromised token. Grafana rejected the ransom demand, confirming no customer data exposure and confirming their adherence to FBI guidance.

Q: Are there any specific attack vectors or TTPs highlighted in recent ransomware activity?

The Grafana incident specifically showed credential compromise, using a "compromised token," as an effective initial access vector for data exfiltration without traditional ransomware encryption. This points to a continued focus on credential hygiene and developer environment security.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/16/2026

Statistical Overview

Victim Totals

• This month: 424
• This quarter: 1202
• Year to date: 3819
• Last 24h: 24

Quarterly Breakdown

Quarter 2 activity continues, with 1202 victims recorded to date. This follows an active Q1. The last 24 hours saw 24 new entities impacted, showing ongoing pressure across various sectors.

Introduction

In the last 24 hours, PurpleOps recorded 24 new ransomware victims, showing persistent threat actor activity. The most active groups included Qilin (8 victims), LockBit (6 victims), and DragonForce (4 victims). Targeting remained geographically diverse, though concentrated in the United States. Sectors such as Healthcare and Education experienced significant impact.

Ransomware Summary Table

Today's ransomware activity was primarily led by Qilin, which accounted for a third of all new victims. The group's targets included financial services and education entities across Thailand and the United States. LockBit and DragonForce were also active, contributing to pressure on the healthcare sector. No specific high-value government or critical infrastructure targets were identified among the new victims in the last 24 hours. PurpleOps continues to monitor these groups, providing real-time ransomware threat activity updates.

Victim Distribution

By Country

• United States: 11
• Australia: 3
• Brazil: 3
• Thailand: 2
• United Kingdom: 1
• Peru: 1
• Netherlands: 1
• Indonesia: 1
• Dominican Republic: 1

By Industry

• Healthcare: 4
• Education: 3
• Healthcare Services: 1
• Software Development: 1
• Software: 1
• Retail: 1
• Pain Management Medicine: 1
• Insurance: 1
• Industrial Machinery & Equipment: 1
• Industrial Distribution: 1

The United States remains the primary target for ransomware attacks, accounting for nearly half of the new victims. Industrially, the healthcare and education sectors show a concentration of attacks because attackers continue to exploit their sensitive data and critical operations.

Ransomware News

Topline

Recent activity shows ongoing ransomware threats, with Qilin allegedly breaching an Australian IT provider and ShinyHunters causing data leaks by exfiltrating data from cloud environments.

Campaigns & Operations

Qilin listed Australian hospitality IT provider Bluize on its dark web leak site. Details about the incident or sample data are unconfirmed, reflecting the group's sporadic posting and potential for extortion based on exposed databases. Separately, ShinyHunters has increased its extortion tactics, using persistent social engineering and voice-based pretexts to exfiltrate multi-terabyte datasets from cloud environments, especially Salesforce and other SaaS storage. Security researchers use AI for data classification to map exposed fields and estimate risk per breach.

Vulnerabilities & TTPs

ShinyHunters' operations show a reliance on social engineering and data exfiltration from cloud environments, resulting in public dumps of extensive personal and health-related data. The broader discussion around ransomware payments shows that promises to delete data often prove unreliable, which increases long-term risks for victims. Panels also warn that AI-assisted threats and non-human identities are increasing attacks, making AI for detection and rapid microsegmentation necessary.

Analyst Note

These developments show the expanding attack surface of cloud environments and the continued effectiveness of social engineering as a primary vector, alongside the unreliability of ransomware actors post-payment. Our recent intelligence covers the ransomware intelligence update and specific Qilin ransomware threat activity.

Technical Takeaways

• Qilin showed high activity, becoming the most active group in the last 24 hours with 8 new victims, and maintained its activity level.
• The healthcare and education sectors are often targeted, making up 7 out of 24 new victims, which shows their vulnerability to ransomware campaigns.
• The United States continues to be the geographic focus for ransomware operators, with 11 organizations listed as victims today.
• ShinyHunters' activities show a heavy reliance on data exfiltration from cloud environments and social engineering, leading to large-scale data leaks.
• Observations suggest Qilin uses extortion tactics, possibly listing exposed databases to pressure victims without confirming full data exfiltration.

FAQ

Q: Which ransomware groups were most active on May 16, 2026?

Qilin was the most active ransomware group, claiming 8 new victims. LockBit followed with 6 victims, and DragonForce with 4 victims in the last 24 hours.

Q: What industries did ransomware groups target most today?

The healthcare sector was the most targeted industry with 4 reported victims, closely followed by Education with 3 victims. Other affected sectors included financial services, technology, and manufacturing.

Q: Which countries were most affected by ransomware attacks in the last 24 hours?

The United States was the most affected country, reporting 11 new ransomware victims. Australia and Brazil each recorded 3 new victims, while Thailand had 2.

Q: Are there any specific new TTPs observed in today's ransomware activity?

Today's intelligence shows ShinyHunters' increasing reliance on social engineering and voice-based pretexts to exfiltrate multi-terabyte datasets from cloud environments, especially SaaS platforms. Qilin also exhibited a pattern of listing potentially exposed databases for extortion.

About PurpleOps

PurpleOps is a cyber threat intelligence platform that uses AI, covering every threat vector, from ransomware tracking to attack surface discovery. Its AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/15/2026

Statistical Overview

Victim Totals

• This month: 400
• This quarter: 1178
• Year to date: 3795
• Last 24h: 16

Quarterly Breakdown

Q1: 2622 | Q2: 1178 | Q3: 0 | Q4: 0

Ransomware activity continues at a consistent pace into Q2, with a steady volume of new victims daily. The current quarter's figures represent a significant portion of the year-to-date total, suggesting threat actors are operating consistently.

Introduction

The past 24 hours saw 16 new ransomware victims publicly disclosed, primarily from operations by The_Gentelman (4 victims), 3AM (3 victims), and CMD (3 victims). The latest ransomware threat activity shows these groups maintaining activity across many regions. Key sectors targeted included Medical Practices, Legal Services, and Agriculture & Food, with a concentration of attacks within the United States.

Ransomware Summary Table

Today's summary table indicates varied threats, with The Gentelman leading in volume, targeting entities in Brazil and Mexico, primarily within the Agriculture & Food and Professional Services sectors. Groups like 3AM expanded their reach into Argentina and Lebanon, while CMD and INC Ransom focused on the United States, particularly impacting Healthcare and Legal Services. Real-time ransomware intelligence consistently tracks groups like Akira targeting professional services, showing the persistent and varied nature of these attacks.

Victim Distribution

By Country

• United States: 7
• Argentina: 2
• Brazil: 1
• Germany: 1
• Hong Kong: 1
• Lebanon: 1
• Mexico: 1
• Netherlands: 1
• Poland: 1

By Industry

• Medical Practices: 2
• Legal Services: 2
• Agro-industrial: 1
• Machinery Manufacturing: 1
• Agribusiness: 1
• Transport and Logistics: 1
• Religious Organization: 1
• InsurTech: 1
• Research and Education: 1
• Printing Services: 1

The United States remains the primary target, accounting for nearly half of the reported incidents today, followed by scattered attacks across Latin America, Europe, and Asia. Industry targeting shows a focus on professional services and essential sectors, suggesting groups are opportunistic and target a wide range of victims.

Ransomware News

Topline

Today's ransomware developments show the continued evolution of attack methodologies, strategic alliances among threat actors, and the increasing scrutiny on organizational cyber resilience from legislative bodies.

Campaigns & Operations

The House Committee on Homeland Security has initiated a briefing demand from Instructure following two consecutive breaches by ShinyHunters affecting the Canvas platform, questioning data exposure, remediation efforts, and a potential connection to a prior Salesforce intrusion. BreachForums owner diencracked detailed the Shai Hulud JavaScript worm, which targets the npm ecosystem for credential harvesting and data exfiltration. He also discussed strategic alliances with TeamPCP and Vect ransomware operations. Separately, Tokyo Paving Industry Co., Ltd. in Japan confirmed a ransomware attack on April 2, 2026, leading to system access restrictions and potential data leakage, and Oriental Diamond Co., also in Japan, disclosed a May 4, 2026, ransomware incident affecting its head office file server and potentially exposing customer data.

Vulnerabilities & TTPs

Active exploitation of PAN-OS CVE-2026-0300, a critical buffer overflow enabling unauthenticated root RCE, has been observed in limited campaigns, utilizing EarthWorm and ReverseSocks5 payloads. The Shai Hulud worm demonstrates sophisticated, multi-stage evolution with enhanced obfuscation and cross-runtime support. AI-assisted ransomware threats are accelerating attack cycles, with attackers completing full operations in approximately 72 minutes. This makes zero-trust postures and AI-enabled defenses necessary. NIST's NVD enrichment policy is now prioritizing vulnerabilities with attacker behavior signals, including ransomware associations, to bridge operational gaps in vulnerability management.

Analyst Note

The combination of advanced supply-chain targeting, rapid exploitation of critical vulnerabilities, and the use of AI by threat actors shows the urgent need for adaptive defense strategies and full incident response frameworks.

Technical Takeaways

• Geographic Focus: The United States continues to be the most targeted country, with 7 out of 16 victims, which shows a persistent focus on US-based entities by various ransomware groups.
• Industry Diversity: Ransomware groups broadly target diverse sectors such as Healthcare (Medical Practices), Legal Services, and Agriculture & Food, rather than a narrow vertical. This suggests opportunistic or widespread initial access methods.
• Evolving TTPs: The emergence of sophisticated threats like the Shai Hulud JavaScript worm and the documented increase in AI-assisted ransomware attacks show a shift towards faster, more automated, and supply-chain-focused offensive techniques.
• Vulnerability Exploitation: Active exploitation of critical vulnerabilities, such as PAN-OS CVE-2026-0300, remains a primary vector for ransomware operators to gain initial access and achieve remote code execution.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

In the past 24 hours, The Gentelman was the most active ransomware group, accounting for 4 new victims. Following closely were 3AM and CMD, each responsible for 3 new victim disclosures.

Q: What industries were most targeted by ransomware this period?

The industries most affected by ransomware over the last 24 hours include Medical Practices and Legal Services, both reporting 2 new victims each. The Agriculture & Food sector also saw significant activity, with multiple groups targeting businesses in this area.

Q: What regions saw the most ransomware attacks today?

The United States experienced the highest number of ransomware attacks today, with 7 victims reported. Other targeted regions included Argentina, Brazil, Germany, Hong Kong, Lebanon, Mexico, Netherlands, and Poland, each with one or two reported incidents.

Q: Are there any newly exploited vulnerabilities by ransomware operators?

Yes, active exploitation of PAN-OS CVE-2026-0300, a critical buffer overflow allowing unauthenticated root RCE, has been observed in limited campaigns, utilizing specific payloads. This shows an ongoing threat from recently disclosed or zero-day vulnerabilities.

Q: What role is AI playing in current ransomware operations?

AI is described as increasing the speed and scale of ransomware attacks, with threat actors capable of completing a full attack cycle in approximately 72 minutes. This includes using AI for various stages of the attack, making AI-enabled defenses and zero-trust postures important for mitigation.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering all threat vectors, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/14/2026

Victim Totals

• This month: 384
• This quarter: 1162
• Year to date: 3779
• Last 24h: 21

Quarterly Breakdown

Q2 ransomware activity continues to build, showing consistent pressure even though the total victim count is significantly lower than Q1 figures.

Introduction

The past 24 hours saw 21 new ransomware victims. Qilin led activity with 10 reported breaches, with CMD and DragonForce each claiming three. Key sectors impacted include Construction & Engineering, Professional Services, and Technology/Software. Geographically, the United States continues to be the primary target, alongside activity in France, Singapore, and India.

Ransomware Summary Table

Qilin was the most active group today, accounting for nearly half of all new victims and showing consistent operations. This active group has been observed in recent PurpleOps reporting on latest ransomware threat activity. The group's targeting spanned Construction & Engineering and Healthcare across France and Singapore. The remaining activity was distributed among smaller groups like CMD and DragonForce, impacting Professional Services and Technology/Software across the United States, India, and other regions. While no government or critical infrastructure entities were explicitly reported, the targeting of Technic.com (Manufacturing) and Silergy Corp (Technology/Software) represents significant breaches in industrial and tech sectors.

Victim Distribution

By Country

• United States: 13
• Australia: 2
• Sweden: 1
• Singapore: 1
• India: 1
• France: 1
• Denmark: 1
• Cayman Islands: 1

By Industry

• Industrial Machinery & Equipment: 2
• Legal Services: 2
• Chemical Manufacturing: 1
• Numismatics: 1
• Medical Transportation: 1
• Media Distribution: 1
• Law Practice: 1
• Law Firms & Legal Services: 1
• Executive Coaching and Leadership Development: 1
• Construction: 1

The United States continues to bear the brunt of ransomware attacks because of its extensive digital footprint and economic attractiveness. While industries are diverse, a concentration in Industrial Machinery & Equipment and various Legal Services suggests a focused yet varied targeting approach by threat actors.

Ransomware News

Topline

A busy period shows the manufacturing sector under persistent pressure, an internal breach of a prominent Ransomware-as-a-Service (RaaS) group, and ongoing discussions around cybersecurity law and cargo crime.

Campaigns & Operations

Nitrogen ransomware targeted Foxconn's North American facilities, allegedly exfiltrating 8TB of sensitive data, showing the manufacturing sector's vulnerability. Concurrently, the Coinbase Cartel claimed a data leak from a South Korean medical ultrasound equipment manufacturer. The Gentlemen, a prolific RaaS gang, experienced an internal back end breach in early May 2026. This exposed roughly 16GB of its operations, including tooling and communications, offering insights into their structure, including the use of an in-house LLM for development. Murray County, Georgia's government network also experienced a cyberattack, forcing office closures, though ransomware involvement remains unconfirmed. Meanwhile, Instructure Holdings paid ShinyHunters to delete stolen Canvas data, a move often yielding little return.

Vulnerabilities & TTPs

Cyber-enabled cargo crime uses the ransomware playbook, using reconnaissance, credential theft, and phishing to silently monitor shipment communications and divert freight, and repurposes known tradecraft for logistics fraud. The manufacturing sector continues to be impacted by attackers pivoting to shared vendors, Managed Service Providers (MSPs), and widely used software to maximize impact. New data-extortion group Leak Bazaar has also been observed.

Analyst Note

The incidents, from direct ransomware attacks on critical manufacturing to internal RaaS group breaches and the repurposing of ransomware tradecraft for cargo crime, illustrate the evolving nature of cyber threats.

Technical Takeaways

• Qilin continues to show significant activity across diverse geographic regions (France, Singapore) and sectors (Construction & Engineering, Healthcare). This indicates a broad targeting strategy. This aligns with trends observed in real-time Q2 ransomware intelligence reports.
• Manufacturing remains a high-value sector for ransomware groups, as evidenced by the Nitrogen ransomware incident affecting Foxconn's North American facilities, and shows the critical impact of operational downtime.
• The breach of 'The Gentlemen' RaaS gang offers intelligence into the internal workings, TTPs, and organizational structure of a major ransomware syndicate, including their use of an in-house LLM for development.
• The documented rise of cyber-enabled cargo crime indicates an evolving application of ransomware-like reconnaissance, credential theft, and phishing tactics for financially motivated fraud beyond data encryption.
• DragonForce, a group previously noted in PurpleOps' ransomware intelligence activity updates, continues to target a mix of Media & Entertainment and Technology/Software industries, primarily in India and the United States.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

Qilin was the most active ransomware group in the last 24 hours, responsible for 10 reported victims. Following Qilin, CMD and DragonForce were the next most active, each claiming 3 new victims.

Q: What industries did ransomware groups target most frequently today?

Today's ransomware activity spread across industries. Industrial Machinery & Equipment, Legal Services, and Technology/Software each reported multiple victims, indicating a varied targeting approach by threat actors.

Q: Which countries experienced the highest number of new ransomware victims?

The United States reported the highest number of new ransomware victims in the past 24 hours, with 13 incidents. Other affected countries included Australia, Sweden, Singapore, India, France, Denmark, and the Cayman Islands.

Q: What significant ransomware incidents or developments were reported today?

Significant developments include a Nitrogen ransomware attack on Foxconn's North American facilities, allegedly leading to the exfiltration of 8TB of data. Additionally, the internal back end of 'The Gentlemen' RaaS gang was reportedly breached, exposing 16GB of their operational data and tools.

Q: Have any ransomware-as-a-service groups suffered setbacks recently?

Yes, the Ransomware-as-a-Service (RaaS) group 'The Gentlemen' suffered an internal breach in early May 2026, which exposed approximately 16GB of their internal communications, tooling, and administrative data, offering potential insights into their operations.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/13/2026

Statistical Overview

Victim Totals

• This month: 364
• This quarter: 1142
• Year to date: 3759
• Last 24h: 30

Quarterly Breakdown

Q2 activity maintains a strong pace, accumulating 1142 victims to date. The 30 new victims in the last 24 hours show continued activity, contributing to a year-to-date total of 3759 incidents. For more on Q2 trends, refer to our Q2 Ransomware Threat Activity Update.

Introduction

Ransomware activity recorded 30 new victims in the last 24 hours, maintaining a consistent pace. The_Gentelman was the most active group, responsible for a third of today's breaches, followed closely by Play News. Targeting focused on the Construction & Engineering and Financial Services sectors, with the United States remaining the primary geographic target.

Ransomware Summary Table

Today's activity shows The_Gentelman and Play News as the most prolific groups, collectively responsible for 17 of the 30 new incidents. Their targeting shows a strong emphasis on Financial Services and Construction & Engineering across North America and parts of Asia. Akira and LeakedData also contributed to the day's victim count, impacting pharmaceuticals and legal sectors respectively. The geographical spread remains diverse, with a concentration in the United States.

Q: Where were ransomware victims located geographically and by industry today?

The United States recorded the highest number of new ransomware victims, with activity distributed across various industries including Manufacturing and Financial Services.

By Country

• United States: 12
• Qatar: 2
• Tunisia: 1
• United Kingdom: 1
• Ukraine: 1
• Argentina: 1
• Thailand: 1
• Taiwan: 1
• Singapore: 1
• Paraguay: 1

By Industry

• Manufacturing: 2
• Financial Services: 2
• Automotive Manufacturing: 1
• Transportation: 1
• Retail Technology: 1
• Machinery Manufacturing: 1
• Legal Services: 1
• Law Practice: 1
• Food Service Distribution: 1
• Construction Management: 1

The United States continues to experience the most ransomware attacks, accounting for 40% of today's observed victims. While Manufacturing and Financial Services show a slight uptick, the overall distribution across industries remains fragmented, indicating opportunistic rather than highly specialized targeting in the last 24 hours.

Ransomware News

Topline

Ransomware operations continue to impact diverse sectors, with activity from established groups and new attacks on major corporations across technology and healthcare.

Campaigns & Operations

The_Gentelman ransomware group's operations use infostealer credential logs, mining OWA/M365 data and breach search engines for initial access. This aligns with trends of credential use observed with groups like Coinbase Cartel. A full overview of their tactics is available in our latest ransomware threat activity report. In North America, Nitrogen ransomware claimed an attack on Foxconn, reportedly exfiltrating 8 TB of sensitive data from factories, marking another incident for the manufacturing giant. Separately, West Pharmaceutical Services disclosed a ransomware incident impacting critical systems, now under investigation by Palo Alto Networks Unit 42, showing ongoing risks to the healthcare industry. In the education sector, Instructure reached a deal with ShinyHunters following a Canvas platform breach that exposed user data, while Japan's Hokuyo Corporation reported a resolved ransomware infection from late March.

Vulnerabilities & TTPs

The emphasis on infostealer credential logs by groups like The_Gentelman shows a persistent initial access vector, prioritizing compromised employee logins for network penetration.

Analyst Note

These incidents collectively show the persistent threat of data exfiltration and business disruption across critical sectors, often facilitated by credential-based initial access.

Technical Takeaways

1. Credential-based Initial Access: The_Gentelman group's documented reliance on infostealer credential logs for initial access shows a pervasive TTP in current ransomware operations.
2. Data Exfiltration Focus: Multiple incidents, including Nitrogen's attack on Foxconn (8TB exfiltrated) and West Pharmaceutical Services, confirm data exfiltration as a primary ransomware objective alongside encryption.
3. Targeting Diversification: While the United States remains a primary target, the distribution across countries like Singapore, Ireland, Malaysia, and Ukraine indicates a broad, opportunistic targeting approach.
4. Persistent Sectoral Risk: The observed breaches in Financial Services, Manufacturing, Education, and Pharmaceuticals show the continued vulnerability of diverse critical and enterprise sectors to ransomware.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

The_Gentelman was the most active group, responsible for 10 reported victims. Play News followed with 7 victims, while Akira, LeakedData, Payload, and Qilin each claimed 2 victims.

Q: Which industries were most targeted by ransomware today?

Manufacturing and Financial Services were among the most frequently targeted sectors, each accounting for 2 reported victims. However, activity was broadly distributed across several industries, including Education, Legal, and Technology/Software.

Q: Which geographic regions experienced the most ransomware attacks today?

The United States reported the highest number of new ransomware victims, with 12 incidents. Other affected regions included Qatar, Tunisia, the United Kingdom, and Ukraine, each reporting a single incident.

Q: What were some notable ransomware incidents reported recently?

Foxconn confirmed a cyberattack claimed by the Nitrogen ransomware group, involving significant data exfiltration. West Pharmaceutical Services disclosed a ransomware incident impacting its business operations, and Instructure made a deal with ShinyHunters following a data exposure on its Canvas platform.

About PurpleOps

PurpleOps is a cyber threat intelligence platform covering all threat vectors, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats and investigate incidents in natural language.

Our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/12/2026

Statistical Overview

Victim Totals

• This month: 336
• This quarter: 1114
• Year to date: 3731
• Last 24h: 40

Quarterly Breakdown

With 40 new victims identified in the last 24 hours, Q2 activity shows sustained ransomware operations across multiple threat groups.

Introduction

The past 24 hours added 40 new ransomware victims to dedicated leak sites, indicating ongoing pressure on various sectors globally. Genesis led activity with 7 victims, followed by Qilin, Akira, CoinbaseCartel, and Lamashtu, each claiming 4 or 5 new targets. Geographic targeting remained concentrated in the United States. Industries such as Technology, Professional Services, Manufacturing, and Healthcare continued to experience impact.

Ransomware Summary Table

Analysis of today's ransomware activity shows Genesis as the most active group, adding 7 new victims. Groups like Qilin ransomware and Akira ransomware continue with victim counts, alongside CoinbaseCartel. Sector targeting is diverse, including Technology, Professional Services, and Manufacturing. Geographically, attacks distributed across North America, Europe, and Asia.

Targets included a Casino gaming commission by Genesis, the Jozef Stefan Institute (IJS)-a research institute-by CoinbaseCartel, and the Ayuntamiento de Valdemoro (local government) by Kairos. These incidents show persistent targeting of public sector and research institutions.

Victim Distribution

By Country

• United States: 22
• Mexico: 3
• United Kingdom: 3
• Spain: 2
• Canada: 2
• Thailand: 2
• Germany: 1
• India: 1
• Jamaica: 1
• Slovenia: 1

By Industry

• Real Estate: 2
• Manufacturing: 2
• Legal Services: 2
• IT Services and IT Consulting: 1
• Aviation and Aerospace Component Manufacturing: 1
• Business Process Outsourcing: 1
• Chamber of Commerce: 1
• Educational Technology: 1
• Electronics Distribution: 1
• Healthcare: 1

The United States remains the main target for ransomware operators, accounting for over half of all new victims in the last 24 hours. While industry targeting is broad, Real Estate, Manufacturing, and Legal Services experienced multiple incidents, which suggests a focus on sectors with high-value data or critical operational dependencies.

Ransomware News

Topline

A major education provider paid extortion demands, and a ransomware group's internal operations were exposed through a data leak.

Campaigns & Operations

Instructure reached a ransom agreement with ShinyHunters to prevent a 3.65TB Canvas data leak after attackers exploited a vulnerability in a support-ticket flow, siphoning 275 million records. Ahmed Al-Kadi Private Hospital in South Africa confirmed a ransomware breach encrypting a portion of its network. West Pharmaceutical Services experienced a cyberattack on May 4 that exfiltrated data and encrypted core systems, disrupting global operations. INC Ransom listed Earth Systems, an Australian environmental firm, claiming 600 GB of stolen data. Spain's Notin, an IT provider for notaries, was hit by Crypto24 ransomware, which deployed LockBit 5.0 to encrypt files and disrupt client services. The April 2026 Threat Trend Report showed broad global targeting across Manufacturing, Healthcare, and financial sectors, noting the emergence of new groups alongside active groups like Qilin and INC Ransom.

Vulnerabilities & TTPs

The Instructure incident involved exploiting a vulnerability within a free-for-teacher support-ticket flow. A data leak from The Gentlemen ransomware group exposed internal chats detailing RaaS operations, including access via compromised Fortinet edge gear, OpenConnect VPNs, extensive reconnaissance, EDR evasion, and mapping of critical infrastructure. South Staffordshire Water was fined after a nearly two-year intrusion that began with phishing and exploited weak monitoring, inadequate privileged access management, and unpatched legacy systems. Notin's attack by Crypto24 utilized LockBit 5.0, gaining access through stolen credentials, phishing, or exposed RDP, followed by lateral movement and data exfiltration. Overall trends in 2026 indicate a shift toward encryptionless extortion, post-quantum ransomware, and industrialized initial access via Access-as-a-Service, often using RDWeb/RDP abuse.

Analyst Note

These events show persistent reliance on known attack vectors like phishing and compromised credentials. They also demonstrate the increasing sophistication of data extortion tactics and the changing post-exploitation tradecraft documented in internal leaks.

Technical Takeaways

• The United States consistently experiences the highest volume of ransomware attacks. This shows a continued focus on the region by threat groups.
• Threat groups like INC Ransom, Genesis, and Crypto24 (LockBit 5.0) frequently use double-extortion tactics, combining data exfiltration with encryption to maximize pressure on victims.
• Recent analysis shows a shift toward encryptionless extortion and the industrialization of initial access through Access-as-a-Service models, often using RDWeb/RDP abuse.
• Internal leaks from ransomware groups, such as The Gentlemen, provide critical insights into their operational methods, including reconnaissance, EDR evasion, and how they structure affiliates.
• Critical infrastructure and public sector organizations remain high-value targets, as shown by incidents affecting a Casino gaming commission and local government organizations.

FAQ

Q: Which ransomware groups were most active today?

Genesis was the most active ransomware group in the last 24 hours, accounting for 7 new victims. Other active groups included Qilin (5 victims), Akira (4 victims), CoinbaseCartel (4 victims), and Lamashtu (4 victims).

Q: What industries were primarily targeted in the last 24 hours?

Ransomware attacks in the last 24 hours targeted diverse industries. Real Estate, Manufacturing, and Legal Services each recorded two victims. IT Services, Aviation, Business Process Outsourcing, and Healthcare were also affected.

Q: Which geographical regions experienced the most ransomware attacks today?

The United States was the most targeted country, with 22 new ransomware victims reported in the last 24 hours. Mexico and the United Kingdom also experienced activity, each with 3 new victims.

Q: What notable technical insights emerged from recent ransomware activity?

Key technical insights include the use of vulnerabilities in support-ticket flows for data exfiltration. Also, internal group leaks provided detailed documentation of ransomware-as-a-service operations, showing continued reliance on initial access vectors like phishing, exposed RDP, or stolen credentials. There is also a shift toward encryptionless extortion and industrialization of initial access.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering all major threat vectors, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats and investigate incidents in natural language. Our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/11/2026

Statistical Overview

Victim Totals

• This month: 296
• This quarter: 1074
• Year to date: 3691
• Last 24h: 12

Quarterly Breakdown

The second quarter shows consistent ransomware activity, with 12 new victims reported in the last 24 hours. While Q2's cumulative total remains lower than Q1, the daily pace suggests pressure across various sectors.

Introduction

In the past 24 hours, PurpleOps observed 12 new ransomware victims, showing persistent threat activity. Akira and Interlock were the most active groups, each claiming three victims, followed by Medusa Locker with two. Attacks primarily impacted the United States, with sectors like Construction & Engineering, Hospitality & Travel, and Manufacturing experiencing incidents.

Ransomware Summary Table

Akira and Interlock were the most active groups over the last 24 hours, each claiming three victims, predominantly in the United States. Akira focused on Construction & Engineering and Hospitality, while Interlock impacted the Kent District Library, showing continued targeting of the Government / Public Sector. Medusa Locker, which has a distinct RaaS model and specific TTPs detailed in our analysis of Medusa Locker's exploitation tactics, added two victims in Technology/Software and Manufacturing. Nitrogen targeting FOXCONN in Taiwan was another high-value breach, showing pressure on critical manufacturing and electronics supply chains.

Victim Distribution

By Country

• United States: 7
• China: 1
• Croatia: 1
• Netherlands: 1
• None: 1
• Taiwan: 1

By Industry

• None: 2
• Machinery Manufacturing: 1
• Steel Construction: 1
• Electronics Manufacturing: 1
• Food and Beverage Services: 1
• Hospitality Management: 1
• Legal Services: 1
• Medical Equipment Manufacturing: 1
• Public Library System: 1
• Semiconductor Manufacturing Equipment: 1

The United States remains the primary target, accounting for most new ransomware victims. Industry targeting is diversified, but a concentration is observed in Manufacturing, particularly Electronics and Semiconductor sectors, alongside Hospitality and Government/Public Services.

Ransomware News

Topline

The past 24 hours included several ransomware-related developments, such as critical application exploitation, new social engineering tactics, and the emergence of new threat groups.

Campaigns & Operations

Instructure confirmed the exploitation of multiple cross-site scripting (XSS) flaws in their Canvas platform. This led to admin session hijacking, portal defacement, and significant data exfiltration, impacting over 8,800 institutions. Separately, the MuddyWater APT group used Microsoft Teams external chat requests for credential theft and MFA bypass, often masquerading as "Chaos ransomware" to hide their espionage objectives. In Japan, JR Tokai Takashimaya and pharmaceutical wholesaler Marutake Co., Ltd. reported separate ransomware incidents on May 1 and April 28, respectively. Both involved unauthorized access, system encryption, and likely double-extortion tactics; Marutake's incident is expected to require substantial restoration time. The M3rx ransomware group, newly identified, claimed Australian toy distributor KB Toys, exfiltrating 140 GB of data and listing 15 victims in total. An interview with MedusaLocker further detailed its long-running RaaS model, financially motivated targeting, and use of distinct victim-identifying extensions such as BAGAJAI and BARADAI.

Vulnerabilities & TTPs

Exploitation of multiple XSS flaws in the Canvas platform enabled initial access and data exfiltration in the Instructure breach. MuddyWater APT used advanced social engineering via Microsoft Teams to induce victims into sharing credentials and enabling MFA bypass, employing a multi-stage payload and dual remote access tools. The M3rx ransomware payload is identified as a PE32+ x64 Go binary, using X25519 for key exchange, AES-CTR for file content, and AES-GCM for per-file key wrapping. These varied tactics show organizations need to address critical vulnerabilities and ransomware breaches.

Analyst Note

These events show the persistent prevalence of double-extortion tactics and a diversified threat environment marked by opportunistic exploitation of application flaws, sophisticated social engineering, and the continued emergence of new ransomware groups.

Technical Takeaways

• The United States remains the primary geographic target for ransomware attacks.
• Critical manufacturing sectors, including Electronics and Semiconductors (e.g., FOXCONN), are under sustained pressure.
• Adversaries are actively exploiting web application vulnerabilities, such as XSS flaws in enterprise platforms like Canvas, for initial access and data exfiltration.
• Social engineering via collaboration platforms like Microsoft Teams is a changing tactic for credential theft and MFA bypass, sometimes used to mask espionage.
• New ransomware groups, such as M3rx, continue to emerge, introducing new tooling (Go binaries) and crypto implementations (X25519, AES-CTR, AES-GCM).
• The Akira ransomware group remains active; a detailed analysis of Akira's TTPs is available.

FAQ

Q: Which ransomware groups were most active today?

Akira and Interlock were the most active ransomware groups today, each responsible for three new victim postings. Medusa Locker followed, claiming two additional victims, showing persistent activity across various sectors.

Q: Which industries were most targeted by ransomware today?

Today's ransomware activity showed diverse targeting across several industries. Sectors affected include Construction & Engineering, Hospitality & Travel, Technology / Software, Manufacturing (specifically Electronics and Semiconductor), and Government / Public Sector, as shown by the Kent District Library incident.

Q: What regions saw the most ransomware attacks?

The United States experienced the highest concentration of ransomware attacks, with seven reported victims. Other affected regions included China, Croatia, the Netherlands, and Taiwan, which saw an incident involving FOXCONN. Japan also reported two ransomware incidents.

Q: Were any new ransomware groups identified today?

Yes, the M3rx ransomware group was identified, claiming its first publicly known victim, Australian toy distributor KB Toys. This group has publicly listed 15 victims to date and uses a PE32+ x64 Go binary payload.

Q: What notable attack techniques or vulnerabilities were observed in recent ransomware incidents?

Recent incidents show exploitation of multiple cross-site scripting (XSS) flaws in the Canvas platform for data exfiltration and portal defacement. The MuddyWater APT group used Microsoft Teams for social engineering to achieve credential theft and MFA bypass, a tactic often disguised as ransomware activity to misdirect investigators.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering all threat vectors, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Our intelligence solutions:

- Ransomware Tracking

- Dark Web Monitoring

- Credential Intelligence

- Supply Chain Risk

- All Solutions

Ransomware Report - 05/10/2026

Statistical Overview

Victim Totals

• This month: 284
• This quarter: 1062
• Year to date: 3679
• Last 24h: 24

Quarterly Breakdown

Q2 ransomware activity tracks consistently with Q1, showing threat actors maintaining a high operational tempo. The 24 new victims in the last 24 hours reflect ongoing pressure across sectors, similar to trends discussed in our Q2 Ransomware Activity Report.

Introduction

In the past 24 hours, PurpleOps observed 24 new ransomware victims, which suggests consistent threat actor activity. Leak_Bazaar and Lynx were the most active groups, accounting for over two-thirds of reported breaches. These attacks primarily affected the Financial Services and Technology sectors, and were concentrated in North America and Europe, reflecting recent ransomware trends.

Ransomware Summary Table

Leak Bazaar and Lynx were the most active in ransomware activity over the last 24 hours, accounting for 17 of the 24 reported victims. Leak Bazaar focused heavily on Financial Services and Construction & Engineering firms in India and the United Kingdom. Lynx showed a broader reach, targeting Education and Technology sectors primarily in Germany and the United States. Other groups, including INC Ransom and Fulcrum, maintained a lower but persistent presence, with Fulcrum specifically affecting a UK-based professional services firm, a group whose activities we discussed in a previous report.

Victim Distribution

By Country

• United States: 13
• United Kingdom: 4
• Spain: 2
• Germany: 1
• United Arab Emirates: 1
• Taiwan: 1
• Singapore: 1
• India: 1

By Industry

• Legal Services: 2
• Financial Services: 2
• Accounting: 1
• Tourism and Hospitality: 1
• Packaging Services: 1
• Information Technology Services: 1
• Individual and Family Services: 1
• Healthcare: 1
• Food and Beverage Services: 1
• Food & Beverage: 1

The United States remains the primary target country, with over half of all victims reported today, showing a consistent focus on North American entities. While Financial Services and Legal Services had multiple incidents, the overall industry distribution points to a fragmented targeting approach, as various sectors experienced single breaches.

Ransomware News

Topline

The last 24 hours included two significant ransomware incidents affecting an Italian luxury goods manufacturer and Australian mining companies. These incidents show persistent threats to diverse industries.

Campaigns & Operations

Around May 9, 2026, Unoaerre, an Italian gold jewelry manufacturer, was hit by a ransomware attack that disrupted its operational systems. Threat actors demanded 3.8 million euros in Bitcoin for data restoration and to prevent data dissemination. Initial investigations suggest involvement from Eastern Europe and the Middle East. Around May 6, 2026, multiple Australian mining firms faced disruptions after Scope Systems, a cloud-based software provider, was breached. Northern Star Resources and Evolution Mining were among the reported targets, with the incident affecting core ERP and asset management SaaS services.

Vulnerabilities & TTPs

No new CVEs were identified in today's reporting; however, both incidents showed supply-chain risks. The Scope Systems breach revealed a cascade effect from credential theft and potential data exfiltration at a third-party provider, affecting client operations.

Analyst Note

These incidents emphasize the growing effectiveness of supply-chain targeting and the financial motivations behind current ransomware operations, particularly against established businesses.

Technical Takeaways

• Dominant Activity: Leak Bazaar and Lynx were the most active ransomware groups, responsible for 70% of new victims in the last 24 hours. This shows their current high operational tempo.
• Geographic Concentration: North America, specifically the United States, accounted for over 50% of the newly reported ransomware victims. It remains a primary target region.
• Targeted Verticals: While Financial Services and Technology / Software had concentrated attacks, the overall distribution across industries remained broad. This suggests opportunistic rather than highly specialized targeting for most groups.
• Supply Chain Exploitation: Recent news shows an ongoing focus on supply chain vulnerabilities. Ransomware groups use breaches in IT service providers to gain access to multiple downstream clients.

FAQ

Q: Which ransomware groups were most active in the past 24 hours?

Leak Bazaar and Lynx were the most active ransomware groups. Leak Bazaar reported 9 victims, and Lynx reported 8. They accounted for over 70% of all observed ransomware activity during this period.

Q: What industries were primarily targeted by ransomware today?

Financial Services and Technology / Software were the most frequently targeted sectors, and multiple incidents were reported. Today's data also shows various single-victim attacks across industries like Education, Legal Services, Professional Services, and Media & Entertainment.

Q: Which geographic regions experienced the most ransomware attacks today?

The United States was the most targeted country, reporting 13 new victims. The United Kingdom followed with 4 victims, while Spain, Germany, United Arab Emirates, Taiwan, Singapore, and India each reported 1 or 2 incidents.

Q: Are there any newly exploited vulnerabilities or specific CVEs associated with today's ransomware activity?

Based on the provided intelligence for May 10, 2026, no new specific CVEs have been publicly identified or confirmed as actively exploited by ransomware operators in the reported incidents. However, recent attacks show supply-chain risks and initial access via credential theft and data exfiltration.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform. It covers every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats and investigate incidents 24/7 in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/09/2026

Statistical Overview

Victim Totals

• This month: 260
• This quarter: 1039
• Year to date: 3656
• Last 24h: 36

Quarterly Breakdown

Ransomware activity remains consistent, with Q2 already reflecting a significant portion of Q1's total victims despite being an incomplete quarter. The past 24 hours saw 36 new victims. For more details on current trends, see our latest Q2 ransomware activity report.

Introduction

The past 24 hours recorded 36 new ransomware victims, showing consistent activity. "The Gentelman" and Qilin were the most active groups, collectively accounted for over half of the new compromises. While targeting was geographically diverse, the United States was the primary victim country, with Construction and Technology / Software were frequently impacted sectors.

Ransomware Summary Table

The latest 24-hour period showed continued high activity from "The Gentelman" and Qilin, with 10 and 9 victims respectively. Genesis also showed moderate activity with 5 new victims, primarily in the United States and Canada. Key sectors targeted include Construction & Engineering, Transportation & Logistics, and Technology / Software. These ransomware operators used a broad-spectrum approach. For more information on active groups like "The Gentelman" and Qilin, see our recent report on new ransomware victims. No government, military, or critical infrastructure entities were identified among the sample victims listed today.

Victim Distribution

By Country

• United States: 19
• India: 2
• Germany: 2
• Venezuela: 1
• Argentina: 1
• United Kingdom: 1
• Spain: 1
• Poland: 1
• None: 1
• Nigeria: 1

By Industry

• Construction: 5
• Machinery Manufacturing: 2
• Chemical Manufacturing: 2
• Financial Services: 1
• Civil Engineering and Land Surveying: 1
• Clinical Research: 1
• Construction and Building Materials: 1
• Consulting: 1
• Design Services: 1
• Education: 1

The United States was the primary target of ransomware attacks, accounting for over half of all victims today. The concentration in Construction and related industries suggests either opportunistic targeting or a focused campaign against this sector.

Ransomware News

Topline

Recent intelligence reveals a re-compromise of a major educational platform and the release of important security patches for widely used web hosting software.

Campaigns & Operations

ShinyHunters has claimed a second successful breach against Instructure's Canvas LMS, alleging theft of approximately 3.65 TB of data, affecting around 275 million individuals from nearly 9,000 institutions. This re-exploitation happened despite Instructure's earlier claims of containment. The group has pushed a new leak deadline. Instructure has temporarily shut down Free-For-Teacher accounts to address issues. This persistent targeting of an educational platform shows the significant data breach risks the sector faces.

Vulnerabilities & TTPs

cPanel and WHM have released fixes for three vulnerabilities: CVE-2026-29201 (CVSS 4.3), CVE-2026-29202 (CVSS 8.8), and CVE-2026-29203 (CVSS 8.8). These range from arbitrary file reads to arbitrary Perl code execution and unsafe symlink handling. These could lead to denial-of-service or privilege escalation. While no public exploitation is confirmed, these patches follow recent CVE-2026-41940 zero-day activity involving Mirai and ransomware, showing the importance of timely patching for web infrastructure.

Analyst Note

These developments show a dual threat: persistent re-exploitation of enterprise applications and the continuous discovery and patching of important vulnerabilities in widely deployed software.

Technical Takeaways

1. "The Gentelman" and Qilin groups maintained high activity, accounting for over half of new compromises.
2. The Construction sector and related industries (Civil Engineering, Building Materials) were consistently targeted, reporting 5 victims.
3. The United States accounted for 19 out of 36 new victims, becoming a primary target geography.
4. Vulnerabilities (CVE-2026-29201, CVE-2026-29202, CVE-2026-29203) in cPanel/WHM show ongoing risks to web infrastructure.
5. ShinyHunters' re-exploitation of Instructure shows persistent threat actor capabilities and challenges in incident response.

FAQ

Which ransomware groups were most active in the last 24 hours?

"The Gentelman" was the most active group, responsible for 10 new victims, followed closely by Qilin with 9 victims. Genesis recorded 5 new victims during this period.

What industries were most targeted by ransomware today?

The Construction sector experienced the highest number of attacks, with 5 victims reported. Other targeted industries included Machinery Manufacturing, Chemical Manufacturing, and Technology / Software.

Which geographic regions saw the most ransomware attacks today?

The United States was overwhelmingly the most targeted country, accounting for 19 of the 36 new victims. India and Germany each reported 2 victims, while other countries saw single incidents.

Have there been any new vulnerabilities relevant to ransomware identified recently?

Yes, cPanel and WHM released patches for three vulnerabilities: CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203. These could lead to arbitrary file reads, code execution, or privilege escalation, and their patching is important to prevent potential ransomware-related exploitation.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

- Ransomware Tracking

- Dark Web Monitoring

- Credential Intelligence

- Supply Chain Risk

- All Solutions

Ransomware Report - 05/08/2026

Statistical Overview

Victim Totals

• This month: 226
• This quarter: 1005
• Year to date: 3622
• Last 24h: 26

Quarterly Breakdown

Q2 ransomware activity counts 1,005 victims, a decrease from Q1's 2,622. The year-to-date total is 3,622, with 26 new victims in the past 24 hours.

Introduction

PurpleOps recorded 26 new ransomware victims in the past 24 hours. This shows continued activity among various threat groups. LockBit was the most active group with five victims, followed by INC_Ransom (4), Akira (3), Play News (3), and Qilin (2). Attacks targeted diverse industries, affecting manufacturing, healthcare, and construction & engineering sectors, mostly in North America and parts of Asia. For more on recent trends, see our Ransomware Victims Update - May 07.

Ransomware Summary Table

LockBit remained the most active group in the last 24 hours, ahead of INC_Ransom and Akira. Manufacturing, construction, and healthcare were frequent targets, showing attacks across many industries by several threat groups. The United States and Canada reported the most incidents. More on LockBit and Qilin's activities is in our Ransomware Threat Activity Update - May 01. Detailed analysis of INC_Ransom and Akira is available in our CVE-2025-5777 Ransomware Breach report.

Victim Distribution

By Country

• United States: 10
• Canada: 3
• None: 2
• Taiwan: 1
• Thailand: 1
• Australia: 1
• Switzerland: 1
• Peru: 1
• Japan: 1
• Jamaica: 1

By Industry

• Industrial Machinery & Equipment: 2
• None: 2
• Machinery Manufacturing: 1
• Software Development: 1
• Self-Storage: 1
• Real Estate: 1
• Precision Machining: 1
• Insurance: 1
• HVAC Distribution: 1
• Healthcare: 1

The United States is the primary target for ransomware attacks, with 10 reported victims. Beyond the U.S., activity spread geographically, with several countries reporting single incidents and no single industry showing overwhelming concentration in this 24-hour period.

Ransomware News

Topline

The past 24 hours brought varied ransomware developments, including data extortion claims against cybersecurity firms, nation-state false-flag operations, and several incidents affecting Japanese organizations.

Campaigns & Operations

RansomHouse, a data-extortion group, claimed a breach of cybersecurity firm Trellix, alleging access to source code and appliance management systems. Trellix confirmed unauthorized access to a portion of its source code repository but found no evidence of compromised release processes. ShinyHunters defaced the Canvas LMS portal, claiming exfiltration of 3.65TB from nearly 9,000 institutions. This group uses an extortion and credential theft model instead of encryption. In Japan, several organizations reported ransomware incidents. These include Shin-Facom Co., Ltd., F1 Corporation's contractor (with potential PII exfiltration for 285 customers), and Medica Publishing. All these incidents occurred around mid-April, and investigations into data impact are ongoing.

Vulnerabilities & TTPs

Rapid7 researchers identified Iranian MOIS-backed MuddyWater using Chaos ransomware as a false-flag cover for espionage and data theft. This operation began with Microsoft Teams social engineering to obtain VPN credentials, followed by remote management tool deployment and data leak threats. It is significant because it lacks encryption and uses ransomware tooling to obscure state-driven objectives.

Analyst Note

The activity shows more complex motivations among threat actors. They combine traditional data encryption with data exfiltration and false-flag operations to achieve various strategic goals.

Technical Takeaways

• Wider Geographic Targeting: The United States is still a primary target, but victims are spread across Canada, Japan, Australia, and parts of Europe and Latin America, showing ransomware groups target many regions.
• Established Groups Remain Active: LockBit continues its high activity, with 5 new victims, showing it persists despite ongoing law enforcement operations.
• Encryption and Extortion Threats: News items show data exfiltration and extortion (e.g., RansomHouse, ShinyHunters) are as common as traditional encryption-based ransomware, presenting substantial data breach risks.
• False-Flag Operations: MuddyWater's use of Chaos ransomware as a false-flag for espionage shows advanced tactics to hide attribution and blends cybercrime with state-sponsored activity.
• Manufacturing Remains a Target: Manufacturing appears on multiple groups' victim lists (Akira, Play News, Qilin, 3AM), which suggests the industry continues to be vulnerable.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

LockBit was the most active group, reporting five new victims. Following LockBit, INC_Ransom claimed four victims, while Akira and Play News each listed three. Qilin reported two new victims.

Q: What industries were most targeted by ransomware in the last 24 hours?

Manufacturing, including Industrial Machinery & Equipment, Machinery Manufacturing, and Precision Machining, together accounted for many incidents. Other targeted sectors included healthcare, construction & engineering, and real estate.

Q: Which countries reported the highest number of ransomware victims today?

The United States reported the highest number of victims with 10 incidents. Canada followed with 3 victims, while Australia, Japan, Switzerland, Peru, Thailand, Jamaica, and Taiwan each reported one victim.

Q: Were there any notable ransomware campaigns or technical insights reported today?

Yes, developments include Iranian state-sponsored group MuddyWater using Chaos ransomware as a false-flag for espionage and data theft. Also, groups like RansomHouse conducted data extortion against Trellix, and ShinyHunters targeted Canvas LMS portals.

About PurpleOps

PurpleOps is a cyber threat intelligence platform that uses AI, covering every threat vector from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

See our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/07/2026

Statistical Overview

Victim Totals

• This month: 201
• This quarter: 980
• Year to date: 3598
• Last 24h: 34

Quarterly Breakdown

Q1: 2622 | Q2: 980 | Q3: 0 | Q4: 0

Ransomware victim counts continue to accumulate in Q2. Today's activity shows consistent pressure on various sectors globally. For more context on recent trends, see our Ransomware Victims Q2 May 06 report.

Introduction

The past 24 hours saw 34 new ransomware victims reported. This shows sustained activity across multiple threat groups. SafePay was the most active group with 9 new victims, closely followed by Qilin with 8. Targets included Legal Services, Professional Services, and Retail & Ecommerce sectors, with the United States experiencing the highest concentration of attacks.

Ransomware Summary Table

SafePay and Qilin demonstrated the highest activity over the last 24 hours, collectively accounting for 17 of the 34 new victims. LeakedData continued its focus on the Legal sector, while M3RXDLS targeted Retail & Ecommerce and Professional Services. This pattern is consistent with recent observations in our M3RXDLS ransomware threat activity report. Geographically, the United States remained the primary target, alongside scattered activity across Europe and South America. Further details on groups like Qilin and SafePay can be found in our ransomware victim summary from May 05.

Victim Distribution

By Country

• United States: 16
• Italy: 4
• United Kingdom: 3
• Germany: 3
• Thailand: 1
• Australia: 1
• Switzerland: 1
• Spain: 1
• Paraguay: 1
• Denmark: 1

By Industry

• Legal Services: 6
• Law Practice: 3
• Transportation, Automotive & Logistics: 1
• Pharmaceutical Manufacturing: 1
• Local Trucking, Without Storage: 1
• IT Services and Systems Integration: 1
• General Engineering and Construction: 1
• Foodservice Design and Consulting: 1
• Facilities Services: 1
• Construction Training and Apprenticeship: 1

The concentration of attacks on the United States and the Legal sector suggests a continued focus on economically significant regions and industries that handle sensitive data. This shows persistent targeting of professional services.

Ransomware News

Topline

Ransomware-related disclosures over the past 24 hours show ongoing supply chain vulnerabilities, targeted data exfiltration campaigns, and the deceptive use of ransomware branding by state-sponsored actors.

Campaigns & Operations

Multiple Japanese organizations, including Nambu Corporation, Nippon Telenet, and Hotel Okura Fukuoka, reported ransomware incidents in March and April 2026. These incidents used compromises of outsourcing partners or cloud-based systems, which led to potential personal and customer data exposure. Separately, Australian car-parts importer Strategic Imports was breached by MedusaLocker, while energy management firm Energy Action was listed on SafePay's dark web leak site following a data exfiltration event. ASEC's Week 1 May 2026 report noted cross-border activity, including BlackWater targeting a Chinese auto parts manufacturer and Guatemalan government data sales.

Vulnerabilities & TTPs

MedusaLocker is known to exploit exposed RDP configurations and phishing campaigns for initial access. The Iranian APT MuddyWater was observed masquerading as Chaos ransomware activity. It employed high-touch social engineering via Microsoft Teams for credential harvesting and MFA manipulation. This was followed by data exfiltration and long-term persistence via DWAgent rather than encryption. This tactic also showed MuddyWater-style certificates and infrastructure, with a victimology shift towards the Middle East, North Africa, and Southeast Asia.

Analyst Note

These events collectively show the significant impact of supply chain compromises and the evolving tactics of threat actors who use ransomware as a cover for more sophisticated data exfiltration and intelligence-gathering operations.

Technical Takeaways

• Geographic Focus: The United States remains a primary target, making up nearly half of all new victims in the last 24 hours.
• Industry Preference: Legal Services and Professional Services are consistently important targets, likely due to access to sensitive client data.
• Supply Chain Exploitation: Recent incidents in Japan show a recurring theme of threat actors compromising third-party vendors and cloud systems to reach primary targets.
• APT Blurring: The use of ransomware branding by advanced persistent threat (APT) groups like MuddyWater shows a strategic shift towards using ransomware as a deceptive tactic for data exfiltration and long-term persistence.
• Common TTPs: Initial access vectors continue to include common methods like exposed RDP and phishing campaigns, as observed with MedusaLocker activity.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

SafePay reported 9 new victims and Qilin reported 8. They were the most active ransomware groups in the past 24 hours based on victim disclosures. LeakedData followed with 6 new victims.

Q: What industries were most targeted by ransomware today?

Legal Services and Law Practice combined account for 9 victims. This makes the legal sector the most heavily targeted industry today. Professional Services also saw significant activity with 5 victims from various groups.

Q: Which countries experienced the highest number of ransomware attacks today?

The United States reported 16 new ransomware victims, which is the highest number of attacks by country in the last 24 hours. Italy, the United Kingdom, and Germany followed with 4 and 3 victims each, respectively.

Q: Were there any new ransomware groups identified or important changes in TTPs?

While no entirely new ransomware groups were identified today, the Iranian APT MuddyWater was observed operating under the Chaos ransomware brand. This is an important change in TTPs, as the group used high-touch social engineering and MFA bypass for data exfiltration and persistence, using ransomware as a cover rather than a primary encryption method.

About PurpleOps

PurpleOps is a cyber threat intelligence platform covering all threat vectors, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/06/2026

Statistical Overview

Victim Totals

• This month: 167
• This quarter: 947
• Year to date: 3565
• Last 24h: 70

Quarterly Breakdown

Ransomware victim counts for Q2 currently stand at 947, showing sustained activity after Q1's 2622 recorded incidents. The past 24 hours alone contributed 70 new victims, indicating continued operations.

Introduction

The past 24 hours saw 70 new ransomware victims added to leak sites, maintaining a consistent threat environment. The_Gentelman was the most active group, claiming 27 victims, followed by Medusa Locker with 18. Other active groups included Meduza, Sinobi, and Akira. Geographically, the United States, Japan, and India were impacted, and the Education and Automotive sectors saw significant targeting.

Ransomware Summary Table

The_Gentelman led ransomware activity in the last 24 hours, responsible for 27 new victim postings in sectors like Education and Pharmaceuticals & Biotech, focusing on Japan and India. For more details on groups such as The_Gentelman and Sinobi, refer to our daily ransomware report from January 12, 2026. Medusa Locker followed with 18 victims, mainly impacting Automotive and Education entities in Brazil and Costa Rica; more information about active groups like Medusa Locker can be found in our previous reports. Other groups included Meduza (7 victims), Sinobi (5 victims, in India and the United States), and Akira (4 victims, targeting Financial Services and Healthcare). Qilin claimed "Le maire de quiberon" (The Mayor of Quiberon) in France, showing persistent targeting of the Government/Public Sector.

Victim Distribution

Which countries were most affected by ransomware today?

• United States: 22
• Italy: 5
• United Kingdom: 4
• Canada: 4
• Taiwan: 3
• United Arab Emirates: 2
• India: 2
• France: 2
• Brazil: 2
• Australia: 2

What industries did ransomware groups target?

• Manufacturing: 5
• Education: 5
• Software Development: 4
• Pharmaceutical Manufacturing: 2
• Healthcare: 2
• Architecture, Engineering & Design: 1
• Accounting and Financial Services: 1
• Public Relations and Communications Services: 1
• Line marking and surface coating: 1
• Environmental Services: 1

The United States was the most frequently targeted nation, accounting for 22 victims. Italy, the United Kingdom, and Canada also saw activity. Manufacturing and Education were the most impacted industries, each registering 5 victims. This shows broad and diverse targeting by ransomware groups.

Ransomware News

Topline

Today's ransomware-relevant developments include significant breach disclosures, changes in attack methods by state-sponsored actors, and continued legal action against cybercriminals.

Campaigns & Operations

Rapid7 researchers reported MuddyWater disguising its intrusions as Chaos ransomware operations. They used Microsoft Teams for social engineering and deployed decoys for broader cyber-espionage. ShinyHunters reportedly breached Instructure's Canvas LMS, exfiltrating approximately 275 million student, teacher, and staff records across 8,809 affected institutions. A production halt at Foxconn's Mount Pleasant, Wisconsin facility, citing abnormal network issues, is suspected to be a cybersecurity incident consistent with an OT/ICS disruption.

Vulnerabilities & TTPs

Reports state that ransomware attacks often succeed because attackers deliberately expose, access, and destroy backups, not just due to their absence. Threat Activity Enablers (TAEs), infrastructure providers operating through shell entities, continue to sustain various ransomware and state-sponsored campaigns. Insider threats also contribute to data broker breaches, as seen with National Public Data's 2.9 billion record exposure and an IT administrator holding systems for ransom. Ransomware incidents in 2024, while fewer, saw more severe breaches with increased ransom payments. Small organizations and email/phishing were primary targets.

Analyst Note

These developments show the connection between state-sponsored and financially motivated actors, the pervasive data supply chain threat, and ongoing efforts to prosecute ransomware affiliates globally, as evidenced by the sentencing of a Latvian national involved in Conti-led operations.

Technical Takeaways

• New Groups Led Activity: The_Gentelman was the most active group in the last 24 hours with 27 victims, outnumbering other established groups.
• Education Sector Still Targeted: Education continued to be a primary target, appearing among the top sectors for victim counts (5 victims), with examples from The_Gentelman and Medusa Locker.
• Geographic Spread Across APAC and Americas: Ransomware activity showed a wide geographic spread, impacting countries like Japan, India, Brazil, and Canada, alongside persistent targeting in the United States.
• Government Sector Targeted: Qilin's targeting of "Le maire de quiberon" (Government/Public Sector, France) shows ongoing threat actor interest in public institutions.
• Backup Destruction Tactics Change: Recent intelligence shows attackers' deliberate strategies to compromise and destroy backups. This demonstrates the need for advanced data resilience.

FAQ

Which ransomware groups were most active in the past 24 hours?

The_Gentelman was the most active group, claiming 27 victims. Medusa Locker followed with 18 victims. Meduza, Sinobi, and Akira also reported activity.

What industries did ransomware groups target?

Manufacturing and Education sectors were equally impacted, each reporting 5 new victims. Other sectors with activity included Software Development, Pharmaceutical Manufacturing, and Healthcare.

Which countries experienced the highest number of ransomware attacks in the last 24 hours?

The United States recorded the highest number of new victims with 22. Italy, the United Kingdom, and Canada each reported 4 victims. This indicates a broad geographic spread of attacks.

Were any government entities targeted by ransomware today?

Yes, the Qilin ransomware group claimed "Le maire de quiberon" (The Mayor of Quiberon) in France, showing continued targeting of the Government/Public Sector.

What emerging ransomware tactics were highlighted in recent news?

Recent intelligence showed MuddyWater using Chaos ransomware as a decoy for cyber-espionage and attackers actively targeting and destroying backups to hinder recovery efforts.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/05/2026

Statistical Overview

Victim Totals

• This month: 97
• This quarter: 854
• Year to date: 3472
• Last 24h: 30

Quarterly Breakdown

Q2 activity continues to add to the year-to-date total, showing a consistent threat situation with 854 victims this quarter and 3472 year-to-date. For more on recent activity, see our latest ransomware victims report.

Introduction

In the past 24 hours, 30 new ransomware victims were reported across various leak sites. Qilin reported 8 new victims, SafePay 6, and INC_Ransom 3, leading the activity. The United States remained the primary geographic target. Financial services and professional services sectors were significantly targeted, along with retail.

Ransomware Summary Table

Qilin was the most active group, primarily targeting financial services and legal sectors across Spain and Ukraine. SafePay was also active, affecting professional services and government entities in Sweden and Japan. The United States remains a focal point for groups like INC Ransom, Akira, and Chaos, showing a diverse range of targets. Qilin notably targeted the Standard-Examiner today, as reported in recent news, which may show a possible focus on media entities. Everest Group claims regarding Liberty Mutual data also point to ongoing pressure on large insurers, though Liberty Mutual attributes this to a third-party vendor incident. For more on active groups like Qilin, SafePay, Akira, and INC_Ransom, see our daily ransomware reports.

Victim Distribution

By Country

• United States: 15
• Canada: 2
• Italy: 2
• Ukraine: 1
• Thailand: 1
• Sweden: 1
• Spain: 1
• Portugal: 1
• Mexico: 1
• Japan: 1

By Industry

• Law Firms & Legal Services: 2
• Construction: 2
• Home Improvement & Hardware Retail: 2
• Automotive: 1
• Specialty Industrial Machinery: 1
• Social Services: 1
• Religious Travel and Tourism: 1
• Real Estate: 1
• Non-Profit & Charitable Organizations: 1
• Investment Management: 1

The United States remains the predominant target, accounting for half of the reported victims in the last 24 hours. Industry distribution is fragmented, with legal services, construction, and retail showing slightly higher victim counts. This suggests opportunistic targeting across various small to medium-sized enterprises.

Ransomware News

Ransomware activity today includes new attacks, significant data leaks, critical vulnerability exploitation, and significant law enforcement action against an extortion group. Rootboy conducted a three-week assault on Standard Bank (South Africa) and Liberty, exfiltrating 1.2 TB of data and over 154 million SQL rows. In Germany, 4SELLERS, an e-commerce solutions provider, experienced a targeted ransomware attack. Champion Homes (Sydney) confirmed a cyber event linked to the DragonForce ransomware operation, resulting in a 44-gigabyte dataset published to the dark web. The Everest Group began leaking what it claims is 108 GB of Liberty Mutual data, following an alleged failure to meet demands, though Liberty Mutual attributes this to a third-party vendor incident. The Qilin ransomware group listed STANDARD-EXAMINER on its leak site after the paper reported production difficulties. Separately, the VENOMOUS#HELPER phishing campaign impacted over 80 organizations, mainly in the U.S., deploying SimpleHelp RMM via compromised domains. Law enforcement efforts saw Latvian national Deniss Zolotarjovs, a Karakurt extortion negotiator, sentenced to 8.5 years for conspiracy to commit wire fraud and money laundering, marking the first U.S. sentencing of a Karakurt member.

A critical authentication-bypass flaw, CVE-2026-41940 in cPanel/WHM/WP Squared, was weaponized within hours of disclosure, leading to botnet deployment and ransomware encrypting files with a .sorry extension. Progress Software patched critical MOVEit Automation vulnerabilities, CVE-2026-4670 (authentication bypass) and CVE-2026-5174 (privilege escalation), in MOVEit Automation. New intelligence details how infostealers act as a major initial attack vector that fuels ransomware campaigns. For more details on Qilin activity and cPanel vulnerabilities, see our report from May 3rd.

Technical Takeaways

• Broadened Initial Access: The VENOMOUS#HELPER phishing campaign's use of dual-channel RMM tools (SimpleHelp and ScreenConnect) shows complex initial access broker tactics designed for redundancy and evasion.
• Rapid CVE Exploitation: The immediate weaponization of CVE-2026-41940 in cPanel/WHM/WP Squared within hours of disclosure shows the urgency for patch deployment, especially for critical authentication bypass flaws.
• Infostealer Nexus: New intelligence confirms infostealers as a significant initial attack vector for ransomware, showing the importance of credential intelligence in preventing attacks.
• Diverse Sector Targeting by Top Groups: Qilin and SafePay showed broad targeting across financial services, legal, professional services, and government sectors, which shows a non-discriminatory approach to victim selection.
• Third-Party Risk: Multiple incidents, including the alleged Liberty Mutual data leak linked to a third-party vendor, emphasize the challenge of managing supply chain risk for organizations.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

Qilin was the most active group with 8 new victims, followed by SafePay with 6 victims, and INC_Ransom with 3 victims. Akira and Chaos each reported 2 new victims.

Q: What geographic regions experienced the most ransomware attacks today?

The United States was the most targeted country, accounting for 15 of the 30 new victims. Canada, Italy, Ukraine, Thailand, Sweden, Spain, Portugal, Mexico, and Japan each saw 1 to 2 reported incidents.

Q: Which industries were most frequently targeted by ransomware in this period?

Industry targeting was diverse, with Law Firms & Legal Services, Construction, and Home Improvement & Hardware Retail each reporting 2 victims. Other industries such as Automotive, Financial Services, and Non-Profit Organizations also experienced attacks.

Q: Were any new critical vulnerabilities exploited by ransomware operators today?

Yes, the critical authentication-bypass flaw CVE-2026-41940 in cPanel/WHM/WP Squared was weaponized within hours of its disclosure, leading to ransomware deployments. Progress Software also patched critical authentication bypass (CVE-2026-4670) and privilege escalation (CVE-2026-5174) vulnerabilities in MOVEit Automation.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/04/2026

Statistical Overview

Victim Totals

• This month: 67
• This quarter: 824
• Year to date: 3442
• Last 24h: 7

Quarterly Breakdown

Q1: 2622 | Q2: 824 | Q3: 0 | Q4: 0

The daily victim count of 7 indicates a steady pace, contributing to a solid Q2 total that, while currently lower than Q1, suggests consistent ransomware pressure across diverse sectors.

Introduction

In the last 24 hours, seven new ransomware victims have been observed, continuing a consistent operational tempo for threat actors. Key groups such as Lamashtu, DragonForce, INC Ransom, Interlock, and Qilin accounted for the majority of these incidents. The primary affected sectors included Hospitality & Travel, Financial Services, Pharmaceuticals & Biotech, and government infrastructure.

Ransomware Summary Table

The past 24 hours show Lamashtu leading with two new victims across Egypt and the UAE, primarily targeting Hospitality & Travel and Pharmaceuticals & Biotech. Other active groups, including DragonForce, INC Ransom, Interlock, Qilin, and Space Bears, each claimed one victim, contributing to diverse attacks. Qilin's targeting of the City of Sandstone in the United States represents a focus on the government/public sector, a high-value target category due to its critical services and sensitive data, similar to recent activities as detailed in our ransomware threat activity updates.

Victim Distribution

By Country

• United States: 3
• Egypt: 1
• The Bahamas: 1
• United Arab Emirates: 1
• United Kingdom: 1

By Industry

• Pharmaceuticals and Cosmetics: 1
• Construction and Technology: 1
• Hospitality: 1
• Financial Services: 1
• Government: 1
• Pharmaceuticals: 1
• Transportation/Trucking/Railroad: 1

The distribution shows a primary focus on the United States and diversified international targeting. Ransomware groups use a broad opportunistic approach across varied industries rather than concentrating heavily on a single sector.

Ransomware News

The threat environment is dynamic, marked by new ransomware operations and the exploitation of critical vulnerabilities. This week saw World Leaks, a rebrand of Hunters International focusing on data theft, claim a breach of Hungarian media firm Mediaworks, publishing approximately 8.5 terabytes of stolen files with potential geopolitical implications. Separately, the Kairos ransomware gang exfiltrated 574GB of sensitive data, including customer PII and passport details, from Australian fine jewellery retailer Gregory Jewellers. The VECT 2.0 Ransomware-as-a-Service operation has been identified as a data-wiper targeting Windows, Linux, and ESXi environments, rendering data irrecoverable even upon ransom payment due to inherent cryptographic flaws. Insider threats continue to be a concern, with a 2020 plot against Tesla networks, involving a $1 million offer to an employee to plant malware, successfully thwarted through rapid reporting and FBI collaboration.

Technical developments include the rapid weaponization of a critical cPanel/WHM vulnerability, CVE-2026-41940, enabling authentication bypass and remote control. Threat actors quickly exploited this flaw to target government and military domains in Southeast Asia, as well as MSPs and hosting providers, using publicly available Proof-of-Concepts and deploying Mirai botnet variants and the Sorry ransomware. The Linux privilege escalation vulnerability CVE-2026-31431 (Copy Fail) and a GitHub remote code execution flaw CVE-2026-3854 have emerged as significant exposures. The ongoing proliferation of AI-powered phishing campaigns, exemplified by kits like Bluekit, continues to enhance social engineering tactics, while TeamPCP-led supply-chain compromises are distributing malware through developer tools.

These incidents collectively show a persistent blend of advanced social engineering, critical vulnerability exploitation, specialized data exfiltration, and other tactics driving current ransomware operations. This situation requires strong threat intelligence and proactive defense strategies, a topic frequently covered in our new ransomware victims reports.

Technical Takeaways

• Data-Wiping Ransomware: The analysis of VECT 2.0 shows a dangerous trend of ransomware variants designed to irrevocably destroy data, negating any recovery prospects even if a ransom is paid.
• Rapid Weaponization of Critical Vulnerabilities: The cPanel/WHM vulnerability (CVE-2026-41940) was rapidly exploited by multiple actors, including ransomware groups like Sorry, to target government entities and MSPs within 24 hours of disclosure.
• Persistent Targeting of Government and Critical Sectors: Groups like Qilin continue to target public sector institutions, as seen with the City of Sandstone incident. Broader exploitation campaigns also target government and military domains in Southeast Asia. For more context on such targeting, refer to our previous analysis on Qilin ransomware and cPanel exploitation.
• Initial Access Tactics: AI-powered phishing campaigns and supply-chain compromises via developer tools by actors like TeamPCP show a shift towards more sophisticated and scalable initial access vectors.
• Insider Threat: The thwarted Tesla plot demonstrates the persistent risk of insider threats. Employee vigilance and reporting mechanisms are important in preventing ransomware attacks.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

Lamashtu was the most active group, observed with two new victims. Other groups, including DragonForce, INC Ransom, Interlock, Qilin, and Space Bears, each claimed one victim during this period.

Q: What industries did ransomware actors primarily target today?

Today's targeting was diverse, with significant incidents observed in Hospitality & Travel, Pharmaceuticals & Biotech, Financial Services, Professional Services, Transportation & Logistics, and the Government/Public Sector.

Q: Were any government entities targeted by ransomware today?

Yes, the City of Sandstone in the United States was targeted by the Qilin ransomware group. The cPanel/WHM vulnerability (CVE-2026-41940) was also rapidly weaponized against government and military domains in Southeast Asia.

Q: What critical vulnerabilities are currently being exploited by ransomware operators?

A critical vulnerability in cPanel/WHM, CVE-2026-41940, enabling authentication bypass and remote control, is currently being weaponized by threat actors, including those deploying the Sorry ransomware. Other vulnerabilities include Linux exploit CVE-2026-31431 and GitHub RCE CVE-2026-3854.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/03/2026

Statistical Overview

Victim Totals

• This month: 60
• This quarter: 817
• Year to date: 3435
• Last 24h: 13

Quarterly Breakdown

Ransomware activity continues with 13 new victims in the last 24 hours, bringing the total to 60 victims this month. Q2 figures currently trail Q1's high volume, but sustained daily operations show threat actors continue pressure across various sectors, as detailed in our Breach Detection Report for May 3rd.

Introduction

In the past 24 hours, ransomware activity saw 13 new victims posted to leak sites. The Qilin group was active, accounting for six of these incidents, followed by M3RXDLS and SLSH. Targeting primarily concentrated on the United States, with Canada and Germany also affected. The technology and financial technology sectors bore the brunt of these attacks, alongside other industries.

Ransomware Summary Table

Today's activity was led by Qilin, responsible for nearly half of all reported incidents. Previous analyses, such as our Ransomware Threat Activity Update on May 1st, show Qilin continues to target broadly across North America. M3RXDLS also showed activity, impacting technology and construction firms, aligning with previous observations detailed in our M3RXDLS Ransomware Threat Activity report from April 26th. The Everest group attacked Fiserv, a major financial technology corporation in the United States, an incident that shows persistent pressure on critical financial infrastructure.

Victim Distribution

By Country

• United States: 10
• Canada: 2
• Germany: 1

By Industry

• Construction: 1
• Quantum Computing: 1
• Information Technology: 1
• Architectural Signage Design and Fabrication: 1
• Educational Technology: 1
• Financial Technology: 1
• Healthcare: 1
• HVAC Services: 1
• Manufacturing - Custom Machinery: 1
• Newspaper Publishing: 1

The United States remains the primary target, accounting for most of today's ransomware victims. While a range of industries were impacted, the concentration of attacks within various technology sub-sectors (Information Technology, Educational Technology, Financial Technology, Quantum Computing) shows these entities hold continued high value for ransomware operators.

Ransomware News

Topline

A critical cPanel/WHM authentication bypass vulnerability, CVE-2026-41940, has been under mass exploitation in the wild, leading to widespread "Sorry" ransomware attacks.

Campaigns & Operations

The "Sorry" ransomware campaign has actively used a critical cPanel/WHM flaw, CVE-2026-41940, for mass exploitation since February. Attackers breached servers and deployed a Go-based Linux encryptor, appending the .sorry extension to encrypted files. Victims are directed to a Tox-based chat for negotiation, with Shadowserver identifying approximately 44,000 affected IP addresses.

Vulnerabilities & TTPs

The campaign exploits CVE-2026-41940, an authentication bypass vulnerability within cPanel/WHM. This involves gaining initial access through a critical software flaw to facilitate subsequent encryption and extortion.

Analyst Note

This incident shows a persistent threat actor strategy involving the mass exploitation of critical vulnerabilities in widely adopted enterprise software for initial access.

Technical Takeaways

• Qilin continues to be a very active ransomware group, diversifying its targeting across sectors like Media & Entertainment and Technology/Software in North America.
• The exploitation of CVE-2026-41940 in cPanel/WHM by the "Sorry" ransomware campaign shows a focus on mass exploitation of critical, widely used software for initial access.
• The targeting of Fiserv by Everest shows ongoing threats specifically directed at the financial technology sector, which handles sensitive data and critical infrastructure.
• Technology-related industries, broadly defined, consistently remain the most frequent targets, showing their perceived value and potential vulnerability.
• Activity includes both very active, established groups (Qilin) and emerging or less frequently observed groups (M3RXDLS, SLSH), which shows dynamic threat actor activity.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

The Qilin ransomware group was the most active in the past 24 hours, publicly claiming six new victims. Following Qilin, M3RXDLS announced three new victims, and SLSH listed two.

Q: What industries were most affected by ransomware today?

The technology sector, encompassing information technology, educational technology, financial technology, and quantum computing, was most affected today. Other affected industries included construction, healthcare, real estate, and manufacturing.

Q: What countries saw the highest ransomware victim count on 05/03/2026?

The United States recorded the highest number of ransomware victims in the last 24 hours, with 10 incidents. Canada followed with two victims, and Germany reported one.

Q: Was any new vulnerability exploited by ransomware in the last 24 hours?

Yes, a critical cPanel/WHM authentication bypass flaw, identified as CVE-2026-41940, has been mass-exploited by the "Sorry" ransomware group since February. This vulnerability allowed attackers to breach servers and deploy their Linux encryptor.

Q: Were there any high-profile ransomware victims today?

Yes, Fiserv, a major financial technology provider in the United States, was listed as a victim by the Everest ransomware group. This is a high-value target due to its critical role in financial infrastructure.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 05/02/2026

Statistical Overview

Victim Totals

• This month: 47
• This quarter: 804
• Year to date: 3422
• Last 24h: 35

Quarterly Breakdown

Q1: 2622 | Q2: 804 | Q3: 0 | Q4: 0

Ransomware activity in Q2, while lower than the peak of Q1, continues to add to the year-to-date victim count. The past 24 hours observed an increase, with 35 new victims reported.

Introduction

The past 24 hours saw a rise in ransomware activity, with 35 new victims added to public leak sites. The Fulcrum group was very active, responsible for most incidents, while CMD and Everest also attacked several targets. Geographically, the United States, United Kingdom, and Germany experienced the highest concentration of targeting. Financial Services, Healthcare, and Construction & Engineering sectors were most affected by attacks. For more information on recent trends, refer to our recent general ransomware activity update.

Ransomware Summary Table

Today's ransomware activity saw Fulcrum as the primary actor, which posted 22 new victims across diverse geographies including Japan and India, primarily affecting Financial Services and Transportation & Logistics. Other groups like CMD and Everest targeted businesses in the United States, United Kingdom, and Canada, focused on Pharmaceuticals & Biotech, Construction & Engineering, and Financial Services. Our ongoing analysis, including previous reports on new ransomware victims and relevant industries, shows these key sectors remain under attack.

Notable targeting observed today includes Energyaction.com.au by SafePay, an attack on the Energy & Utilities sector in Australia, and Bomuhospital.org by Krybit, affecting the Healthcare sector in Kenya. The Everest group, which we have previously detailed in our reports on active ransomware groups, continues to target key financial service providers.

Victim Distribution

By Country

• United States: 15
• United Kingdom: 5
• Germany: 3
• Canada: 3
• Australia: 2
• None: 1
• Kenya: 1
• Japan: 1
• India: 1
• Denmark: 1

By Industry

• Software Development: 4
• Financial Services: 4
• Healthcare: 3
• Construction: 2
• Military and Government Procurement: 1
• Mining and Technology: 1
• Legal and Business Services: 1
• Landscape Architecture and Urban Design: 1
• Information and Analytics: 1
• Healthcare Technology: 1

The United States remains the primary target, with nearly half of the reported victims. However, the geographic spread across 10 countries shows ransomware operators use a broad, indiscriminate approach, with Financial Services and Healthcare consistently affected.

Ransomware News

Topline

Significant legal action against ransomware affiliates and ongoing operational disruptions from attacks show that the ransomware threat is persistent and evolving.

Campaigns & Operations

Two U.S. cybersecurity professionals, Ryan Goldberg and Kevin Martin, were sentenced to four years in prison for acting as affiliates for the ALPHV/BlackCat ransomware group in 2023. They used their incident response and negotiation skills in a ransomware-as-a-service model, extorting over 1,000 victims globally, taking a 20% developer cut and leaking patient data. Separately, Columbia Surgical Partners in Tennessee reported inaccessible electronic health records following a ransomware incident at its parent company, Advanced Diagnostic Imaging (ADI), which disrupted access to patient charts and surgical schedules across multiple offices.

Vulnerabilities & TTPs

While specific CVEs were not reported, the ALPHV affiliate case shows the insider threat vector and the abuse of legitimate cybersecurity expertise for ransomware operations. Frontier AI models like Mythos could give attackers faster, more capable extortion methods, possibly increasing average ransom payments. This requires strong defensive strategies such as real-time microsegmentation and continuous asset visibility.

Analyst Note

These events demonstrate two challenges: sophisticated human actors in ransomware operations and the emerging threat of AI orchestrating attacks. Both contribute to the persistent risk for critical sectors.

Technical Takeaways

• Fulcrum was the most active ransomware group in the past 24 hours, responsible for 22 out of 35 reported victims.
• The United States had the highest number of ransomware victims (15), followed by the United Kingdom (5) and Canada (3).
• Financial Services and Software Development were the most targeted industries, each with 4 reported victims.
• Critical infrastructure and healthcare entities, such as Energyaction.com.au (Energy & Utilities) and Bomuhospital.org (Healthcare), were among the high-value targets.
• Several different ransomware groups, with nine distinct entities claiming victims, shows a fragmented but active threat environment.

FAQ

Q: Which ransomware groups were most active on May 2, 2026?

The Fulcrum ransomware group was the most active, responsible for 22 new victims in the last 24 hours. CMD and Everest were also active, each reporting 3 new victims.

Q: What industries did ransomware groups primarily target today?

Ransomware groups primarily targeted the Software Development and Financial Services industries, each had 4 new reported victims. Healthcare also had 3 new victims.

Q: Which countries experienced the most ransomware attacks in the last 24 hours?

The United States had the highest number of ransomware attacks with 15 victims in the last 24 hours. The United Kingdom followed with 5 victims, and Canada and Germany each reported 3 victims.

Q: Were there any notable high-value ransomware victims reported today?

Yes, high-value victims include Energyaction.com.au in Australia, which affected the Energy & Utilities sector, and Bomuhospital.org in Kenya, which affected the Healthcare sector. This shows continued targeting of critical infrastructure and services.

Q: What is the current cumulative ransomware victim count for the quarter?

As of May 2, 2026, the cumulative ransomware victim count for this quarter is 804. The year-to-date total is 3422 victims, showing ongoing high levels of ransomware activity.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

- Ransomware Tracking

- Dark Web Monitoring

- Credential Intelligence

- Supply Chain Risk

- All Solutions

Ransomware Report - 05/01/2026

Statistical Overview

Victim Totals

• This month: 12
• This quarter: 769
• Year to date: 3388
• Last 24h: 20

Quarterly Breakdown

Ransomware activity continues at a consistent pace in Q2, with 769 victims reported this quarter. While Q1 saw a higher overall volume, the current daily rate suggests a sustained threat level as the second quarter progresses.

Introduction

Over the past 24 hours, PurpleOps observed 20 new ransomware victims. The most active groups included Qilin with 7 new targets, LockBit with 4, and World_Leaks affecting 3 organizations. Attacks were geographically concentrated in the United States, with targets in the Construction, Financial Services, and Technology sectors.

Ransomware Summary Table

Today's activity shows Qilin was the most active group, claiming seven new victims primarily in the United States, with a focus on sectors like Media & Entertainment and Agriculture & Food. LockBit maintains a presence with four new victims across Turkey and Spain, impacting Construction and Technology. World_Leaks continues to target organizations like Ceywater consultants and Peyton law firm, affecting Telecommunications and Construction firms in the U.S. and Sri Lanka. For more information on active ransomware groups, see our recent report on active ransomware groups.

Victim Distribution

By Country

• United States: 13
• Spain: 2
• Canada: 1
• Turkey: 1
• Thailand: 1
• Sri Lanka: 1
• None: 1

By Industry

• Construction: 2
• Education Technology: 1
• Telecommunications: 1
• Media & Entertainment: 1
• Law Practice: 1
• Insurance: 1
• Healthcare Services: 1
• Health Insurance: 1
• Golf Courses and Country Clubs: 1
• Food & Beverage: 1

The United States remains the primary target geography, accounting for 65% of new victims in the last 24 hours. Industry targeting is diverse, with Construction appearing twice, and other sectors like Education Technology, Financial Services, and Healthcare each seeing single instances. This indicates a broad, opportunistic approach by ransomware operators rather than a narrow sector focus.

Ransomware News

Topline

Recent developments show the complexity of ransomware threats, from legal consequences for affiliates to evolving attack methods and their societal impacts.

Campaigns & Operations

Two former cybersecurity incident responders received four-year prison sentences for their involvement as BlackCat/ALPHV affiliates, conspiring to obstruct commerce by extortion. Meanwhile, the M3rx ransomware group listed Prime Properties, a Sydney-based consultancy, as a victim, claiming exfiltrated data. Cybercriminals also leaked data from a ransomware attack against Winona County, Wisconsin, which disrupted vital statistics and DMV systems. The FBI reported on a rising cargo-theft model where attackers breach freight systems to impersonate companies, post fraudulent loads, and hijack valuable cargo, sometimes demanding ransom for shipments. Reports indicate a surge in hospital ransomware attacks, with a University of Minnesota study linking such incidents to at least 47 patient deaths from 2016-2021 due to care delays.

Vulnerabilities & TTPs

The M3rx ransomware variant employs a PE32+ x64 Go binary with an embedded configuration, utilizing X25519 key exchange and AES-CTR for encryption. The FBI advisory on cargo theft outlines a method: attackers use compromised carrier accounts to spoof brokers, alter details with authorities, and hijack shipments.

Analyst Note

These incidents reflect a persistent threat environment, marked by sophisticated criminal collaboration, new groups, and attack methods that impact critical supply chains and essential services.

Technical Takeaways

• Qilin was highly active, accounting for 35% of new victims in the past 24 hours. More on recent victim trends can be found in our new ransomware victims report from April 30th.
• The United States continues to be the predominant target, with 13 of 20 victims located within the country.
• Industry targeting remains opportunistic, with Construction, Financial Services, Technology, and Healthcare sectors each experiencing multiple incidents.
• The M3rx ransomware variant utilizes a PE32+ x64 Go binary for its operations, employing specific cryptographic methods.
• Recent intelligence shows criminal TTPs have evolved to include cargo hijacking for ransom, as well as legal actions against ransomware affiliates.

FAQ

Q: Which ransomware groups were most active in the past 24 hours?

Qilin was the most active ransomware group, claiming 7 new victims. LockBit followed with 4 new victims, and World Leaks reported 3 new targets. These groups collectively accounted for over 70% of today's observed activity. For broader Q2 trends, refer to our Q2 ransomware activity report.

Q: What countries were most affected by ransomware attacks today?

The United States was the most targeted country, experiencing 13 of the 20 new ransomware attacks. Other affected countries included Spain (2 victims), and single instances in Canada, Turkey, Thailand, and Sri Lanka.

Q: Which industries were predominantly targeted by ransomware operators today?

While targeting was diverse, the Construction industry saw two new victims. Other sectors experiencing single attacks included Education Technology, Telecommunications, Media & Entertainment, Financial Services, Healthcare, and Insurance, indicating a broad scope of targeting.

Q: Were there any ransomware news developments or new TTPs reported today?

Yes, news includes the sentencing of two former cybersecurity incident responders for their involvement as BlackCat/ALPHV affiliates. The FBI also reported on a rising trend of cargo-theft where attackers hijack shipments and demand ransom, and the M3rx group was observed using a PE32+ x64 Go binary for encryption.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/30/2026

Statistical Overview

Victim Totals

• This month: 750
• This quarter: 750
• Year to date: 3369
• Last 24h: 32

Quarterly Breakdown

Q1: 2622 | Q2: 750 | Q3: 0 | Q4: 0

The first month of Q2 has seen 750 reported ransomware victims, indicating a significant pace of activity that could exceed Q1's total if current trends persist.

Introduction

In the last 24 hours, PurpleOps observed 32 new ransomware victims. Qilin was responsible for seven reported incidents, followed by The_Gentelman with five. Financial Services and Manufacturing were the main sectors impacted, and the United States registered the highest number of new attacks.

Ransomware Summary Table

Qilin continues to show activity, targeting sectors like pharmaceuticals and financial services across multiple geographies including the Philippines and Colombia. The_Gentelman also remained active, impacting financial services and retail in Sweden and Turkey. For more information on the groups operating this month, refer to our latest ransomware groups report for April 29 and a proactive threat update on Qilin. A broader view on Q2 trends can be found in our active ransomware groups Q2 report.

Victim Distribution

By Country

• United States: 16
• Italy: 3
• Zambia: 1
• Belgium: 1
• Turkey: 1
• Sweden: 1
• Poland: 1
• Philippines: 1
• Peru: 1
• Papua New Guinea: 1

By Industry

• Financial Services: 3
• Manufacturing: 3
• Real Estate: 2
• Retail: 2
• Advertising Services: 1
• Insurance: 1
• Spring and Wire Product Manufacturing: 1
• Pediatric Dentistry: 1
• Non-profit Organizations: 1
• Legal Services: 1

The United States remains the primary target for ransomware operators, accounting for half of all reported victims in the last 24 hours. Financial Services and Manufacturing continue to be consistently targeted across various regions.

Ransomware News

Topline

The past 24 hours saw several critical ransomware incidents affecting public services, educational institutions, and industrial technology firms, and a regional threat analysis showed significant increases in ransomware activity.

Campaigns & Operations

Taiwanese firm Syntec Technology Co., Ltd. disclosed a ransomware attack around April 29, 2026, which triggered immediate incident response measures, with preliminary assessments indicating no material impact on operations or confidential data leakage. Concurrently, Austria's B3-Schulzentrum in Bruck an der Mur experienced a cyberattack on April 29, 2026, where attackers demanded ransom and claimed exfiltration of sensitive student data, prompting containment and recovery efforts. In the United States, Adams County, Mississippi, offices were disrupted for over a week by a ransomware attack, traced to a Windows 7 PC in its sanitation department, leading to significant IT infrastructure overhaul costs.

Vulnerabilities & TTPs

The Adams County incident shows the risk posed by legacy operating systems like Windows 7 as initial access vectors. Separately, an analysis of the Australia and New Zealand ICS threat environment for Q4 2025 indicated a 1.6x increase in ransomware, primarily driven by internet-origin threats and coinciding with phishing campaigns that increased worm and spyware activity in operational technology environments.

Analyst Note

These incidents show the persistent threat to diverse sectors, including critical public services and education, and the ongoing challenge from outdated systems and prevalent phishing tactics.

Technical Takeaways

• Qilin ransomware group continues activity, impacting Pharmaceuticals & Biotech and Financial Services across multiple countries.
• Financial Services and Manufacturing sectors are consistently high-value targets for various ransomware groups, including The_Gentelman and PayoutsKing.
• The United States remains the most targeted region, accounting for 50% of new victims in the past 24 hours.
• Observed incidents confirm the use of legacy operating systems, such as Windows 7, as initial compromise vectors in public sector attacks.
• Regional threat reports indicate a sustained increase in internet-origin ransomware attacks, often linked to phishing campaigns, affecting industrial control systems.

FAQ

Q: Which ransomware groups were most active on April 30, 2026?

Qilin was the most active ransomware group on April 30, 2026, with seven reported victims. Following Qilin, The_Gentelman claimed five victims, and PayoutsKing was responsible for three, making them the top three most active groups observed today.

Q: What industries were most targeted by ransomware on April 30, 2026?

Financial Services and Manufacturing were the most targeted industries on April 30, 2026, each experiencing three new ransomware incidents. Other affected sectors included Real Estate, Retail, Professional Services, and Pharmaceuticals & Biotech.

Q: Which country experienced the highest number of ransomware victims in the last 24 hours?

The United States reported the highest number of ransomware victims in the last 24 hours, with 16 new incidents. This accounts for half of all reported victims, indicating a significant focus by ransomware operators on U.S. entities.

Q: Were there any notable attacks on government or critical infrastructure today?

Yes, Adams County, Mississippi, experienced a ransomware attack that disrupted county offices for over a week, leading to a significant IT overhaul. Additionally, the B3 School Center in Austria suffered a cyberattack with ransom demands and claims of student data exfiltration.

Q: What are the latest ransomware activity trends in Australia and New Zealand?

According to a Q4 2025 report, Australia and New Zealand's ICS threat environment saw a 1.6x increase in ransomware activity. These attacks were primarily internet-origin driven and coincided with phishing campaigns that increased worm and spyware presence in OT environments, with New Zealand leading in ransomware detections.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/29/2026

Statistical Overview

Victim Totals

• This month: 718
• This quarter: 718
• Year to date: 3337
• Last 24h: 23

Quarterly Breakdown

Q1: 2622 | Q2: 718 | Q3: 0 | Q4: 0

Ransomware activity continues into Q2, with 718 victims recorded this quarter after 2622 in Q1. This shows organizations globally face ongoing attacks.

Introduction

In the past 24 hours, 23 new ransomware victims appeared on leak sites. Aur0ra and Qilin were the most active groups, each claiming six targets. Other groups included INC_Ransom, M3RXDLS, and Blackwater. The United States remained the primary geographic target, and sectors like Transportation & Logistics, Education, and Government saw activity.

Ransomware Summary Table

Aur0ra and Qilin were most active today, each claiming six victims across various sectors and regions. Aur0ra focused on Transportation & Logistics and Legal firms in the United States and Australia. Qilin affected Education and Construction & Engineering in the United Kingdom and United States. Everest targeted Indonesia's customs analytics platform, showing ongoing attacks on public-sector infrastructure. For more on Qilin's recent activities, see our ransomware threat activity update.

Victim Distribution

By Country

• United States: 13
• Australia: 2
• United Kingdom: 2
• Taiwan: 1
• Maldives: 1
• Indonesia: 1
• India: 1
• Hungary: 1
• China: 1

By Industry

• Information Technology and Services: 2
• Clinical Toxicology and Molecular Diagnostics: 1
• Warehousing: 1
• Third-Party Logistics (3PL): 1
• Property Management: 1
• Oil and Gas: 1
• Legal Services: 1
• Law Firms & Legal Services: 1
• Healthcare: 1
• Government: 1

The United States was hit hardest by ransomware attacks today, accounting for over half of all new victims and showing continued targeting of North American entities. Many industries were affected, but no single sector dominated beyond IT and Legal services.

Ransomware News

Topline

Today's ransomware intelligence showed new groups appearing, critical vulnerabilities exploited, operational details of existing threats, and internal conflicts within the ransomware environment.

Campaigns & Operations

The new Vect ransomware-as-a-service (RaaS) operation uses a mature affiliate network, providing a Builder for custom encryptors across Windows, Linux, and ESXi, and is linked to TeamPCP. Meanwhile, Gelatissimo, Australia's largest gelato retailer, confirmed unauthorized network access after claims from the DragonForce ransomware group, which claims to have stolen 352.24 GB of data. Also, the M3RX ransomware group has appeared, and ShinyHunters claimed a data leak from a US interactive media company. A feud between ransomware groups 0APT and KryBit led to both leaking each other's operational data, including admin panels and access logs, offering insight into their infrastructure. Specific incidents included a ransomware attack on Pricon Microelectronics, Inc. (Philippines) affecting servers on April 22, 2026, and a confirmed encryption event at Mam Create Co., Ltd. (Japan) on April 7, 2024. For more information into M3RXDLS, review our threat activity report from April.

Vulnerabilities & TTPs

CISA added two actively exploited flaws to its Known Exploited Vulnerabilities catalog: CVE-2024-1708, a high-severity path traversal in ConnectWise ScreenConnect enabling remote code execution, and CVE-2026-32202, a Windows Shell protection mechanism failure that could allow network spoofing. Exploitation of CVE-2024-1708/1709 has been linked to Medusa ransomware campaigns. Separately, Check Point's analysis revealed that Vect 2.0 ransomware, despite its intent, acts as a data wiper for large files due to a design error, making three-quarters of encrypted data unrecoverable across Windows, Linux, and VMware ESXi environments.

Analyst Note

This activity shows the changing nature of ransomware, with RaaS offerings becoming more professional, critical vulnerabilities quickly exploited, and unexpected tactical information emerging from inter-group conflicts.

Technical Takeaways

• Dominant Groups: Aur0ra and Qilin accounted for over 50% of new ransomware victims in the last 24 hours, showing their high activity level.
• Government Targeting: Everest specifically targeted Indonesia's customs analytics platform, showing continued attacks on public sector and critical government infrastructure.
• Wiper Functionality: Vect 2.0 ransomware has been identified as acting as an accidental wiper for large files due to a design flaw, making most encrypted data unrecoverable.
• Key Vulnerability Exploitation: CISA added CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-32202 (Windows Shell) to its KEV catalog. CVE-2024-1708 is noted for active exploitation in Medusa ransomware campaigns.
• Internal Group Dynamics: The public feud between 0APT and KryBit, involving data leaks of each other's infrastructure, offers insights into ransomware operational practices and affiliate models.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

Aur0ra and Qilin were the most active ransomware groups, each claiming six new victims. Other groups like INC_Ransom, M3RXDLS, and Blackwater also recorded activity.

Q: Which industries were most targeted by ransomware today?

The primary industries targeted today were Transportation & Logistics, Education, and Construction & Engineering, based on the victim profiles of the most active ransomware groups.

Q: What geographic regions experienced the most ransomware attacks on April 29, 2026?

The United States was the most targeted geographic region, with 13 new victims. Australia and the United Kingdom followed, each recording two new victims.

Q: Were any new critical vulnerabilities (CVEs) added to CISA's KEV catalog today with ransomware relevance?

Yes, CISA added CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-32202 (Windows Shell) to its Known Exploited Vulnerabilities catalog. Exploitation of CVE-2024-1708 has been tied to Medusa ransomware operations.

Q: What is notable about the Vect 2.0 ransomware observed today?

Vect 2.0 ransomware has been identified as acting as a data wiper for large files. A design flaw causes the loss of most encryption nonces, making approximately three-quarters of each large file unrecoverable even if a ransom were paid.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/28/2026

Statistical Overview

Victim Totals

• This month: 695
• This quarter: 695
• Year to date: 3315
• Last 24h: 21

Quarterly Breakdown

Q1: 2622 | Q2: 695 | Q3: 0 | Q4: 0

Ransomware activity in Q2 shows a sustained pace, with 695 victims already recorded. While Q1 saw a higher volume, the current quarter's figures indicate persistent threat actor operations, a trend PurpleOps continues to track in its active ransomware groups Q2 report.

Introduction

In the last 24 hours, PurpleOps has identified 21 new ransomware victims, indicating continued pressure on various sectors globally. World_Leaks was the most active group, accounting for four new incidents, followed by INC_Ransom, LeakedData, LockBit, and MNT6, each with two reported victims. This activity aligns with observations from our daily ransomware reports which have previously detailed groups like INC_Ransom. This activity spans diverse industries and geographies, with a concentration in the United States.

Ransomware Summary Table

The summary table reveals World_Leaks as the top actor, primarily targeting Technology/Software and Manufacturing in Brazil and the United States. INC_Ransom, LeakedData, LockBit, and MNT6 maintained consistent activity, impacting sectors such as Legal, Manufacturing, Construction & Engineering, Healthcare, and Transportation & Logistics across the United States, Canada, New Zealand, and Spain. For more insights into LockBit's operations and broader Q2 trends, refer to our latest ransomware threat activity report. No government, military, or critical infrastructure entities were explicitly listed as new victims from these groups in the past 24 hours' data.

Victim Distribution

By Country

• United States: 10
• Italy: 2
• Sweden: 1
• Austria: 1
• Spain: 1
• New Zealand: 1
• Mexico: 1
• Indonesia: 1
• Ghana: 1
• Canada: 1

By Industry

• Legal Services: 2
• None: 1
• Software & Services: 1
• Senior Care Services: 1
• Real Estate: 1
• Mental Health Services: 1
• Law Practice: 1
• Industrial Marking Equipment: 1
• Artificial Intelligence: 1
• Architecture and Planning: 1

The United States continues to bear the brunt of ransomware attacks, accounting for nearly half of the new victims. While Legal Services saw the most explicit targeting, the overall distribution across industries remains highly diversified, reflecting opportunistic or broad-scope targeting by various groups.

Ransomware News

Topline

The past 24 hours saw significant developments, including an arrest linked to the Scattered Spider group, new ransomware incidents impacting public and private sectors, and technical insights into a destructive wiper masquerading as ransomware.

Campaigns & Operations

U.S. authorities reportedly charged a 19-year-old, known as Bouquet, tied to the Scattered Spider group following his arrest in Finland for wire fraud and computer intrusion related to multiple high-profile extortions, including Caesars and MGM Resorts. The DragonForce group claimed a 352.24 GB data theft from Australian ice-cream franchise Gelatissimo, while ShinyHunters alleged a breach of medical device maker Medtronic, claiming 9 million records. Kent District Library in Michigan reported a ransomware incident leading to branch closures and system lockdowns.

Vulnerabilities & TTPs

Check Point researchers described VECT 2.0, a "ransomware" variant that functions as a data wiper due to flawed ChaCha20-IETF encryption, irreversibly destroying files over 131KB across Windows, Linux, and ESXi. This operation features an affiliate program and anti-analysis checks. A Q4 2025 report on European industrial automation systems described sharp regional divergences in threat exposure, with Southern Europe facing high rates of targeted OT attacks via email and phishing, including ransomware growth in Greece.

Analyst Note

Ransomware continues to change, from destructive wiper functions to persistent social engineering tactics. The attack surface also varies widely, from enterprise IT to operational technology.

Technical Takeaways

1. World_Leaks continues its high operational tempo, focusing on Technology/Software and Manufacturing.
2. The reported VECT 2.0 operation shows the emergence of data wipers disguised as ransomware, complicating incident response with irreversible data destruction.
3. Geographic targeting remains broad, with the United States as a primary target, but significant activity observed across Europe, Canada, and New Zealand.
4. Scattered Spider's continued reliance on social engineering and MFA bombing for credential harvesting remains a pervasive TTP for high-value extortion.
5. The healthcare and legal sectors show persistent vulnerability, as evidenced by LockBit's targeting of healthcare and LeakedData/CL0P impacting legal services.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

A: In the past 24 hours, World_Leaks was the most active ransomware group, claiming four new victims. Following them were INC_Ransom, LeakedData, LockBit, and MNT6, each responsible for two newly reported incidents.

Q: What industries were most targeted by ransomware today?

A: Legal Services saw the highest explicit concentration of new victims with two reported incidents. However, the overall targeting was highly diversified, affecting Manufacturing, Technology/Software, Healthcare, Construction & Engineering, and Media & Entertainment.

Q: What geographic regions experienced the most ransomware attacks today?

A: The United States was the most targeted country, accounting for 10 out of the 21 new victims. Other affected regions included Italy, Sweden, Austria, Spain, New Zealand, Mexico, Indonesia, Ghana, and Canada, each reporting 1-2 incidents.

Q: Are there any new ransomware variants or important TTPs observed?

A: Yes, the VECT 2.0 "ransomware" was identified as functioning as a data wiper across Windows, Linux, and ESXi systems due to flawed encryption, rendering data irrecoverable. The arrest linked to Scattered Spider showed their continued reliance on social engineering and MFA bombing.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/27/2026

Statistical Overview

Victim Totals

• This month: 674
• This quarter: 674
• Year to date: 3294
• Last 24h: 62

Quarterly Breakdown

Ransomware activity continues into Q2 at a steady pace, with 62 new victims recorded in the last 24 hours. The current quarter's total of 674 victims shows consistent operations from various threat groups.

Introduction

In the past 24 hours, 62 new ransomware victims were identified. Lapsus (14), DragonForce (13), APT73 (8), The_Gentelman (7), and Qilin were the most active groups (6 victims). The United States had the largest share of new targets. Affected sectors included Education, Pharmaceuticals & Biotech, and Financial Services. For broader context on recent trends, see our Ransomware Threat Activity Update from April 26.

Ransomware Summary Table

Lapsus was the most active group today, impacting entities in Switzerland and Spain, predominantly in Education and Pharmaceuticals. DragonForce and APT73 also showed high activity, targeting Pharmaceuticals, Financial Services, and Transportation in the United States, Australia, Egypt, and Saudi Arabia. A significant target was the Rural municipality of Gimli by Payload in Canada, showing continued interest in government and public sector entities. Qilin also continued its operations, as detailed in our Ransomware Threat Activity Update from April 25, with 6 new victims today.

Victim Distribution

By Country

• United States: 20
• France: 5
• United Kingdom: 4
• Canada: 4
• Germany: 3
• Singapore: 2
• Italy: 2
• Japan: 2
• Saudi Arabia: 2
• Spain: 1

By Industry

• Manufacturing: 3
• Healthcare: 3
• Retail: 3
• Education: 3
• Insurance: 2
• Textile Manufacturing: 2
• Non-profit Organization: 2
• Software Development: 2
• Oil and Gas: 2
• Healthcare Information Services: 1

The United States remains the primary target region, followed by France, the UK, and Canada. Attacks were broadly distributed across Manufacturing, Healthcare, Retail, and Education, suggesting active groups are not focusing on a single sector.

Ransomware News

Topline

Ransomware and extortion activity continued in the past 24 hours, with BlackFile, ShinyHunters, and the Coinbase Cartel using diverse tactics. A Check Point report also pointed out vulnerabilities and operational insights into the threat environment.

Campaigns & Operations

BlackFile, linked to The Com and tracked as UNC6671/Cordial Spider, actively escalates extortion by impersonating IT support through voice-phishing and social engineering. It compromises credentials and moves laterally within SaaS platforms and internal repositories. This group has used seven-figure ransom demands and tactics such as swatting executives. Medtronic confirmed a breach of its corporate IT environment after the ShinyHunters extortion group claimed to steal over 9 million records; no impact on patient safety was reported. Hudson Rock's investigation into the Coinbase Cartel shows it operates as an extortion-only group. It bypasses encryption by using aged infostealer credentials to access cloud and file-sharing infrastructure. An estimated 80% of its 164 victims had prior infostealer infections. Check Point's daily threat report also mentioned The Gentlemen ransomware-as-a-service.

Vulnerabilities & TTPs

Vulnerabilities and supply-chain compromises include Vercel's breach via a Context.ai compromise exploiting stolen OAuth tokens, a Bitwarden supply-chain compromise involving a malware-tainted npm release, and a Google Ads malvertising operation that stole over $1.27 million impersonating crypto platforms. Active exploitation windows for relevant CVEs include CVE-2026-40372 (Microsoft ASP.NET Core), CVE-2026-28950 (Apple iOS/iPadOS), CVE-2026-33626 (LMDeploy), and CVE-2025-29635 (D-Link DIR-823X).

Analyst Note

These incidents show the pervasive threat of credential compromise, supply-chain vulnerabilities, and the growing trend of extortion-only operations across various attack surfaces. For a full overview of today's broader threat environment, refer to our Cyber Operations Threat Briefing for April 27.

Technical Takeaways

• Lapsus maintained high activity, accounting for 14 new victims across Education and Pharmaceuticals in Europe.
• The Coinbase Cartel uses a pure extortion model, employing stale infostealer credentials for initial access rather than traditional encryption.
• Public sector entities remain a target; Payload compromised a Canadian rural municipality.
• Voice-phishing and social engineering, as seen with BlackFile, continue to be effective initial access methods for data exfiltration.
• Several active CVEs, including CVE-2026-40372 and CVE-2026-28950, demonstrate the ongoing exploitation of known vulnerabilities in enterprise and mobile environments.

FAQ

Q: Which ransomware groups were most active in the past 24 hours?

Lapsus was the most active group, reporting 14 new victims, followed by DragonForce with 13, and APT73 with 8. The_Gentelman and Qilin also showed significant activity with 7 and 6 victims, respectively.

Q: Which industries were most targeted by ransomware today?

The most targeted industries were Manufacturing, Healthcare, Retail, and Education, each with 3 new victims. Other affected sectors included Insurance, Textile Manufacturing, Non-profit Organizations, and Software Development.

Q: What geographic regions experienced the highest volume of ransomware attacks?

The United States recorded the highest number of new victims with 20. Other significantly impacted countries included France (5), the United Kingdom (4), Canada (4), and Germany (3).

Q: Are there new ransomware groups leveraging unique TTPs?

The Coinbase Cartel is known for its "extortion-only" model, which bypasses encryption and primarily uses aged infostealer credentials to access cloud and file-sharing infrastructure. This is a distinct shift from traditional ransomware operations.

Q: Were any government or critical infrastructure entities targeted by ransomware today?

Yes, Payload claimed one victim, the Rural municipality of Gimli in Canada, a Government / Public Sector entity. This shows continued targeting of public sector institutions by ransomware operators.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform. It covers every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/26/2026

Statistical Overview

Victim Totals

• This month: 613
• This quarter: 613
• Year to date: 3234
• Last 24h: 7

Quarterly Breakdown

Q2 ransomware activity shows a consistent pace. The 613 reported victims for the quarter reflect a steady, though slower, rate compared to Q1's peak. Current trends show ongoing activity across various sectors.

Introduction

PurpleOps observed 7 new ransomware victims in the past 24 hours, showing moderate activity in the threat environment. M3RXDLS was the most active group, with 5 new victims. Brain Cipher and Medusa each accounted for one. Targeting spanned diverse sectors, from Media & Entertainment to Healthcare Services, and multiple geographies, including the United States, United Kingdom, and Switzerland. For a broader perspective on recent trends, refer to our Ransomware Threat Activity Update - April 25.

Ransomware Summary Table

M3RXDLS was the most active group in the last 24 hours, posting the majority of new victims and affecting organizations across Switzerland and Australia. Brain Cipher's only observed activity involved the United Kingdom's construction sector. Medusa continued its opportunistic targeting with one reported breach in the US healthcare sector. The ongoing activity of groups like Medusa shows persistent threats, as detailed in our Ransomware Intelligence Report - March 18.

Victim Distribution

By Country

• United Kingdom: 2
• United States: 2
• Australia: 1
• Canada: 1
• Switzerland: 1

By Industry

• Property Investment and Management Consultancy: 1
• Healthcare Services: 1
• Information Technology and Services: 1
• Civil Engineering and Rail Infrastructure: 1
• Performing Arts: 1
• Automotive Services: 1
• Medical Device: 1

The victim distribution over the last 24 hours shows no single concentrated geographical or industry-specific campaign. Instead, activity suggests a distributed, opportunistic targeting approach across various countries and diverse sectors. These include Healthcare Services, a sector frequently attacked, as seen in incidents like the Qilin ransomware attack on NHS.

Ransomware News

Topline - No significant ransomware-related news or public disclosures were observed within the past 24 hours, showing a period of low public reporting on new campaigns or vulnerabilities.

Campaigns & Operations - No specific new ransomware campaigns, actor activities, or reported incidents became public during this reporting period. The lack of public reporting does not preclude ongoing covert operations.

Vulnerabilities & TTPs - There were no new CVEs or notable changes in Tactics, Techniques, and Procedures (TTPs) publicly reported as being actively exploited by ransomware operators in the last 24 hours.

Analyst Note - The absence of public news may indicate a quiet reporting cycle rather than a complete halt in activity, as ransomware operations often maintain a covert posture.

Technical Takeaways

• M3RXDLS was the most active ransomware group in the past 24 hours, responsible for 71% of newly reported victims.
• M3RXDLS targeting showed geographical diversity, affecting organizations in Switzerland and Australia.
• The Healthcare sector, including Medical Device and Healthcare Services, remains a target, with Medusa claiming a victim in the United States.
• Observed activity indicates a broad and opportunistic targeting strategy rather than a focused campaign on specific critical infrastructure or government entities.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

M3RXDLS was the most active ransomware group in the past 24 hours, accounting for 5 of the 7 newly observed victims. Brain Cipher and Medusa each claimed one victim during this period.

Q: What industries were targeted by ransomware operators today?

Ransomware operators targeted a diverse range of industries. These included Property Investment and Management Consultancy, Healthcare Services, Information Technology and Services, Civil Engineering and Rail Infrastructure, Performing Arts, Automotive Services, and Medical Device manufacturing.

Q: Which countries experienced ransomware attacks on April 26, 2026?

Countries that experienced newly reported ransomware attacks on April 26, 2026, include the United Kingdom (2 victims), United States (2 victims), Australia (1 victim), Canada (1 victim), and Switzerland (1 victim).

Q: Is Medusa ransomware still active in the healthcare sector?

Yes, Medusa ransomware remains active. In the last 24 hours, Medusa claimed one victim, Walman optical, within the Healthcare sector in the United States, showing their continued targeting of this industry.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Our intelligence solutions include:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/25/2026

Statistical Overview

Victim Totals

• This month: 606
• This quarter: 606
• Year to date: 3227
• Last 24h: 23

Quarterly Breakdown

Ransomware activity in Q2 continues, with the current victim count matching the quarterly total due to the reporting period's commencement. Year-to-date figures indicate sustained threat actor operations.

Introduction

In the past 24 hours, 23 new ransomware victims were reported. The Qilin ransomware group had the most activity, with 19 new listings. Other active groups included Lamashtu, INC_Ransom, and NightSpire, affecting various sectors. Geographic targeting remained broad, with the United States experiencing the most new attacks.

Ransomware Summary Table

The summary table shows notable activity from the Qilin ransomware group. It was responsible for most new victim postings, affecting organizations primarily in Financial Services and Agriculture & Food across regions like Sweden and Japan. Lamashtu was active in Southeast Asia, while INC Ransom and NightSpire each claimed one victim in the United States. For more information on Qilin's recent activities, see our Ransomware Threat Activity Report - April 22. Our daily ransomware reports often mention groups like NightSpire.

Victim Distribution

By Country

• United States: 11
• United Kingdom: 2
• Germany: 2
• Argentina: 1
• Thailand: 1
• Sweden: 1
• Philippines: 1
• Mexico: 1
• Malaysia: 1
• Japan: 1

By Industry

• Banking: 2
• Information Technology & Services: 1
• Woodworking and Cabinet Manufacturing: 1
• Retail: 1
• Public Relations: 1
• Propane Delivery and Services: 1
• Non-Profit & Charitable Organizations: 1
• Mining & Metals: 1
• Healthcare: 1
• Food Production: 1

The distribution of new victims shows a concentration in the United States across various industries, suggesting opportunistic targeting rather than a narrow sectoral focus. The global spread indicates threat actors continue to target a wide range of locations.

Ransomware News

Topline

Today's ransomware-relevant developments include critical vulnerability disclosures by CISA, the emergence of a new extortion group, and several disruptive county-level cybersecurity incidents.

Campaigns & Operations

Winona County, Minnesota, and Harrison County, West Virginia, both reported network disruptions due to cybersecurity incidents. Winona County confirmed a ransomware attack that affected vital services. ADT confirmed unauthorized access to customer data following a ShinyHunters leak threat, reportedly stemming from a vishing campaign targeting an employee's Okta SSO. A new financially motivated group, BlackFile (also tracked as CL-CRI-1116, UNC6671, and Cordial Spider), has been linked to a recent increase in data theft and extortion operations. It targets retail and hospitality firms, employing vishing tactics.

Vulnerabilities & TTPs

CISA has added four actively exploited vulnerabilities to its KEV catalog: CVE-2024-57726 and CVE-2024-57728 affecting SimpleHelp, CVE-2024-7399 in Samsung MagicINFO 9 Server, and CVE-2025-29635 in D-Link DIR-823X routers. These have reported links to DragonForce ransomware activity. BlackFile's operations heavily use vishing calls to spoof IT support, steal credentials, bypass multifactor authentication, and exfiltrate data from platforms like Salesforce and SharePoint via API functions.

Analyst Note

The continued reliance on credential theft and social engineering, demonstrated by Verizon DBIR findings on pre-compromised credentials and by new groups like BlackFile, shows initial access often relies on human factors.

Technical Takeaways

• Qilin's Expanded Targeting: Qilin's large number of new victims indicates an active and potentially expanding campaign across various financial and agricultural sectors, with a presence in Europe and Asia.
• Vishing Dominance in Initial Access: The tactics of the new BlackFile group and the ADT breach by ShinyHunters show the continued effectiveness of vishing campaigns and social engineering for initial access and credential compromise.
• Federal Mandates for Vulnerability Patching: CISA's addition of four new CVEs to the KEV catalog, some linked to DragonForce ransomware, highlights the ongoing need for federal agencies and critical infrastructure to prioritize patching known exploited flaws.
• Geographic Focus on US: Most new victim postings, including those from INC_Ransom and NightSpire, originated from the United States, showing this region remains a main target for ransomware operators.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

The Qilin ransomware group was the most active, reporting 19 new victims. Other groups with reported activity included Lamashtu (2 victims), INC_Ransom (1 victim), and NightSpire (1 victim).

Q: What industries were most targeted by ransomware today?

Financial Services and Agriculture & Food were main sectors affected by the Qilin group. Other industries impacted included Banking, Information Technology & Services, and Healthcare, reflecting a broad targeting approach.

Q: Which geographic regions experienced the most ransomware attacks today?

The United States reported the highest number of new ransomware victims, with 11 organizations affected. Other countries with new victims included the United Kingdom, Germany, Argentina, Thailand, Sweden, Philippines, Mexico, Malaysia, and Japan.

Q: Are there any new vulnerabilities being exploited by ransomware operators?

CISA has added four actively exploited vulnerabilities to its KEV catalog, including CVE-2024-57726 and CVE-2024-57728 for SimpleHelp, CVE-2024-7399 for Samsung MagicINFO 9 Server, and CVE-2025-29635 for D-Link DIR-823X routers. These flaws have been publicly linked to DragonForce ransomware activity.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Our intelligence solutions include:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/24/2026

Statistical Overview

Victim Totals

• This month: 583
• This quarter: 583
• Year to date: 3204
• Last 24h: 25

Quarterly Breakdown

Q2 activity began with 583 victims so far, contributing to the overall year-to-date total of 3204. The past 24 hours saw a steady number of new victims across various groups, showing global ransomware operations continue.

Introduction

The past 24 hours recorded 25 new ransomware victims, contributing to a year-to-date total of 3204. Qilin, Payload, and The_Gentleman were the most active groups, collectively accounting for 13 of the new incidents. The United States was the most targeted country. Financial Services, Transportation & Logistics, Education, and Healthcare sectors also experienced activity. For more insights into current threat actors, refer to our analysis on active ransomware groups.

Ransomware Summary Table

Qilin, Payload, and The_Gentleman were the most active ransomware groups over the last 24 hours. They targeted various industries and regions. Qilin focused on Financial Services and Transportation in the United States and United Kingdom. Payload impacted Education and Healthcare entities in Spain and Austria, while The_Gentleman concentrated on Construction and Professional Services across Thailand and Egypt. Qilin's activity, which included an incident against the "City of napoleon, ohio," aligns with observations detailed in our recent Qilin ransomware threat activity report. Incidents also include "Dorotea Sweden" targeted by INC Ransom and "Star Energy Geothermal Salak" in Indonesia compromised by RansomHouse, showing persistent threats to government and critical infrastructure.

Victim Distribution

By Country

• United States: 10
• Germany: 2
• Canada: 2
• Thailand: 1
• Venezuela: 1
• United Kingdom: 1
• Austria: 1
• Sweden: 1
• Spain: 1
• Paraguay: 1

By Industry

• Information Technology and Services: 2
• Legal Services: 2
• Medical Equipment and Healthcare Infrastructure: 1
• Security and Protection Services: 1
• Retail (Grocery), Health Food Store: 1
• Ready-Mixed Concrete Manufacturing: 1
• Industrial Machinery & Equipment: 1
• Government: 1
• Franchising: 1
• Education Technology: 1

The United States was the most targeted country, accounting for 40% of new victims. Various sectors were affected, suggesting attackers were opportunistic rather than focused on specific industries. Information Technology and Legal Services saw repeat hits.

Ransomware News

Topline

Recent threat intelligence shows Trigona ransomware re-emerging with a bespoke exfiltration tool and details a ransomware breach affecting a Hong Kong club.

Campaigns & Operations

Trigona ransomware returned after a 2023 disruption, deploying a custom command-line exfiltration tool, uploader_client.exe, in its March attacks. The tool enables faster data theft by using parallel uploads, rotating connections, and selectively exfiltrating files. Separately, the Yau Yat Chuen Garden City Club in Hong Kong disclosed a ransomware breach from October 28, 2025, impacting over 9,000 individuals due to vulnerabilities in outdated remote-access software and weak security controls.

Vulnerabilities & TTPs

Trigona's custom uploader_client.exe shows a shift from public tools to proprietary tools for covert data exfiltration. It uses techniques like kernel drivers (e.g., HRSword) to disable security. The Hong Kong club incident was attributed to compromised service-provider credentials exploiting an outdated remote-access software vulnerability, alongside dated antivirus and firewall protections.

Analyst Note

These incidents show the continued use of sophisticated data exfiltration tactics and the persistent risk from unpatched software and inadequate organizational security.

What are the main technical observations from today's ransomware activity?

1. Custom Exfiltration Tools: The return of Trigona ransomware with a proprietary uploader_client.exe shows a move from publicly available tools for data exfiltration, suggesting efforts to evade detection and speed up data theft.
2. Vulnerabilities in Older Systems: The Yau Yat Chuen Garden City Club breach shows that outdated remote-access software with known vulnerabilities, and weak authentication and security controls, continues to be the main way ransomware gets in.
3. Diverse Targeting: While the United States was the most targeted country, the diverse geographic spread of victims, from Austria and Spain to Thailand and Indonesia, shows broad targeting by active ransomware groups.
4. Government and Critical Infrastructure Remain Targets: Incidents involving "City of napoleon, ohio," "Dorotea Sweden," and "Star Energy Geothermal Salak" show that government and critical energy infrastructure sectors continue to face direct ransomware threats.
5. Established and Emerging Groups Show Steady Activity: Groups like LockBit continue to be active, as do emerging groups like Payload and The_Gentleman. This adds to the steady number of new victims daily. LockBit continues to post new victims, reflecting broader trends often covered in our latest ransomware threat activity reports.

FAQ

Q: Which ransomware groups were most active today?

Qilin was the most active group in the past 24 hours with 5 reported victims, followed by Payload and The_Gentleman, both with 4 victims. These three groups accounted for over half of all new ransomware incidents reported.

Q: What industries experienced the highest number of ransomware attacks in the past 24 hours?

No single industry dominated attacks, showing broad targeting. Information Technology and Services, and Legal Services each recorded 2 victims, while a wide array of other sectors, including Healthcare, Retail, Government, and Manufacturing, each saw 1 reported incident.

Q: Which countries were most affected by ransomware activity today?

The United States was the most affected country, accounting for 10 of the 25 new victims reported in the last 24 hours. Germany and Canada each reported 2 victims, with other countries like Thailand, Venezuela, and the United Kingdom each seeing a single incident.

Q: Were there any new ransomware tactics or notable vulnerabilities reported today?

Yes, new intelligence shows Trigona ransomware is now using a custom exfiltration tool, uploader_client.exe, to speed up data theft and maintain a lower profile. Additionally, a breach at the Yau Yat Chuen Garden City Club highlighted the exploitation of outdated remote-access software with known vulnerabilities as a main entry point.

Q: Were any critical infrastructure or government entities targeted by ransomware today?

Yes, "City of napoleon, ohio" was listed as a victim of Qilin, and "Dorotea Sweden" was targeted by INC Ransom, both representing government entities. Furthermore, "Star Energy Geothermal Salak," an Energy & Utilities provider in Indonesia, was compromised by RansomHouse, showing continued targeting of critical infrastructure.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/23/2026

Statistical Overview

Victim Totals

• This month: 558
• This quarter: 558
• Year to date: 3179
• Last 24h: 19

Quarterly Breakdown

Q1: 2622 | Q2: 558 | Q3: 0 | Q4: 0

Ransomware activity continues into Q2, with 558 victims already reported this quarter. This consistent activity places pressure on global organizations. The 19 new victims in the last 24 hours show ongoing threat actor operations.

Introduction

In the past 24 hours, PurpleOps observed 19 new ransomware victims, driven by groups such as CoinbaseCartel and INC Ransom, among others. The United States remains the most targeted country, with the Professional Services, Government/Public Sector, and Technology/Software sectors experiencing significant impact. Threat actors continue to diversify their approaches, using social engineering tactics and experimenting with new encryption techniques.

Ransomware Summary Table

CoinbaseCartel was the most active group, accounting for seven new victims, targeting government and technology entities across Brazil and Indonesia. INC Ransom and Akira followed, focusing on Professional Services and manufacturing sectors primarily in the United States and Germany. A high-value breach includes Kementerian pertanian (Ministry of Agriculture) in Indonesia by CoinbaseCartel. This indicates persistent targeting of public-sector institutions.

Victim Distribution

By Country

• United States: 10
• Germany: 2
• Australia: 1
• Peru: 1
• None: 1
• Indonesia: 1
• France: 1
• Canada: 1
• Brazil: 1

By Industry

• Biopharmaceuticals: 1
• Specialty Materials Manufacturing: 1
• Medical Equipment Manufacturing: 1
• Medical Devices: 1
• Legal Services: 1
• Legal Practice: 1
• Lawn Care Services: 1
• Labor Union: 1
• Healthcare: 1
• Environmental Services: 1

The United States continues to experience the highest concentration of ransomware attacks, consistent with historical trends. While the industries targeted today are diverse, Professional Services appeared multiple times. This suggests either an opportunistic or strategic approach to targeting business operations.

Ransomware News

Today's intelligence shows continuous evolution and diversity in ransomware operations, with technical advancements and new actors emerging.

Topline

Threat actors are employing social engineering and established ransomware-as-a-service (RaaS) models, alongside technical capabilities, to compromise organizations across various sectors, while also exploring new encryption methods.

Campaigns & Operations

The data exfiltration group ShinyHunters claimed breaches against a major U.S. convenience-store chain and a U.S. software development firm. This signals cross-sector risks related to dark web monitoring and data exfiltration. ASEC introduced Prinz Eugen, a new data-extortion group. "The Gentlemen" ransomware-as-a-service (RaaS) outfit has rapidly risen since mid-2025, deploying a GO-written, cross-platform locker, using SystemBC SOCKS5 proxy for covert operations, and showing an enterprise-scale intrusion capability via Active Directory Group Policy. Genealogy SA, an Australian nonprofit, confirmed a cyber incident with SafePay claiming exfiltrated data, while LockBit was speculatively linked to a February technology outage in Orange, Virginia.

Vulnerabilities & TTPs

Social engineering remains a critical vector, with the M&S breach showing how a single password reset, achieved via social engineering against a service desk, can lead to legitimate credential exfiltration and subsequent ransomware deployment. Kyber ransomware variants, analyzed by Rapid7, showcase technical experimentation, including a Windows build written in Rust that incorporates Kyber1024 for symmetric key protection and an experimental Hyper-V targeting option, alongside multi-platform capabilities for VMware ESXi environments. The Gentlemen group employs antivirus killers and complex infection chains for lateral movement.

Technical Takeaways

• Persistence in Professional Services Targeting: Professional Services firms consistently appear among the top targeted industries. This indicates either opportunistic attacks or a strategic focus on entities handling sensitive client data.
• Rise of New and Advanced Groups: The rapid ascent of "The Gentlemen" and the emergence of "Prinz Eugen" show a changing threat environment with new actors bringing advanced capabilities, including GO-written malware and advanced lateral movement.
• Experimentation with Post-Quantum Cryptography: Kyber ransomware's implementation of Kyber1024 in its Windows variant, even if experimental, demonstrates a forward-looking approach by threat actors to encryption methodologies, potentially anticipating future cryptographic shifts.
• Social Engineering as a Primary Vector: The M&S breach shows that social engineering, around password resets, remains an effective initial access technique, leading to significant financial and operational impact.
• Geographic Concentration in the United States: The United States continues to be the most frequently targeted country, suggesting a sustained focus by ransomware groups on U.S.-based organizations.

FAQ

Q: Which ransomware groups were most active today, 04/23/2026?

CoinbaseCartel was the most active ransomware group in the past 24 hours, responsible for 7 new victims. INC Ransom followed with 3 victims, and Akira reported 2 new victims during this period.

Q: What industries were most targeted by ransomware today?

In the last 24 hours, Professional Services was a frequently targeted sector, with groups like INC Ransom, Anubis, and BlackShrantac impacting multiple organizations. Government/Public Sector and Technology/Software also saw targeting, especially by CoinbaseCartel.

Q: What geographic regions saw the most ransomware attacks in the last 24 hours?

The United States experienced the highest number of ransomware victims today, with 10 reported incidents. Germany followed with 2 victims, and Brazil, Indonesia, France, Australia, Peru, and Canada each reported one new victim.

Q: Were any new ransomware groups identified or highlighted in today's intelligence report?

Yes, today's intelligence introduced Prinz Eugen as a new data-extortion group. "The Gentlemen" ransomware-as-a-service outfit was also highlighted for its rapid ascent since mid-2025 and advanced technical capabilities, placing it among top-tier actors.

Q: What technical trends or tactics did threat actors employ in recent ransomware activity?

Recent activity showcases several key technical trends, including Kyber ransomware's experimentation with post-quantum encryption (Kyber1024) in its Windows variant and its multi-platform targeting of ESXi environments. Social engineering, for password resets, was also noted as an effective initial access method, leading to credential compromise and subsequent ransomware deployment.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/22/2026

Statistical Overview

Victim Totals

• This month: 539
• This quarter: 539
• Year to date: 3160
• Last 24h: 19

Quarterly Breakdown

Q2 ransomware activity started with 539 victims, adding to the year-to-date total of 3160. This figure indicates ransomware groups maintain their operational tempo, consistent with prior quarter trends. See our analysis of the most active ransomware groups for details on recent group activities.

Introduction

Over the last 24 hours, PurpleOps observed 19 new ransomware victims across various groups and sectors. Qilin emerged as the most active threat actor with 6 reported victims, followed by Akira and DragonForce. Geographically, the United States saw the highest number of incidents, while the Professional Services and Manufacturing sectors were prominently targeted. To understand the broader context of Q2 activity, refer to our Q2 victim report.

Ransomware Summary Table

Qilin was most active today, impacting diverse sectors including construction and technology across Turkey and Spain. Akira and DragonForce maintained a presence, primarily targeting U.S.-based entities in Media & Entertainment, Professional Services, and Legal sectors. No high-value critical infrastructure or government entities were identified among the sample victims today. However, the diverse geographic and industry targeting shows ransomware operations are persistent and opportunistic. Our detailed analysis of Qilin ransomware victims and attacks provides more information on this group's tactics.

Victim Distribution

By Country

• United States: 7
• Canada: 3
• Spain: 1
• United Kingdom: 1
• Turkey: 1
• Panama: 1
• Morocco: 1
• Greece: 1
• Germany: 1
• France: 1

By Industry

• Manufacturing: 2
• Legal Services: 2
• Warehousing and Storage: 1
• Office Technology Solutions: 1
• Law Practice: 1
• Entertainment: 1
• Electrical Contracting: 1
• Accounting: 1
• Printing and Direct Mail Services: 1
• Construction and Contracting: 1

The United States continues to be the primary target for ransomware groups, accounting for over a third of today's observed victims. Industry-wise, Professional Services (including Legal and Accounting) and Manufacturing show a concentrated targeting trend, reflecting ongoing threat actor focus on organizations with valuable intellectual property or client data.

Ransomware News

Topline

Recent developments highlight persistent ransomware threats, including supply chain vulnerabilities, new campaign discoveries, significant legal actions against affiliates, and ongoing policy discussions.

Campaigns & Operations

The "The Gentlemen" ransomware operation has been linked to a SystemBC C2 server, revealing a botnet exceeding 1,570 victims globally. It uses SOCKS5 tunnels and custom RC4-encrypted protocols for payload delivery. At the same time, SafePay dumped a 237-gigabyte dataset from Favelle Favco's Australian operations, comprising passport scans and sensitive industrial data. This shows risks to personnel identity and critical assets in construction. Separately, a former DigitalMint ransomware negotiator, Angelo John Martino III, pleaded guilty to conspiring with BlackCat/ALPHV affiliates, extorting approximately $75.3 million from five U.S. victims by using confidential negotiation intelligence.

Vulnerabilities & TTPs

A surge in attacks exploiting Bomgar Remote Support (now BeyondTrust) RMM has been observed, using CVE-2026-1731, an unauthenticated remote code execution flaw. This vulnerability allows attackers to run arbitrary OS commands and pivot into upstream servers, demonstrating rapid lateral movement capabilities, as seen in incidents affecting dental software providers and MSPs where LockBit ransomware was deployed.

Analyst Note

These incidents show the critical challenges from supply chain vulnerabilities, insider threat potential, the continuous evolution of ransomware tactics and infrastructure, and they also bring policy debates regarding hospital ransomware to the forefront.

Technical Takeaways

• Qilin's Sustained Activity: Qilin remains an active threat actor, capable of multi-sector targeting across diverse geographies.
• Supply Chain Vulnerability Exploitation: The exploitation of Bomgar Remote Support (CVE-2026-1731) shows the ongoing risk from unpatched RMM solutions and their potential for widespread downstream impact.
• Insider Threat & Negotiation Risks: The plea of a former ransomware negotiator exposes vulnerabilities within incident response, emphasizing the critical need for vetted partners and secure negotiation practices.
• Persistent Targeting of Professional Services: Legal, accounting, and consulting firms continue to be attractive targets for ransomware groups, indicating the value of their sensitive client data and operational disruption potential.
• Evolution of Ransomware-as-a-Service (RaaS) Infrastructure: The "The Gentlemen" operation using SystemBC shows RaaS capabilities, including multi-OS targeting and advanced lateral movement techniques.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

Qilin was the most active ransomware group in the last 24 hours, with 6 reported victims. Akira and DragonForce were also active, each claiming 2 new victims during this period.

Q: Which industries were most targeted by ransomware today?

Today, the Professional Services sector (including Legal Services, Law Practice, and Accounting) and Manufacturing were among the most targeted industries, each accounting for 2 reported victims. Construction & Engineering also saw activity.

Q: What regions saw the most ransomware attacks in the past 24 hours?

The United States experienced the highest concentration of ransomware attacks in the last 24 hours, with 7 victims. Canada followed with 3 victims, while Spain, the United Kingdom, and Turkey each reported 1 victim.

Q: Are there any new CVEs being exploited by ransomware operators that were reported today?

Yes, a new wave of attacks is actively exploiting CVE-2026-1731, an unauthenticated remote code execution flaw in Bomgar Remote Support (now BeyondTrust) RMM. This vulnerability allows attackers to run arbitrary OS commands and pivot into downstream systems, with LockBit ransomware observed in deployments using this flaw.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform. It tracks ransomware and discovers attack surfaces. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/21/2026

Statistical Overview

Victim Totals

• This month: 520
• This quarter: 520
• Year to date: 3141
• Last 24h: 32

Quarterly Breakdown

Ransomware activity in Q2 continues to accumulate, with the current month's victim count already reaching 520. This trajectory suggests a sustained threat environment, following a strong Q1.

Introduction

The past 24 hours saw 32 new ransomware victims added to leak sites, showing persistent global activity. Qilin emerged as the most prolific group, claiming 11 victims. Akira, CoinbaseCartel, and The_Gentelman each claimed 4 victims. Geographically, the United States, France, and Spain were mostly targeted, with the Manufacturing and Telecommunications sectors impacted.

Ransomware Summary Table

The past 24 hours saw Qilin lead with 11 new victims, targeting broadly across Financial Services and Agriculture & Food. Several groups, including Akira, CoinbaseCartel, and The Gentelman, each claimed 4 victims, contributing to activity across various sectors. CoinbaseCartel targeted critical infrastructure entities like Commscope (Telecommunications) and Engie (Energy & Utilities). This shows persistent risks to vital services, a trend we monitor as part of our ransomware intelligence Q2 overview.

Victim Distribution

By Country

• United States: 14
• France: 3
• Spain: 2
• Germany: 2
• Switzerland: 1
• United Kingdom: 1
• Thailand: 1
• Australia: 1
• None: 1
• Myanmar: 1

By Industry

• Manufacturing: 3
• Telecommunications: 2
• Packaging and Containers: 1
• Retail & Wholesale: 1
• Product Safety and EMC Compliance: 1
• Legal Services: 1
• Healthcare Services: 1
• Government: 1
• Engineering Services: 1
• Construction: 1

The United States is the primary target country, accounting for nearly half of all new victims in the last 24 hours. Manufacturing and Telecommunications sectors show a concentration of attacks, indicating exploitation of industrial and communication infrastructure.

Ransomware News

Threat intelligence today shows ongoing legal actions against ransomware affiliates, persistent exploitation of vulnerabilities, and changing tactics of established groups.

Angelo Martino, a former ransomware negotiator for BlackCat (ALPHV) affiliates, pleaded guilty to charges related to 2023-2025 attacks. He admitted to sharing confidential victim negotiation details. This conviction shows the legal risks for individuals involved in the ransomware ecosystem. Meanwhile, The Gentlemen ransomware group has expanded its operations by integrating SystemBC for bot-powered payload delivery and covert proxying, using Mimikatz for credential harvesting and Group Policy for lateral movement in targeted corporate environments. Additionally, the administration of Sprendlingen-Gensingen (Germany) reported a ransomware attack on April 16, 2026, causing network shutdown and an ongoing forensic investigation.

A reported uptick in compromised Bomgar RMM instances followed exploitation of CVE-2026-1731, with attackers deploying ransomware like LockBit LB3 and installing remote tools for reconnaissance and lateral movement. Observations indicate that approximately 70% of intrusions begin with VPN authentication, showing the need for strong cyber hygiene, including multi-factor authentication (MFA) and diligent patching. Ransomware trends show operations as a franchised, supply-chain-driven ecosystem, using tactics like data theft, double extortion, and Bring Your Own Vulnerable Driver (BYOVD) to bypass security solutions.

This activity shows the ongoing challenge from ransomware's changing operational models and the importance of a layered defense strategy.

Technical Takeaways

• Group TTP Evolution: The Gentlemen ransomware now uses SystemBC for bot-powered attacks, alongside Mimikatz and RPC-based remote execution for lateral movement. This shows a mature toolchain.
• Vulnerability Exploitation: Active exploitation of Bomgar RMM instances specifically targets CVE-2026-1731, leading to ransomware deployment and further network compromise.
• Initial Access Vector Dominance: Huntress data indicates that roughly 70% of intrusions begin with VPN authentication. This reinforces VPNs as a primary initial access vector for ransomware actors.
• Insider Threat Mitigation: The guilty plea of a former BlackCat ransomware negotiator shows the insider threat and the value of intelligence around negotiation tactics and insurance limits for threat actors.
• Ecosystem Sophistication: Ransomware operations are increasingly supply-chain-driven, incorporating techniques like BYOVD, AI-assisted malware, and double extortion, requiring full defensive strategies.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

A: In the past 24 hours, Qilin was the most active ransomware group, responsible for 11 new victims. Akira, CoinbaseCartel, and The_Gentelman each claimed 4 victims, contributing significantly to the day's activity. For a broader view on recurring threats, our analysis of the most active ransomware groups provides further context.

Q: What industries were most targeted by ransomware today?

A: Manufacturing and Telecommunications were the most frequently targeted industries, each accounting for 3 and 2 victims respectively. Other affected sectors included Financial Services, Energy & Utilities, Agriculture & Food, and Healthcare.

Q: What regions saw the most ransomware attacks today?

A: The United States was the most targeted country, experiencing 14 of the 32 new ransomware incidents reported. France followed with 3 victims, while Spain and Germany each saw 2 new victims.

Q: Were there any new vulnerabilities or exploitation trends identified today?

A: Yes, an uptick in the exploitation of Bomgar RMM instances followed CVE-2026-1731, used by groups like LockBit LB3 to deploy ransomware. Additionally, VPN authentication is a dominant initial access vector, accounting for approximately 70% of intrusions.

Q: What new tactics are ransomware groups like The Gentlemen employing?

A: The Gentlemen ransomware group has been observed expanding its tactics to include the use of SystemBC as a proxy botnet for payload delivery and covert communication. This sophisticated approach involves credential harvesting via Mimikatz, RPC-based remote execution, and Group Policy-driven lateral movement.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform that covers every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats and investigate incidents in natural language 24/7.

Our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/20/2026

Statistical Overview

Victim Totals

• This month: 488
• This quarter: 488
• Year to date: 3109
• Last 24h: 17

Quarterly Breakdown

Q1: 2622 | Q2: 488 | Q3: 0 | Q4: 0

Ransomware activity in Q2 currently stands at 488 victims. The 17 new victims identified in the last 24 hours indicate ongoing opportunistic and targeted operations by various groups.

Introduction

The past 24 hours recorded 17 new ransomware victims. Everest and Qilin were the most active groups, responsible for six and four incidents, respectively. Financial services, healthcare, and legal sectors were impacted across key geographies, particularly the United States and France. This activity shows the persistent and diversified targeting strategies ransomware operators use.

Ransomware Summary Table

Everest was the most active group, claiming six victims. They mainly targeted financial services, including Citizens Bank and Frost Bank in the United States, and transportation and logistics entities across the US and Spain. Qilin followed with four victims, affecting education and healthcare, notably Cooperativa de hospitales de antioquia - cohan. For more details on this group's operations, explore our Qilin ransomware victims and attack analysis. Legal services faced attacks from multiple groups, including Payload, Krybit, and PEAR. Akira's single victim, Integra Architecture, shows its continued but less frequent targeting; insights into their methods are available in our Akira ransomware TTP analysis.

Victim Distribution

By Country

• United States: 6
• France: 2
• United Kingdom: 2
• Canada: 1
• Colombia: 1
• Egypt: 1
• Indonesia: 1
• Malaysia: 1
• Qatar: 1
• Spain: 1

By Industry

• Legal Services: 3
• Architecture and Planning: 1
• Healthcare and Pharmaceutical Distribution: 1
• Real Estate Development: 1
• Education and Training: 1
• Law Firms & Legal Services: 1
• E-commerce: 1
• Property Development: 1
• Aerospace and Unmanned Aerial Systems: 1
• Aviation Solutions: 1

The United States recorded the highest number of new victims, confirming its status as a primary target for ransomware. Legal services saw concentrated attacks in the last 24 hours, suggesting either opportunistic targeting or a specific campaign focus.

Ransomware News

Topline

Recent intelligence indicates confirmed data breaches, alleged ransomware incidents affecting critical services, and active exploitation of multiple vulnerabilities.

Campaigns & Operations

The Kairos ransomware group claims to have breached NSW-based Strata Republic, exfiltrating 441GB of data, including sensitive personal and financial records, with a five-day publication deadline set. A ransomware attack on Hsinchu Logistics in Taiwan significantly disrupted operations, rendering systems inoperable and forcing manual processes. Cloud development platform Vercel also confirmed a security incident involving unauthorized access to internal systems. An attacker claiming to be ShinyHunters offered stolen access keys, source code, and employee data for a reported $2 million ransom.

Vulnerabilities & TTPs

The Hsinchu Logistics incident occurred amidst active exploitation of three Microsoft Defender zero-day vulnerabilities, including CVE-2026-33825, and a Fortinet FortiSandbox vulnerability (CVE-2026-39808) with public proof-of-concept. Attackers in this incident used Payouts King malware, designed to evade endpoint and EDR solutions by concealing itself within QEMU-VMs and employing Alpine-Linux-based backdoors.

Analyst Note

These events show the persistent targeting of supply chain entities, the urgency of strong vulnerability management, and the increasing sophistication of evasion techniques threat actors use.

Technical Takeaways

• Financial Institutions Targeted: Everest's activity against major banks like Citizens Bank and Frost Bank shows a continued high-value focus on the financial sector.
• Healthcare Sector Threats: Qilin's compromise of Cooperativa de hospitales de antioquia - cohan highlights ongoing threats to healthcare infrastructure.
• Legal Services as a Target: Multiple groups, including Payload, Krybit, and PEAR, demonstrate legal services firms remain a frequent target, likely due to sensitive client data.
• Zero-Day Exploitation: The Hsinchu Logistics incident involved active exploitation of CVE-2026-33825 and CVE-2026-39808, showing the immediate risk of unpatched vulnerabilities.
• Advanced Evasion: Payouts King malware, used in QEMU-VMs with Alpine-Linux backdoors, showcases advanced methods to bypass detection.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

The most active ransomware groups observed in the last 24 hours were Everest (6 new victims), Qilin (4 victims), and Payload (2 victims).

Q: What industries were most impacted by ransomware today?

Legal services were highly impacted, with 3 reported victims. Financial services, healthcare, education, real estate, and transportation & logistics also saw significant targeting by various ransomware groups.

Q: Which countries reported the highest number of new ransomware victims?

The United States reported the highest number of new ransomware victims in the past 24 hours, with a total of 6 incidents. France and the United Kingdom each reported 2 victims.

Q: Were any critical vulnerabilities exploited in recent ransomware attacks?

Yes, the ransomware attack on Hsinchu Logistics occurred amidst active exploitation of Microsoft Defender zero-day vulnerabilities, including CVE-2026-33825, and a Fortinet FortiSandbox vulnerability, CVE-2026-39808.

About PurpleOps

PurpleOps is an AI-driven cyber threat intelligence platform that covers various threat vectors, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/19/2026

Statistical Overview

Victim Totals

• This month: 471
• This quarter: 471
• Year to date: 3092
• Last 24h: 15

Quarterly Breakdown

Q2 activity continues to build with 471 victims recorded to date, reflecting an active start to the quarter, although a slowdown compared to Q1's aggressive pace.

Introduction

PurpleOps recorded 15 new ransomware victims in the last 24 hours, bringing the total for Q2 to 471. The_Gentelman was the most active group, responsible for 9 reported breaches, followed by Qilin with 4. The United States, Brazil, and the United Kingdom saw attacks, and sectors such as Transportation & Logistics and Technology / Software were targets.

Ransomware Summary Table

Today's activity was primarily from The_Gentelman, accounting for 9 victims across Transportation & Logistics and Technology / Software in Brazil and the United Kingdom. Qilin had consistent activity with 4 new victims, predominantly in the United States and Canada, targeting Agriculture & Food and Financial Services. CoinbaseCartel listed the Astm group in Italy, an infrastructure entity. This shows critical infrastructure remains a target. More information on Q2 trends and groups like CoinbaseCartel is available in our Ransomware Intelligence Q2: April 18 Update.

Victim Distribution

By Country

• United States: 5
• Belgium: 1
• Brazil: 1
• Canada: 1
• Denmark: 1
• Ireland: 1
• Italy: 1
• Poland: 1
• Taiwan: 1
• Thailand: 1

By Industry

• None: 1
• Clinical Laboratory Services: 1
• Seismic Monitoring Solutions: 1
• Freight Forwarding and Logistics: 1
• Legal Services: 1
• Infrastructure: 1
• B2B Online Retail: 1
• Stationery and Gift Manufacturing: 1
• Logistics and Maritime Services: 1
• Information Technology and Services: 1

Attacks spread across ten different countries. The United States was the most targeted nation. Industry targeting also varied, suggesting most reported incidents were opportunistic rather than highly specialized campaigns.

Ransomware News

Topline

No new significant ransomware news or incident reports surfaced in the last 24 hours.

Campaigns & Operations

Activity remains focused on previously identified campaigns. Threat actors reported no new major incident disclosures or large-scale operations. This suggests sustained, not novel, operations.

Vulnerabilities & TTPs

Ransomware groups identified or exploited no new critical vulnerabilities (CVEs) or significant shifts in Tactics, Techniques, and Procedures (TTPs) in the past day.

Analyst Note

Current intelligence points to a continuation of existing ransomware methodologies and targeting profiles. No new strategic shifts immediately emerged.

Technical Takeaways

• The_Gentelman group showed significant activity, accounting for 60% of new victims in the last 24 hours. They primarily affected Brazil and the United Kingdom across transportation and technology sectors. For more on this group, see our Daily Ransomware Report from January 12, 2026.
• Qilin ransomware had consistent activity, with 4 new victims in North America (United States, Canada). They focused on agriculture, food, and financial services sectors. An in-depth analysis of their operations is available in our Qilin Ransomware: Victims, Attacks, and Analysis.
• Ransomware operations targeted a broad geographic spread, impacting 10 different countries with just 15 new victims. This suggests widespread, opportunistic targeting, not concentrated regional campaigns.
• Industry targeting remains diverse; no single sector was heavily disproportionate. Logistics, technology, and manufacturing continue to appear frequently.

FAQ

Q: Which ransomware groups were most active today, April 19, 2026?

The_Gentelman was the most active ransomware group, claiming 9 victims in the last 24 hours. Qilin followed with 4 new victims, while CoinbaseCartel and PayoutsKing each reported one new victim.

Q: What industries were most targeted by ransomware on April 19, 2026?

Ransomware activity today showed broad targeting across multiple industries. Prominent sectors included Transportation & Logistics, Technology / Software, Agriculture & Food, Financial Services, Professional Services, and Manufacturing.

Q: Which countries experienced the most ransomware attacks today?

The United States was the most targeted country with 5 reported victims. Belgium, Brazil, Canada, Denmark, Ireland, Italy, Poland, Taiwan, and Thailand each had one victim.

Q: Were there any high-value targets impacted by ransomware today?

Yes, the Astm group, an infrastructure entity in Italy, was listed as a victim by the CoinbaseCartel ransomware group. This shows critical infrastructure continues to be targeted.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform. It covers every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/18/2026

Statistical Overview

Victim Totals

• This month: 456
• This quarter: 456
• Year to date: 3077
• Last 24h: 23

Quarterly Breakdown

Q1: 2622 | Q2: 456 | Q3: 0 | Q4: 0

Ransomware activity continues at a steady pace into Q2, with 456 victims reported so far. This early-quarter activity shows continued pressure from threat actors across various sectors.

Introduction

In the last 24 hours, PurpleOps observed 23 new ransomware victims. Leading the activity were Black Nevas with 9 reported incidents, followed by CoinbaseCartel (4) and Blackwater (3). Affected sectors included Manufacturing, Real Estate, and Healthcare, while geographically, the United States, India, Turkey, and Germany saw the highest number of new compromises. This period shows continued targeting across a diverse set of industries and regions.

Ransomware Summary Table

The summary table for today's activity shows a varied threat environment. Black Nevas targeted widely across China and Italy, primarily impacting professional services and manufacturing. CoinbaseCartel concentrated on manufacturing and construction in France and Canada, while Blackwater focused on hospitality and healthcare across Turkey and Brazil. Minidoka Memorial Hospital was listed as a victim of Blackwater, showing continued threats to critical infrastructure within the healthcare sector. For more granular insights into active groups, our Ransomware Tracking platform provides real-time data.

Victim Distribution

By Country

• United States: 5
• India: 2
• Turkey: 2
• Germany: 2
• United Kingdom: 1
• Saudi Arabia: 1
• Japan: 1
• Italy: 1
• Australia: 1
• Hong Kong: 1

By Industry

• Manufacturing: 2
• Property Management: 2
• Healthcare: 2
• Software Development: 1
• Jewelry Manufacturing: 1
• Commercial Real Estate: 1
• Law Firms & Legal Services: 1
• Construction Machinery Manufacturing: 1
• Building Materials: 1
• Used Construction Machinery Auctions: 1

The distribution indicates continued prevalence of attacks in the United States, while India, Turkey, and Germany appear as secondary targets. Industrially, the persistent targeting of Manufacturing and Real Estate shows these sectors' continued vulnerability to various ransomware campaigns.

Ransomware News

Topline

Recent intelligence shows historical incident disclosure failures and new ransomware operations using advanced technical evasion tactics.

Campaigns & Operations

The City of York, Pennsylvania, did not publicly disclose a July 2025 ransomware attack that disrupted municipal email and parking services. A subsequent February 2026 investigation revealed a $500,000 settlement backed by an insurer after negotiations. This incident shows potential gaps in public incident reporting and the financial implications for affected municipalities.

Vulnerabilities & TTPs

The Payouts King ransomware is using the QEMU CPU emulator to deploy hidden Alpine Linux virtual machines on compromised hosts. This technique allows payload execution, malicious file storage, and covert remote access, bypassing conventional endpoint security measures. Campaigns linked to this operation, identified as GOLD ENCOUNTER (STAC4713 and STAC3725), exploited exposed SonicWall VPNs, the SolarWinds Web Help Desk vulnerability CVE-2025-26399, and the CitrixBleed 2 vulnerability CVE-2025-5777 on NetScaler ADC/Gateway devices. Attackers then install QEMU, launch hidden VMs with tools like AdaptixC2, Chisel, and Rclone, harvest credentials, enumerate Active Directory, and exfiltrate data. Organizations are advised to monitor for unauthorized QEMU installations and unusual SSH activity.

Analyst Note

The observed technical complexity, particularly the use of virtual machines and exploitation of known vulnerabilities, suggests a trend towards more complex evasion tactics and diversified initial access vectors. This shows the importance of strong Dark Web Monitoring for early warning of emerging TTPs.

Technical Takeaways

• Diverse Group Activity: Black Nevas, CoinbaseCartel, and Blackwater were the most active groups, collectively responsible for over 70% of reported victims in the last 24 hours, showing a distributed threat environment rather than a single dominant actor.
• Persistent Healthcare Sector Targeting: The compromise of Minidoka Memorial Hospital by Blackwater shows the ongoing threat to the healthcare sector, classified as critical infrastructure.
• Manufacturing and Real Estate Vulnerability: Manufacturing and Real Estate sectors continue to experience high targeting, accounting for 20% of today's new victims, showing persistent vulnerabilities or value proposition for ransomware groups.
• Advanced Evasion Techniques: The Payouts King ransomware's use of QEMU virtual machines to bypass endpoint security represents an advanced TTP designed to achieve stealthy persistence and execution.
• Exploitation of Known Vulnerabilities: Ransomware campaigns continue to use critical vulnerabilities such as CVE-2025-26399 (SolarWinds) and CVE-2025-5777 (CitrixBleed 2) for initial access, showing the critical need for timely patching.

FAQ

Q: Which ransomware groups were most active in the last 24 hours?

A: In the past 24 hours, Black Nevas was the most active ransomware group, accounting for 9 victims. CoinbaseCartel followed with 4 victims, and Blackwater was responsible for 3, showing concentrated activity from these three entities.

Q: Which industries were primarily targeted by ransomware today?

A: Today's ransomware activity primarily targeted the Manufacturing, Property Management, and Healthcare sectors, each experiencing 2 new victims. Other affected industries include Software Development, Commercial Real Estate, and Law Firms & Legal Services.

Q: Were there any significant geographic shifts in ransomware targeting today?

A: The United States remained the most targeted country with 5 new victims. Beyond the US, India, Turkey, and Germany each saw 2 new victims, suggesting these regions are experiencing significant, though lesser, ransomware activity.

Q: What new technical insights or vulnerabilities were reported in today's ransomware activity?

A: Today's intelligence shows the Payouts King ransomware using QEMU virtual machines for payload execution and evasion, exploiting CVE-2025-26399 (SolarWinds) and CVE-2025-5777 (CitrixBleed 2) for initial access. This indicates an increasing reliance on advanced virtualized environments and known vulnerabilities to bypass security controls.

Q: What is the status of overall ransomware victim counts this quarter?

A: As of 04/18/2026, Q2 has accumulated 456 reported ransomware victims. This contributes to a year-to-date total of 3077 victims, showing a significant and sustained level of global ransomware activity at the start of the current quarter.

About PurpleOps

PurpleOps is an AI-first cyber threat intelligence platform covering every threat vector, from ransomware tracking to attack surface discovery. Our AI agents JINX and BUGSY triage threats 24/7 and investigate incidents in natural language.

Explore our intelligence solutions:

• Ransomware Tracking
• Dark Web Monitoring
• Credential Intelligence
• Supply Chain Risk
• All Solutions

Ransomware Report - 04/17/2026

Statistical Overview

Victim Totals

• This month: 433
• This quarter: 433
• Year to date: 3054
• Last 24h: 28

Quarterly Breakdown

Q1: 2622 - Q2: 433 - Q3: 0 - Q4: 0

Ransomware activity continues its consistent pace into Q2. The 24-hour victim count aligns with the overall monthly accumulation. Year-to-date figures show a persistent threat situation, maintaining pressure across various sectors.

Introduction

In the past 24 hours, ransomware activity saw 28 new victims added to public leak sites. SafePay, SLSH, and LockBit were the most active groups. Geographically, the United States and Germany recorded the highest number of reported incidents. Attacks targeted diverse sectors, including professional services, retail, and transportation, reflecting a broad opportunistic approach by threat actors.

Ransomware Summary Table